Smishing: Don’t take the bait
By now, most of us are on alert for phishing emails, where scammers try to bait us into clicking a fraudulent link, sharing personal information, or downloading malicious software. But we may not be as vigilant with smishing, which is phishing by text or chat, such as WhatsApp, Facebook, and Instagram direct messages.
The term smishing is a mashup of phishing and SMS, the acronym for short message service or what we refer to as texts. Despite the cute name, smishing is a serious threat. We tend to let our guards down when using our cell phones, and scammers are benefiting from our trust. They’re getting stealthier, too, using automation technology to send multiple smishing texts at once from undetectable email addresses or fake phone numbers.
The good news is that while it’s easy for scammers to send smishing texts, it’s also easy to avoid falling for them. You just need to know what to look for. So read on to learn how to stay safe on your mobile device.
Know how it works
Smishing texts usually try to lure you into clicking a link that leads to a malicious software download (malware) or website that looks legitimate. From there, the cybercriminals collect personal information like social security and credit card numbers, which they then sell or use to steal money or commit online fraud. Less frequently, the text message urges you to call a phone number that an imposter answers, demanding the information.
Spot the clues
If you see any of the following details in a text or chat, it might be a smishing scam.
- Requests for personal information.
- Instructions to click a link or call a number.
- Incorrect website address (URL) or phone number. Search online for the purported sender’s website address and phone number and compare it to what’s listed in the text. Even if it’s off by just one digit, it’s a red flag.
- Spelling and grammar errors.
- Texts from numbers with only a few digits, which are usually from undetectable email-to-text services and are often spam.
- Threats and urgent demands for immediate action.
Recognize common smishing scams
Here are the three smishing scams we hear about most often. There are lots of variations, but they all tap into people’s emotions to get them to take an action that ultimately leads to identity theft.
Suspicious activity on a bank account. Customers have told us they’ve received texts that look like they’re from our bank or another financial institution saying there’s been suspicious activity on their account and they need to click a link to resolve the issue right away. Other versions claim the user has been locked out of their account and, most recently, customers report receiving “CBNA Alert” texts asking them to approve or deny a payment to a well-known company like eBay or Target. In each case, the link leads to a fake website login page that looks a lot like the real one. If the user logs in, the scammers steal their login and account information.
Delivery issue. Many of us have received texts pretending to be from a well-known store or a delivery service like Home Depot or FedEx. The messages say there’s a problem with a delivery and you need to click a link to follow up, authorize, or claim a package. In reality, the link directs the user to a fake website or a malware download.
Order confirmation. People pay attention to these texts from popular brands like Apple and Amazon because they’re curious or alarmed, thinking “I didn’t order anything” or “What did I order?” They often comply with the instructions to click a link to confirm or resolve an issue with an order because they’re afraid of being wrongly charged.
Mind your dos and don’ts
It sounds counterintuitive, but the best way to avoid being scammed is to do nothing. Seriously. You’ll only be smished if you take the bait. Here’s what else to do and not to do to stay safe while texting.
- Don’t click links, download apps, call numbers, or respond to texts even if the message says to “text STOP,” because doing so confirms your number is active and makes you more susceptible to future threats.
- Don’t store your bank and credit card account information on your phone. If your phone gets compromised by malware, the information can also be compromised.
- Do delete suspicious texts.
- Do update your phone’s security apps.
- Do install anti-malware on your mobile device.
- Do use your phone’s spam filters to block spam texts and unknown callers.
- Do confirm the sender’s contact information. Search for the actual information and compare it to what’s in the text.
- Do opt for multi-factor authentication (MFA) when offered, which provides another layer of protection if your password is stolen.
- Do remember: Community Bank and most financial institutions will never text you to ask for personal information, passwords, PINs, or account numbers.
If you’re concerned about a text or think your account may have been compromised, call your local branch or our Customer Care Center at 1-866-764-8638.