What is Smishing?

Have you ever been sent a text message with a link or telephone number to call? Be careful! It could be an ID theft scam known as smishing. A link or telephone number often appears in the body of a text message telling you to click here or call a telephone number to win a prize. If you click on the malicious link or call the telephone number, it may try to compromise your device with malware or ask you to input personal information. This is an example of a fraud technique called smishing. You have heard the term phishing; this is phishing done by SMS text message rather than by email, hence SMs phISHING.

How Smishing Works

The fraudsters send a text message with a website link or telephone number to call. As bait, they use a fake prize or a claim that your account has been deactivated, hoping for a response from the potential victim.

If you click on the malicious website link, it may download malware that compromises your device, or the website will ask you to input personal information such as your Social Security number, credit card type, credit card number, and PIN.

If you call the automated phone number that you are given, it will sound very official and will ask you to input personal information such as your Social Security number, credit card type, credit card number, and PIN.

The fraudster will use this information to duplicate a debit/credit/ATM card and begin using it. The downloaded malware may allow the fraudster to remotely control your phone and use it to access your banking information. Fraudsters can use the information collected to perform ID theft.

Actual WPI Example

A fraudster gets a name and cell phone number. They search the web and WPI is returned in the results, perhaps on a staff or faculty page, a student publication, or an athletic feature. They easily find the WPI President's name and send a text hoping for a response. If they receive a response, the next step would be to lure you into providing more info, so DO NOT REPLY.

Text message from +1 (657) 348-9205: "Hello [NAME], let me know if you get my text. Thanks. Grace Wang."

How to Identify and Avoid Smishing

  • Do not lend your phone to others.
  • Avoid clicking on links you are not familiar with.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
  • Protect your mobile device with a password and lock it when it's not in use.
  • Keep your mobile device in a safe location.
  • Be aware that fraudsters will continue to create fraudulent applications. Don't download applications onto your phone without checking them out first. Verify the legitimacy of an application by checking the app publisher or seller before downloading it to your mobile phone.
  • Do not modify (jailbreak) your mobile phone; doing so makes it susceptible to infection by a virus, trojan, or other malware.
  • WPI Information Security is always available to answer any questions or concerns about smishing/text messages.
  • There is a handy tool that has been around since 1876, the Telephone. Use it to contact someone immediately, if necessary.

What is Vishing?

Voice phishing, or vishing, uses telephone communication to attempt to fraudulently gain personal and financial information. Scammers may call a landline or mobile phone, often claiming to be officials, and try to persuade people to provide identity or account details. Scammers may also provide false phone numbers via social media, text, or email; when you call, the scammer answers and often creates a sense of urgency to obtain information. Kaspersky offers a detailed definition and examples of vishing (Related Actions).

How to Prevent Vishing

Don't give in to the "immediate need" the scammer creates. Contact the company or agency by other means - not by the phone number of the caller. Call the customer service number on your bank or credit card. Ask them to verify the caller's identity as a representative, or ask them to confirm the issue you received a call about. Additional information from the Federal Trade Commission is in How to Stop Unwanted Calls (Actions).

Vishing can be reported to:

  • WPI Information Security using Request Help on this page.
  • The Federal Trade Commission (Related Actions) or at (888) 382-1222
  • The FBI's Internet Crime Complaint Center (Related Actions)