Smash texting scams: How to avoid smishing attacks

If you’ve recently received a bunch of suspicious texts from unknown numbers claiming to be USPS, your bank, or another major company asking you to resolve some sort of urgent issue, you’re not alone. Hopefully these bizarre missives tripped your shadiness alarms and you kept your link-clicking fingers at bay, because those texts aren’t legit. They’re a relatively novel iteration of the phishing scam, in which thieves hiding behind the opacity of a screen hope you’ll buy their business disguise enough to give them what they want. This text-centric update on the classic con goes by “smishing,” a portmanteau of “SMS” and “phishing.”

Don’t feel too bad if you briefly regarded such texts as plausibly authentic, however. They’re cunningly crafted to take advantage of this unique moment in tech, a time when the dangers of an increasingly complicated and online economy have us returning to the relative simplicity of the dumbphone era in search of additional guardrails like using SMS for two-factor authentication or receiving text alerts when a package has been delivered. But since even the savviest among us have off days or unfocused moments when a smishing scam could slip by undetected, we’ve put together a primer on how to spot and avoid them.

Gmail has correctly determined that this email is not from the real Illuminati. Credit: Screenshot: Gmail

How Smishing Works

Smishing scams operate on the same principle as the email phishing scams they spun off of, but they’re much easier for scammers to deploy. Scammers send out a bunch of official-looking messages from a spoofed number that solicits users’ logins or other vital/sensitive information, which can then be used for ID theft and account pilfering.

While email services have gotten pretty good at the process of weeding out the bad stuff over the decades, phone carriers and manufacturers are still in the early stages of spam filter development. On top of that, the general public has gradually become more and more educated about phishing threats. So, rather than waste energy attempting to recreate the look and language of a genuine Bank of America email that will not only fool AI filters but also the end user, scammers have taken to the much easier route of shotgun blasting out SMS messages to tons of numbers with the hope that some sucker will take the bait.

On rare occasions, the nefarious message will attempt to have the recipient install data-harvesting malware disguised as a legitimate app. This method is more commonplace for Android users, as that is both the most common smartphone operating system on the planet and also the OS that gives users more freedom to download apps from unvetted sources.

Spotting the Scams

Clocking a smishing text off looks alone is much harder than recognizing an “off” looking email as a phishing scam. Many of the authentic SMS messages businesses send look quite ugly and strange, especially when compared to the sort of text formatting we’re used to receiving from our friends and family. These aesthetic issues have myriad causes. The company might have outsourced the task to a third party. Formatting can get jumbled along the way while going from a computer drafting program to SMS (which can further vary from carrier to carrier). The human creating the message template might have just had a weird sense of what looks “official.”

Credit: Screenshot: iMessage

Moana failed to consider human error as the culprit behind her misspelled name Credit: Screenshot: Whocallsme

This method of corporate communication is still so strange and unfamiliar that sometimes even real texts get mistaken for scams. Take, for instance, this text from Ikea via the queuing service Waitline. It was sent and received in conjunction with a bona fide return at the company’s Burbank, Calif., store. But as a Google of the phone number it was sent from reveals, many people wrote the message off as fake.

Think About It

Ultimately, you are your own best line of defense against scammers, and one of the easiest ways to avoid them is to just use common sense any time a smishing text comes your way. Do you even bank with Chase? No? It’s unlikely they’re locking you out of your account if that account doesn’t exist. Are you expecting a package? From DHL? Even so, it’s wise to comb through your emails for an order receipt and/or tracking number to look up the shipment yourself rather than clicking on a random link in a text. And — this should come as no shock — you have and will never win a prize that asks you to collect it by clicking a link sent by an unknown number.

Check the sender

Let’s presume this suspicious corporate text purports to be coming from a company you actually do use. Your next step should be to review the sender. The VOIP services used to send such messages means they will almost always show up as green bubbles for iOS users. Furthermore, iMessage allows emails to be sent alongside SMS messages, so some spam that would have once been easily snared in Gmail’s filters now gets a second chance at success in your messages. But a simple inspection of the sender’s contact card can often reveal an email address that is a jumble of letters and numbers and decidedly not from the real company.

Credit: Screenshot: iMessage

A glance at the sender is often all you need to determine a text’s authenticity. Credit: Screenshot: iMessage

Additionally, be wary of messages that come from numbers like “5000,” which are indicators of the email-to-text services scammers frequently use.

Inspect the text

Smishing texts often contain telltale clues about their inauthenticity. First, look for obvious giveaways like misspelled words, strange punctuation, improper grammar, or erroneous extra spaces between words and punctuation. No Fortune 500 company is sending out communication that sloppy.

Keep an eye out for messages urging you to act fast or claiming limited time. Scammers are hoping a fomented sense of urgency will cause you to abandon your common sense.

Texts often truncate URLs, which smishers use to their advantage. Their scam works by convincing the user to click a link to a shady site, so they’ll often create a URL that’s frontloaded with legit seeming bits and hope the phone’s URL shortening protocols hide the more obvious giveaway parts of the address stuffed at the back. It’s a good rule of thumb to just never click on any link sent by someone you don’t know. If you’re genuinely concerned about any claim a smisher is making in their bait text, you can always investigate by logging into your account through the normal methods or looking up the real customer support info yourself.