Why you’ve already been targeted by ‘Smishing’

Australians are being urged to be on alert for “smishing” attacks, a form of cybercrime that uses deceptive text messages to trick people into handing over personal information or clicking malicious links.

With mobile phones now central to daily life, cybersecurity experts are warning that scammers are increasingly exploiting SMS to spread malware, commit fraud and steal identities.

What is smishing?

Smishing combines the terms “phishing” and SMS (Short Messaging Service) into a modern portmanteau. While traditional phishing typically occurs via email, smishing takes place over text messaging channels.

Like other forms of phishing, smishing relies on social engineering – targeting and manipulating victims with fear, urgency or impersonation – to prompt them to act quickly without verifying the source.

What then is vishing?

While it may sound like another made-up tech buzzword, “vishing” combines the terms “voice” and “phishing” to describe scams carried out or attempted over a phone call. Unlike traditional phishing, which usually happens via email, vishing takes place through phone calls, voicemails or automated recordings. Vishing too aims to pressure victims into revealing sensitive information or transferring money without properly ascertaining the caller’s identity.

For example, a phishing scam may appear as an email from a bank asking a customer to reset their password. A smishing attack could take the form of a text message asking a recipient to confirm a parcel delivery via a suspicious link. A vishing scam might then involve a caller posing as an Australian Taxation Office (ATO) representative threatening legal action unless a payment is made.

How smishing works

Smishing attacks typically follow a simple three-step process:

• A scammer sends a deceptive text message designed to look legitimate.
• The recipient clicks an infected link or provides personal information.
• The scammer uses the stolen data to commit fraud, launch further attacks or sell the information online.

Cybercriminals may use malicious links, malware, threatening language and psychological manipulation to increase the chances of success.

Five common types of smishing attacks

Smishing messages are often tailored to current events or widely used services. Common examples include:

1. Delivery and package-tracking scams

One of the most prevalent forms of smishing involves fake delivery notifications. Victims may receive a message purporting to be from Australia Post or a courier service such as DHL, TNT or UPS, claiming there is an issue with a parcel. The goal is to lure recipients into clicking a harmful link or providing personal details.

2. Financial services scams

These messages impersonate banks, credit card companies or government agencies. Fraud alerts about suspicious account activity are common tactics, urging recipients to click a link or call a number.

Some scams claim that taxable income has been recalculated and request additional information such as payslips or Medicare details. Authorities have repeatedly warned that the ATO will never ask for personal information via text message.

3. Confirmation and customer support scams

Fake confirmation texts may reference online orders, invoices or appointments. Victims are directed to fraudulent websites that request login credentials or other sensitive information.

Scammers also pose as representatives from trusted retailers or service providers, claiming there is a problem with an account. Instructions to resolve the issue often lead to spyware-infected websites.

4. Gift or giveaway scams

These messages promise free gifts or contest prizes, enticing recipients to click malicious links. Instead of a reward, victims may end up infecting their devices with malware.

Several high-profile incidents have demonstrated the scale of the threat:

In 2023, UPS warned customers after attackers targeted recipients with smishing messages demanding payment before delivery.

During the Tokyo Olympic Games in 2021, a smishing campaign attempted to sell fake event tickets to steal personal and banking information.

In the United States, scammers posed as the United States Postal Service in a campaign designed to harvest login credentials.

Warning signs to look out for

Cybersecurity experts say common red flags include:

• Suspicious or unusual phone numbers
• Misspelled words and grammatical errors
• Links with unusual or shortened URLs
• Urgent requests demanding immediate action
• Messages requesting money transfers
• Prize notifications for competitions never entered

Opening a text message is generally safe. However, clicking malicious links or downloading attachments can introduce malware to a device.

How to avoid smishing scams

To reduce the risk of falling victim to smishing, users are advised to:

• Avoid sending personal information such as passwords or credit card details via text
• Refrain from clicking suspicious links
• Verify messages by contacting the organisation directly through official channels
• Avoid responding to suspicious texts, as replies confirm that a number is active
• Enable two-factor authentication for additional account security
• Install reputable antivirus software to help detect and block threats

What to do if you receive a smishing text

If a suspicious message is received, experts recommend not responding, marking the message as spam and reporting the number to your mobile service provider.

Victims can also report scams through official channels such as Scamwatch, update passwords for potentially compromised accounts, monitor bank and credit card statements for unusual activity and run malware scans using trusted antivirus software.