Vishing and SMiShing - Text message safety



You receive a text message or an automated phone call on your cell phone that is designed to alert you to a problem with one of your accounts. You're given a phone number to call or a website to log into and asked to provide personally identifiable information--like a bank account number, PIN, or credit card number--to fix the problem.

But beware:  It could be a "smishing" or "vishing" scam...and criminals on the other end of the phone or website could be attempting to collect your personal information in order to help themselves to your money. While most cyber scams target your computer, smishing and vishing scams target your home and mobile phones.


Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain a URL or phone number. The phone number often has an automated voice response system. And again, just like phishing, the smishing message usually asks for your immediate attention. In many cases, the smishing message will come from a "5000" number instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.

Sometimes, if a victim logs onto a phony website with a smartphone, they could also end up downloading malicious software that could give criminals access to anything on the phone. With the growth of mobile banking and the ability to conduct financial transactions online, smishing and vishing attacks may become even more attractive and lucrative for cyber criminals.


Criminals set up an automated dialing system to text or call people in a particular region or area code (or sometimes they use stolen customer phone numbers from banks or credit unions). The victims receive messages like: "There's a problem with your account," or "Your ATM card needs to be reactivated," and are directed to a phone number or website asking for personal information. Armed with that information, criminals can steal from victims' bank accounts, charge purchases on their charge cards, create a phony ATM card, etc.

The typical vishing scam makes use of Voice over Internet Protocol (VoIP), which lets people place calls over an Internet connection and can dial many numbers at the same time. Scammers may work from a list of regional phone numbers or even from a phone book, but what they mainly do is call everyone they can and leave an automated message saying the person’s credit card or bank account has been compromised, depleted or closed. When this process is done by email it’s called phishing, instead of vishing.

People who are left a message are given instructions to call a number to get more information about this alleged compromise. Scammers often use toll free numbers for this purpose and may even have, for people with caller ID, the legitimate name of the company that is supposedly calling. When people call the number, they’re instructed to dial in their credit card number or bank account number, and even sometimes information like personal identification numbers (PINs), or their social security number. Once this information is obtained, callers may speak to a person posing as a “representative” or they may never get to a representative, and are placed on hold. Meanwhile, the damage is done and the scammers may then use information to steal money or credit card numbers.

What can you do to protect yourself? 

Essentially, it’s pretty easy to avoid a vishing scam or one conducted by email, and now commonly through text messaging on cell phones. Instead of calling the number listed, look up the telephone number for your bank or credit card company and call that number instead. If you’re being vished, a bank or credit card company can tell you this immediately by letting you know that there has been no illegal activity on your account or any security compromise of your account. These scams can seem very real though, because they often contain warnings about not divulging your personal information, which may make a potential target feel the company calling, texting or emailing is protecting his/her interests.

Be aware. Consumers need to know that these scams exist. To find out more information, go to the FTC Website.

Don’t fall for texts from your network which ask for details.  Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).

If you see a “business” phone number in a text, it’s no guarantee it’s real.  Many SMS phishing attacks will include “toll free” numbers that look like legitimate business ones – they’re not. Cybercriminals can set up these numbers easily and cheaply, and if you phone the number, you’ll usually be asked to “confirm” details – handing them over to the fraudsters.

Don’t reply with “STOP” if you’re being spammed – contact your network instead.  If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to cut off the messages, don’t. This will simply tell the spammers that you’re there, and they’ll intensify their attacks. Your network will be able to block SMS from specific numbers.

Be very suspicious of  “special offers” – especially ones where you have to “act fast”.  Phishers commonly send out SMS attacks in the form of “special offers” from big companies – such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in.

High-value “special offers” that sound too good to be true usually are. If it’s your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you’re being asked to click a link.

Set your phone to block apps from unknown sources.  Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defence. It’s also worth using Google’s built-in “Verify Apps” function, which monitors apps for suspicious activity.

Don’t fall for texts from your bank which ask for “confirmation details”.  Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won’t update their apps in this way. If you’re suspicious, don’t click links, and don’t call any numbers in the text. Instead, call your bank on its “normal” number – Google it if you don’t know – and check whether the text is from them.

If you’re an Android user, protect your phone with an antivirus app.  Google’s own Verify Apps function is a useful first line of defence – and Android users should turn it on. Security apps such as ESET’s Mobile Security and Antivirus add a few extra layers of defense, blocking known phishing attacks – and scanning all apps on your phone for malicious activity in real time. You can also block specific numbers from texting you – or block all unknown senders.

Don’t fall for warnings saying, “Your phone is infected”.  Recent SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. Reputable security companies will not “push” products in this way. ESET’s Cameron Camp says, “Malware posing as security apps, also known as “scareware”, are some of the most pervasive scams on Android in recent months.”
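The warning signs described above for text messages (a link or toll-free callback number, a request to confirm details, urgency, "special offers", "infected" alerts, "STOP" instructions, and a "5000" or email sender) can be expressed as a simple scoring check. This is an added example, not part of the original article; the patterns, weights, threshold and sample messages are constructed assumptions.

```python
import re

# Indicators drawn from the advice on this page. The regexes, weights and
# threshold are illustrative assumptions, not a vetted rule set.
INDICATORS = {
    "link": (re.compile(r"https?://|www\.", re.I), 2),
    # Toll-free callback number (North American 8xx prefixes).
    "callback_number": (re.compile(
        r"(?<!\d)(?:1[-. ]?)?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), 2),
    # A verification verb followed later by the thing to be "verified".
    "asks_for_details": (re.compile(
        r"\b(confirm|verify|reactivat\w*|update)\b.*"
        r"\b(account|card|details|password|pin)\b", re.I), 3),
    "urgency": (re.compile(
        r"\b(immediately|urgent|act fast|act now|suspended)\b", re.I), 1),
    "special_offer": (re.compile(
        r"\b(gift card|you have won|special offer)\b", re.I), 2),
    "infected_warning": (re.compile(r"\b(phone|device) is infected\b", re.I), 3),
    "reply_stop": (re.compile(r"\b(text|reply)\b.{0,12}\bstop\b", re.I), 1),
}

def triage(sender, body):
    """Return (score, sorted indicator names) for one text message."""
    hits = [name for name, (pat, _) in INDICATORS.items() if pat.search(body)]
    score = sum(INDICATORS[name][1] for name in hits)
    # A "5000" or email-address sender suggests an email-to-SMS gateway.
    if sender.strip() == "5000" or "@" in sender:
        hits.append("email_gateway_sender")
        score += 2
    return score, sorted(hits)

def is_suspicious(sender, body, threshold=4):
    return triage(sender, body)[0] >= threshold

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("5000", "ALERT: Your ATM card needs to be reactivated. "
             "Call 1-888-555-0100 immediately to verify your account."),
    ("+15555550123", "Congrats! You have won a $1,000 gift card. "
                     "Only 50 left, act fast: http://prize.example/claim"),
    ("+15555550199", "Running late, see you at 6. Bring the card game?"),
    ("Network", "Welcome abroad. Data roaming costs 5.00 per MB. "
                "See www.carrier.example/roaming"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(is_suspicious(sender, body), *triage(sender, body))
```

A score below the threshold does not make a message safe; the roaming notice scores low only because a link alone is weak evidence.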

Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking for personal information. And some experts suggest letting all calls from unknown callers go to voicemail.

Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company.

Ask questions. If someone is trying to sell you something or asking for your personal or financial information, ask them to identify who they work for, and then check them out to see if they are legitimate.

Call them back. Again if someone is selling you something or asking for information, tell them you will call them back and then either verify the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card. Never provide credit card information or other private information to anyone who calls you.

Register your number with the National Do Not Call registry at Even though criminals and unscrupulous telemarketers may ignore the list, if you are on the list and get a call from a supposed telemarketer, that could be a tip that the offer is bogus. Most legitimate telemarketers obey the rules and laws about contacting consumers. Also, the Website provides a place where complaints can be filed.

Report incidents. Report vishing calls to or call (888) 382-1222. The FTC wants the number and name that appeared on the caller ID as well as the time of day and the information talked about or heard in a recorded message. If you think you've been a victim of a vishing attack you can also contact the Internet Crime Complaint Center.

For those outside the US, the following numbers can help out. In Canada report vishing or phishing attempts online at the Reporting Economic Crime Online government organization, or call 1-888-495-8501. In the UK, you should make your report directly to the bank indicated in the scam.

eFraud Prevention™, LLC