What Are Phishing and Smishing?
Reading time: 7 minutes
- Online scammers may use phishing and smishing tactics in an attempt to snare your personal or financial information.
- While some phishing and smishing messages are obviously sent by strangers, others may look like communications from legitimate, trusted organizations.
- It's important to learn how to evaluate a message before you click on a link or open an attachment.
Phishing and smishing are common strategies used by online scammers to steal personal and financial information. If you're one of the millions of Americans who regularly use email, text and other virtual messaging platforms, it's vital to understand and recognize signs of potential phishing and smishing attacks.
What is phishing?
Phishing messages are fraudulent communications that scammers use to trick you into clicking a link or opening an attachment that gives them access to your information or downloads malware onto your computer.
Phishing messages may look legitimate. They may come in the form of a communication that seems to be from your bank, credit card company, a company you do business with or even your employer. Others may seem to come from a familiar social networking site, an online store or an online payment website or app.
These messages may tell you there's a problem with your account or payment information, or that some suspicious activity or login attempts have taken place. They may also include a fake invoice or ask you to update or confirm personal information.
The goal of phishing is to get you to take the bait, whether that's logging in to your account directly from the message (giving hackers access to your password), clicking on a link or opening an attachment.
How to recognize phishing
While some phishing messages may obviously come from strangers, others may appear to come from an organization you know and trust. Look closely at any messages you receive and ask yourself the following:
- Do you have an account with the business that's contacting you? If so, does the email address match the address associated with your account? Did you sign up to receive email discounts from this company?
- If the message claims to be from an individual, do you know this person?
- Does the message greeting address you by name?
- Did the email come to your junk or spam folder?
- If you hover over the sender's email address and any links in the message, where do they lead and do they look legitimate?
- If there are attachments, did they come from a trusted contact and do you know what they are?
- Are there misspellings and awkward grammar throughout the message?
- Are you being asked for a payment you aren't sure you owe?
- Are you being threatened with lawsuits and penalties if you don't immediately take action?
Don't click on any links or attachments in messages if you can't verify they are legitimate. Even if the sender claims to be from a company you know and do business with, do not click on a link in the email to log in to your account; instead, go to the company's website to log in.
It's also important to know that most financial institutions and government agencies will not request personal information through emails, texts or other types of messages.
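As an added illustration of the checklist above (does the sender's address match the company's domain, where does a link really lead compared with what its text shows, and is the message using pressure language), here is a small Python checker that is not part of the original article. The domain names, the urgency word list and the sample message are constructed assumptions, and the domain comparison is deliberately simplified (last two labels only, no public-suffix list).

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
URGENCY_WORDS = ("immediately", "suspended", "verify", "lawsuit", "penalty")  # assumed word list
class LinkCollector(HTMLParser):  # collects (href, visible text) pairs: what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    parts = host.lower().split(".")  # simplification: last two labels, no public-suffix list
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(from_header, expected_domain, html_body):
    """Return warning strings for one message; an empty list means nothing was flagged."""
    warnings, expected = [], expected_domain.lower()
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()  # domain part of From
    if sender_domain != expected:  # checklist: does the address match the one on your account?
        warnings.append(f"sender domain {sender_domain!r} is not {expected!r}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue
        real = registrable_domain(target.hostname or "")
        shown = re.sub(r"^https?://", "", text).split("/")[0]  # the link text may itself look like a URL
        if "." in shown and registrable_domain(shown) != real:
            warnings.append(f"link text {shown!r} actually leads to {real!r}")
        elif real != expected:
            warnings.append(f"link leads to {real!r}, outside {expected!r}")
    found = [w for w in URGENCY_WORDS if w in html_body.lower()]
    if found:
        warnings.append("pressure language: " + ", ".join(found))
    return warnings
# Constructed sample: a lookalike sender domain and a link whose text hides its real destination.
SAMPLE_FROM = "Example Bank Security <alerts@examplebank-secure.top>"
SAMPLE_BODY = '<p>Your account is suspended. Log in immediately:</p><a href="https://login.examplebank-secure.top/x">https://www.examplebank.com/login</a>'
```

Calling `phishing_indicators(SAMPLE_FROM, "examplebank.com", SAMPLE_BODY)` flags all three problems; the mismatch between the visible link text and the real destination is the programmatic form of the hover check.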
How to help protect yourself from phishing emails
Your spam or junk mail filters may keep some phishing messages out of your inbox, but as scammers and hackers constantly try to get past those filters, you might consider some other ways to help protect yourself.
These might include:
- Use security software. Install security and anti-virus software on your computer or mobile phone and set it to update automatically as new threats arise.
- Enable multi-factor authentication. This extra step, which typically requires you to enter a one-time code sent via text or email, makes it harder for scammers to access your accounts, even if they have your username and password.
- Back up your data. In the event of a phishing attack, your data can be destroyed or encrypted. Use an external hard drive, a USB drive or cloud storage to back up your device so that you can safely recover your files.
Help! I've been phished!
If you clicked on a suspicious link or attachment and are worried about potential phishing, here are some steps you can take:
- Disconnect your device from the internet as quickly as possible. This may help reduce the risk of malware spreading to other connected devices and may prevent a hacker from remotely accessing your device.
- Scan your device with antivirus or security software. You may be able to run the scan even if you aren't connected to the internet.
- Update your passwords. If you entered any personal information, such as a password, use an uncompromised device to change that password on any affected accounts.
- Alert any relevant accounts of the breach. If you entered a credit card or bank account number, contact your credit card company or financial institution.
If you believe information such as your credit card number, Social Security number or bank account details has been compromised, visit IdentityTheft.gov to report the theft to the Federal Trade Commission (FTC) and make a recovery plan.
You might also want to consider placing a fraud alert or security freeze on your credit reports with the three nationwide consumer reporting agencies—Equifax, TransUnion and Experian.
How to report phishing emails
If you receive a phishing email or text message, you can report it and help fight phishing. Forward emails to the FTC at firstname.lastname@example.org and the global Anti-Phishing Working Group at email@example.com. You can forward text messages to SPAM (7726); standard messaging rates may apply. You can also report the phishing attempt to the FTC at ftc.gov/complaint and to the Internet Crime Complaint Center at https://www.ic3.gov.
What is smishing?
While phishing typically refers to email scams, smishing refers specifically to deceptive text messages.
Smishing scams involve contact from an unknown number, often claiming to be from a reputable business. These messages may contain a link that attempts to bait you into clicking it and entering sensitive personal information, such as login details for a secure account or other personal data.
Smishers may try to sell the information they gather from you to other scammers, or entice you to download malware onto your smart device.
How to identify a smishing attack
Smishing has become prevalent as people increasingly use their mobile phones for text messaging and other services like mobile shopping and banking. Since smishing is still relatively new compared to email scams, it catches many mobile users off guard.
Here are a few warning signs that can help you identify a smishing attack:
- The message asks you to click a link to verify personal information.
- The message asks you to provide your personal information by calling or texting the number.
- The message claims to be from a government agency. According to the Federal Communications Commission (FCC), government bodies almost never initiate contact via phone or text. If they do provide text notifications or updates, they need your permission first, which typically requires you to sign up by entering your phone number on the official government website.
What do you do if you suspect a text message might be a smishing scam?
Smishing texts are often disguised as fraud alerts or undelivered package notifications. For example, you may receive a text from an unknown number saying that a package could not be delivered. Or, some text messages say that you have a large purchase or suspicious payment on your bank account. Since many banks and package delivery services now provide text notifications, here's how you can identify potentially fraudulent messages:
- You did not make a recent purchase or request a package to be delivered. If a text message claims that your package has not been delivered or that your bank is notifying you of some sort of fraud, check your order history and your bank accounts immediately. Since you need to sign up to receive text notifications from legitimate companies, you can validate a suspicious text by confirming the contact information of the company it claims to come from.
- The text is coming from an unknown number. Legitimate companies typically send text notifications from only one number. If you are signed up for text notifications from your bank and you receive a message from a different number, check with your bank to confirm their contact information before responding to any message.
- The text redirects you to a new link or asks you to call the number. Smishing scams often entice you to click on a link or call the number. That's when scammers can manipulate you into sharing your information.
To avoid a smishing attack and lower potential risk, never click on a link or respond with your financial or personal information. If you aren't sure whether the number is legitimate, independently verify the company's contact information via a simple web search. Don't respond to a suspicious message with “STOP” or “No” to avoid future text messages; it is safer to delete the message entirely rather than engage with a potential scammer. You can then block the number to avoid future attempts at contacting you. You should also report any potential smishing scams to the FCC and FTC.