Smishing. Because we need another cutesy buzzword telling us all how screwed we are. Smishing is a portmanteau of SMS phishing. Phishing itself is a homophone of fishing, which makes smishing a neologism based on a portmanteau, which itself is based on a homophone. What? Too nerdy? Sometimes I can’t help myself. English is cool.
But this article isn’t supposed to be about geeking out on linguistic hacks. Instead, it’s about how to think about texts that come into your phone and how to protect yourself.
For the purpose of this discussion, think of incoming texts as falling into three categories. The first category consists of texts that come from people you are in active conversation with, with the message content so deeply relevant to your life that you know those messages have to be from the actual people you’re normally conversing with.
This is not the classic relative stuck in a foreign country thing. This is your wife, who you know is on the way home, asking if you want ice cream. This is your buddy, who you’ve been working on a car with, asking you to run to the store for a spare part. In other words, really indisputably relevant text from people you’re actively connecting with.
At the other end of the spectrum are the messages that are clearly spam. These are the junk texts you get that are so ludicrous and so far from anything you’d consider valid that they’re mere annoyances.
But then there’s the middle ground. These are generally texts from businesses and services you’ve opted into over time. Sometimes, these are texts that are not necessarily from people you know, but are from entities you do communicate with.
For example, a minute ago an Instacart shopper sent me a text about which type of papaya I wanted as part of a shopping run. Since I just ordered papaya and I’m waiting on a full grocery order to be delivered, I know this is a valid message — even though the phone number is one that’s not in my contacts list.
Another example would be a message I recently got from an international shipper. I wasn’t familiar with the shipper’s company, but when they said my package from a specific Chinese 3D printer manufacturer was going to be delayed by a day from Tuesday to Wednesday, that was credible, because I was in fact expecting a review printer on Tuesday from a Chinese vendor.
But sometimes you get a message like this:
This is a text purportedly from FedEx. I got this one last week and apparently it’s being spammed to phones all over. I get a lot of packages from FedEx, and if it otherwise wasn’t chock full of red flags, I might have paid attention to it.
But it had multiple oddities. It’s the existence of these oddities that I want you to be on the lookout for when you get an incoming text message.
RULE 1: Don’t respond to SMS calls to action
First, and the biggest warning flag, is that it had a call to action. It suggested you click a link. Others ask you to call or text a number. Some just want you to reply. It doesn’t matter what the actual action is. When you see a call to action in a text, immediately begin to consider that it could be fraudulent.
This is not a black and white situation. At the moment I’m writing this, my Instacart shopper is on the way with my grocery delivery, and Instacart sent me another text. It gave me a link to its app and a another link to its website so I can check the status of the driver on the road.
Even though I know (or at least, am pretty sure) that the text from Instacart is valid, I’m not going to click on a link. As a matter of practice, I never ever click on links in text messages. Most services (whether FedEx or Instacart or Uber) allow for web-based tracking, so if I want to know the status of my order, I’ll log into my account on the web and check it from there. That’s because I also don’t know if the gig worker’s phone itself might have been compromised.
RULE 2: Pay attention to anything that’s out of character
The fraudulent FedEx smishing attempt I showed you above begins with “Hello mate.” Although I have a number of Australian business colleagues that greet me in that exact same way, it’s highly unlikely that an official communication from an American company to an American customer would begin with “Hello mate.”
It’s out of character. Many phishing and smishing attempts can be spotted by these sorts of out of character or even blatant grammatical mistakes. Whenever you see something that’s even slightly not right or slightly inappropriate for the circumstances, be wary.
RULE 3: Pay attention to the details of the call to action
In my case, the call to action asks me to click on a URL beginning in d5ncr.info. That’s almost definitely not a FedEx-related domain. Even if I was a current customer of, and got a message from, the 140-year-old NCR Corporation (which used to be AT&T Global Information Solutions and before that National Cash Register), I still wouldn’t click d5ncr.info.
I told you in Rule 1 not to respond to SMS calls to action. This rule is similar. This time, however, you’re spending a few extra minutes analyzing whether the message is giving off signals that it’s probably fraudulent.
Look, we all have pretty good bull$#!t detectors, so use that spidey sense to protect yourself.
RULE 4: Do your due diligence via legitimate channels
Even though the message contained an out of character greeting and an unlikely-to-be-legit URL, what if it’s real? What if an all-important package I’m actually expecting is blocked because I didn’t respond to this message?
That’s a legitimate question, especially since phishing and smishing scams are designed to prey on that “what if” fear. What if that notice from the IRS is real and you don’t respond? What if the FBI really is investigating your neighbor and some kind of terrorist activity took place because you chose not to help? What if your PC could be oh-so-much faster if you only installed this free utility?
This is the essence of social engineering. Scammers use tricks designed to get under your skin, trigger your fears or concerns, and induce you to let your guard down for just the fraction of a second it takes for your finger to twitch and tap the screen.
Viktor Frankl, noted author of Man’s Search for Meaning said, “Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.”
This is deep, so pay attention to it. In the case of fraudulent messages, the message is the stimulus. But you can take a breath, create space, and choose a different response. If you’re truly concerned about whether, for example, GB-6412-GH83 won’t be delivered, go to FedEx’s known site and look it up.
Even if you only have a phone, you can go directly to the company’s site without clicking a link. Use your phone’s browser to visit the known, verifiable home page or call the known, verifiable 800-number of the company or agency you’re concerned about.
It’s not hard. In the above screenshot, I entered the tracking number. It was no surprise to me that it turned out to be fake:
If the trigger is an IRS complaint and you’re legitimately concerned about “what if,” it’s okay to call or reach out to the IRS. Just do it through official channels and you’ll be safe.
RULE 5: Block junk calls and texts
Although the effectiveness of these tricks varies based on carrier and locale, here are two additional tricks you can use to reduce the annoyance. First, as I wrote about last week, flip the Block Unknown Senders switch on your phone to filter senders with numbers not in your contact book.
You can also use your vendor’s anti-spam service. I use Verizon’s free junk blocker, and it sometimes helps.
This is an arms race, with the bad guys trying to get into your head and keep you from thinking clearly before you do something you’ll regret. Don’t give into it. Be diligent. Be thoughtful. And be careful.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.