By now, you’ve surely gotten at least one: an unexpected SMS message carrying a tiny link just begging to be clicked on. Do so and you might be handing cyber thieves valuable information they can use to swipe your bank account balance, fake your identity or even track your whereabouts.
Dubbed smishing, a contraction of SMS and phishing, some texts are clearly spammy. They tout obvious bait such as energy-boosting supplements, cash prizes from major retailers or CBD gummies in new flavors. Some are more subtle, masquerading as COVID test results, shipping notifications or alerts for online payments that didn’t go through. Either way, they’re dangerous and getting more popular with cybercriminals.
“No, it’s not just you,” says Josh Yavor, who runs information security at Tessian, a cybersecurity company specializing in phishing. “Personally and within the people I talk to, I’ve noticed an uptick, too.”
The vast majority of phishing attacks — attempts to grab personal data from unsuspecting consumers — still come by way of email. Cybercriminals, however, are increasingly taking advantage of distracted consumers who are rarely without their smartphones to bilk people out of their logins and passwords, credit card or other financial information, or even access to their corporate networks.
Criminals are also taking advantage of a relatively new approach to swiping data. Consumers have used email a lot longer than they have used SMS, giving security professionals plenty of experience securing devices and software, Yavor says.
“We are in a situation here where SMS is inherently more dangerous,” he says, because the texting world is far behind the emailing world. “It’s hard to empower and protect our users and consumers in the same way.”
According to the phishing-protection company Proofpoint, the number of reported smishing incidents increased 24% last year in the US and 69% globally. Meanwhile, the Federal Trade Commission reports that scam texts cost US consumers $131 million last year, up from $86 million in 2020, and accounted for 21% of all reported fraud.
More recently, Proofpoint detected a five-fold jump in mobile malware attacks in Europe starting in February. Those attacks included smishing attempts, as well as attacks in which malware was sent directly to devices through a malicious app.
Ryan Kalember, head of cybersecurity strategy for Proofpoint, says the malware being spread through the recent attacks is particularly concerning because it’s capable of recording audio and video, tracking a user’s location, and destroying content.
While researchers originally spotted the spike in the malware in Europe, Kalember says it’s only a matter of time before it hits the US. He predicts that attacks will rise here as the November elections draw closer.
Proofpoint researchers note that smishing is becoming the attack method of choice for cybercriminals looking to compromise mobile devices, especially Apple’s iPhones. Recently, Pegasus, one of the most powerful pieces of spyware ever developed, was first able to worm its way into the phones of countless government officials, journalists and human rights activists after they clicked on a malicious link in a text message or email.
Malware delivered by malicious apps also can compromise a phone, but security improvements to the app stores of both Apple and Google have made that significantly harder. In addition, iPhones are further protected by Apple’s ban on the sideloading of apps from sources other than its official app store. Google doesn’t impose similar restrictions on Android phones.
Meanwhile, Tessian’s Yavor says consumers are more apt to fall for smishing than email phishing. With so little information displayed in an SMS message, it can be hard to tell whether a message is coming from a favorite retailer or an attacker trying to impersonate them.
Short codes, the five- or six-digit numbers often used by businesses in place of a conventional phone number to send texts, can be readily bought and will mask where a text is coming from, he says. If a link within a text is shortened — a common practice — it could hide a full URL the recipient might otherwise realize is fake.
The small size of a smartphone also helps cybercriminals. Consumers might not notice when a link leads to a spoofed banking or shopping site because of the tiny screen, enticing them to unwittingly hand over their personal or financial information.
Yavor says wireless carriers and SMS app makers aren’t doing enough to educate consumers or add protective tech. Unlike email, which usually has a “report spam” button, SMS has no real equivalent. Sure, users can report smishing by forwarding the messages to 7726 (SPAM), he says, adding that most people don’t actually know about that number.
T-Mobile and Verizon said in statements that they constantly update their filters as they detect spam attacks. They urged customers to both be cautious when dealing with unexpected messages and to report potential scam and spam.
AT&T said in a statement to CNET that it uses “patented, automated protections” to help block spam messages, adding that it’s seen a recent decline in spam on its network as it continues to boost its defenses but didn’t quantify that statement with specific numbers.
SMS message tips
Be on the lookout for suspicious messages. Don’t click the links inside a suspicious text or otherwise engage the sender. Instead, report the message by forwarding it to 7726 (SPAM). If you think a link might be legitimate, go directly to the company’s website instead of clicking on the included link.
Don’t mess with the scammers. Some people like to mess with the people behind the scams by texting them back and leading them on. This is a very bad idea. If nothing else, it lets the scammer know that you’re a real person. But don’t worry if you open up a scam text on your phone. Unless you click on a link or download an attachment, you’re not in danger of being hacked.
Think before you hand over your number. Retailers and other companies love to collect them, but do they really need yours? Like your email addresses, if your phone number is in a company database that gets hacked, it’ll likely end up sold to cybercriminals for use in these kinds of attacks. Just like the rest of your personal information, the fewer people who have it, the better.
Keep your private info private. Never provide personal or financial information in response to an SMS request.
Don’t sideload. Stick with apps from your phone’s official app store. The Apple or Google stores aren’t perfect, but they do vet the apps in them for security and privacy.
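The warning signs the article lists (short-code senders whose origin can't be verified, shortened links that hide the real destination, and the usual lures) can be turned into a simple triage rule. The following is an added example, not code from the article or from Tessian or Proofpoint; the shortener list, lure words and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed, deliberately small lists; a real filter would use a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
SHORT_CODE_RE = re.compile(r"^\d{5,6}$")          # five- or six-digit short code
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(package|delivery|payment|declined|prize|won|verify|suspended|covid)\b",
    re.IGNORECASE,
)


def extract_urls(body):
    """Pull links out of the message body, adding a scheme so urlparse sees a host."""
    urls = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def score_sms(sender, body):
    """Return (score, reasons) for one message; higher means more suspicious."""
    reasons = []
    if SHORT_CODE_RE.match(sender):
        reasons.append("sender is a short code; origin cannot be verified")
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened link hides the real destination ({host})")
        elif host:
            reasons.append(f"link present; visit {host} directly rather than tapping it")
    if LURE_RE.search(body):
        reasons.append("body uses a common smishing lure")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return the (sender, body) pairs whose score reaches the threshold."""
    return [(s, b) for s, b in messages if score_sms(s, b)[0] >= threshold]


# Constructed sample messages: one smishing lure, one ordinary text, one retailer notice.
SAMPLE_MESSAGES = [
    ("78221", "USPS: your package could not be delivered. Update your address: bit.ly/xyz123"),
    ("+15551234567", "Hey, are we still on for lunch tomorrow?"),
    ("Example Shop", "Your order has shipped: https://www.example.com/orders"),
]
```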