Don’t get Smished: A funny-sounding word for a serious fraud risk

Smishing is a cybersecurity attack delivered via mobile text, WhatsApp, or other social media messaging. The word is a combination of “SMS” and “phishing”. These deceptive messages are designed to trick victims into acting quickly on their emotions and can have serious consequences.

How does Smishing work?
The attacker sends a serious-sounding message to thousands of people at once. Even though the message isn’t customized at all, the bad actor is hoping that at least a few victims will take the bait. The message appears urgent, telling victims they must “click here to unlock their accounts” or “respond to suspicious account activity”. The idea is to get the reader to click on a malicious link, so that they end up on a spoofed website where the fraudsters can harvest credentials, install malware, and collect personal data. Next, the attacker can use this information and access to commit fraud and/or identity theft.

Financial services smishing, where these attacks are disguised as notifications from trusted institutions, is unfortunately very common. We have included modified versions of real-life examples below showing bogus messages posing as trusted brands like Charles Schwab.

Keep in mind: Unlike many other attacks, smishing isn’t necessarily an indication that you or someone with your personal data has been compromised—the attackers send a message to a large number of randomly chosen phone numbers, hoping some of those people will respond.

How to protect yourself:

  • Do not click on links or attachments included in a text message.
  • Slow down if a message is urgent. Treat urgent account updates and limited offers as warning signs of possible smishing. Remain skeptical and proceed with caution.
  • Avoid using links or contact information from the message. Go directly to the official channels/websites.
  • Double-check the phone number. Odd-looking numbers with only 4 digits can be a red flag that the scammer is masking their true phone number.
  • Do not enter your username and password or personal information on a webpage if you clicked a link or copied and pasted an address from a text message. Instead, enter the address directly into your browser to visit the trusted website where the account is held to log in as usual.

For general educational purposes only.

Neither Charles Schwab & Co., Inc., nor any of its affiliates or employees makes any warranty, expressed or implied, or assumes any liability or responsibility for the accuracy, completeness, regulatory compliance, or usefulness of any information, tools, resources, or processes described in this material, or represents that its use would protect against cybersecurity or fraud incidents, including but not limited to a system breach, compromise of security, and/or improper access to confidential information. Neither Charles Schwab & Co., Inc., nor any of its affiliates or employees is responsible for any damages or other harm that might occur as a result of, or in spite of, the use of any information, tools, resources, or processes described here. You are responsible for securing your own systems and data.

Schwab does not provide legal, regulatory, tax or compliance advice. Consult professionals in these fields to address your specific circumstances.