1 Products and services may be offered by Royal Bank of Canada or by a separate corporate entity affiliated with Royal Bank of Canada, including but not limited to Royal Mutual Funds Inc., RBC Direct Investing Inc. (Member–Canadian Investor Protection Fund), RBC InvestEase Inc., RBC Global Asset Management Inc., Royal Trust Company or The Royal Trust Corporation of Canada
If you’ve ever received a suspicious text from an unknown number asking you to click a link to resolve a payment or account issue, you may have been a target of a smishing attack. A blend of the terms “phishing” and “SMS,” smishing is a type of phishing carried out over text that tries to trick people into giving away sensitive information.
Smishing attacks have become more common, given text messages’ high read and response rates. According to Gartner Research, only 20 per cent of emails are opened and 6 per cent replied to (as people have become more suspicious of email scams), those numbers rise to 90 per cent and 45 per cent for text/ SMS messages.
People may be more likely to trust a message through text because they’re largely unaware of smishing attacks. And, because people often check their text messages while on the go or doing something else, attackers take advantage of their distracted state to deceive them into clicking links or providing personal or financial information without thinking.
The goal of a smishing attack is to trick an unsuspecting user into giving away sensitive information, which can then be used to carry out other cyber crimes. It’s a social engineering attack that relies on taking advantage of human trust and manipulating a victim’s decision-making. Cyber criminals lower the guard of potential targets by posing as a trusted, legitimate person or organization (such as a bank or delivery service). They also use context to create a situation that seems real, overriding any suspicion that the message might be a scam.
How cyber criminals use smishing
Cybercriminals often use one of two methods to steal data through a smishing attack.
Directing to a malicious website. In this case, the link in a smishing message might lead you to a fake site that asks you to input personal and financial information. The message and the site it leads to may look legitimate, tricking you into divulging your info.
Installing malware on your phone. In this case, the link in a smishing text might trick you into downloading malicious software — or malware — that installs on your phone. The malware will often look like a legitimate link or app, but once on your phone, it gives cyber criminals access to your data and account credentials.
Common examples of smishing texts
Smishing attacks come in many forms, but there are a few common types:
“There’s an issue with your bank account”
Smishing text messages often appear to be from your bank, asking you for personal or financial information such as your account or PIN.
The message might try to get you to click on a link in the text to connect to your bank’s website and verify a recent suspicious charge. They might also ask you to call their customer service number, which they have included within the text message, to talk to them about a recent suspicious charge or a compromised account.
Another variation of this attack is when a message includes an urgent request to unlock your account, asking you to input your username and password to fix an issue.
“Donate to disaster relief now”
Hackers also prey on the sympathies of Canadians to gather personal and financial information. For example, after hurricanes, floods or other natural disasters, a cyber criminal masquerading as a real charity may send a text asking for a charitable donation toward relief efforts. The text would request credit card information, address and sometimes even your Social Insurance Number. Sometimes, scammers will even charge your credit card monthly.
“Click for an exciting offer!”
Fraudulent text messages may come with the promise of a giveaway, reward or another free offer. “Gift smishing,” as it’s sometimes called, typically refers to the offer as limited time or exclusive, creating more urgency and getting you to take action without first stopping to think.
“Your package is out for delivery”
A popular scam these days involves text messages pretending to be from a delivery company. Taking advantage of the rise in online shopping, scammers send texts that include a link for you to “update your delivery preferences” for a package en route. Others may claim there was just a failed delivery attempt on an expensive item.
If you open the message and click the links, you may be asked to provide your credit card information to secure a later delivery, allowing scammers to use it for fraud. In some cases, the link may also lead to the download of malware to your device, giving hackers almost unlimited access to your data or files.
How to protect yourself
While smishing attacks are increasingly common, there is one very simple way to avoid being a victim of one: Do nothing.
By not clicking on a suspicious text or responding to a text from an unknown number, you are doing your best to protect yourself.
Here are other ways to guard against a smishing attack:
Take 6 seconds. If you receive an urgent message to update your account or take advantage of a limited-time offer, take 6 seconds to ask yourself if it seems suspicious. Be skeptical!
Call the bank or retailer directly. Legitimate companies and financial institutions don’t request account updates or login information via text. It’s always a good idea to confirm any requests received by text by calling the organization’s official number (i.e., one on the official website, not the number contained in the text message)
Avoid clicking any links in the message. These could be traps to install malware or capture personal data.
Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
Avoid storing banking information on your phone. If an attacker installs malware on your device, your information could be compromised
While smishing may be more and more common, being aware of the types of smishing attacks can help you spot one. Understanding the ways to protect yourself can keep your personal and financial information secure.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.