Phishing vs. smishing: What’s the difference and how can you protect yourself?
Our phones, tablets, and other technology are a constant presence in our lives, and they hold our personal information, from photos and contacts to bank accounts and social media. Because of that, hackers are constantly attempting scams like phishing and smishing. Although they have a few differences, they have one common goal: to steal your personal information. We’re breaking down the differences between phishing and smishing, how to spot the signs, and how to protect yourself.
What is phishing?
Phishing is when criminals use fake emails, social media posts, or direct messages with the goal of luring you to click on a bad link or download a malicious attachment. If you click on a phishing link or file, you’re handing over your personal information to cybercriminals. A phishing scheme can also install malware onto your device.
Signs of a phishing attempt
The signs can be subtle, but once you recognize a phishing attempt, you can avoid falling for it. Before clicking any links or downloading attachments, take a few seconds and ensure the email looks legit. Here are some quick tips on how to clearly spot a phishing email:
- Does it contain an offer that’s too good to be true?
- Does it include urgent, alarming, or threatening language?
- Is the writing poorly crafted, riddled with misspellings and bad grammar?
- Is the greeting ambiguous or very generic?
- Does it include requests to send personal information?
- Does it stress the urgency to click on unfamiliar links or attachments?
- Is it a strange or abrupt business request?
- Does the sender’s email address match the company it’s coming from? Look for little misspellings like “pavpal.com” or “anazon.com.”
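The sender-domain check from the last item can be automated. The following is an added example, not part of the original article: it compares the domain in a From: header against a short allow-list and flags near-miss spellings such as the two quoted above. The allow-list, function names, and sample headers are assumptions constructed for illustration.

```python
# Added example: flag sender domains that nearly match a trusted domain.
from email.utils import parseaddr

TRUSTED = {"paypal.com", "amazon.com"}  # constructed sample allow-list


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def check_sender(from_header, max_distance=2):
    """Return (verdict, brand); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if domain in TRUSTED:
        return "trusted", domain
    for brand in sorted(TRUSTED):
        # A small non-zero distance means "almost, but not quite, the brand".
        if 0 < edit_distance(domain, brand) <= max_distance:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    samples = [  # constructed From: headers
        "PayPal Support <service@pavpal.com>",
        "Amazon <orders@anazon.com>",
        "PayPal <service@paypal.com>",
        "Newsletter <news@example.org>",
    ]
    for header in samples:
        print(check_sender(header), header)
```

This catches only near-miss spellings of the listed domains; a deceptive subdomain or display name needs separate checks.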
What to do if you see a phishing email
You’ve already done the hard part—recognizing that an email is fake and part of a phishing attempt.
If the email came to your work email address, report it to your IT manager or security officer as quickly as possible. If the email came to your personal email address, don’t click on any links, even the unsubscribe link, and don’t reply to the email. Delete the email entirely.
You can take your protection a step further and block the sending address from your email program.
What is smishing?
With the increased use of mobile devices to manage so much of our lives, it’s no surprise scammers have moved to this medium to target your sensitive information. According to the 2023 State of the Phish, phone-oriented attack delivery attempts increased to 300-400K daily.
If you have a mobile phone, you’ve most likely experienced smishing. Smishing is a phishing message received via text message. Just like an email phishing attempt, the scammers are targeting your sensitive information.
Scammers choose smishing over phishing particularly because people are more inclined to click texts than emails. SMS click-through rates are between 8.9% and 14.5%, whereas emails have an average click-through rate of only 1.4%. Our phones are glued to our hands, and people often check notifications instantaneously.
How does smishing work?
Similar to what you might experience in your email, these messages use emotional triggers to entice you to interact with the links. The themes typically target your personal information, such as your username and password, bank account information, credit card information, or Social Security number.
Signs of a smishing attempt
Like phishing attempts, the signs can be subtle (and similar), so recognizing them is key. Below are a few ways to spot a smishing attempt:
- Phone numbers and area codes may be spoofed, making them look like they’re from a trustworthy source, like your financial institution.
- Texts appear concise and urgent, eliciting an emotional response.
- You’re urged to click on a link or call a phone number to resolve the problem.
- Texts contain unusual greetings or generic salutations, such as “Hi sirs” or “Dear customer.”
Some common smishing scams include fake package delivery alerts, “wrong number” text scams, account verification scams, or scam surveys—just to name a few.
What to do if you receive a smishing text
Make sure you have multi-factor authentication turned on for your accounts. This ensures scammers can’t access your accounts unless they physically have your device.
Don’t click on links or reply to the message—delete the text altogether. Report spam texts to your phone carrier and the FTC at reportfraud.ftc.gov.
You can take your protection a step further and block the sending phone number from your cell phone. On iPhones, go to Settings > Messages > Message Filtering > Filter Unknown Senders. On Androids, go to Settings in Google Messages > enable Spam Protection.
Ensuring your device’s software is updated is also crucial. Enable automatic updates if possible. Software updates are an easy way to stay one step ahead of hackers—they provide new security patches where criminals previously may have been able to access your information.
What to do if you accidentally click a smishing link
If you accidentally click a link, don’t enter personal information, like usernames or passwords. Disconnect your device from the internet and scan your device for malware (if you’re not tech-savvy, leave that to a professional).
Contact your financial institutions and freeze your credit. Set up fraud alerts with one of the three major credit bureaus (Experian, Equifax, and TransUnion). Once you’ve notified one bureau, it must notify the others.
You also want to change your credentials (from a different device that’s not infected), so your personal or financial information can’t be compromised. If you don’t already, use different passwords across accounts so it’s more difficult for hackers to access your credentials or account numbers.
These scams aren’t going away anytime soon, especially with our reliance on technology. It’s important to stay aware and be cautious when opening emails and texts from unknown contacts. Continue to educate yourself with blogs and security articles, and inform your friends and family, too. By working together, we can all protect our personal information from hackers and scammers, and minimize the risk of being a cybercrime victim.