Each day, about 20 billion text messages are sent to two billion smartphone users worldwide. Most of these texts are opened within three minutes, and many within a few seconds.
The massive number of text messages and their rapid-fire response rate – by comparison, only one in four email messages are opened within 10 minutes of arrival – amounts to unbridled opportunity for fraudsters exploiting the du jour device for deception: the pocket-held computer that also happens to make phone calls which many of us carry or have nearby 24/7.
Called “smishing” (named after Short Messaging Service technology that sends text messages), it’s an attempt to trick you into revealing private information via SMS or text message. Angling for credit and debit card numbers, PINs, usernames and passwords, even Social Security numbers, smishing texts often purport to be from a government agency, your bank or other respected companies. Typical ploys allege a problem with your account; promise free gift cards; offer low-cost merchandise, mortgages and credit cards; and click-bait like customer satisfaction surveys that lure you to open imbedded links or attachments that can also harbor malware. Today, nearly half of clicks on malicious URLs are made from mobile devices – more than doubling the long-running rate of 20 percent, notes cyber security firm Proofpoint.
Although smishing has been around since last decade, it’s on the rise – and increasingly even more dangerous. Studies show that the rate of text spam specifically designed to defraud is seven times higher that of spam arriving by email. And with small screens and the inability to hover a mouse to preview a link, it’s harder to spot text-sent trouble. Your smishing self-defense:
- Don’t reply to text messages from senders you don’t recognize. Even sending a “remove,” “stop” or “opt-out” response tells SMS senders that your mobile number is active, and ripe for more messages. Be especially wary of texts from a “5000” or other shortened number (versus a complete 10-digit phone number) indicating the message is actually an email sent to a phone.
- Never reply to text messages asking you to “confirm” or provide personal or financial information. Legitimate companies don’t text requests for account numbers, log-in details, and other sensitive data. Government agencies don’t correspond by text (and are unlikely to even have your mobile phone number).
- Slow down. Most people instinctively deal with text messages ASAP – and smishing scams work best when creating a false sense of urgency. Rather than calling back numbers provided in text messages (doing so is another tipoff of your working cell number), take a few minutes to verify the actual contact numbers of legitimate business that may need to contact you.
- Forward suspicious text messages to short code 7726 (which spells “SPAM” on your keypad), which allows cell phone carriers to identify and block smishing messages.
- Be stingy with your cell phone number. Don’t post it online, on social media, or provide it for contests, surveys, touted “deals” or “free trial”
- If you haven’t already, install anti-malware software on your Android phone; some products also can block smishing texts. (Apple’s iPhones have built-in protection.) When you receive a bona fide notification of an upgrade to your phone’s software, install it immediately.
- Keep tabs of your phone bill, looking for suspicious charges – even if you don’t respond to unknown texts.
For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs of scams and law enforcement alerts in your area at our Scam-Tracking Map.
In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe. This is especially true when the SMS comes from a phone number that doesn’t look like a phone number, such as a “5000” phone number. This is a sign that the text message is actually just an email sent to a phone.
You should also exercise basic precautions when using your phone. Don’t click on links you get on your phone unless you know the person sending them. Even if you get a text message with a link from a friend, consider verifying they meant to send the link before clicking on it. A full-service Internet security suite isn’t just for laptops and desktops. It also makes sense for your mobile phone. A VPN such as Norton WiFi Privacy is an advisable option for your mobile devices. This will secure and encrypt any communication taking place between your mobile device and the Internet on the other end. Never install apps from text messages. Any apps you install on your device should come straight from the official app store. These programs have vigorous testing procedures to go through before they’re allowed in the marketplace. Err on the side of caution. If you have any doubt about the safety of a text message, don’t even open it.