The mobile high-tech threat: Smishing

Mon Apr 20, 2009 9:55AM EDT

See Comments (123)

What's the best way to disguise a phishing attempt so no one can tell where a request for personal information or a password really came from? Easy: Send it via text message.

"Smishing" is the name being given to the not-entirely-new but growing practice of sending phishing come-ons and scams via SMS message. And spammers are apparently finding it an increasingly easier proposition to text a phishing message to you rather than to email it traditionally.

Why's that? You've probably received hundreds or thousands of phishing emails and immediately saw through the ruse: Images were broken, the "from" address was wrong, words were misspelled, or links in the message were obviously directing you to phony websites. There are dozens of things that phishers have to get right for an email scam to fool anyone, and that's apparently quite difficult to do. Making things even tougher, many of those emails are now blocked by ISPs and spam filters and never make it to their intended targets.

Those problems don't really exist at the SMS level: Very few SMS messages are blocked, and since they are composed entirely of text, no images required, it's often impossible at a glance to determine if a message is real or fake.

One popular smish threatens the user that he is about to be charged for something unless he cancels it, with a message like: "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order by clicking here: phonysite.com." Of course there are no pending charges, and the site you're directed to is completely fake, its goal being to collect your credit card number (which you will helpfully enter in order to "cancel" the charges), or install a bit of malware on your computer (or even, someday, on your phone).

Smishing messages may instead direct you to call a toll-free number in order to complete or cancel some financial transaction, the only difference being that a human operator will handily take down your credit card or bank account number for you, to save you the trouble of typing it online. Of course, the number you called is phony, too.

What should you do if you receive a message you fear is a smish attack? The answer should be pretty obvious but bears repeating: Virtually no credible financial institution, utility, or other business will communicate with you via SMS with the exception of your cell phone provider. Don't recognize the website or phone number being sent to you? Don't call it. If you're worried about an upcoming charge, contact the service provider or bank directly via means you know are legitimate and ask them directly about the message. They'll likely tell you what you already know: Just ignore it.

Comments on The mobile high-tech threat: Smishing

Post a Comment

Join in the discussion. Here you'll see the comments in the order they were posted.

  • 26 Posted by timberman27 on Thu Sep 3, 2009 10:10PM EDT Report Abuse

    For crying out loud use common sense!!! I can't believe people are faling for this! We are living in a 21st cntury and by now I imagine that we would be using that common sense when it cmes down to giving out persinal info via text messaging! Are you kidding me?

  • 27 Posted by jaroslawbaran on Thu Sep 3, 2009 4:28PM EDT Report Abuse

    how stupid you have to be to answer text or cell phone message with your personal info, how stupid??????

  • 28 Posted by rnaka530 on Thu Sep 3, 2009 8:44PM EDT Report Abuse

    Wells Fargo I believe has recently implemented a "text message balance service" which I feel will become a nice target for these smishers. Be aware

  • 29 Posted by russianbossman87 on Thu Sep 3, 2009 8:56PM EDT Report Abuse

    even your search provider doesnt ask for things like that via text msg

  • 30 Posted by jzlight83 on Thu Sep 3, 2009 4:45PM EDT Report Abuse

    I just recently got one of these messages on my cell phone as well. The difference is you said ignore it unless it is a cell phone provider. The text I received stated it was cingular which of course no longer exsists. It stated that to call this 800 number. I knew it was a scam but called it anyway. It asked for my credit card information to verify it was correct. I just hit random numbers and # signs it stated thank you after entering a fax expiration date from a time that had already expired. Then it ended the call. It was a complete scam to try to get your information. Be careful.

  • 31 Posted by vickiontheweb on Thu Sep 3, 2009 10:34PM EDT Report Abuse

    If all you texters didnt have your head up your A@@, none of this could happen.

  • 32 Posted by johng19811 on Thu Sep 3, 2009 4:39PM EDT Report Abuse

    I have a question, I got an e-mail from Mr. Carrick from Microsoft award team. The email went on to tell me that I had won a award and to call this number or email this guy to verify that I am who I am so that I could get my check from the UK. Has anyone else gotten e-mails saying you have won some prise and to do this or that to get you money? I keep getting them from ALOT of diff. people and there is no way to unsubscribe what should I do? I would like it too stop, I get 3 or more a day from diff. ppl who I do not know and I cant get my email to filter it out! ANY HELP OUT THERE?

