Investors are increasingly using mobile devices to access financial accounts and online applications, allowing them to quickly make investments from anywhere through phone service or Wi-Fi. However, this convenience also comes with risks.
One way scammers try to steal data and wealth from investors is through SMS phishing, a scam where fraudsters send text messages to targets via SMS to deceive them. While the term SMS phishing comes from a combination of phishing and SMS, these scams can also occur through other messaging platforms such as iMessage, Google Messages, and WhatsApp.
SMS phishing is not a new scam. However, the latest development in this fraudulent activity is scammers requesting targets to reply to messages to bypass protection measures set by providers, or else these measures will automatically disable links from messages sent by unknown numbers.
In SMS phishing attacks, scammers send messages aimed at manipulating targets to engage in unsafe behavior, such as clicking on links or providing sensitive information. The nature of text messages currently does not allow individuals to hover over links to view their source, making it more challenging to detect malicious links compared to other types of phishing attacks.
SMS phishing continues to be one of the most prominent forms of cyber attacks, largely because victims are more likely to click on SMS links. SMS phishing attacks also use disposable phones or software to spoof phone numbers to conceal their identities.
As technology companies implement technical solutions to protect users, bad actors continuously improve strategies to bypass these new protection measures. For example, some recent measures automatically make links from unknown sources “unclickable” unless individuals take certain actions like replying to messages. In response, bad actors may now ask victims to take specific steps to activate fraudulent links.
Clicking on or accessing SMS phishing links can lead to negative consequences for targets, including data theft or malicious software downloaded to devices. Enable multi-factor authentication (MFA) for accounts, such as SMS codes or biometrics, to protect accounts instead of solely relying on passwords.
Handle SMS from unknown numbers with caution, including not replying to unexpected messages and messages from unfamiliar sources. One way to mitigate SMS phishing threats is to delete messages from unknown senders without opening them, block the sender, and report the SMS as spam in messaging applications.
If deciding to open messages from unknown senders, wait a few minutes after viewing the message before taking any further action. SMS phishing schemes are typically designed to prompt targets for immediate responses. Pausing to fully process and consider requests from unknown numbers is often helpful.
Verify websites and requests outside of messaging applications. Contact financial institutions through verification methods listed on investment account statements to avoid sending private information (such as account numbers or passwords) via SMS.
Avoid storing account information on phones, such as in note-taking applications or as contacts. If scammers gain access to device permissions, this information may be misused.
While it may not be possible to prevent every SMS phishing attempt, consider enabling options to block or filter messages from unknown senders.
Promptly report to mobile operators and companies where the account may be at risk.
Change the passwords of any compromised accounts on other devices.
Contact law enforcement and the Federal Trade Commission (FTC).
Lock or freeze existing financial accounts and monitor for any suspicious activity.
Close any new or unauthorized accounts.
Set up fraud alerts on credit profiles.
Keep a detailed report of actions taken.