Beware of Smishing: How to Protect Yourself from SMS Scams
- JANUARY 19TH, 2026
What Is Smishing?
Smishing, or “SMS phishing”, is a type of cyber‑fraud in which criminals send deceptive text messages to trick recipients into clicking malicious links, revealing sensitive personal or financial information, or transferring funds. The messages often impersonate trusted entities such as banks, delivery services, or government agencies to appear credible. In 2021, a Singaporean bank was hit by a wave of SMS phishing scams, resulting in 790 customers falling victim and losing a total of S$13.7 million.
Common Indicators of a Smishing Scam
1. Urgent language: for example, “Your account will be closed!” or “Act now, verification required!”
2. Suspicious links: shortened or otherwise suspicious URLs that do not match the legitimate institution’s domain. Clicking these can instantly download malware or redirect you to a fraudulent website designed to steal your credentials.
3. Unexpected messages: texts about packages you didn’t order, prizes you didn’t win, or verification codes you didn’t request.
4. Requests for sensitive information: legitimate institutions do not normally ask for PINs, one-time passwords (OTPs), or personal identifiers via SMS.
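The four indicators above can also be checked mechanically, for example in a spam filter or a help-desk triage script. The sketch below is an added example, not part of the original advisory; the institution domain, shortener list, phrase lists and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): every list below is illustrative.
OFFICIAL_DOMAINS = {"examplebank.test"}  # hypothetical institution
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENT = re.compile(r"\b(act now|will be closed|verification required)\b", re.I)
UNEXPECTED = re.compile(r"\b(package|parcel|prize|verification code)\b", re.I)
SENSITIVE = re.compile(r"\b(pin|otp|one[- ]time password|password)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Return the lower-cased hostname of a link found in a message."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed link text: treat as having no valid host
        return ""

def is_official(host):
    """Exact or subdomain match only; a substring match would accept
    look-alikes such as examplebank.test.secure-login.example."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def indicators(text):
    """Return the sorted names of the advisory's indicators present in text."""
    found = set()
    if URGENT.search(text):
        found.add("urgent_language")
    if UNEXPECTED.search(text):
        found.add("unexpected_message")
    if SENSITIVE.search(text):
        found.add("sensitive_request")
    for match in URL.finditer(text):
        host = host_of(match.group(0).rstrip(".,;:!?)"))
        if host in SHORTENERS:
            found.add("shortened_link")
        elif not is_official(host):
            found.add("non_official_link")
    return sorted(found)

# Constructed sample messages, not real SMS traffic.
SAMPLES = [
    "ExampleBank: Your account will be closed! Act now, verification "
    "required: http://examplebank.test.secure-login.example/verify",
    "You won a prize! Claim at bit.ly/3xAbC and reply with your OTP.",
    "ExampleBank: your statement is ready. Log in at https://www.examplebank.test/login.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(indicators(sms), "<-", sms)
```

Keyword lists like these miss reworded messages, so a match is a reason to verify through official channels, not proof either way.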
How to Protect Yourself
1. Don’t click unfamiliar links. Pause and verify first.
2. Don’t reply to suspicious texts. Responding confirms your number is active.
3. Verify with official channels: Contact your bank, delivery service, or government agency through official websites or phone numbers, not the ones in the text.
4. Enable security features: multi-factor authentication (MFA), spam filters, and phone security settings.
If You’ve Been Targeted
1. Don’t engage with the message.
2. Block the sender.
3. Change passwords if you entered them.
4. Monitor bank accounts and credit reports.
If You Clicked a Link
1. Disconnect from Wi-Fi or mobile data.
2. Run a security scan on your device.
3. Contact your bank if financial info was entered, and freeze your credit if personal identifiers (SSN, etc.) were shared.
Individual alertness is the first step, but manual spotting isn’t always enough. You can run simulated phishing campaigns to help your team practice identifying these scams in a safe environment before a real attack occurs.