Anatomy of a Phishing Scam, Part II: Phishing via Text Messages

3 min read

In Part I of this topic, I explored how the process of an email phishing scam works and the processes and tools you can use to help defend yourself. In the second and last part of this series, I want to focus on a different kind of attack that’s just as easy to spot, once you know how to spot it.

Phishing by SMS or text message is known as “SMiShing”. I know: stupid name, but it’s a thing. I recently received the text message you see here. Honestly, I thought nothing of it: I occasionally get contacted by my banks and credit agencies when there’s a security flag on my accounts. As a result, this text didn’t seem unusual at first and I didn’t hesitate to call the number. Once I dialed and heard the message, however, I hung up immediately, realizing that I’d just been duped by a fairly average phishing attack.

Text Messages

Seems pretty real right? WRONG. This is a phishing attack.

My first mistake was this: I didn’t really pay attention to the text message and I should have. As a result, I almost got caught. Of course, when I went back and took another look at the text, I noticed three obvious giveaways that I should have noticed immediately:

  1. There was no identifying name of any bank, agency or credit card provider in the text alert.
  2. The phone number I was asked to call wasn’t a toll-free number.
  3. Most embarrassingly, I have no credit cards that start with the digits 5077! 

The creators of this phishing attack had a particular method: they hoped that a general text like theirs sent out to a huge number of people would convince enough unsuspecting victims like me to press the link to call the number.

If you’re someone who is used to getting legit alerts from your bank or credit card companies, then you might — as I did earlier — not take a more careful look at the text you receive. But you should. Here’s the actual recording that played to me, so you can hear it for yourself:

How SMiShing Works:

SMiShing scams work by looking or sounding as official as possible. However, lesser quality scams are designed to work by casting as large a net as possible. In this case, that means sending the same text message to hundreds of thousands of people. Or more. Since bulk text messaging costs as low as $0.01 per text, the cost is only $1000 to text 100,000 people and $10,000 to text a million. Even a 1% success rate in gaining access to people’s credit card information would yield a potentially massive financial windfall.

If you think this sound far-fetched, reconsider: every single day, people see a bogus text, think it’s real and then willingly give away their credit card numbers, their email address/password, their Amazon account credentials or worse.

How to Notice a SMiShing Scam:

Real banks and credit cards always use professional protocols when contacting you about fraud. As a result of knowing what those protocols are, you can use it to help identify a SMiShing scam. When in doubt, assume it’s a fraudulent call. If it’s not, the burden of proof is on your bank or lender and they’ll rise to the occasion by providing some of what you see listed here:

  1. Real banks and credit card companies will usually call you on the phone, not text you, to alert you to potential fraud. The phone number will either be a recognizable number or recognizable phone number format from within your own country. If you see a call or text from 101–000–100, be immediately suspicious.
  2. When a bank or credit card calls you, the human calling will always identify the name of the bank or card up front. For example, “This is Joseph calling from the fraud alert team at American Express” is far more authentic than, say, a computerized voice saying “Welcome to the California EBT Customer Service Hotline…”
  3. Sometimes, fraud alert calls might be automated. Even then, a protocol will be followed. You might be asked to confirm a purchase with your card on a specific date, for a specific amount and at a specific retailer. They’ll give you information first. Then you can simply confirm/deny if you made those charges.
  4. Banks and credit cards companies already have your banking/credit card information, so they’ll never ask you to provide that info. Instead, they’ll ask you to verify your identity so that they can confirm that they’re speaking to the right person to alert about something important.

If you call an automated number and realize, as I did, that it’s a SMiShing scam, hang up and don’t provide any further information. Block the number from ever contacting you again and then report the scam to your bank or credit card.

How to Block Future SMiShing Scams:

There’s no perfect way to stop all SMiShing scams but here are a few of the best ways to help minimize the damage:

  1. Don’t respond to ANY text message from a number you don’t recognize. It’s just not that important! Anyone who’s already close to you is already in your Rolodex and knows how to reach you if something important is happening.
  2. Block any number associated with a SMiShing scam. If you get a SMiShing scam from a number, block it! If you use an iOS device, use this guide. If you’re on an Android device, use this guide.
  3. Only provide your cell phone number to friends and family. Whenever I am asked to provide a phone number for any service, website or individual, I provide a secondary Google Voice number instead of my actual cell phone. I suggest you do the same. It’s easy, 100% free and I talk about it at length here. 

How to Report a SMiShing Scam:

While most of the country’s most popular banks and institutions provide guides to assist you with preventing or avoiding phishing attacks (see Wells FargoAmerican ExpressBank of AmericaChase Banks & Credit Cards, CitibankTD BankPNC BanksCapital One, & HSBC)

Submit what happened to you to the Internet Crime Complaint Center (IC3), so they can do the work to track down any other leads. The only catch here: they’re really looking to hear from victims: people who have lost money as a result of a digital scam. Hopefully, using the tips and tricks above, contacting the IC3 will be the last resort.

David Koff David Koff has had a successful and incredibly fun dual-track career in both technology and the arts for about 25 years. He's got a love for the analytical side of technology from coding to problem-solving. He's also an accomplished performer and teacher of improvisation, a life skill that he believes all humans should study for some amount of time.

Leave a Reply

Your email address will not be published.