Smishing Tips


Aug 27, 2021

What is smishing and what can you do to protect yourself against it?

In 2020, the UK economy lost more than £1.26 billion to fraud, and as cybercriminals become ever more sophisticated in their attempts to relieve you of your hard-earned cash, today we’re looking at smishing and some of the steps you can take to avoid falling foul of common scams.

According to a report published earlier this year by UK Finance, which represents the UK’s banking and finance industry, the numbers of attempted scams using mobile apps, push payments and internet fraud all continued to show significant rises.

Push payments, where a scammer impersonates a legitimate organisation, rose by 22%, with the total amount of money lost amounting to £479m (over a third of all reported cases). When it comes to mobile phone fraud, smishing cases are on the rise. This article looks at how you can protect yourself and your loved ones against fraudulent text messages.

What is smishing?

The term ‘smishing’ is derived from a combination of SMS and phishing. It’s a practice used by cyber criminals to steal sensitive financial and personal information via text message.

Typically, a smishing scam involves a fraudster impersonating a well-known organisation and sending the victim a request to verify their account details, claim a refund or make a payment. Recent scams have involved the DVLA, HMRC, Netflix, banks and Royal Mail.

Other variations on a smishing scam can include notifications of a lottery win or bitcoin payment and, in more sinister cases, messages supposedly from loved ones in trouble.

A smishing scam typically aims to persuade the victim to click on a link, which can result in identity theft, malicious software being downloaded onto a mobile phone, and banking details and passwords being shared with the scammer.

How can I spot a smishing message?

To the uninitiated, smishing messages can be alarming, but there are some tell-tale signs that can help you to spot scams. For example, the DVLA has confirmed that it never sends text messages requesting payments to motorists, whilst HMRC regularly publishes a list of common scams:

There are other ways of spotting scam text messages too and things to watch out for include:

  • Spelling mistakes.
  • Check the phone number. Is it sent from a recognised number associated with the organisation it is claiming to be? Has it been sent from a hidden or unknown number?
  • Some organisations protect their sender ID so that the number is replaced with the name of a company. However, some scammers also do this: look out for slight differences or unusual characters in the sender ID. Simply because a message says it comes from a particular organisation doesn’t necessarily mean it’s legitimate.
  • Look carefully at any web links. Very often scammers use official-looking websites, but with subtle differences. If the website is different to the one you would usually use, it is a fake.
  • Does the message ask you to reply within 24 hours or immediately? This is a commonly used tactic to prey on the vulnerable.
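
The sender, link and urgency checks in the list above can be written down as a short script. This is an added example, not part of the original article: the allowlist of organisations and domains, the function names and the sample messages in the comments are all constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist (an assumption): organisation -> web domains treated as official.
OFFICIAL = {"HMRC": {"gov.uk"}, "DVLA": {"gov.uk"}, "Royal Mail": {"royalmail.com"}}
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within 24 ?(hours|hrs))\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def skeleton(text):
    """Fold text so lookalike sender IDs compare equal (accents, 0/1/3/5, punctuation)."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return re.sub(r"[^a-z]", "", text.translate(str.maketrans("0135", "oles")))

def check_sms(sender, body):
    """Return a list of warnings for one text message (empty list = nothing flagged)."""
    warnings = []
    # Which known organisation does the message claim to come from?
    claimed = [org for org in OFFICIAL
               if skeleton(org) == skeleton(sender) or org.lower() in body.lower()]
    for org in claimed:
        if skeleton(org) == skeleton(sender) and sender != org:
            warnings.append(f"sender ID {sender!r} imitates {org!r}")
        elif re.fullmatch(r"\+?\d{7,15}", sender):
            warnings.append(f"claims to be {org} but comes from a plain number")
    # Links must sit on, or under, a domain the claimed organisation really uses.
    allowed = set().union(*(OFFICIAL[org] for org in claimed))
    for url in URL.findall(body):
        host = (urlsplit(url.rstrip(".,;)")).hostname or "").rstrip(".")
        if claimed and not any(host == d or host.endswith("." + d) for d in allowed):
            warnings.append(f"link host {host!r} is not an expected domain")
    if URGENCY.search(body):
        warnings.append("pressures you to act quickly")
    return warnings

if __name__ == "__main__":
    # Constructed sample message; .example is a reserved test domain.
    for line in check_sms("R0yal Mail",
                          "Royal Mail: parcel held. Pay the fee within 24 hours at "
                          "https://royalmail.parcel-fee.example/pay"):
        print("WARNING:", line)
```

A clean result only means none of these particular signs were found; it does not prove a message is genuine.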

If you are unsure, search the name of the company. For example, HMRC’s website is, in this  fraudulent message the web link points to a very different location.

The National Cyber Security Centre (NCSC) has also published further guidance on dealing with suspicious text messages, which can be accessed here:

Our top tips to keep safe:

  • Never reply to any suspicious text messages.
  • Never disclose any personal information.
  • Never disclose passwords, PIN numbers or any information that could compromise your bank accounts.
  • If you suspect a message is fraudulent, forward it to 7226, a free-of-charge service run by Action Fraud, or call 0300 123 2040.

What is the industry doing?

Last April, the UK Government announced plans to trial a new system called the SMS SenderID Protection Registry. The registry was created to allow organisations to register and protect message headers, making it more difficult for scammers to impersonate legitimate businesses.

The scheme has been backed by a number of key UK organisations including Mobile UK and UK Finance, and it has also received the backing of the NCSC. Reports from the trials suggest smishing attempts were reduced by up to 90%.

However, it’s not the only scheme being trialled. In 2019, Google launched its own SMS verification service, with legitimate companies receiving a verification badge when messages are sent. The technology has been slow to roll out, and at present, Verified SMS is not available globally. However, as the technology behind the mobile phones in our pockets continues to evolve, perhaps the days of smishing could be well and truly numbered.
