What is Smishing and How to Avoid it

Written by Colin Asher
Published on January 23, 2020

The psychology of smishing

The more things go mobile, the more prevalent smishing will be, so it’s important to hone your hackles to rise upon receipt of a devious text message. While people have gotten used to email spam, they are probably less likely to doubt the legitimacy of an SMS message.

    Smishers rely on your quick reaction to a message that may appear basically identical to an actual message from, for example, your bank. One tactic – or tip-off – of a fake message is the imploring of an immediate response such as “Urgent!” or “Reply now!” The less you think, of course, the better for the scammers. However, even if you give the message a good look-over, it could still fool you.

    How do smishy numbers look?

    While some smishes come from strange phone numbers, fake messages can simply use the name of a business instead of a visible number – the way many real businesses already do. One such tricky smishing scam happened in the Czech Republic with a text that really appeared to be from their postal service. Further complicating the matter is the fact that many real businesses will use a “shortcode” to send text messages. This is a small group of numbers that appears instead of a real phone number – and yes, scammers use similar brief numbers to their heart’s content. And yet even more dastardly is that sometimes the fraudulent messages can insert themselves into your existing legitimate message threads! Yes, things can get a bit bleak, but press on, heroic reader, and you’ll find ways to arm yourself with knowledge and train yourself to recognize certain tells of fake messages. 

    How a smish might occur

    Here is how an especially slippery smishing scam might go. You get a message from what appears to be your bank telling you to download their new app. You click a link inside the message, and a web page opens up that looks exactly like your bank’s website – or at least how you imagine your bank’s website would look (who can remember anyway, since things look different on mobile, and banks aren’t known for having scintillatingly memorable webpages anyway).

    So now you’re on this official-looking page that doesn’t have any raging signs of anything phishy. You are simply shown a button to download a banking app. Well, slick as this whole operation is, you might be able to spot one problem, which is that the link doesn’t show the label for the Google Play or Apple App Store. Now Apple won’t innately let you download apps that aren’t on their App Store, but Android phones are more susceptible to malware downloads. But in both cases, these stores have a careful verification process, so there’s less chance a piece of pure malware would be there (though it has happened). 

    If you’ve already clicked your way to this initial download screen, the smishers still don’t have you completely hooked – you can still slip away by not downloading the fake app. But if you do download the fake app, you can really get into some hot water. Once downloaded, that app will likely prompt you to enter your bank info – and those details are then delivered right into the hands of the hackers. Or, in the particularly nasty case of the aforementioned Czech Post smish, the newly downloaded fake app – full of juicy malware – disappeared and created an overlay to appear in the user’s other apps, prompting, yes, credit card info to be entered, and the rest is history.

    Avoid smishing with these tips

    • If the message is clearly from a number you don’t know, or a company you know you don’t have business with, don’t click on any links within. Simple, but effective. 

    • Whether you’re worried about smishing or not, an eternal rule of thumb for existing more securely on the internet is to have different passwords for different accounts. Yes, this can be annoying when you’re trying to quickly hammer in the right password, but password managers can help with that, and it pays off in the long run in the event that you do get compromised by a scam. 

    • Get AVG AntiVirus FREE, which can recognize phishing websites and prevent you from clicking your way to doom.

    • Be cautious of strange-looking numbers, but remember, as mentioned above, strange-looking numbers can still be legitimate, so really think before you click onward – and never click if you’re in doubt. Doing a quick search online for the number in question may reveal it to be a scam number. 

    • Messages containing: “Congratulations, you’re a winner!”; “Urgent!”; and “Reply now!” are not things you should ever pursue further.
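The tells in the tips above can be checked mechanically when triaging reported texts. The following Python is an added example, not part of the original article or of any AVG product; the function name `triage_sms`, the list of official store hosts and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Pressure phrases quoted in the article's tips.
PRESSURE = ("urgent!", "reply now!", "congratulations, you're a winner!")
# Assumption: the only hosts an "install our app" link should point to.
STORE_HOSTS = {"play.google.com", "apps.apple.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_sms(sender, body, known_senders=frozenset()):
    """Return the list of warning signs found in one text message."""
    flags = []
    text = body.lower().replace("\u2019", "'")  # normalise curly apostrophes
    if any(phrase in text for phrase in PRESSURE):
        flags.append("pressure-phrase")
    urls = URL_RE.findall(body)
    if sender not in known_senders:
        # A business name or shortcode shown instead of a number proves
        # nothing, so any sender the user has not verified is unknown.
        flags.append("unverified-sender")
        if urls:
            flags.append("link-from-unverified-sender")
    wants_install = re.search(r"\b(download|install|app)\b", text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if wants_install and host not in STORE_HOSTS:
            flags.append("app-link-outside-store:" + host)
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("MyBank", "Urgent! Download our new app: http://mybank-secure.example/app"),
    ("+15550100", "Running late, see you at 7"),
    ("MyBank", "Get our app at https://play.google.com/store/apps/details?id=com.example.bank"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage_sms(sender, body, known_senders={"+15550100"}))
```

An empty result only means none of these tells fired; as the article notes, a message can still fool you, and an app store link is less risky rather than risk-free.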

    There is a lot of strange phishing in today’s digital ocean. While you may get fooled, arming yourself with knowledge is a great defense.
