Scammers Turn to Smishing for ID Theft

How to spot and avoid text smishing scams: Internet Scambusters #849

Smishing — using smart phone texts to phish for victims’ confidential information — is soaring, and it’s more dangerous than email phishing.

In this week’s issue, we’ll tell you why and what the experts say, as well as giving you tips to avoid the scammers.

We also have a warning about fake subscription notices for a well-known education magazine.

Let’s get started…

Scammers Turn to Smishing for ID Theft

Phishing, the scam that involves tricking people into giving away confidential information, is surging via text messaging, posing a greater than ever risk of identity theft.

The reason? People trust text messages more than they do email, so they’re more likely to fall for the scam.

This type of phishing, better known as “smishing,” has been around for years but because consumers have wised-up to email tricks and, in fact, are using email less and less for simple messages, scammers have switched their focus to SMS texts to target their victims.

According to computer blogger Luke Larsen, the crime “has come full-force to texting, and it carries even more potential danger than it does through email.”

Writing for the online tech site Digital Trends, he says that cyber crooks are buying up smart phone numbers from databases on the dark web and then targeting them to trick users into giving up personal info.

The text usually contains a link that downloads malware, which steals as much data as it can find. And therein lies the threat:

“Your smartphone knows a lot more about you than your PC, so an installed piece of malware might steal the phone numbers in your contact list and spread the virus in hopes to exponentially multiply,” Larsen says.

“Even important bits of personal data, like banking credentials or your tracking location, can be at risk.”

Insider View

His views are echoed by industry insider Ruby Gonzales, communications director of NordVPN, which recently published a report on the trend.

She says that, as personal use of email is falling, legitimate marketing companies have turned to SMS and some social media sites to sell their products and services.

Users have become accustomed to receiving offers by text, including clickable links. They’re also less likely to have spam filters on their texting service, like they do with email, and it’s often difficult to check whether links inside SMS messages are valid or not.

“It’s a wider channel for criminals,” Gonzales says, “and they are trying to exploit it in the same way as all other channels that are opening.”

Scammers are also using texts to pose as tax authorities, not just in the US but also in the UK and Canada. The tactic creates a false sense of realism because many people don’t realize that text messages can be a threat.

“They say that the user is due a tax refund or needs to provide more information,” she explains. “Basically, they try to get users’ information, and that can be used for stealing their money.”

Dangerous messages sometimes use shortcodes — one-word responses users are asked to key in to acknowledge they got it. That can be enough to trigger a malware download.

For example, scam messages posing as donation requests from charities may provide a single word response that immediately forwards a donation. Scammers have used the same tactic, Larsen says, to steal money right out of bank accounts.

You might also end up with additional charges on your phone bill, according to a recent warning from the Federal Trade Commission (FTC).

Research suggests as many as one in three smartphone users had been targeted by a smishing attempt in just six months last year, although the actual number is likely to be higher since most people don’t report scam attempts.

What to Do

The best thing you can do to avoid falling victim is to never click on a link inside a text message.

Certainly, you should never respond to a request for a password or other confidential information. Instead, visit the real website of the organization that seems to be asking and check if it’s a genuine request.

You should also use extreme caution even if the message asks you to send the word “Stop” to stop receiving messages, as many do, unless you’re 100% sure that it’s genuine.

Sending a “Stop” message may not land you in immediate trouble but it signals to a phishing scammer that there’s a bite on the line.

In fact, for the same reason, you should never reply to text messages from someone you don’t know. It simply opens the door for an onslaught of spam.

In most cases, it’s actually illegal for businesses to send unsolicited texts to mobile devices without your permission. So, if you get one, that’s a big red flag.

Block the sender if you can. But otherwise, just delete the message.

And don’t share your cell phone number on social media.

In addition, it’s wise to install an anti-malware app on your phone.

Contrary to what many people believe, Gonzalez says, phones are more susceptible to malicious software than PCs.

“Specifically, Android phones,” she warns, “because Android is a more open system.”

To learn more about smishing, check out this article from Internet security company Kaspersky: What Is Smishing and How to Defend Against It?

Alert of the Week

Publishers of the non-profit education magazine Science News are warning of deceptive and unauthorized renewal notices, charging high subscription rates.

If you’re a subscriber, any genuine renewal notice will refer to your account status and request payment to the magazine’s processing center in Kettering, Ohio.

If you’re not sure if it’s genuine or not, call 800-552-4412 or email

That’s it for today — we hope you enjoy your week!