Hackers are relying on smishing attempts to steal money and data more than ever. Since users believe mobile phones are more secure than computers, threat actors are more successful when they employ these attacks. Learning the top smishing examples will help you defend yourself.
The top smishing attacks include e-commerce, COVID-19, and bank-related attempts. Threat actors often impersonate officials, employees, and similar authorities to achieve their goals. Recognizing these attempts and alerting the authorities is a must.
The number of daily smishing attempts grows at the same rate as the number of mobile users. As big companies create apps for their customers, hackers start to target these devices to get what they want. For that reason, learning everything about smishing is vital.
How Does Smishing Work?
A smishing attempt is a cybersecurity attack employed by hackers via SMS. Threat actors often impersonate government officials, bank employees, and similar authority figures to create a sense of urgency in their victims.
Hackers take advantage of mobile phone vulnerabilities and overconfident users to achieve their goal, showing no sign of stopping: smishing attempts increased by 700% in 2021 alone. Since these attacks happen quickly, most users don’t realize what happened until it’s too late.
However, before explaining the most common smishing examples, you must understand what smishing is – and what smishing isn’t.
Smishing vs. Phishing
The main difference between smishing and phishing is that smishing happens via SMS and phishing via email. They’re both equally dangerous. Fortunately, the same cybersecurity best practices will help you protect yourself.
Smishing and phishing are not the only methods hackers use to steal your information and money. You could also fall prey to a vishing attempt, which happens via phone call.
Although these attacks differ in methodology, they can all do serious damage: the biggest phishing attack cost millions of dollars and caused millions in damages.
Although hackers constantly reinvent themselves and their methods, you’ll easily see through what a threat actor is doing after you acquaint yourself with basic smishing.
Key Signs of a Smishing Attempt
- An unexpected message. Most hackers instill a sense of urgency in their victims before a smishing attempt. More often than not, they do so in a simple way, such as offering a cash or gift card prize for a limited amount of time, hoping you click a link without thinking about it.
- An unlikely alert. Other common smishing attempts create a sense of urgency by employing thinly-veiled threats, such as unusual activity alerts. Common examples include fake bank messages alerting you about unusual activity that never happened.
- An unreasonable request. More often than not, hackers look to get vital information from their victims. During a smishing attempt, they’ll try to get passwords or other pieces of data from you. Remember, no bank or company will ask for such a thing over SMS.
- A suspicious number. A telltale sign of a smishing attempt is a number you don’t recognize, which indicates the smishing attempt came from someone using a VoIP service, a way of sending a text message via email.
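The four key signs above can be turned into a simple triage check for incoming texts. This is an added example, not part of the original article; the keyword lists, the known sender and domain sets, and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions (constructed): senders and domains this user already deals with.
KNOWN_SENDERS = {"+15550100"}
KNOWN_DOMAINS = {"bank.example", "parcel.example"}

URGENCY = re.compile(r"\b(urgent|immediately|limited time|winner|prize|gift card)\b", re.I)
ALERT = re.compile(r"\b(unusual activity|suspicious|suspended|locked|data breach)\b", re.I)
REQUEST = re.compile(r"\b(password|pin|card number|log ?in|verify your)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def registrable(host):
    """Naive 'last two labels' domain; enough for the constructed samples."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(sender, body):
    """Return which of the key signs a single SMS matches."""
    signs = []
    if URGENCY.search(body):
        signs.append("unexpected-message")
    if ALERT.search(body):
        signs.append("unlikely-alert")
    if REQUEST.search(body):
        signs.append("unreasonable-request")
    if sender not in KNOWN_SENDERS:
        signs.append("suspicious-number")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        # A trusted name used as a subdomain of another domain is still untrusted.
        if registrable(host) not in KNOWN_DOMAINS:
            signs.append("unknown-link:" + host)
    return signs

# Constructed sample messages, not real traffic.
SAMPLES = [
    ("+15550199", "BANK: unusual activity detected. Verify your password at "
                  "http://bank.example.secure-login.test/verify"),
    ("+15550142", "Congratulations! You are a winner of a $500 gift card. "
                  "Limited time: http://prize-claim.test/c"),
    ("+15550100", "Your parcel is on the way: https://track.parcel.example/t/AB12"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body) or "no signs")
```

The first sample shows why the link check compares the registrable domain rather than looking for a trusted name anywhere in the URL: the bank's name appears in the host, but the domain that actually receives the click is a different one.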
Top Smishing Examples
Smishing attempts follow a certain pattern you’ll easily recognize once you become familiar with the most common examples.
1. Bank Text
The most common smishing attempt comes in the form of a bank alert. It could be about a suspicious transaction, unusual activity, an unpaid loan, or anything that’ll make you jump from your chair and take action – because that’s what a threat actor hopes for.
Take a deep breath when you get a text message from your bank. If possible, contact your local branch and ask what’s going on. Never click a link in a message you haven’t requested.
Otherwise, you may end up handing your bank account to hackers.
2. Contest Win
You can tell a smishing attempt is happening when you get a text message saying you won money or a gift card in a contest you never signed up for. Unfortunately, most people fall for this because winning a prize feels great.
The main gist is this: you accept the prize, click the link, and end up with malware on your phone. You may also fill out a contact form to receive your prize, only to fall victim to data mining that could set you up for a lot of trouble.
3. Company Congratulations
An uncommon, though successful, smishing attempt requires a little background work. A threat actor will impersonate your boss and congratulate you for your work this season. The trick comes after that.
Once the threat actor impersonating your boss congratulates you, they’ll ask you for help. They send you a link to complete a job, and that’s when they’ll get something from you.
The link will redirect you to a fake site requesting you to do something as small as logging in with your work credentials – to help hackers get your user and password combination.
The message could also ask you for critical information that you shouldn’t disclose, and you may fall for it because of the sense of urgency. Contact your manager or HR directly if something like that happens.
4. Delivery Tracking
Big retailers and small e-commerce stores alike use SMS notifications when a package is on the way. When that happens, you receive a tracking URL to follow your order.
If you’re not too keen on buying stuff online, you may quickly disregard a message about a package you haven’t ordered. However, a lot of people rely on online shopping, making them the perfect victim of this smishing attempt.
For that reason, paying attention to the URL you receive on your phone is important. Disregard any message that doesn’t come through the usual channels or from the usual phone numbers.
5. IRS Notification
Few things are scarier than the taxman – threat actors know this. Most of us know we have to pay taxes, though we seldom keep up to date with the rules and regulations about the subject.
Hackers take advantage of that to send messages that appear to come from the IRS, threatening unsuspecting victims. They often cite a missed payment, late taxes, or something similar to take money from people.
Plenty of victims fall for such a thing out of ignorance. Sometimes, they do so because they prefer to pay a small sum to the IRS rather than a lot to their accountant.
It’s always better to contact your accountant when that happens.
6. Old Scams
You probably heard about the Nigerian prince locked up in jail. He needs $500 to escape prison, and he’ll deliver $50,000 for your troubles. It’s one of the oldest internet scams we know about.
These scamming attempts are too funny to be true, though people continue to fall for them. Some are not tech-savvy enough to know what’s in front of them.
Others will reply for fun, letting hackers know they have targeted an active phone number (which threat actors do to collect a database of future targets).
7. Pandemic Information
One of the latest smishing attempts includes taking advantage of the COVID-19 government response to lure victims. In this attack, threat actors leverage health or financial concerns to push victims to give up something valuable (information or money) or download malware to their phones.
Common pandemic smishing attempts include:
- An urgent message regarding contact tracing, which asks for vital information (such as a credit card number).
- An alert asking you to update your census information.
- A message about financial relief that follows up with a questionnaire.
Contact government officials regarding any possible financial relief or census before replying to any SMS.
8. Password Reset
Almost every website and app requires users to register. For that reason, you have login credentials all over the place, making it difficult to remember them all. Using a password manager will help you with that.
However, you may receive an urgent text message telling you to change your password because of a data breach or something similar. You read that SMS and quickly decide to take matters into your hands. That’s when you unsuspectingly give away your password to a threat actor.
Before changing your password because of a data breach, contact the company in question to verify that information – and change your password after accessing the site, not via a link you haven’t requested.
9. Unusual Activity
You may receive a text message addressing unusual activity on an account. It may even use a friendly tone warning you about hackers trying to get into your account, although the message is coming from the same hacker trying to do just that.
It’s difficult not to fall for such a thing, considering the biggest companies (Apple, Google, Meta, and more) use a similar system: they’ll notify you when a third party is trying to access your account. However, they’ll do so via the proper channels (e.g., Google will use their Google.com mail).
You should double-check before you do anything. If you fall for a smishing attempt, don’t panic. There’s room to maneuver.
What To Do After a Smishing Attempt?
- Disregard the message. You must not click links or download software from an SMS you haven’t requested. Chances are, you’re dealing with a smishing attempt. For that reason, you need to calm down and think clearly, no matter how urgent the issue may seem. Asking the scammer to stop contacting you is also a bad move since they are looking for active phone numbers.
- Contact the company. If the scammer is trying to impersonate a bank employee, government authority, or similar figure, contact whoever the SMS is allegedly coming from directly. In other words, call your local bank branch if you received a message that appears to be from your bank. Don’t call the number that sent you the SMS.
- Alert the authorities. You must alert the authorities once you confirm you’re dealing with a smishing attempt. Threat actors send massive amounts of SMS daily to lure as many victims as possible, so you have to help the police deal with the source of the issue.
Conclusion
Smishing attempts follow a similar pattern: a threat actor will impersonate an authority figure and try to rush their victims into doing something they shouldn’t. More often than not, hackers pretend to be government authorities, bank employees, and similar figures.