Digital integration is a key component of modern society, with investors increasingly using mobile devices to access financial accounts and online applications allowing for investments to be made quickly from anywhere with phone service or Wi-Fi. However, with this convenience comes risk -- scammers understand this reliance and continue to exploit it to steal data and wealth from investors.

One way that scammers try to steal data and wealth from investors is through smishing, a tactic in which scammers send unsolicited messages to targets over short message service (SMS), or text messages. Though the term smishing comes from a combination of the words phishing and SMS, these scams can also be conducted through other messaging platforms such as iMessage, Google Messages and WhatsApp.

Smishing isn't a new scheme. However, a newer development with this type of fraud involves scammers requesting that targets respond to messages to get around protections put in place by providers that would otherwise automatically deactivate hyperlinks in messages received from unknown numbers.

How Do Smishing Attempts Work?

In smishing attacks, scammers send text messages designed to manipulate targets into taking an unsafe action, such as clicking a link or replying with sensitive information. These messages often urge the target to act quickly to avoid an adverse action or secure a desirable outcome. The nature of text messages, which don't currently allow for individuals to hover over links to see their destination as can be done on an emailed link, can make spotting malicious links more difficult than other types of phishing attacks.

Smishing continues to grow as one of the most prominent forms of cybersecurity attacks, in large part because individuals might be more likely to click text message links than links received via email. Smishing attacks also allow scammers opportunities to conceal their identities through spoofing phone numbers using easily disposable cellphones, commonly referred to as burner phones, or through software.

As major technology companies have implemented technology solutions to help protect end-users, bad actors have evolved their tactics to get around these new safeguards. For example, some recently implemented protections automatically make links from unknown sources "unclickable" unless an individual takes certain actions, such as responding to the message. In response, bad actors might now request that targets take specific steps to activate the fraudulent link (see Figure 1).

Image source: FINRA.

If clicked or visited, the smishing link can lead to poor outcomes for the target, including data theft or the download of malicious software onto the device.

How Can I Reduce My Risk?

Consider these steps to protect yourself against smishing attacks:

• Enable multi-factor authentication (MFA) for your accounts. MFA uses two or more different factors, such as a text message code or biometric marker, to secure your accounts more thoroughly than relying on just a password.
• Approach text message requests from unknown numbers with caution, including not responding to unexpected messages and those from unfamiliar sources. One way to mitigate the threat of smishing is to delete messages from unknown senders without opening them, block the sender and report the messages as spam in the messaging app.
• If you decide to open messages from unknown senders, wait a few minutes after reviewing the messages before taking any next steps. Smishing schemes are often crafted to solicit an immediate response from the target. It's often beneficial to pause to fully process and consider unsolicited requests from unknown numbers.
• Independently verify websites and requests outside of messaging apps. This can include contacting financial institutions through means verified on legitimate investment account statements.
• Avoid sending confidential information (e.g., account numbers or passwords) over text messages.
• Don't store account information on your mobile device, such as in a notes app or as a contact. This information could be comprised if a scammer obtains access to the device.
• Although it might not stop every smishing attempt, consider turning on the option to block or filter text messages from unknown senders.

What Can I Do If I Suspect a Successful Smishing Attempt?

Here are actions you can take if you suspect your device was compromised by a successful smishing attempt:

• Report your suspicions quickly to your mobile carrier and any companies where your accounts could be at risk.
• On a separate device, change the passwords for any potentially compromised accounts.
• Contact law enforcement and the Federal Trade Commission (FTC).
• Lock or freeze your existing financial accounts and monitor them for any suspicious activity.
• Close any new or unauthorized accounts.
• Place a fraud alert on your credit profiles.
• Keep a detailed report of the mitigation steps you've taken.

In addition, if you think you've been a target or victim of investment fraud, file a regulatory tip with FINRA.

Learn more about protecting your money.