How to Guard Against Smishing Attacks on Your Phone

Among the many threats to your internet security is “smishing,” in which bad actors try to steal your data or money through a text message that attempts to trick you into following a link you shouldn't or revealing personal details or login information that should be kept private.

The attack takes its name from phishing emails that “fish” for a response that leaves you vulnerable to various threats, but here the dangerous message arrives via SMS, direct to your phone, which might make you more likely to fall for the scam.

The damaging effects of smishing attacks can be serious and varied, whether they involve someone gaining access to your bank accounts or taking over your social media accounts. But if you know the warning signs to look out for and the preventative steps to take, you can avoid getting caught out.

Smishing attempts traditionally arrive via SMS text message, though they can pop up on any messaging platform, from WhatsApp to Instagram. They'll often come with a link attached that you're supposed to click on, or they might ask for a direct response, but you'll need to take some action to be affected by the attack (just receiving the message won't cause any damage).

The first kind of attack you'll come across is a link to a shady website, possibly one that's mocked up to look like a well-known company website or social media network. You'll be prompted to enter your username and password details, but rather than logging you in to the site in question, whoever set up the fake site will take these details and use them for nefarious purposes.

The second kind of attack will push you to download a dangerous app or run it in your web browser. The good news is that your phone will block a lot of malware apps automatically—it's particularly difficult to install a non-approved app on iPhones—but this is still something to look out for when messages come in.

In the third version, you might get messages asking for personal or financial details directly—with prompts to reply to a text with your bank details, for example, or with login details for a certain website. As with the redirects to fraudulent websites, these details will go straight to the people behind the smishing attempt, who will most likely use them to try to steal money or information.

While we can't offer a foolproof guide to spotting every single smishing attack you might come across, there are some red flags to look out for. One is messages coming from numbers that don't seem correctly formatted or that contain unusual characters—these might be genuine messages from businesses or automated services, but they might also be smishing attempts, so proceed carefully.