  • 33 Posted by kschwandt.rm on Thu Sep 3, 2009 4:54PM EDT Report Abuse

    It would be much easier for them to go to doctors' offices especially in MN, they dropped a page from my file that had my SS#, address, full name, and medications on the floor in a hallway where patients walk back out to the lobby, thank God I was the first one to pick it up on my way out. Privacy is a joke....

  • 34 Posted by michaelsgreene on Thu Sep 3, 2009 7:18PM EDT Report Abuse

    #17 I didn't know you could get massage service on your cellphone. Where do I sign up?

  • 35 Posted by risitaluv on Thu Sep 3, 2009 8:42PM EDT Report Abuse

    I received to texts saying something about my bank account at a credit union needing to be confirmed. I knew it wasnt true so I ignored them. The write of this is right, just ignore them knowing that now financial institution is going to send you a text message. Or call your bank instead.

  • 37 Posted by muchacho50 on Thu Sep 3, 2009 7:29PM EDT Report Abuse

    Ok I work for Bank of America and this article is not entirely true. Some credit card companies are in fact coming up with the times and texting customers that have identified contact information as a cell phone. BUT when we text them we do not ask for personal information, simply request that they call us so we can try to assist them with getting their account up to date. 9 times out 10 if you have your cell phone listed as a contact number on you account, when you call your account information will appear for the representative so you will not have to enter any sensitive information in. Bottom line, don't block all text messages, don't stop using your cell phone, simply do what makes sense. If you really feel nervous about a phone number that texts you... google it! There are plenty of sites that identify toll free numbers that call people.

  • 38 Posted by lewisamc on Thu Sep 3, 2009 6:49PM EDT Report Abuse

    Many people, likely younger people or those just generally clueless, will get scammed by this. I got some kind of text like this recently and it was obvious, at least to me, that it was some lame scam.

  • 39 Posted by gonestacmac on Thu Sep 3, 2009 4:11PM EDT Report Abuse

    why would anyone with any sense reply to a message from someone they don't know?

  • 40 Posted by nightbutterfly69 on Thu Sep 3, 2009 7:38PM EDT Report Abuse

    my bank does the balance over text if you text first, but you have to sign up, but that means this article is not entirely factual.....i still text and i just dont sign up for anything like that which is the best way not to get unwanted texts.

  • 41 Posted by jcgamer107 on Thu Sep 3, 2009 4:30PM EDT Report Abuse

    Yep, I bit on one of those a few months ago. The message (claiming to be from my bank, Flagstar) said my debit card had been deactivated and that I need to call this 800 number to reactivate it. Not thinking and wanting to take care of the "issue", I called the number and punched in my debit card # and pin # when prompted for it. Pretty embarrassing. Fortunately I got the money back, with a lesson learned: A financial institution wouldnt ever (as far as I know) contact you via text messsage, and they will never ask you to give them your credit/debit card number or pin #! Call the institution directly like it says in the article if you receive any sort of message like that. Don't be duped!

  • 43 Posted by jody_91765 on Thu Sep 3, 2009 4:38PM EDT Report Abuse

    If someone is trying to con you via text, the best way is to ignore it if you suspect it is a con or if you want to play along, give them a phony number to get back at them or if you know how... send them a virus.

  • 44 Posted by lindaisinkorea on Thu Sep 3, 2009 6:52PM EDT Report Abuse

    to ramon 461: good advice even if completly impractical. That's like saying to avoid car problems don't ever buy a car.

Post a Comment

Sign In to Post a Comment

My Tech

Please enable your browser's cookies to activate the My Tech column.

Also on Yahoo! Tech

Computers Home Office Wi-Fi & Networking Phones & PDAs Cameras & Camcorders TV & Home Theater Portable Audio
 

Site Map | Tour | Subscribe to Yahoo! Tech

Question and Answer content at Yahoo! Tech is written by Yahoo! users at Yahoo! Answers. Yahoo! does not evaluate or guarantee the accuracy of any Yahoo! Answers content. For more information, read the Full Disclaimer.

Opinions expressed by the Advisors are their own and do not necessarily reflect the views of Yahoo! Inc. Yahoo! receives no compensation from any manufacturer or distributor nor does it compensate any Advisor for the coverage of any product or service in any Advisor's content.