Last update: 04/01/2023
Many people prefer online banking channels to check their bank account, get information, apply for a credit card and manage their finances. But sometimes you can get fraudulent text messages pretending to be from your bank. When that happens, it’s called “smishing”.
We use mobile phones more than any other smart device in our day-to-day lives. They put everyday things in the palm of our hand, like a torch/flashlight, a calculator and a camera, plus innovative apps such as sleep trackers (linked to a watch or another smart device) and digital wallets that hold our credit and debit cards.
As more people across the globe use them (3.8 billion smartphone users in 2021, according to Statista), they’re increasingly being targeted by cyber attacks. But the more we know about such malicious practices and the more we follow simple tips, the better we can protect ourselves online.
What is “smishing” and how can we spot it?
Smishing is a scam in which someone tries to get a user’s personal or financial information via SMS or instant messaging (on social networks) by pretending to be an entity such as a bank or a credit card company.
Messages can be fake notices about stolen passwords, deals or rewards that require a user to act fast. They have a link to a website where we’re asked to enter personal or banking details (e.g. our ID number and online banking password), download a file or install an app. To seem more credible, the website often shows the bank’s or the company’s logo, name and other trademarks.
Let's look at an actual case to understand more clearly: Guillermo is buying the week’s groceries at a supermarket close to his home. As he checks the shopping list he’s made on his phone, he gets a text message that says:
This alarms Guillermo; but instead of jumping to conclusions, he spots things that suggest it’s smishing. First, Guillermo knows his bank would never ask him for personal details or access codes in an SMS with links. And as he scans the link, he notices it neither matches his retail bank’s websites nor shows security protocols such as “https”.
He realizes it’s a cyber scam and, if he clicks on the link, a screen will pop up with a form and two fields asking for his ID number and online banking password, plus a “send” button.
How are “smishing” and “phishing” different?
Smishing fraud happens with a text message on our mobile phone. But that’s not the only channel where we can get swindled.
It’s also common on email, where the scam is known as “phishing”. Phishing is like smishing in many ways. This time let’s suppose our friend, Guillermo, is at work, emailing clients. Suddenly, he sees a new email in his inbox. It appears that a known appliance brand is contacting him because he’s won a toaster and €100. However, he hasn't entered any sweepstake.
First, he checks the sender's address and notices that it’s different from the corporate address and the brand’s name is misspelled. Then, he sees that the body of the email contains the brand’s logo and a message telling him to submit his personal and banking details within two hours of receiving the email to have the toaster and the money (in cash) sent to him.
He’s certain it’s a phishing scam. As he should, he marks the email as spam using the function provided on the toolbar of his work email and then reports it to the appliance company being imitated on its official channels.
This kind of fraud doesn’t only happen via SMSs and email. There's also “vishing”, where a cybercrook might phone Guillermo, pretending to be a colleague of his personal bank manager. Likewise, this person would try to obtain his personal and banking information by telling him to change his app password due to a suspicious charge. But the only thing Guillermo would find suspicious is the phone call because he knows his bank would never ask him to provide those details or transfer money to another account.
If you don’t recognize the sender or weren’t expecting the message, make sure the message comes from a trusted domain or a properly written address. If the message is about banking operations, perform them on your bank’s website, app or other official channels.
Don’t use the same password for different platforms. Use “passphrases” that combine three or more words to make your passwords stronger.