What Is Smishing and How Does It Work?

Emails and fraudulent websites aren’t the only ways phishing scams occur. Smishing is yet another way criminals can deceive people into releasing sensitive information using SMS text messages. Here's what you need to know about what smishing is, how it works, and how to defend against it.

What Is Smishing?

The word smishing is actually a combination of the words SMS and phishing. Phishing is a scam that involves tricking people into giving up personal (usually financial) information. SMS stands for 'short message service' and it's basically a form of text messaging that comes with a paid cell phone service and usually has a limited maximum number of characters that can be used per message sent. And so, the combination, smishing, is essentially a phishing scam that happens via SMS text messages.

Person holding a smartphone with both hands and engaging in a text message conversation. — Tom Werner/DigitalVision/Getty Images

These phishing text messages can appear in a variety of formats, but oftentimes the intent is the same: to gain access to your personal or financial information. According to Consumer Reports, scammers who use smishing may pretend to be "government workers, tech support representatives, long-lost friends, or financial institutions."

The smishing messages can contain things like suspicious links to websites that may steal your information, phone numbers, or provide the option to download a malware-like app that "can be used to intercept messages or quietly collect personal data."

Once criminals get your personal or financial information, they can commit identify theft-related crimes like applying for multiple lines of credit in your name. They can also gain access to your online financial accounts, provided they managed to get you to give up your login information.

How to Defend Against SMS Phishing

You may not be able to block all smishing messages from reaching your phone, but you can usually prevent accidentally giving up your personal information to the scammers who use smishing. In fact, here are a few simple tips to help you do just that:

Don't bother responding to a suspicious text. Just delete the message and block the sender. In fact, according to the Federal Communications Commission (FCC), even if such a message says you should reply back with a "STOP" text if you don't want anymore messages from that number, you shouldn't do so. Refrain from replying to the suspicious message at all.
If you don't know the sender, don't click any links or call any numbers provided in the text. Such links can lead to malicious websites designed to steal your information or get you to download malware onto your device. If you want to make sure a text message is legitimate, look up the correct contact information for the company or bank in question, then contact them directly to verify they're the ones who contacted you.
Avoid downloading apps via text messages, if possible. Smishing messages may prompt you to download an app to your mobile device via a link provided in the message. As mentioned earlier, smishing messages that do this may try to get you to download a malicious app that can then be used to steal your personal information. And according to cybersecurity company Norton by Symantec, the best way to prevent this is by not downloading and installing apps from text messages. Instead, the company advises that apps should only be installed from trusted app stores.