Beware of SMS spoofing and smishing!

Scammers and fraudsters have always found ways to dupe people into providing personal and financial information. While emails and social platforms are abundant with scammers, in recent times, SMS and text messages have become a popular tool for phishing. Scammers use social engineering, creating a sense of urgency and a false pretext of legitimacy, to trick people into providing personal information. The majority of people are aware that links sent via email can contain malicious software that can hijack a device. However, most people are inclined to trust text messages and the links shared through them. This is why people fall victim to SMS spoofing and phishing quite easily. According to a report, most people don’t expect SMS to contain malicious messages from unknown sources. In addition to this, SMS phishing attacks are difficult to track compared with other phishing attempts.

What are smishing and SMS spoofing?

People often use phishing and spoofing as terms referring to the same thing. However, there is a subtle difference between smishing and SMS spoofing. Smishing involves the use of deceptive texts to lure unsuspecting people into providing personal, private, and financial information. This includes credit card numbers, social security numbers, passwords, PINs, and other sensitive information. Scammers pose as government agencies, law enforcement agencies, banks, and aid efforts to trick people into providing personal information. On the other hand, a fraudster uses spoofing to present inaccurate sender information such as the phone number, the organization’s name, etc. In other words, spoofing refers to what a scammer does, while smishing refers to accessing data from the victim.

Shortcodes are used by businesses and organizations to send out broadcast messages and to create brand awareness. They are used for shipping information, verification, sending account details, flight information, and other purposes. Typically, in the US, shortcodes are six digits long. In smishing, scammers use shortcodes to send text messages. Often, scammers may hack the shortcodes of real companies to add legitimacy to their agenda. This can happen when the business has poor cybersecurity precautions in place. SMS spoofing involves impersonating an entity to create a false identity and using it to obtain information.

What does a smishing campaign look like?

There are various ways that fraudsters seek personal information. They can obtain money by posing as collectors for philanthropic pursuits. These may include asking people to donate money to a foundation by replying to a number with a specific code. In other cases, they may create urgency by telling a person that they are guilty of a crime and that they need to respond to the text or call immediately. Sometimes, fraudsters may take extreme action and blackmail a person by saying that “they will release something embarrassing” from the person’s past. Such threats are meant to play with the human psyche and distort the truth by providing false information. However, it is in a person’s best interest to deal with such threats by thinking with a clear head.

Messages sent by experienced scammers are very hard to identify as fraud. Such smishing attempts may ask the user to provide personal information such as credit card numbers, passwords, and other information. A scammer can use this information to take over the victim’s bank account, steal their identity, and use it for illegal purposes.

Such scams are prevalent because they are very tough to detect. Various SMS spoofing websites send out text messages pretending to be the victim’s bank or any other genuine entity.

How to avoid becoming a victim?

Scammers and fraudsters have created various ways to phish. By exercising caution, one can avoid becoming a victim of such attacks. Here are some tips:

  • Do not provide personal information, especially passwords or PINs, through a text.
  • Do not open links through text messages and SMS.
  • Avoid calling a suspicious number back. Do not call back even to tell the scammer to stop sending you texts.
  • Avoid giving away your phone number to organizations or people who are unknown to you.
  • Do not install apps that come from text messages. Instead, install apps from the app store.
  • Check the authenticity of the shortcode from the US short code directory, which provides a list of shortcodes corresponding to different legitimate businesses and organizations.
  • Use a trusted mobile security app.
  • Report threats to the relevant authorities.
  • You can also prevent receiving messages sent via the internet by enabling the “block text from internet” feature.
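
The tips above can be turned into a simple triage check for incoming messages. The following is an added example, not part of the original article: the shortcode table stands in for a lookup in the US short code directory, and the sender numbers, the `example.test` URL, the patterns and the sample messages are all constructed for illustration.

```python
import re

# Constructed stand-in for a US short code directory lookup (hypothetical entry).
KNOWN_SHORTCODES = {"123456": "Example Bank"}

# Content indicators taken from the tips above; the patterns are illustrative.
CHECKS = [
    ("link", re.compile(r"https?://\S+|\bwww\.\S+", re.I)),
    ("asks-for-secret", re.compile(
        r"\b(password|pin|credit card|card number|social security)\b", re.I)),
    ("urgency", re.compile(
        r"\b(urgent|immediately|right away|suspended|final notice)\b", re.I)),
    ("callback-number", re.compile(
        r"\bcall\b[^.\n]{0,30}?\d{3}[-.\s]?\d{4}", re.I)),
    ("app-install", re.compile(
        r"\.apk\b|\b(?:install|download)\b[^.\n]{0,30}\bapp\b", re.I)),
]


def triage(sender: str, body: str) -> list[str]:
    """Return the indicators a message trips, in a fixed order."""
    findings = []
    # Only short all-digit senders are treated as shortcodes.
    if sender.isdigit() and len(sender) <= 6 and sender not in KNOWN_SHORTCODES:
        findings.append("unlisted-shortcode")
    # Sender IDs can be spoofed, so a listed shortcode never skips content checks.
    findings += [name for name, rx in CHECKS if rx.search(body)]
    return findings


# Constructed sample messages: (sender, body).
SAMPLES = [
    ("123456", "Example Bank: your statement is ready in the app."),
    ("654321", "URGENT: your account is suspended. Verify your PIN at "
               "http://example.test/verify immediately"),
    ("123456", "Example Bank: reply with your password to keep your account."),
    ("+15555550100", "You are guilty of a crime. Call 555-0100 right away."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body) or "no indicators")
```

The third sample comes from a listed shortcode and is still flagged, because a familiar sender does not make a request for a password legitimate.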


In the digital world, it is easy to become a victim of phishing. Always be wary of unknown callers and messages. Use common sense and take the necessary precautions to avoid becoming a victim of such attacks.