Security · April 21, 2022

How to Identify a Smishing Attack

If you get a text purporting to be from a reputable source that asks you to provide personal information or click a link, it might be a smishing attack. Smishing—a combination of short message service, or SMS, and phishing—aims to part you from your sensitive information, identity and money. It's catching on with scammers as the public becomes more aware of phishing strategies and cybersecurity issues in general.

But identity thieves don't give up when one well runs dry—they just move on to the next. That's why you need to learn about smishing so you can protect yourself and your assets.

What is smishing?

When you send and receive texts on your phone, you're likely using SMS for your communications. A smishing text is one that asks you to click a link or respond with sensitive data. If you click, you'll be taken to a site that's controlled by the attacker. In some cases, the site will look reputable—such as your bank's portal, a social media site or a government agency—and you'll be asked to provide sensitive data. Other times, the link will lead to malware that's designed to compromise your device.

What does a smishing attack look like?

There are several ways a scammer can create a legitimate-looking text message. For instance, a smishing text might try to frighten you into sharing information by claiming you owe money to the IRS. It might try to confuse you by claiming to be a legitimate company, such as FedEx or DHL, that's attempting to deliver a package. Some of these attacks may also try to lure you into clicking a link by claiming you've won money or a gift card from a legitimate website.

You may also receive a text that includes some information about you, such as your name and address, which may reassure you that the text is legitimate. But remember that scammers can access basic public information about you online and use it to trick you into thinking the message is from a trusted source.

How can you protect yourself from smishing?

There are several online theft-prevention strategies you can follow to make sure a smishing attack doesn't succeed.

  • Keep your phone's operating system and web browser up to date. There's a reason companies provide system updates—to stay ahead of hackers and scammers. Keeping up with these security updates can help keep smishing texts from reaching you.
  • Watch out for urgent text messages. A text that urges you to act quickly is a red flag. Scammers want you to act quickly without thinking about it.
  • Pay attention to the phone number. Illegitimate phone numbers often don't look quite right. The phone number may be formatted oddly, include unusual characters or have too few digits.
  • Don't store your credit card or account information on your phone. If this information isn't available on your phone, malware can't get to it.
  • Research before responding. A quick web search can help you determine if the text you've received is a legitimate communication from a reputable source or a smishing attempt. Google it before you click a link or respond.

Staying secure

Learning how to identify a smishing attack is an important part of keeping your identity, phone and finances secure. But it's not the only method of protecting yourself from cybersecurity threats. Understanding how to keep your personal information protected online, on your phone, and in person can help ensure that your identity and money remain your own.


A few financial insights for your life

No results found

This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.