How to Identify and Protect Yourself From Smishing Attacks

Share to Facebook
Share to LinkedIn
Share to Twitter
Share to Email
Share to Pinterest
Share to Email

Smishing is emerging as one of the most effective and widespread forms of phishing in 2022 – partly because most people don’t know what it is. In fact, only 30% of online users in an international survey were able to correctly identify smishing.

What’s smishing?

Phishing is an umbrella term for when a sneaky actor attempts to obtain sensitive information through a fraudulent email or alternate form of communication. Thus, smishing is when a hacker sends you an SMS text message urging you to click a link, call a number, or give out your personal information. Smishing is becoming more prevalent as more people use – and respond to – texts for day-to-day needs.

Here’s an example of a scam text:

Sarah, your Apple ID account has been locked due to unauthorized login attempts. Please login and verify your information at

The end goal is to steal your personal information, such as your Social Security number, driver’s license number, or credit card information. Sometimes, the link you click may contain malware (malicious software) that will infiltrate your device, or it may send you to a phishing website that is masquerading as a site you use regularly. The website will then attempt to obtain as much personal information as it can from you.

How do you tell the difference between smishing and regular alerts?

It can be tricky to know if your text is a smishing attempt or a valid notification. Typical examples of smishing attacks can include account issue notifications, multifactor authentication (MFA) code texts, order confirmation or package tracking texts, or bank-related alerts.

If you normally receive SMS alerts from your bank, you may not think it strange if you suddenly get an alert about suspicious activity. The message will likely instruct you to click a link to confirm your identity and address the issue. It’s tempting to just go directly to the link. But instead of using the link, you can go to your bank’s app or website to reply. Once you know what you’re looking for, avoiding smishing attacks gets much easier.

Here’s what to do if you’re unsure.

  1. Avoid using links sent via text message.Make this a general rule you follow for smart data protection. Even if you don’t input any information, you don’t want to accidentally invite malware onto your device.
  2. Don’t share your personal information over text. Hackers have gotten good at creating a sense of urgency in their messages, but avoid sharing any sensitive information over the phone or email. Remember that legitimate institutions, including your bank, won’t ask you for your account password, authentication code, or other private information.
  3. Go directly to the source. If you get a message about suspicious activity or identity confirmation, confirm the authenticity. Call your bank, use the mobile app, or open a new browser tab and log in securely to your account on the web.
  4. Use multifactor authentication. This one is key if a hacker does manage to obtain your login information. MFA requires at least two types of identity authentication. Even if the hacker knows your login information, they won’t be able to get past the second barrier, and your information will remain protected until you can update your username and password.
  5. Don’t respond. Don’t take the bait. Trust your gut – if something seems fishy, follow the above four steps. Smishing is a crime, so along with ignoring the message, you can also report it to the Federal Trade Commission (FTC) to help combat more data attacks.

What can you do if you fall victim to a scam?

Unfortunately, scams can be very convincing. If you’ve accidentally clicked a fake link, provided personal information, or been scammed in any way, you’ll want to take immediate action.

Report the scam.

Make sure you report the crime to the FTC. You may also file an identity theft report. The FTC will provide advice on what you should do next. You’ll also want to report the scam to one of the three credit bureaus and place a free one-year fraud alert: Experian, Equifax, and Transunion. That company will notify the other two. You’ll be able to have your identity verified before a business issues new credit in your name. You can renew the alert after one year.

Secure your information.

Make sure to update your login information to any compromised accounts, as well as install MFA if you haven’t already. If your finances have been compromised, contact your bank to report the scam. Call any companies where you found that fraud occurred. You’ll be able to dispute any transactions or close compromised accounts.

Safeguard your devices.

You can check your credit reports every week for free through December 2023 at to look out for any suspicious activity. If you’ve clicked a suspicious link, you will want to update your security software. Call your provider for next steps.

Stay Vigilant

Follow these five steps, and you’ll be well equipped to deal with any future smishing attacks headed your way. For more information and tips on how to protect yourself online, visit the Axos Bank Security Center.

How to Identify and Protect Yourself From Smishing Attacks

This blog post was published by Axos Bank on February 1, 2023, and last updated on February 1, 2023.

Get Axos Digest
Sign up to receive insightful content every two weeks.