What’s smishing? How to spot the latest texting scams

Person’s hands at a desk looking at a mobile phone.
« Return to Learn

Few things are certain in life, especially now that we’ve entered a digital age of rapid change. One of those certainties is that whatever new forms of communication we invent, social engineers will find a way to exploit them to try and steal your identity. 

Many consumers have already caught on to phishing scams, which use emails that appear to be from reputable sources to trick you into giving up sensitive information. Folks are also becoming more aware of vishing, or the use of voice calls to do the same. As these avenues become less effective for cyber thieves, many are turning to text messages instead. 

Smishing — a term that combines “phishing” with short message service or SMS (commonly known as text messages) — is the latest frontier for identity theft. It’s particularly effective because people are more likely to trust text messages than other forms of communication. According to Gartner, users read 98% of text messages and respond to 45%. 

Reports of smishing have skyrocketed recently, increasing by more than 300% within the past two years. If you have a phone that receives text messages, you’ve likely already been the target of more than one smishing scam. Keep reading to find out what you need to know about smishing, how to spot it and how to protect yourself. 

How smishing scams work 

If you know what smishing texts look like, they’re easy to spot. Here’s how the basic scam works: 

  1. A hacker sends you a text message using social engineering tactics to make you think it’s legitimate. For example, the text may appear to come from your financial institution, your phone provider, a charitable organization or even someone you know personally. 

  1. The text encourages you to click on an infected link or call a “customer service” hotline and provide them with your personal information such as usernames, passwords, emails, etc. 

  1. The hacker uses your information to commit fraud or sells the stolen data on the dark web. 

We reached out to OCCU’s Information Security Manager, Jessa Womack to get more expert details on what smishing is and steps you can take to validate if a message is legitimate. Here’s what we learned: 

“Most smishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly; your card is being shut off, fraud charges are pending, etc.  The messages usually include a link to click that will then ask you for credentials (which then the malicious actor uses against you),” says Womack.  

How to avoid falling for a smishing scam 

The key to sidestepping a smishing scam is to stay alert to the tactics listed above and refuse to respond to any texts that meet these criteria.  

“If you’re unsure whether the message is legitimate, take a deep breath and call or visit the site or service in question manually — ideally, typing the company’s exact URL. Be cautious of Google searching the company and clicking a potentially spoofed ad or typo-squatted webpage. The key is to reach out to the company from another source, outside of the phone numbers or links provided in the suspicious message, to validate its legitimacy,” says Womack. 

Here are the few things you should always keep in mind when reading or responding to text messages: 

  • OCCU will never contact you via text message and ask you to provide sensitive financial or login information. In fact, you can safely assume that no reputable financial institution, organization or service provider would ever do so. This is an essential security policy that all responsible organizations share precisely for the purpose of protecting you and your identity. 

  • When in doubt, go straight to the source. Do not respond to the text message. Instead, call the person or organization the text appears to have originated from, and ask them whether it’s legitimate. It’s probably not. 

  • Do not respond to, or click on links from, anyone you don’t know. 

What to do if you’ve been scammed 

If you’re involved in a smishing scam, the first thing you need to do is give yourself a break. It’s not your fault — we all get caught unaware sometimes. The next thing you need to do is report it immediately. Contact your financial institution right away and ask about canceling fraudulent transactions and blocking future charges. 

“If you are concerned that you’ve fallen victim to a social engineer using smishing methods, don’t be embarrassed!” says OCCU Leadership team member Matthew Wilson, VP of Risk and Administration. “Get on the phone with your financial institutions and let them know so that we can all assist in monitoring your accounts for fraudulent transactions.” 

The next step is to consider freezing your credit reports and notifying the Internet Crime Complaint Center (IC3), he adds. 

Finally, if you realize you’ve accidentally provided financial information to a fraudster, don’t hesitate to come to us for help. OCCU has your back. Our security team will help you navigate the situation with compassion and understanding while working with you to minimize damages and recover from identity theft. 

Above all, it’s time to start being as wary of text messages as you are of email and phone spam. Social engineers may be clever, but they’re not that hard to spot if you stay on the lookout. Stay safe out there! 

Important member security tip: OCCU does not send emails or text messages or make unsolicited phone calls that ask you to give personal information like PIN numbers or digital banking passwords. If you are ever in doubt, please don’t hesitate to report suspicious activity to our team or contact us. We’re here to help and keep our members safe.