Guest Post by Kayla Matthews
Don't let the funny name fool you. The identity theft tactic known as "smishing" is anything but cute. In fact, it's one of the most personal, invasive and, unfortunately, effective ways to separate somebody from their important information.
“Smishing” sounds a little like “phishing.” So what makes them different?
Phishing is where an unscrupulous individual attempts to trick somebody else into giving up their account credentials, financial information, or another piece of sensitive personal information. Hackers make these attempts using spam emails, fake (but convincing-looking) websites, social media messaging, instant messages and other communication tools.
In phishing and smishing alike, the targeted information typically includes credit card numbers, bank account numbers, Social Security numbers, home addresses, and usernames and passwords for online accounts.
Smishing is considered distinct from phishing because it specifically uses SMS and text messages to get in touch with the targeted individual. It earned a name of its own, not to mention increasing media and industry attention, because people tend to take these types of messages more seriously and are more likely to trust and respond to them.
Smishing is a textbook case of social engineering, which itself is a consequence of unsecured technologies like email and regulators’ sluggish response to epidemic levels of spam and robocalls. Social engineering is about capturing somebody else’s information for personal gain or conditioning that person to take a desired action later on.
The Facebook-Cambridge Analytica scandal uncovered a social engineering campaign designed to identify people’s political leanings and then serve them personalized ads designed to either reinforce their biases or compromise their convictions.
Most phishing and smishing attempts have a more obvious financial incentive for the party carrying out the deception. Once the fraudsters have the desired information, they can apply for new credit cards in the victim’s name or commit other types of fraud — including mail identity theft, driver’s license identity theft, account takeovers, tax identity theft, child identity theft, health insurance fraud, and many others.
Smishing preys on the politically motivated as well, plus individuals in other social circles:
Ultimately, the best victims for smishing and identity theft are people who are technologically illiterate and potentially lonely or disillusioned. In 2016, 37 percent of seniors in the U.S. reported experiencing some form of fraud. One-fifth of these cases concerned identity theft.
Once the fraudster has made contact, they’ll use all the persuasive language they can muster to convince the other party to give up the desired information.
Cases of identity theft declined slightly in 2018 after peaking in 2017. Even so, a 2019 identity theft study found that 14.4 million Americans fell victim to some form of identity fraud in 2018.
According to the Federal Trade Commission, one-quarter of identity theft and fraud cases in 2018 involved the loss of money. In total, U.S. consumers lost around $1.48 billion due to fraud and the cost of recovering from fraud.
As far as smishing goes, the FTC received complaints of more than 93,300 unwanted text messages in 2018, indicating a 30 percent increase since 2017. As many are fond of saying, the text message is “the new phone call” — and according to tech and cybersecurity experts, criminals are changing their tactics accordingly.
The seductive nature of smishing campaigns, and how best to protect oneself, is best understood with examples. Here’s what to look for:
Fifth Third Bank had to warn customers in three states in 2018 after smishing campaigns made off with around $68,000 from 125 of their customers. In this case, the combination of successful smishing attempts and new “cardless ATMs” — a convenient but perhaps ill-advised feature for legitimate customers — was a recipe for disaster.
There are a few steps to take if you believe you’re being targeted by a professional “smisher”:
Never respond to requests for personal information received over digital communication channels. Never click on any hyperlinks in a message if it’s from a sender you don’t know or don’t trust. Never install an application through a hyperlink you received in a suspicious message.
If somebody contacts you claiming to represent a bank or another company you have a relationship with, hang up immediately. Find the official phone number for the company and call them yourself. Tell them what happened and why you’re concerned. They’ll either confirm it was them or help you get to the bottom of the fraud attempt.
Be suspicious of messages that claim a sense of urgency or that use overly friendly language. Many smishing attempts may also have telltale spelling and grammar errors that give them away. If you do receive a suspicious text from a number you don’t recognize, delete it immediately and block the number.
Finally, remember to report the incident to the FTC and to the FCC. Common sense can get you out of even the ugliest smishing attempts, but bringing justice to those responsible requires collective action.
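The warning signs listed above (unknown sender, hyperlinks, requests for personal information, urgency, overly friendly language, app installs via a link) can be written down as a simple rule-based triage for incoming texts. This is an added example, not part of the original post; the keyword lists, the score thresholds and the sample messages are constructed assumptions.

```python
import re

# Keyword lists are illustrative assumptions, not a vetted detection ruleset.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S+", re.I)
PII_RE = re.compile(r"\b(?:password|passcode|pin|ssn|social security|card number|"
                    r"account number|username|home address)\b", re.I)
URGENCY_RE = re.compile(r"\b(?:urgent|immediately|right away|act now|final notice|"
                        r"suspended|locked|within \d+ (?:hours?|minutes?))\b", re.I)
FRIENDLY_RE = re.compile(r"\b(?:dear friend|congratulations|you(?:'ve| have) won|"
                         r"free gift)\b", re.I)
INSTALL_RE = re.compile(r"\b(?:install|download)\b.*\b(?:app|apk|update)\b", re.I)

def triage_sms(sender, body, known_senders=frozenset()):
    """Return (score, reasons): one point per warning sign found in the text."""
    reasons = []
    has_link = bool(URL_RE.search(body))
    if sender not in known_senders:
        reasons.append("unknown sender")
    if has_link:
        reasons.append("contains link")
    if PII_RE.search(body):
        reasons.append("asks for personal information")
    if URGENCY_RE.search(body):
        reasons.append("urgency")
    if FRIENDLY_RE.search(body):
        reasons.append("overly friendly or prize language")
    if has_link and INSTALL_RE.search(body):
        reasons.append("app install via link")
    return len(reasons), reasons

def verdict(score):
    """Thresholds are assumptions: 3+ signs is suspicious, 2 needs a second look."""
    return "suspicious" if score >= 3 else "review" if score == 2 else "ok"

# Constructed sample messages (fictional numbers and .example domains).
SAMPLES = [
    ("+15550100", "URGENT: your account is locked. Verify your card number at "
                  "http://bank-secure.example/login within 24 hours"),
    ("+15550101", "Congratulations! You have won a free gift. Download the app "
                  "at www.prizes.example/get"),
    ("Mom", "Running late, see you at 6"),
    ("+15550102", "Your appointment is tomorrow at 10am"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        score, reasons = triage_sms(sender, body, known_senders={"Mom"})
        print(f"{verdict(score):10} {score} {sender}: {', '.join(reasons) or '-'}")
```

A score like this only prioritizes messages for a closer look; verifying with the company through its official phone number remains the deciding step.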
Kayla Matthews, a tech and security journalist, has written articles for sites including WIRED, Information Age, Security Boulevard, and the National Cyber Security Alliance. To see more of her work, follow her on Twitter @KaylaEMatthews or check out her tech blog, Productivity Bytes.