SCAMS: Smishing (text messages)

Over the next few weeks, I will be putting together some articles on the common scams that can happen to anyone. (Including my Mum!)


Smishing is a common scam which works by the attacker assuming an identity you may trust & contacting you via text messages.

Generally, they use three methods:

1. Build Trust by posing as a legitimate person or business you know, to make you feel secure. The messages often imitate the tone of who they are impersonating to make you lower your guard. These messages may also appear in the same text thread as previous legitimate correspondence.

2. Use a common situation that could be relevant to the target, making the message appear legitimate. Depending on the sophistication of the message, if you reply with more detail such as a name, the messages will be more personable to not raise suspicion.

3. Make it time-critical and elevate an emotional response so you are more likely to override your suspicion and provide the information (or money) they are requesting.

Targets are sometimes random but often these are selected by region, institution, or other affiliation and can often be masked by changing the number to display a familiar contact or institution number.

Some common examples of Smishing attacks

Financial Services attacks are masked as notifications for the financial institution. These scams may request you contact the institution due to suspicious activity, follow a link to provide more details, or even make a payment.

Free Gifts or Offers from reputable companies. These are designed to elicit an emotion of excitement and will encourage us to sign up to claim an offer or even pay now for shipping.

Invoice or Order Confirmation with the prevalence of online shopping. This prays on the fact we have probably ordered something recently and you can track the item by clicking a link, or you may need to pay extra shipping fees. These can be difficult to decern though can usually be picked up by the absence of not ordering anything recently or the absence of the business name you have ordered from.

Customer support attacks will claim to be a trusted institution that many use, like the Big 4 banks, Apple, Google, Amazon etc. requesting you login via a link which may be a fake page, call back to reset, or troubleshoot your account.

Government Agency requests for call back to action late payment where they can confirm your details or get payment details.

Prevention is better than cure

Until the broader industries adopt better technology and processes here are some tips to help not become a victim:

Do not respond. Perform an independent search on the internet and call the business’ official number.

Respond, don’t React if a message is urgent. Slowing down and thinking about the message and not immediately reacting to an urgent request will give you time to consider your actions and allow you to respond to the message accordingly. Call the affected individual to confirm on the number you have or search the internet and contact the business by their official phone number or website.

Contact the financial institution or Government Department directly. Most will never request account or login details via text. Never click on the link and use internet search to login to the official website and check for messages on your online account.

Never click any unsolicited link if you haven’t instigated it.

Use multi-factor authentication (MFA) on any account that allows this. Even if you were to provide your password, the requirement for another authentication method such as text, email or authenticator software will prevent the attacker gaining access to your accounts.

Never provide a password or account recovery code to anyone (even the institution) if you haven’t contacted them. Most large organisations don’t require you to provide user passwords or codes to reset an account. However, don’t confuse this with verification codes initiated by your call to the institution. Good business practices are for them to send a code to you to make sure you are who you are.

You are not alone! The simplest way to avoid these is to never click on a link or provide information via text message. Sometimes the best response is no response.

If you find yourself a victim these are somethings to limit any future damage:

1. Report immediately to the business

2. Contact your financial institution and try and stop payment or request a trace and recall

3. Cancel card(s) and change login and passwords.

4. Monitor your finance, credit or affected account from any unusual activity

5. Be vigilant and never give your personal identification details unnecessarily

6. Although it may be embarrassing, contact other people you know that may be affected by the information that was provided so they do not become a victim. 

Over the following weeks we will be providing more tips and advice so remember to follow or subscribe to find out more ways to protect yourself.

Stay tuned for the next topic: What is an email Phishing scam

*The intended audience for this article is general public and therefore written less technical and not for Security Professionals 

2023 © One Click Verify