
What Is Smishing and How to Protect Yourself

LastPass, September 09, 2024

Are smishing scams triggering a collective wave of paranoia? 

“Trust nothing and no one. Never call a number you don’t recognize. Never click on links in a notification.”  

How many times have you heard the above recently? Even the IRS is warning about smishing scams. 

Yet smishing isn’t new. Threat actors weaponized the pandemic: in a 2020 survey, 76% of organizations worldwide reported being hit by an avalanche of smishing texts that year. 

Today, we reveal how to keep your employees safe from such scams – even when attackers use the most sophisticated schemes and tactics. 

Understanding Smishing 

Definition of smishing 

First, the basic question: what is smishing, and what does a smishing attack look like? 

The word “smishing” is a portmanteau of “SMS” (short message service) and “phishing.” 

In smishing attacks, scammers send text messages that trick unsuspecting users into revealing sensitive information like bank account, credit card, and Social Security numbers. 

These scammers, often called “smishers,” use SMS because they believe victims are more likely to respond to a text than to an email. Marketing-industry figures suggest they may be right: 95% of text messages are read and replied to within 3 minutes, and the average open rate for an SMS campaign is 98%, roughly five times that of email (20%). 


How smishing attacks work 

Another common question: how do smishing attacks work? 

First, the attacker sends you a text. The sender number is often spoofed: using an open-source VoIP (voice over internet protocol) tool or an account with a VoIP or bulk-SMS provider, the attacker replaces their real number with one that appears local to your area. 

If the spoofed number matches a sender already in your message history, the fake text can even land in the same conversation thread as genuine messages from your bank or carrier, which makes it far more convincing. 

Next, they may use any number of social engineering techniques to trick you into giving up login credentials or financial information.  

A popular tactic is instilling fear or excitement with text messages like, “Action required: Your tax refund has been put on hold,” or “A tax rebate of X dollars has been issued to you for an overpayment in 2023. Click the link to continue.”   

The common thread with all smishing scams is this: they try to create a sense of urgency in you, so you’re compelled to take immediate action. 

Clicking the link in the text typically leads to a credential-harvesting page, or to malware being installed on your device and your data being harvested, all without your knowledge or consent. 

Examples of Smishing 

Bank fraud alerts 

In bank smishing, attackers impersonate a financial institution or bank. They may claim your account has been breached, an unauthorized transfer has been initiated, or your account has been locked due to suspicious activity. 

Or you may be asked to confirm a transaction from a trusted retailer like Amazon, Walmart, or Best Buy. 

A link is usually included in the text. It leads to a page that imitates your bank’s online portal and asks for your login credentials and other sensitive information. Anything you type there goes straight to the attackers, who then log in to the real bank as you. Don’t click the link, and never enter credentials on a page you reached from a text message. 

Prize scams 

Prize scams usually promise free money that never arrives. 

They contain links that invite you to claim your prize or lottery winnings. However, there’s a catch: to claim your prize, you must pay a small fee to cover “taxes” or “shipping & handling.” You may be redirected to a fake website that collects your personal data or banking information.  

The FTC reports that unsuspecting consumers have already lost an eye-watering $301 million to this type of fraud – that's $907 per person. 

Service cancellation 

If you’ve ever received a service cancellation notice, you know the dread and anxiety it provokes. 

In 2023, nearly 20 million Americans and 16 million Britons were behind on their utility bills. Currently, nearly 45% of Americans struggle to pay their gas, electric, heating and/or internet bills. 

Considering this, scammers are weaponizing disconnection smishing texts to frighten vulnerable consumers into taking actions that further compromise their health and safety.  

They send text messages demanding immediate payment or pose as utility company representatives who “guarantee” large discounts on energy bills. The text messages may offer a free home energy audit, free solar panels, or the installation of energy-efficient equipment. When you call the number given, you’re asked to set up an appointment for the audit. 

You meet with the “representative” but never receive the promised equipment or discounts on your energy bill. Instead, you discover your credit card has been maxed out and your checking account depleted after several days.

Wrong number scam 

Wrong number scams are often the text version of online pig-butchering or romance-crypto scams.  

With the latter, you’re contacted on social media sites like LinkedIn, Facebook, or Instagram. “Wrong number” scammers open the same kind of conversation through an SMS that appears to have been sent to you by mistake. 

They rely on your friendly, accommodating nature to lure you into a relationship that undermines your financial security and peace of mind. 

Account verification scam 

It’s Friday night, and you’re relaxing on the couch, surfing the web for the perfect espresso machine. 

You do a Google search and decide Amazon has the best prices. 

While you’re comparing prices and product specifications, you get a supposed text from Amazon asking for a verification code to confirm your account login.  

The scammer tells you that Amazon has discovered a problem with your account. They are apologetic and ask for the code to resolve the issue. Don’t take the bait: the code is a real one-time passcode that Amazon sent because the scammer is logging in as you at that very moment. If they already have your username and password, the code is the last thing standing between them and your account and payment information. No legitimate company will ever ask you to read a verification code back to them. 

Malicious apps 

In this smishing variation, scammers create counterfeit apps that mimic popular, legitimate apps. Your employees may receive texts about the “best apps” for driving business success, complete with fake glowing reviews and high app store ratings. 

Once they install the fake app, it appears to work as advertised. However, unbeknownst to them, their devices are now infected with credential-stealing malware (on Android, typically an app that abuses accessibility permissions to log keystrokes or overlay fake login screens on top of real ones).  

The malware runs undetected in the background, logging every keystroke they make. This means attackers now have access to their login credentials – and your business systems. 

In some cases, ransomware may “lock” their devices, rendering them unusable until a fee is paid to the attackers. 

Shipment errors 

This smishing scam is also called “package delivery smishing.” Attackers send messages that appear to come from trusted carriers like UPS, FedEx, or DHL.  

This scam is popular during the holidays, when shoppers are preoccupied with meal planning and travel preparations. A typical text message may say, “There’s a problem with your delivery. Your package will be returned if not confirmed within 24 hours.” 

You may also get a text that reads like this: “We are unable to complete your shipment due to insufficient postage. Please pay $2.98 to resume delivery.” 

The amount for payment is usually small, so you’d be more likely to follow through. 

You’re encouraged to click on a link to resolve the issue. When you do so, you’re redirected to a clone website that has all the “right” logos, images, and text. There, you’re asked to confirm your shipping address and input your banking or credit card details to cover the shipping fee. 

Clicking on the link could lead to attackers draining your funds, installing malware on your device, or stealing your identity to open lines of credit in your name. 

Impersonating employer 

Many LinkedIn professionals include their mobile phone numbers in their profile.   

In 2024, scammers are weaponizing trust in the platform – by posing as fake recruiters to trick job seekers into applying for non-existent jobs.  

They send texts that say, “I’m a recruiter with Google. We’re hiring, and we’re looking to move fast in filling some critical positions. Please read the job description and let me know a good time to chat.” 

The job description includes information on wages and benefits. The pay is usually in the six figures for less than full-time hours, while details about the actual job function are scant. Still, one of your employees is intrigued, clicks the link to apply, and attends a tele-interview.  

After a nail-biting two days, they’re offered the “job.” The scammer then sends a fake employment contract to sign and tells your employee they need to purchase work equipment from Google. They harvest PII from the contract and mail your employee a ridiculously large check to cover the cost of the equipment.  

Soon, your employee receives a message saying that the amount sent was “incorrect.” To “resolve” the issue, they ask them to send some of the money back.  

If your employee complies, they end up without the dream job at Google and out of pocket once the check bounces. The scammers also walk away with the harvested PII, which fuels identity theft and gives them a convincing pretext for follow-up attacks against your company. 

Smishing vs Other Phishing Attacks 

Similarities 

Both smishing and phishing attacks rely on social engineering techniques to manipulate victims.  

Attackers impersonate legitimate brands to gain the victim’s trust and obtain sensitive data such as banking information, credit card info, and login credentials. 

Both types of attacks use immense pressure to create visceral reactions in victims, so that they’re compelled to act without conscious thought. 

Differences 

The most significant difference between smishing and phishing is the medium used for communication. 

Smishers contact their victims via SMS text messages, while phishers generally use emails to carry out attacks.  

As the threat landscape evolves, scammers are showing a preference for smishing. One reason is that text messages are harder to trace than emails.  

Email headers carry “Received” metadata showing the route a message took to reach your inbox. An SMS arrives with nothing but a sender ID, which can be masked or spoofed through VoIP services and bulk-SMS gateways. Smishers may also rotate through prepaid disposable phones or email-to-text gateways to avoid detection. A second reason is that mobile messaging apps show links without the hover preview a desktop mail client offers, so lookalike URLs are harder to inspect. 

Recognizing Smishing Attacks 

Signs that you are being smished 

If you’ve never been smished, trust us: it’s only a matter of time.  

No one is immune -- not even celebrities, it seems.  

In 2023, Andy Cohen (host of the late-night Watch What Happens Live! show) lost an undisclosed sum of money to scammers who targeted him with a combination of phishing, smishing, and vishing.

The scam occurred right after he lost his debit card. Cohen says he received an email from what he believed was his bank’s fraud department. He clicked the link in the email, which took him to a page that looked like his bank’s online portal. Cohen signed in, handing his credentials to the scammers. 

The scammers then asked him to sign in to his Apple ID account, which he refused. 

The next day, Cohen received what looked like a legitimate text from his bank – asking if he was trying to use his card. After his denial, he received a call from a bank “representative.” The rep said he wanted to review Cohen’s latest charges and sent over some “codes.” 

In the end, the “codes” he read back were the authorization codes the bank required to approve wire transfers out of his account. 

So, how can your employees avoid falling into the same trap as Cohen? Here are six signs to look for: 

  • Unsolicited text messages 
  • Requests for personal information 
  • Shortened URLs that hide the true destination of a link 
  • Requests for payments 
  • Outrageously lavish or generous offers, prizes, promotions, or discounts 
  • The use of emotional blackmail to hijack your brain’s traditional defenses 

We generally trust communications from familiar sources and institutions – realizing this trust can be exploited is an unsettling thought.  

More examples of smishing messages 

Fear and greed are the two emotions scammers lean on most. 

Think about the last time you received any of the following text messages: 

  • Congratulations, Tim! You just won a free all-expenses paid trip to Aruba.  Click on the link to claim your prize NOW. 
  • Congratulations, Nancy! You are the lucky winner of our 20-million-dollar jackpot. Reply with your bank information so we can deposit the funds in your account IMMEDIATELY. 
  • Breaking: this ONE cryptocurrency trick is generating millions for those in the know. Get the secret strategy they don’t want you to have http://sdhe*875.dl
  • WARNING: The IRS is filing a lawsuit against you. For more information, call +12873645230 as soon as possible. Otherwise, your arrest warrant will be forwarded to your local police department and your bank accounts and any social benefits will be frozen. 
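The anti-spam filters and ML-based content analysis discussed later in this article start from exactly the signals listed above: unsolicited sender, links (especially shortened or plain-HTTP ones), callback numbers, and urgency, fear or greed language. The script below is an added example for this article, not LastPass code, and it is deliberately rule-based rather than ML so the scoring is visible. It runs the four messages quoted above plus two constructed benign texts through a triage scorer. The keyword lists, weights and threshold are illustrative assumptions; a production filter also uses sender reputation and behavioural signals that a text-only scorer cannot see.

```python
"""Rule-based first-pass triage of SMS bodies for smishing indicators.

Added example, not LastPass code. Keyword lists, weights and the threshold
are illustrative assumptions and would need tuning against real traffic.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose: 10+ digit-ish run

# Constructed, non-exhaustive list of public URL shorteners (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# category -> (weight, regexes). Applied to lower-cased text; word boundaries
# keep "now" from matching "know" and "won" from matching "won't".
SIGNALS = {
    "urgency": (2, [r"\bimmediately\b", r"\bnow\b", r"\bwithin \d+ hours\b",
                    r"\bas soon as possible\b", r"\baction required\b",
                    r"\bfinal notice\b", r"\bsuspended\b", r"\blocked\b", r"\bon hold\b"]),
    "fear": (2, [r"\blawsuit\b", r"\barrest\b", r"\bwarrant\b", r"\bpolice\b",
                 r"\bfrozen\b", r"\bunauthori[sz]ed\b", r"\bbreached\b"]),
    "greed": (2, [r"\bcongratulations\b", r"\bwinner\b", r"\bwon\b(?!')", r"\bprize\b",
                  r"\bjackpot\b", r"\bfree\b", r"\bmillions?\b", r"\bsecret\b"]),
    "data request": (3, [r"\bbank (?:account|information|details)\b", r"\baccount number\b",
                         r"\bsocial security\b", r"\bssn\b", r"\bpassword\b",
                         r"\b(?:verification|one-time|security) code\b", r"\botp\b"]),
    "payment": (2, [r"\bpay \$?\d", r"\bfee\b", r"\bpostage\b", r"\bgift card\b",
                    r"\bwire transfer\b", r"\bbitcoin\b"]),
}
THRESHOLD = 5  # assumption: score at or above this is flagged


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def link_host(url: str) -> str:
    """Hostname of a URL as written in an SMS (scheme may be missing)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def score_sms(text: str, known_sender: bool = False) -> Verdict:
    """Score one SMS body. known_sender=True models a number already in the contact list."""
    lowered = text.lower()
    v = Verdict()
    if not known_sender:
        v.add(1, "unsolicited sender")
    links = URL_RE.findall(text)
    if links:
        v.add(2, "contains a link: " + ", ".join(link_host(u) for u in links))
        if any(link_host(u) in SHORTENERS for u in links):
            v.add(2, "shortened URL hides the destination")
        if any(u.lower().startswith("http://") for u in links):
            v.add(1, "plain-HTTP link")
    if PHONE_RE.search(text):
        v.add(1, "contains a phone number to call")
    for name, (weight, patterns) in SIGNALS.items():
        hits = [p for p in patterns if re.search(p, lowered)]
        if hits:
            v.add(weight, f"{name} language ({len(hits)} phrase(s))")
    return v


# The four messages quoted in the article, plus two constructed benign texts.
SAMPLES = {
    "aruba prize": "Congratulations, Tim! You just won a free all-expenses paid trip to "
                   "Aruba. Click on the link to claim your prize NOW.",
    "jackpot": "Congratulations, Nancy! You are the lucky winner of our 20-million-dollar "
               "jackpot. Reply with your bank information so we can deposit the funds in "
               "your account IMMEDIATELY.",
    "crypto tip": "Breaking: this ONE cryptocurrency trick is generating millions for those "
                  "in the know. Get the secret strategy they don't want you to have "
                  "http://sdhe*875.dl",
    "irs lawsuit": "WARNING: The IRS is filing a lawsuit against you. For more information, "
                   "call +12873645230 as soon as possible. Otherwise, your arrest warrant "
                   "will be forwarded to your local police department and your bank "
                   "accounts and any social benefits will be frozen.",
    "real otp (constructed)": "Your verification code is 482913. Do not share it with anyone.",
    "dentist (constructed)": "Hi, it's Dana from the dentist. Your cleaning is confirmed for "
                             "Tuesday at 3pm. Reply C to cancel.",
}


def triage(messages: dict[str, str]) -> dict[str, Verdict]:
    """Score a batch of messages; all are treated as unsolicited."""
    return {label: score_sms(body) for label, body in messages.items()}


if __name__ == "__main__":
    for label, v in triage(SAMPLES).items():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.score:2}  {label}: {'; '.join(v.reasons)}")
```

All four article messages clear the threshold, the dentist reminder does not, and the genuine one-time code lands just below it. That last case is the caveat worth noticing: a real OTP text and one triggered by a scammer logging in as you are word-for-word identical, so no content filter can separate them. The defence for codes is behavioural, never type or read a code anywhere except the site or app that you yourself are logging into.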

Why do smishers focus on these two emotions?  

These emotions cloud judgment and prompt impulsive action. (The same two sentiments are used to describe the stock market: CNN Business’s Fear and Greed Index scores investor mood on a 100-point scale, with a low number indicating a fearful bear market and a high number a greedy bull market.)  

Smishers are experts in psychological manipulation – and your emotions are their playground.

How smishers trick victims  

As the examples show, scammers trigger the most visceral emotions to provoke prompt action. After fear and greed, these are the two most leveraged tactics: 

  • An appeal to your curiosity: Scammers know it’s almost impossible to resist an offer for exclusive information or secret strategies no one else (seemingly) has access to. 
  • An appeal to your empathetic or compassionate nature: Scammers often try to exploit a national or global tragedy to steal from well-meaning citizens. In 2022, fraudsters claiming to be victims of the Russia-Ukraine war sent an avalanche of text requests for donations.  

Protecting Against Smishing 

Best practices to avoid smishing scams 

Smishers exploit your humanity and personal vulnerabilities to launch successful attacks. 

The following best practices can help you and your employees avoid becoming smishing victims: 

  • Implement anti-spam filters to block smishing messages: The most advanced filters assess the sender’s reputation, analyze the content of incoming messages for phishing elements, and use behavioral analysis to detect anomalies. 
  • Implement multi-factor authentication (MFA), preferably phishing-resistant: Scammers focus on stealing credentials because they “hold the keys to your kingdom.” SMS one-time codes help, but as the Amazon example above shows, a smisher can relay them in real time. FIDO2 security keys and passkeys are bound to the legitimate site’s domain, so a lookalike page cannot harvest a usable response. 
  • Keep all mobile devices updated: Updates may include improved spam filters and better detection of malicious links. 
  • Regularly review and revoke unnecessary app permissions on iOS and Android. On Android, keep Google Play Protect and Safe Browsing enabled and, where the device offers it, disable 2G connectivity. “SMS Blaster” attacks use a fake 2G base station to inject smishing texts directly into nearby phones, bypassing carrier-side filtering entirely. 
  • Establish an internal incident response team that stays informed about the latest social engineering attacks targeting workers. 
  • Download apps from trusted sources only. 
  • Implement ML-based analysis to identify the intention, expected action, and emotional sensitivity of the message. 

Educating yourself and your team 

Education is the first line of defense in SMS crime prevention. Here are four things you can do immediately to protect your employees: 

  • Teach employees how to recognize red flags. 
  • Instruct employees on best practices for secure communication, such as using tools like Signal, which offers end-to-end encryption, compliance with privacy regulations, and regular security updates. 
  • Provide clear reporting channels and an anonymous reporting option to emphasize that there will be no repercussions for reporting attacks. 
  • Continually invite feedback on your reporting and incident response capabilities. 

Using security software for smishing protection 

Whether your employees use iOS or Android phones, implementing a reputable mobile security software solution to detect and block suspicious messages is important.  

In the current market, some mobile security tools come with a Scam Alert feature for both iPhones and Androids. This means your employees will get an alert when they receive suspicious texts that are accompanied by malicious links. 

That said, security solutions like the above may not suffice due to the new generation of attacks such as deepfake phishing, which often involve a combination of smishing, vishing, and social engineering tactics to compromise your business. 

For example, an attacker could target one of your employees by masquerading as the CEO of your company. They might send texts and leave a voice message to request what appears to be a legitimate transaction. 

In 2019, attackers used AI to clone the voice of a parent company’s CEO. As a result, a C-suite officer at a UK energy firm was tricked into sending €220,000 (about US$240,000) to a Hungarian supplier. And in 2020, a bank manager in the United Arab Emirates was tricked into authorizing $35 million in transfers to close an acquisition he had previously discussed with the company director. 

The scammers used AI to clone the voice of the director. To date, there’s no indication the money has ever been recovered. 

The easiest way to protect your employees against deepfake smishing and vishing scams is to require that all official transactions be verified out of band, through a known communication channel (for example, calling the requester back on a number already on file, never one supplied in the message), and to agree on secret pass phrases or codes for these transactions. 

What to Do if You're a Victim of Smishing 

Steps to take if you fall for a smishing attack 

If any of your employees have fallen for a smishing scam, it’s important to act quickly to mitigate the damage. At minimum, these are the five (5) steps you should take: 

  • Tell your employees to change the passwords to all business-related accounts. 
  • Implement phishing-resistant multi-factor authentication on all business accounts. 
  • Contact all banking institutions you do business with to inform them of the breach. 
  • Report the incident to your IT department and have them scan for malware and ransomware. If any business devices have been infected with ransomware, check whether a free decryptor exists for that ransomware family (the No More Ransom project maintains a catalog) before considering any payment; decryptors exist for some families, not all. 
  • Monitor all business accounts for suspicious charges. 

Reporting smishing incidents 

Reporting smishing attacks can help law enforcement personnel track and combat these scams. To report an incident, contact the following authorities: 

  • Federal Trade Commission (FTC): Report the incident to the FTC so it can be shared with more than 2,800 law enforcement entities. 
  • Internet Crime Complaint Center (IC3): The IC3 is an arm of the FBI. When you file your complaint, be sure to include the names of the victims, a detailed description of the incident, and any losses incurred.  
  • Telecom or Wireless Providers: Forward the message to 7726 (the digits that spell “SPAM” on a phone keypad). Your provider will use the information to calibrate its spam filters in the ongoing effort to protect your business. 
  • Federal Communications Commission: Report unwanted texts using the FCC’s online complaint form.

Recovering from smishing-related identity theft 

If several of your employees fell for the smishing scam, the likelihood of identity theft is significant. Taking the following three (3) steps can help in the aftermath of the attack: 

  • Implement a credit/security freeze or fraud alert with all three credit bureaus: Equifax, TransUnion, and Experian. A fraud alert requires creditors to verify identities before opening new lines of credit. A credit or security freeze goes further and blocks creditors from pulling the report at all, so most new accounts cannot be opened in your or your employees’ names until the freeze is lifted. 
  • Regularly review credit reports for any unauthorized transactions. 
  • Implement awareness training to help your employees stay informed about multi-channel attacks utilizing texts, emails, videos, Teams chats, mobile apps, and web browsers. 

LastPass: Your Smishing Defense 

How LastPass protects against smishing 

LastPass can be a trusted partner and resource in protecting your business against smishing attacks. Here’s what we can do for you: 

  • Industry-tested compliance: LastPass is SOC 2, SOC 3, TRUSTe, ISO/IEC 27001, and ISO/IEC 27701 certified. This demonstrates our commitment to your data security. 
  • Strong encryption and key derivation: We perform 600,000 iterations of PBKDF2-SHA256 to derive the AES-256 key that encrypts your vault. In addition, our Zero Knowledge architecture means your data is secure even from us. Only YOU can decrypt your vault. 
  • Autofill capabilities: LastPass only autofills credentials on sites whose domain matches the saved entry. If a smishing link leads to a lookalike site, the autofill prompt simply does not appear. That missing prompt is itself a warning sign your employees can learn to notice. 
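The domain check behind that last point is worth seeing concretely, because it is the property that makes a password manager a phishing defence rather than just a convenience. The script below is an added example for this article and is not LastPass’s implementation; it shows the principle of matching on the registrable domain (eTLD+1) of the page URL against the saved entry, and refusing lookalikes. The public-suffix table is a tiny constructed subset (assumption); real managers use the full Public Suffix List and also let users configure equivalent domains, which is omitted here.

```python
"""Should a password manager offer saved credentials on this page?

Added example, not LastPass's implementation. Demonstrates registrable-domain
(eTLD+1) matching and a few lookalike refusals. PUBLIC_SUFFIXES is a constructed
subset of the Public Suffix List (assumption), enough for the cases below.
"""
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}  # constructed subset

# Hypothetical saved vault entry used for the checks below.
SAVED_ENTRY_URL = "https://www.amazon.com/ap/signin"


def registrable_domain(hostname: str) -> str:
    """eTLD+1: 'amazon.com' for 'www.amazon.com', 'bbc.co.uk' for 'news.bbc.co.uk'.

    Returns '' for IP addresses, bare public suffixes and unknown suffixes.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Longest candidate suffix first so 'co.uk' wins over 'uk' with a full list.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return "" if i == 0 else ".".join(labels[i - 1:])
    return ""


def _has_idn_label(host: str) -> bool:
    return any(label.startswith("xn--") for label in host.split("."))


def autofill_allowed(saved_url: str, page_url: str) -> tuple[bool, str]:
    """Decide whether credentials saved for saved_url may be filled on page_url.

    Returns (decision, reason). Checks run in order; the first refusal wins.
    """
    saved_host = (urlparse(saved_url).hostname or "").lower()
    page = urlparse(page_url)
    page_host = (page.hostname or "").lower()

    if page.scheme != "https":
        return False, "page is not served over HTTPS"
    # urlparse already strips 'user@' tricks: https://amazon.com@evil.net -> evil.net
    if _has_idn_label(page_host) and not _has_idn_label(saved_host):
        return False, "hostname uses xn-- (IDN) labels the saved entry does not; homoglyph risk"
    saved_dom, page_dom = registrable_domain(saved_host), registrable_domain(page_host)
    if not page_dom:
        return False, f"cannot determine a registrable domain for {page_host!r}"
    if page_dom != saved_dom:
        return False, f"{page_dom!r} is not the saved site {saved_dom!r}"
    return True, f"same registrable domain {page_dom!r}"


if __name__ == "__main__":
    # Constructed page URLs a smishing link might land on, plus legitimate ones.
    for url in [
        "https://www.amazon.com/ap/signin",          # saved site itself
        "https://smile.amazon.com/",                 # sibling subdomain, same eTLD+1
        "https://amazon.com.evil-login.net/login",   # brand as a subdomain of attacker
        "https://amaz0n.com/",                       # typo-squat
        "https://amazon.com@evil-login.net/",        # userinfo trick
        "https://www.xn--mazon-wqb.com/",            # punycode homoglyph
        "http://www.amazon.com/",                    # right host, no TLS
        "https://192.0.2.10/",                       # raw IP
    ]:
        ok, why = autofill_allowed(SAVED_ENTRY_URL, url)
        print(f"{'FILL' if ok else 'REFUSE':6} {url:45} {why}")
```

Only the first two URLs get credentials; every lookalike is refused, which is the behaviour the bullet above describes. The practical lesson for employees is the inverse: if the manager stays silent on a login page they reached from a text, the page is almost certainly not the site they think it is.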

Features and tools to enhance your security 

Do your employees regularly share passwords with their colleagues? If so, password fatigue is a high possibility. A global survey of more than 2,400 respondents found that almost 50% reuse passwords at work for ease and convenience. 

Yes, employees know it’s a risk (92%) but most of them (65%) do it anyway. 

With these security features, LastPass ensures that password sharing won’t keep you up at night: 

  • Secure, time-limited sharing: Your employees can grant temporary access to their passwords and revoke them after a set period. 
  • Password hygiene security score: LastPass allows your employees to run a security challenge on their iOS or Android phones. The challenge will generate a security score and rank, which tells them how they rank against all other LastPass users who have run the security challenge. 
  • Passwordless authentication: This is now the industry standard for protecting businesses. LastPass supports passwordless authentication methods that leverage biometrics, FIDO2 USB security keys, and passkeys. 

Why LastPass is the trusted choice for password management 

In early 2024, LastPass became the first password manager to achieve FIDO2 server certification. This certification sets the industry standard for cryptographic logins. In addition, LastPass is also the first password manager to earn the coveted ISO 27701 certification for privacy data management. 

Our commitment to your security sets the standard for all other password managers. If you’re looking to protect your employees, switching to LastPass may be the best decision you make this year. Start by taking LastPass Business for a free, no-obligation trial run today.