Skip to main content Skip to main menu Skip to footer

Vishing and SMiShing - Text message safety

Vishing and SMiShing - Text message safety

Decrease Text Size Increase Text Size

Page Article

You receive a text message or an automated phone call on your cell phone that is designed to alert you to a problem with one of your accounts. You're given a phone number to call or a website to log into and asked to provide personal identifiable information--like a bank account number, PIN, or credit card number--to fix the problem.

But beware:  It could be a "smishing" or "vishing" scam...and criminals on the other end of the phone or website could be attempting to collect your personal information in order to help themselves to your money. While most cyber scams target your computer, smishing and vishing scams target your home and mobile phones.


Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain an URL or phone number. The phone number often has an automated voice response system. And again just like phishing, the smishing message usually asks for your immediate attention.  

Sometimes, if a victim logs onto a phony website with a smartphone, they could also end up downloading malicious software that could give criminals access to anything on the phone. With the growth of mobile banking and the ability to conduct financial transactions online, smishing and vishing attacks may become even more attractive and lucrative for cybercriminals.


Criminals set up an automated dialing system to text or call people in a particular region or area code (or sometimes they use stolen customer phone numbers from banks or credit unions). The victims receive messages like: "There's a problem with your account," or "Your ATM card needs to be reactivated," and are directed to a phone number or website asking for personal information. Armed with that information, criminals can steal from victims' bank accounts, charge purchases on their charge cards, create phony ATM cards, etc.

The typical vishing scam makes use of Voice over Internet Protocol (VoIP), which allows people to talk over their computer lines, and can allow for dialing multiple numbers at the same time. Scammers may work from a list of regional phone numbers or even from a phone book, but what they mainly do is call everyone they can and leave an automated message saying the person’s credit card or bank account has been compromised, depleted or closed. When this process is done by email it’s called phishing, instead of vishing.

People who have left a message are given instructions to call a number to get more information about this alleged compromise. Scammers often use toll-free numbers for this purpose and may even have, for people with caller ID, the legitimate name of the company that is supposedly calling. When people call the number, they’re instructed to dial in their credit card number or bank account number, and even sometimes information like personal identification numbers (PINs), or their social security number. Once this information is obtained, callers may speak to a person posing as a “representative” or they may never get to a representative and are placed on hold. Meanwhile, the damage is done and the scammers may then use the information to steal money or credit card numbers.

What can you do to protect yourself? 

Essentially, it’s pretty easy to avoid a vishing scam or one conducted by email, and now commonly through text messaging on cell phones. Instead of calling the number listed, look up your bank account telephone number or your credit card phone number and call that number instead. If you’re being vished, a bank or credit card company can tell you this immediately by letting you know that there has been no illegal activity on your account or any security compromise of your account. These scams can seem very real though because they often contain warnings about not divulging your personal information, which may make a potential target feel the company calling, texting, or emailing is protecting his/her interests.

  • Be aware. Consumers need to know that these scams exist. T
  • Don’t fall for texts from your network which ask for details.  Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
  • If you see a “business” phone number in a text, it’s no guarantee it’s real.  Many SMS phishing attacks will include “toll-free” numbers that look like legitimate business ones – they’re not. Cybercriminals can set up these numbers easily and cheaply, and if you phone the number, you’ll usually be asked to “confirm” details – handing them over to the fraudsters.
  • Don’t reply with “STOP” if you’re being spammed – contact your network instead.  If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to cut off the emails, don’t. This will simply tell the spammers that you’re there, and they’ll intensify their attacks. Your network will be able to block SMS from specific numbers.
  • Be very suspicious of  “special offers” – especially ones where you have to “act fast”.  Phishers commonly send out SMS attacks in the form of “special offers” from big companies – such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in.
  • Set your phone to block apps from unknown sources.  Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defense. 
  • Don’t fall for texts from your financial institution which ask for “confirmation details”.  Your financial institution may well text you – for instance to confirm a transaction on PC – but text messages from your financial institution will not, ever, ask you to confirm details, or for passwords. financial institutions also won’t update their apps in this way. If you’re suspicious, don’t click links, and don’t call any numbers in the text. Instead, call your financial institution on its “normal” number and check whether the text is from them.
  • Don’t fall for warnings saying, “Your phone is infected”.  SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. 
  • Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking for personal information. And some experts suggest letting all calls from unknown callers go to voicemail.
  • Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company.
  • Ask questions. If someone is trying to sell you something or asking for your personal or financial information, ask them to identify who they work for, and then check them out to see if they are legitimate.
  • Call them back. Again if someone is selling you something or asking for information, tell them you will call them back and then either verify the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card. Never provide credit card information or other private information to anyone who calls you.

Reporting Text Scams Here

Related Topics


Page Footer has no content