Smishing – learning to spot and secure against an emerging cyber threat

Anyone who has used email over the years will be familiar with the wide range of fake communications that encourage us to hand over our sensitive data - known as ‘phishing’ - and measures for identifying and securing against such communications are now an established part of cyber security best practice.

Smishing is a newer form of cyber-attack that organisations must be aware of, and that their employees must be able to spot, so that human error does not compromise the integrity of critical data.

But the world of cybercrime never stays still for very long, with bad actors constantly looking for novel ways not only to breach security ecosystems, but to catch unsuspecting individuals off guard. As a result, you could be targeted by text and WhatsApp message scams that work on the assumption that many people will be unaware of this attack vector.

Such attacks are called ‘smishing’, and to maintain the integrity of both corporate and personal data, it is essential that you are aware of how they work and what action to take if you suspect you have been targeted.

What is smishing?

It’s an emerging incarnation of a familiar cybercrime technique.

You receive a text or WhatsApp message, commonly purporting to be from your bank, telling you there’s a problem with your account, issues with making a payment, or some sort of suspicious activity.

The text will contain a link for you to click or a number to call to sort out the supposed problem.

If it’s a link, it will direct you to a fake website that will harvest your login information via a fake but convincing-looking form.

If there’s a phone number, the scammer on the end of the line will try to get you to reveal sensitive information, such as passwords, PINs, and answers to security questions.

But fraudsters won’t just pretend to be your bank. Sometimes they’ll claim to be from an online account such as PayPal, or a service you subscribe to, such as Netflix. Smishing attacks have also been reported targeting customers of Government organisations, such as HMRC and the DVLA.

Is a text from a company always a scam?

No. Many companies utilise text messages for legitimate communications with customers and prospects.

This is why it’s important to know how companies will typically get in touch with you. You can normally set your contact preferences – such as phone call, email or text message – in your profile.

How to spot a smishing scam

Smishing can be difficult to spot, particularly if it appears to be from someone who would normally contact you by text.

But, like email scams, there are some tell-tale signs. For example, there might be spelling mistakes, or the text might address you as ‘Sir’ or ‘Madam’. Real messages from companies you already engage with will usually address you by your full name.

You can also look at the phone number it’s been sent from. First, it won’t be the same as the one on your bank card. Second, it might be sent from an overseas number. You could also do a search for it online. If it’s a known fake number, it’ll already have been identified as such on the internet.

If in doubt, ring the number you usually use to contact the company to check if they’ve been in touch recently.


How to avoid getting scammed by fake text messages

The best way to avoid falling victim to smishing is to be wary of any text message you receive.

Never click any links in texts. If in doubt, go directly to the website and log in as normal. If there really is a problem, you’ll already have a message waiting in your account dashboard telling you what to do.

If you do click the link, be vigilant. Many scammers have developed very close replicas of genuine websites, which can be difficult to spot at a glance. Nonetheless, there’ll always be some signs it’s not legitimate, such as odd spelling in the web address, or low-quality graphics.

If there’s a number for you to call, check it matches with the one on the back of your debit or credit card. If in doubt, call the number on your bank card to find out if there’s an issue.
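As an added example (not from the article) of how the tell-tale signs described in the two sections above can be turned into a simple triage check, the Python function below flags a generic salutation, an overseas sender, a link in the message body, and a brand name embedded in a lookalike web address. The home-country prefix, brand list, suspicious top-level domains and sample messages are constructed assumptions.

```python
import re

# Assumed home-country prefix (UK, as the article's HMRC/DVLA examples imply).
HOME_PREFIX = "+44"
# Assumed brands a scammer might imitate; PayPal, Netflix, HMRC and DVLA are named in the article.
BRANDS = ("barclays", "hsbc", "paypal", "netflix", "hmrc", "dvla")
# Assumed list of top-level domains that rarely host a genuine bank or government site.
SUSPECT_TLDS = (".xyz", ".top", ".click", ".info")

URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
GENERIC_SALUTATION_RE = re.compile(r"\b(sir|madam|dear\s+customer)\b", re.I)


def host_of(url: str) -> str:
    """Strip scheme and path, returning just the lowercase hostname."""
    return url.lower().split("://")[-1].split("/")[0]


def lookalike_brand(host: str) -> bool:
    """True when a brand name is buried inside a label rather than being the label itself,
    e.g. 'barclays-secure-login.xyz' (lookalike) versus 'www.barclays.co.uk' (exact label)."""
    labels = host.split(".")
    for brand in BRANDS:
        if brand in labels:
            return False  # brand is its own label: treat as plausible
        if any(brand in label for label in labels):
            return True
    return False


def smishing_indicators(sender: str, body: str) -> list[str]:
    """Return the article's tell-tale signs found in one SMS (empty list = none found)."""
    hits = []
    if GENERIC_SALUTATION_RE.search(body):
        hits.append("generic salutation")
    if not sender.startswith(HOME_PREFIX):
        hits.append("overseas number")
    for url in URL_RE.findall(body):
        hits.append("contains link")
        host = host_of(url)
        if lookalike_brand(host):
            hits.append("lookalike domain: " + host)
        if host.endswith(SUSPECT_TLDS):
            hits.append("suspicious TLD: " + host)
    return hits


if __name__ == "__main__":
    # Constructed sample messages; the numbers are fictitious, not real senders.
    print(smishing_indicators("+2348012345678",
          "Dear Sir/Madam, unusal activity on your acount. Verify now: http://barclays-secure-login.xyz/verify"))
    print(smishing_indicators("+447700900123",
          "Hi Jane Smith, your appointment is confirmed for Monday at 10am."))
```

The function is a reporting aid for users or a help desk, not a filter: a message with no hits can still be a scam, so the article's advice to contact the company via a known number still applies.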

How to report scam text messages and smishing scams

If you believe you have received a smishing communication, you should report it to the company that allegedly sent you the message. This will give them the chance to alert other users to the risk.

If you’ve been a victim of a smishing scam, then you need to report it to Action Fraud by calling 0300 123 2040. Alternatively, visit –

How to protect yourself against smishing scams

The most important thing you can do is never click on links in suspicious texts or call the phone number in the message.

But, if you do, never give out personal details, under any circumstances.

No legitimate company is going to ask you to reveal personal or security information over the phone. Under no circumstances tell a caller your PIN, password, or any other piece of information that could compromise your account.

In terms of your devices, follow cyber best practice and install all the latest updates for the anti-virus software and operating systems on all your devices – including phones and tablets – as soon as they become available. These will help protect you if you do end up on a fake website that’s trying to harvest your information.

Be vigilant!

The strategies employed by those with nefarious intent are constantly evolving in terms of scale, frequency, and sophistication, but the primary cause of data breaches worldwide remains human error. That is why it’s essential that you take the time to inform yourself and your employees of the latest developments in cyber security best practice and ensure the latest threat intelligence is acted upon at all levels of your organisation – including providing additional training for employees when necessary.

Do not hesitate to contact us if you would like to find out more about optimising your cyber security ecosystem and ensuring human error never compromises your critical data.
