Text Phishing "SMiShing"
Here are a few steps to prevent text message spam:
- Delete text messages that ask you to confirm or provide personal information: Legitimate companies don’t ask for information like your account numbers or passwords by email or text.
- Don’t reply, and don’t click on links provided in the message: Links can install malware on your computer and take you to spoof sites that look real but whose purpose is to steal your information.
- Treat your personal information like cash: Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. Don’t give them out in response to a text.
- If you are an AT&T, T-Mobile, Verizon, Sprint or Bell subscriber, you can report spam texts to your carrier by copying the original message and forwarding it to the number 7726 (SPAM), free of charge.
- Review your cell phone bill for unauthorized charges, and report them to your carrier.
- To block spam messages -- but not all incoming texts from friends and family -- call your carrier’s customer service number (usually 611) and instruct them to “Block all text messages sent to you as email” and “Block all multimedia messages sent to you as email.” You also might be able to log into your account online and activate these blocks there.
- If dialing 611 or going into your phone settings online does not slow down spam, check with your mobile provider about other options to block future spam messages.
- Set up and use a free email account that’s only for things like promotions, contests, and the like. This way, you can easily segregate those messages from your personal and work correspondence.
More prevention tips:
- Attacks using verification codes to bypass 2 Factor Authentication. Be suspicious of SMS messages asking about verification codes, particularly if they you request one. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.
- Don’t fall for texts from your network which ask for details. Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
- If you see a “business” phone number in a text, it’s no guarantee it’s real.
Many SMS phishing attacks will include “toll free” numbers that look like legitimate business ones – they’re not.
- Don’t reply with “STOP” if you’re being spammed – contact your network instead. If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to cut off the emails, don’t. This will simply tell the spammers that you’re there, and they’ll intensify their attacks. Your network will be able to block SMS
from specific numbers.
- Be very suspicious of “special offers” – especially ones where you have to “act fast”.
Phishers commonly send out SMS attacks in the form of “special offers”
from big companies – such as a $1,000 gift card, where only a limited number are
available, and you have to click a link to cash in.
- High-value “special offers” that sound too good to be true usually are. If it’s your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you’re being asked to click a link.
- Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defense. It’s also worth using Google’s built-in “Verify Apps” function, which monitors apps for suspicious activity.
- Don’t fall for texts from your bank which ask for “confirmation details”.
Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won’t update their apps in this way. If you’re suspicous, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number – Google it if you don’t know – and check whether the text is from them.
- Don’t fall for warnings saying, “Your phone is infected”. Recent SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. Reputable security companies will not “push” products in this way. ESET’s Cameron Camp says, “Malware posing as security apps, also known as “scareware”, are some of the most pervasive scams on Android in recent months.”
- Don't trust caller ID. Just because your caller ID displays a phone
number or name of a legitimate company you might recognize, it doesn't guarantee
the call is really coming from that number or company.
- Register your number with the National Do Not Call registry at donotcall.gov.
Even though criminals and unscrupulous telemarketers may ignore the list, if you
are on the list and get a call from a supposed telemarketer, that could be a tip
that the offer is bogus. Most legitimate telemarketers obey the rules and laws
about contacting consumers. Also, the Website provides a place where complaints
can be filed.
- Report incidents. Report fraud to www.ftc.gov or
call (888) 382-1222. The FTC wants the number and name that appeared on the
caller ID as well as the time of day and the information talked about or heard
in a recorded message. If you think you've been a victim of a vishing attack you
can also contact, the
Internet Crime Complaint Center. File a complaint with the FCC if you receive an unwanted commercial email message sent to your mobile phone, an autodialed/prerecorded telephone voice message or an unwanted text message to your mobile phone. There is no charge for filing a complaint. Call 1-888-CALL-FCC (1-888-225-5322). For those outside the US, the following numbers can help out. In Canada report vishing or phishing attempts online at the Reporting Economic Crime Online government organization, or call 1-888-495-8501. In the UK, you should make your report directly to the bank indicated in the scam.