I’m normally not a fan of mash-up jargon, especially if it’s describing something meaningful. I’ll admit, however, that it’s hard to top the word “smishing.” On the surface, it sounds innocent and cute, and it’s a lot easier to say than the thing it’s describing. In a way, this piece was an excuse to use the term in writing.
Practically speaking, smishing is actually a very serious topic. At best, it’s an annoying waste of time, bandwidth, and resources. At worst, it’s something that could rob you of thousands of dollars, or worse. I’m going to break this article into two sections: one explaining smishing, and the other how you can protect against it, whether you’re using an iPhone or an Android device. Your mind may actually be your best weapon.
What is smishing?
Exploiting your curiosity
Smishing is a blend of “SMS” and “phishing.” SMS is the base protocol all cellphones support for text messaging. There are plenty of other protocols, but SMS is the only one a criminal can count on you having. Perhaps more importantly, it’s possible to maintain complete anonymity with SMS by using pre-paid SIM cards. Smishing simply wouldn’t work if carriers or police could match a phone number to a real name.
Smishing, then, is simply a phishing attack conducted via text message. You’ll get a message out of the blue from an unknown contact, typically urging you to take action on something important, like a tax refund, an undelivered package, or maybe a suspended bank/payment account. The real goal in these cases is to get you to tap on a link and share personal data, which the attacker can then use to steal money via identity fraud. Hypothetically, they could use a link to infect your phone with malware, but both Android and iOS are so locked-down that this is extremely unlikely.
That leads me to some of the more insidious forms of smishing, though. Some attackers won’t send a link right away — they’ll start with a message that sounds friendly, and implies it was delivered to the wrong person. Hypothetical examples might include “Hello, is this your new phone?” or “Are we still on for dinner on Friday?” In reality, the goal is to keep a conversation going long enough to build trust before asking you to send cash or cryptocurrency. Once they have what they want, they’ll vanish, leaving you feeling gullible and betrayed.
Smishing becomes life-threatening in countries with authoritarian governments. Instead of fraud, texts may be intended for surveillance, which could lead to you or others being harassed, arrested, imprisoned, or even executed if you’re considered a threat to the regime. What’s worse is that some surveillance doesn’t require you to tap on a link — infamously, the NSO Group’s Pegasus spyware can perform a “zero-click” attack without any action on your part.
No matter where you live, there are a variety of ways you can minimize the chances of becoming a smishing victim.
How to defend yourself against smishing
Never trust unknown numbers
This tactic can be tricky. While most texts will probably originate from names in your Contacts list, a lot of apps and websites now depend on anonymous SMS messages for things like delivery updates and verification codes. It’s what fraudsters are counting on, in fact. Blocking all unknown numbers can prevent smishing, but probably at the cost of other parts of your life.
Instead, whenever you get a message from an unknown number, treat it with suspicion, no matter if you get dozens of similar legitimate ones daily. Normally, legitimate texts will come in response to specific actions, like a two-factor authentication (2FA) request, or signing up for billing or shipping alerts. They also tend to originate from the same numbers every time. So a message that’s both unprompted and doesn’t have a conversation history with you should raise a red flag. When a number is dependable, consider adding it to your Contacts to avoid confusion.
Scan message previews before opening them
Both Apple Messages and Google Messages display previews of incoming texts, letting you check their origin and a brief snippet before opening them. Use the origin info to verify what I talked about in the last section. As an addendum to that, if a message is coming from an international area code, and you’re not expecting something from a specific friend, relative, or business, it’s almost certainly a scam.
The snippet is where critical thinking really comes into play. “Urgent action” scams often appeal to your sense of panic or greed, giving the impression of dire consequences if you don’t respond. They may also include their web link right up front. When they do, the URL will probably be a dead giveaway — a genuine Microsoft link, for example, is going to point to a page on microsoft.com, not a link that happens to mention the company’s name. Some smishing URLs may also be misspelled, or filtered through a shortening service to disguise them.
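The URL check described above can be automated. The following Python is an added example, not part of the original article: it pulls links out of a message and compares each hostname with the domain the sender claims to represent. The shortener list, the `.example` hostnames, the sample message, and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed for illustration: a few well-known shortening services.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message (hostname uses the reserved .example TLD).
SAMPLE_SMS = ("Microsoft: your account is suspended. Verify now at "
              "http://microsoft.com.account-verify.example/login or lose access")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, brand_domain):
    """Judge one URL against the domain the sender claims to be."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    brand = brand_domain.split(".")[0]  # assumption: the first label is the brand name
    # Genuine only if the host IS the domain or a subdomain of it.
    if host == brand_domain or host.endswith("." + brand_domain):
        return "genuine-domain"
    if host in SHORTENERS:
        return "shortener"  # real destination is hidden; treat as unverified
    # Split on dots and hyphens so "micros0ft-support" is compared as "micros0ft".
    if any(0 < edit_distance(part, brand) <= 2 for part in re.split(r"[.-]", host)):
        return "misspelled"
    if brand in url.lower():
        return "brand-mentioned-only"  # name appears, but the site is someone else's
    return "unrelated"

def scan_sms(text, brand_domain):
    """Return (url, verdict) for every link found in a message body."""
    return [(u, classify_link(u, brand_domain)) for u in URL_RE.findall(text)]

if __name__ == "__main__":
    for url, verdict in scan_sms(SAMPLE_SMS, "microsoft.com"):
        print(verdict, url)
```

The key comparison is the suffix test with a leading dot: it is what separates `account.microsoft.com` from a host that merely contains the company name.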
Trust-building scams will normally start with something vague that doesn’t make sense to receive from a person you know. A friend or family member probably isn’t going to say “hello” if you keep in touch with them on a regular basis. They’re also not going to start a conversation by pitching you on a business or investment idea, at least if they have any tact. Lastly, don’t fall for “accidental” romantic texts. You might be lonely, but it’s more likely you’re being scammed than falling in love with someone who meant to text someone else.
Take advantage of your phone’s anti-phishing features
If an SMS message is immediately suspicious, the best response is usually to delete it right away without opening it. This may better protect you against spyware and save you a few seconds. That said, both Android and iOS offer ways of filtering and/or reporting junk messages. Apple Messages, for instance, will (sometimes) offer a Delete and Report Junk button when you go to delete a conversation. In Google Messages, you’ll need to tap and hold on a conversation, then select Block > Report spam.
If you do open a conversation, you may be warned about dangerous links by your phone’s scam detection algorithms. As a final line of defense, you can turn to your web browser’s anti-phishing settings. These vary from app to app, but at a minimum, you’ll want your browser checking for known scam URLs, and warning you away from visiting non-encrypted websites. To change these options for Safari on an iPhone, go to Settings > Apps > Safari and toggle on Fraudulent Website Warning and Not Secure Connection Warning.
