What is Smishing?
Smishing is a form of cybercrime using social engineering similar to phishing, but via text messages. The name derives from “SMS phishing” and uses the same techniques to bait you into divulging your personal information. Smishing is a growing threat to mobile users.
Most smishing messages contain a sense of urgency, as is common with social engineering. Messages may ask for your ‘immediate attention’ for something (even a price), ask you to confirm an order/purchase, or claim that your bank account / credit card has been suspended unless you take action. All of these messages will hook you into giving away some sort of personal information, usually financial information. In some cases, simply visiting a link will download viruses/malware onto your phone, which could disclose any information you have stored on it.
It can be hard to spot smishing attacks when you are directed to legitimate-looking websites or official-sounding voice systems. However, just like with phishing attacks, know that financial institutions will never request this information via a text message.
Cal Poly will never ask for your password via email, phone or a non-calpoly.edu web form. All password changes are handled through the Cal Poly Portal. If your account has been compromised, ITS will change your password immediately and then contact you regarding next steps. If you are not contacted but you know or think you responded to a smishing text, use the Cal Poly Portal to change your password and questions and then notify firstname.lastname@example.org.
What is the threat from smishing texts?
- Identity theft
- Credit card fraud
- Stolen bank information - loss of $$
- Damage to individual's good credit
- Access to protected Cal Poly information could cause a security breach
- Damage to Cal Poly's reputation
What to do if you receive a smishing text message?
- Never click on links in an unsolicited text message
- Never respond to unsolicited text messages
- Don’t take action on messages that require you to ‘confirm’ or ‘do’ anything
- If you receive an unusual link from someone you know, check with them to make sure they sent it
- Adding your phone number to the Do Not Call Registry can help reduce some unwanted spam, but is not likely to protect you from scammers
- Do not display your mobile phone number in public (or on the Internet)
- Check with your mobile service provider about options to block future text messages from select senders
- File a complaint with the FTC if you receive messages from an unwanted / unsolicited source
- Don’t reply with ‘Stop’ – the message is not from a mobile premium service. Replying will only confirm your details to scammers and put you on a ‘target list’.
- If you do click on a link by mistake, exit immediately. Do not fill out forms or attempt to contact anyone.
- Consider an antivirus / anti-malware software solution for your smartphone
- If you receive a generic text message from an unknown source that sounds like it’s from a friend – it may not be. This could be an initial ‘hook’.
- Look up the phone number online to see if it is legitimate. It’s best to also look up the bank or institution (if applicable) to verify the number on their site, since a scammer could put up a real-looking website with that number listed.