Be Alert to Investor Risks from SMS Phishing Scams

“Your account shows suspicious activity that might indicate potential theft. Please click the link below to check your account.” Have you, or has someone you know, received a text message like this that appears to be from a brokerage firm? Though the urgent nature of these messages might make it seem that you should take immediate action, don’t engage—chances are they’re fraudulent.
In smishing attempts such as this, scammers send unsolicited messages to targets via short message service (SMS), commonly known as text messaging. Though the term smishing comes from a combination of the words SMS and phishing, these scams can also be conducted through other messaging platforms such as iMessage, Google Messages and WhatsApp.
Smishing isn’t a new scheme. However, as targets become aware of existing schemes, fraudsters continue to evolve their tactics.
How Does Smishing Work?
Smishing attacks are designed to manipulate targets into taking an unsafe action, such as clicking a link or replying with sensitive or nonpublic personal information. The messages sent by fraudsters often urge the target to act quickly to avoid an adverse action or secure a purported benefit. In reality, if clicked or visited, the smishing link can lead to poor outcomes, including theft of your data or account login credentials, or the download of malicious software onto your device.
Many smishing attempts that pretend to be from legitimate financial institutions might include claims that fraudulent activity has been detected in your account, a transaction you requested can’t be executed, or your account has been frozen. You might even receive a text message claiming to be from an institution where you don’t maintain an account, which should be an immediate red flag that the message is fraudulent. 
Text messages don’t currently let you hover over a link to see its destination, as you can with a link in an email. This can make malicious links harder to spot in text messages than in other types of phishing attacks.
Smishing continues to grow as one of the most prominent forms of cybersecurity attacks, in large part because individuals might be more likely to click text message links than links received via email. Smishing attacks also allow scammers opportunities to conceal their identities by spoofing phone numbers using easily disposable cell phones, commonly referred to as burner phones, or through software.
As major technology companies have implemented technology solutions to help protect end-users, bad actors have evolved their tactics to get around these new safeguards. For example, some recently implemented protections automatically deactivate links from unknown sources, making them “unclickable” unless an individual takes certain actions such as responding to the message. To work around such protective measures, bad actors might now request that targets take specific steps to activate the fraudulent link, as seen in the examples shown here.
How Can I Reduce My Risk?
Consider these steps to protect yourself against smishing attacks:
- Be wary of text message requests from unknown numbers, and be very cautious about responding to messages that are unsolicited or from unfamiliar sources. One way to mitigate the threat of smishing is to delete messages from unknown senders without opening them, block the sender and report the messages as spam in the messaging app.
- If you decide to open messages from unknown senders, wait a few minutes after reviewing the messages before taking any next steps. Smishing schemes are often crafted to solicit an immediate response from the target. It’s often beneficial to pause to fully process and think through unsolicited requests from unknown numbers.
- Independently confirm websites and requests outside of messaging apps. This may include contacting financial institutions through means verified on legitimate account statements or firm websites rather than using links or information provided in the suspicious message.
- If you receive an unexpected text from a financial institution, do an internet search with the institution’s name and “text message.” This can help you see if other people are sharing stories about receiving similar messages and if the text you received has been identified as a scam.
- Enable multi-factor authentication (MFA) for your accounts. MFA uses two or more different authentication factors, such as a text message code or biometric marker, to secure your accounts more thoroughly than relying on just a password.
- Never send sensitive or nonpublic personal information (e.g., account numbers or passwords) over text messages.
- Don’t store account information on your mobile device, such as in a notes app or as a contact. This information could be compromised if a scammer obtains access to the device.
- Although it might not stop every smishing attempt, consider turning on your device’s option to block or filter text messages from unknown senders.
What Can I Do If I Suspect a Successful Smishing Attempt?
Here are some actions you may want to consider taking if you suspect your device was compromised by a successful smishing attempt:
- Report your suspicions quickly to your mobile carrier and any companies where your accounts could be at risk.
- On a separate device, change the passwords for any potentially compromised accounts.
- Contact law enforcement—such as your local police department, the FBI (Field Office or Electronic Tip Form) or, in the case of cybercrime, the Internet Crime Complaint Center—and the Federal Trade Commission (FTC).
- Lock or freeze your existing financial accounts and monitor them for any suspicious activity.
- Close any new or unauthorized accounts.
- Place a fraud alert on your credit profiles.
- Keep a detailed report of the mitigation steps you’ve taken.
In addition, if you think you’ve been a target or victim of investment fraud, file a regulatory tip with FINRA.