Dealing with a smishing attack
You receive a text message, commonly from your bank, telling you there’s a problem with your account, issues with making a payment or some suspicious activity. The text will contain a link for you to click or a number to call to sort out whatever the problem is. This is what is called a smishing attack.
If it’s a link, it will direct you to a fake website which will harvest your bank login information. If there’s a phone number, it won’t be your bank and the scammer on the end of the line will try to get you to reveal information such as passwords and PINs.
Fraudsters won’t just pretend to be your bank. Sometimes they’ll claim to be from an online account such as PayPal, or a service you subscribe to, such as Netflix. Fake text message scams have also been reported targeting customers of government organisations such as HMRC and the DVLA.
How to spot a smishing (text message scam) attempt
You got a text message in the first place - It is very rare that an organisation like a bank would send you a text to start a discussion on a serious issue like suspicious activity on your account. If you get a text message - and this isn’t normal - then consider it a scam.
A strange phone number - A smishing message will come from a number you haven’t seen before. It certainly will not match the official number of the person or organisation they are pretending to be. Check the number by visiting the organisations website.
The creation of a sense of urgency - Smishing messages often ask recipients to verify personal information, such as bank details or a password. They can create a sense of urgency by warning that your account has experienced suspicious activity or pretending to be someone you know who is in urgent need of financial help. These are massive warning signs. If you are ever unsure, contact the company or person using the contact details you already have for them or that are on their legitimate website. Never use any contact details or click any links provided in the text message.
Links to unrecognised website addresses - Smishing messages may ask you to click a link within the message. These URLs can be slightly misspelled or completely different to what you are expecting, so always double check before you click.
Poor spelling and grammar - You can often detect a smishing message by the way it is written. The writing style might be different to that usually used by the sender and it might contain spelling mistakes and poor grammar.
What to do if you have fallen for a smishing scam
It is very easy to fall for a smishing scam, even cyber security experts can fall for them. Don’t feel ashamed or embarrassed. The key focus once you realise you have fallen for one is acting quickly.
Take the device you were using offline - There is a chance you have malicious software on the device you used and you should turn off wireless, bluetooth or any cabled internet connections. This will limit the malicious softwares ability to work - for example sending phishing links to everyone in your email contacts.
Change your passwords - If you provided a password, clicked on a link or downloaded an attachment it is worth changing the passwords for the accounts you have used on the device. Use a different device to change your passwords, not the device that got hit.
Contact the organisation that was spoofed - Report the smishing attack to the company, whether it’s your email provider, your utility company, or your employer that the criminal impersonated. Let the company know that you changed your password, and follow their instructions for safeguarding your information and your account. If you gave out financial information, you will need to contact your bank and may need to cancel your existing card and get a new one.
Scan your devices for malicious software - Whether you downloaded an attachment or clicked on a link, it’s a good idea to scan your phone for viruses and malware. Anti-virus software can examine your phone, alerting you to any files that may have been infected. You can see our guide for finding and removing malicious software here.
Watch out for warning signs of identity theft - If you’ve revealed any financial information or other sensitive data like your bank details, you need to watch for signs of identity theft. First, keep a close eye on your bank and credit card statements, looking for any withdrawals or purchases that you didn’t authorise. You can also ask your bank to alert you of any unusual activity.
Report the crime
How to avoid falling for a smishing scam again
Be suspicious of text messages - Anyone who knows your phone number can text you and it is likely your phone number is easy to find online. Be suspicious of every text message you receive - ask yourself if the text could be a scam.
Trust your gut - Most people who fall for smishing scams had a funny feeling about the text before they clicked the link, shared the information or downloaded the attachment. If it doesn’t feel right it probably isn’t. Delete the text and check direct with the person or organisation that ‘sent’ the message.
Never provide personal information over text message - Never divulge personal information requested by text such as your password, security code or credit card number. Legitimate organisations will not ask you to do this.
Type in the website address into your browser, don’t follow text message links - Never click a link in an text message. If you receive an text from an organisation go to their website and log in there. This greatly reduced your chance of being scammed.
Check any phone numbers online before calling them - If a phone number is provided in an text message you should go to the organisations website and call their regular number.
To help people like you we rely 100% on donations from people like you.
Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organisation, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime.