What is Smishing? How to Identify + Report It

SMS phishing (“smishing”) is a form of phishing in which an attacker uses SMS text messages to trick recipients into taking an action and compromising sensitive information.

Smishing is on the rise... because it's been proven to work

You may have received a text message or two from unknown numbers in the past; smishing texts capitalize on the instant nature of text messaging and the likelihood that your cyber-awareness might be on low guard when using your personal mobile device. While these unknown number texts may seem inconsequential, they are often a successful way of social engineering.

In recent years, mobile attacks have risen in popularity, as many people began to trust text messages more than emails. As a result, over 40% of all mobile threats last year involved SMS-based attacks.

These attacks are also simple to set up; creating an account with voice-over-IP (VOIP) platforms can be simple and inexpensive, and threat actors will utilize these tools to carry out their campaigns. Many of these attacks attempt to obtain personal information to be used in future attacks, while other attacks try to capture verification numbers for multi-factor authentication in order to compromise login credentials to platforms hosting valuable data.

General Smishing Guidelines

• Do not respond to text messages from unknown senders unless you anticipated the reachout or can identify the sender. Once you reply to a smishing attempt, the attacker knows they've reached a potential victim and can continue to target your number.
  
  
• Never send personal information or login information via text message.
  
  
• Avoid clicking on unexpected links via text message.
  
  
• Report smishing and scam text messages when you identify them.

How can you report a smishing attack?

Unlike with email, there's not a one-click solution to report a spam message or suspicious actor. However, with a few steps you can send your report to the carrier, which may result in the attacker’s account(s) being suspended and making it inconvenient for them to start up the attack again.

Here's how to report an offending phone number:

1. Use a carrier lookup tool (https://freecarrierlookup.com/) to identify the underlying telecom provider and their contact email.
2. Email the telecom provider, including the reason for reporting the SMS, the scammer’s phone number, and the date and time of the unwanted SMS.
3. The telecom provider may be a wholesale provider (like Bandwidth) and may need to contact their customer to investigate. Once the investigation is completed, the providers are obligated to act. Many times, entire accounts are disconnected and suspended.

The Federal Trade Commission also recommends forwarding spam texts to 7726 ("SPAM").

On an iPhone:

1. Touch and hold down the message; once the menu pops up, select “More.”
2. Select the blue forward arrow in the bottom right
3. Enter 7726 in the To field and hit send
4. You will receive a text from 7726 asking for the address/number of the smishing text message
5. Respond with the number you received the smishing text from, and you’ll receive a “thank you” message as confirmation

On an Android device:

1. Touch and hold down the message; once the menu pops up, select “Forward Message.”
2. Enter 7726 in the To field and hit send
3. You will receive a text from 7726 asking for the address/number of the smishing text message
4. Respond with the number you received the smishing text from, and you’ll receive a “thank you” message as confirmation

Lastly, you can report fraudulent text messages directly to the Federal Trade Commission (FTC) on their Report Fraud portal. Simply click “Report Now” and select “Phone, internet, TV service,” then “Cellular or landline phone service". 

The FTC will take you through a quick questionnaire about the message, the number that sent it, and other relevant details.