Don’t Let Yourself Get Smished
Swindlers are using fake-friendly text messages to try to persuade older adults to give up credit card numbers or bank account passwords
Maria-Kristina Hayden was visiting with her 70-year-old father when he received a text message on his phone. He seemed puzzled. "The text message was from an unknown number, and it said, 'Hey, do you want to golf later this week?'" says Hayden. "My dad is a golfer, and he has many friends that he golfs with throughout the month. But he didn't recognize the number."
Fortunately, Hayden is the founder of OUTFOXM, a Dallas-based cyber response company that helps individuals and organizations prevent cyberattacks. She checked her father's phone to confirm that it was not a number that was saved in his contacts list. It wasn't listed, and after a few more questions, her father said, "This is probably a scam. Is this what you are trying to tell me?"
Your Bank Is Calling — or Is It?
The scam is called smishing, a mashup of SMS and phishing. SMS is the abbreviation of short message service, or texting. Phishing involves thieves communicating with strangers — at first using email, now via texts — in the hope of persuading them to share confidential financial information, such as credit card numbers or bank account passwords.
"SMS phishing, or smishing, is a variant of the kind of phishing we've been hearing about for years," says Hayden. "But SMS phishing doesn't arrive through email. It arrives on your phone. That could be a text message, a WhatsApp or a Signal message, or any kind of messaging app that you use on your phone in a text-like fashion."
The goal of smishing is the same as phishing: to induce recipients to reveal personal information. One example is a bank impersonation scheme. Fraudsters pretend to be your bank by mimicking the legitimate outreach banks do to alert customers about potentially fraudulent activity on their account, explains Michael Steinbach, Head of Global Fraud Prevention at Citi.
"This often starts with a text notifying you of potential fraud on your account. Once you (the victim) are engaged, the fraudster claims that they are trying to protect your money and that they want to help you reverse the fraud on your account," says Steinbach. "Whenever someone is smishing, their key goal is to gain your trust — and sometimes, they are very convincing."
Avoid Strangers Offering Gifts
Smishing messages may promise free gift cards or prizes, claim to pay off your student loans or other debts, or offer a credit card with low or no interest. "They will try to trick us emotionally and get us to override our natural skepticism," says Hayden. "In my father's case, they may have gotten my father's number from a golf magazine he subscribes to, and they know people on the list will respond to golf-related messages."
A smishing message may suggest the link is directed to a credit card company website or other business, but the scammers often make small changes in the website address or use link-shortener software so the address is unrecognizable. The link is used as a method to download malicious software to the victim's computer or to gather personal information.
The smisher may ask the person to call a specific number instead of including a link. Then the caller is asked to provide sensitive data over the phone.
How to Spot a Smishing Text
Steinbach says there are a few red flags to look out for to avoid falling victim to a scam:
- Moving money won't undo fraud. "A legitimate bank will never require you to initiate an additional transaction to reverse a fraudulent one," says Steinbach. "Any outreach from your financial institution — and especially one via text — asking you to move money is an immediate red flag."
- If they are rushing you, they might be scamming you. If someone texts you with a sense of urgency and displays a lack of professionalism when talking to you, that is another red flag. Legitimate institutions will not rush their clients, threaten them or issue ultimatums.
- When in doubt, share nothing. If you receive a message, especially one that seems a bit suspicious, do not share any personal information. Instead, call the phone number listed on your credit card, debit card or monthly financial statement to confirm whether the request is legitimate.
What to Do If You Have Clicked on a Link
Perhaps you have clicked on one of the links in a text message or given information to someone and have second thoughts. Here are some things you can do:
- Alert the authorities. Follow the instructions of the Federal Trade Commission by copying the suspect text message and then immediately forwarding it via text to the FTC at 7726 (SPAM).
- Block the number. After forwarding the suspicious text to the FTC, call your cell phone service provider and tell it to block the phone number on the text from your mobile.
- Check your security software. If you don't have any security software on your phone, download some quickly. If you already have some, make sure it is fully updated, and then run a scan to seek any malicious software downloads. Perform regular software updates so your phone is receiving security patches or fixes as soon as they are available.
- Report any doubts. If you have given away personal information, immediately report the situation to IdentityTheft.gov.
How to Avoid Smishing Scams
Here are some tips to avoid falling victim to a smishing scam:
- Secure all of your digital gear. Both Steinbach and Hayden strongly suggest installing malware- and virus-protection software on every internet-capable device you use, including phones, tablets, routers, etc. "If it is online, protect it," says Steinbach.
- Follow spending and accounts. The more you know about your financial accounts, the more adept you'll be at spotting potential fraud, says Steinbach. Routinely check your statements and sign up for push alerts from banks and other organizations.
- Trust your instincts. If something seems off, always use caution. But don't panic. Get help from bank and credit card institutions or other organizations to report possible smishing. Change passwords and check the status of your accounts for any unknown charges or withdrawals.
- Don't reply at all. Hayden says that recipients of questionable texts should not send any sort of reply. "Saying, 'No thanks, stop contacting me,' or asking who this is . . . that by itself is dangerous, even if there is no link at all. Sometimes scammers buy long lists of phone numbers, and they don't know which numbers are in use. So, they will send a test text message to the entire list and see if they get any responses," says Hayden. "If they do, they know there is a human at the other end of that phone number, and then the phishing attempts can start."
How Caregivers Can Help
Steinbach says that caregivers should take an active role in educating and supporting older adults on how best to protect and monitor their personal information:
- Protect all passwords. Help them understand how to keep their online life secure, especially when it comes to passwords. Offer guidance such as not using similar passwords on many accounts. Encourage substantially different passwords between accounts, with 10 to 18 digits at minimum.
- Promote the use of MFA. Teach them about the importance of multi-factor authentication (MFA) and how to use it. "MFA is great because it adds an additional layer of security to your accounts," Steinbach says. "In addition to using your password, it also offers another method of authentication, such as a code sent to your phone. Whether you are 21 or 91, you should be using multi-factor authentication everywhere it is available."
- Encourage routine monitoring. Help older adults in your care to create a system that allows them to regularly monitor financial accounts. "Without instilling fear or panic, talk about what to be on the lookout for and the importance of being aware at all times. All of us are more likely to fall for a scam when we're not paying attention," says Steinbach.
Make sure they are comfortable not responding to texts or phone calls that don't seem legitimate. Help them create schedules to regularly monitor their accounts and protect their personal information. Explain and set up tools such as mobile alerts and quick lock, and make sure they understand the messages they are receiving.