Cyber criminals are looking to steal your money and personal data by launching SMS text messaging smishing attacks.
Smishing, like email phishing, is a form of social engineering – where criminals prey on your emotions (using words like ‘warning!’, ‘act now!’ or ‘good news!’) - to get you to act in a way that suits their scam.
Social engineering is a manipulation technique that exploits human error to gain private information, access to a device or valuables.
The fraudulent smishing text message is sent to someone’s mobile phone, asking them to call a phone number or click on a web link, with the aim of persuading them to share their personal /financial details or make a false payment. The current COVID-19 vaccination programme has provided the perfect lure for cyber criminals to undertake such activity as detailed in the example below.
COVID-19 vaccination scam
Police in NI are aware of a new smishing text that is circulating telling people that they are ‘eligible’ for the COVID-19 vaccination. The message reads "We have identified that you are eligible to apply for your vaccine" and links to a convincing, but fake, NHS page which then asks for bank details.
If you receive a text or email that asks you to click on a link or for you to provide information, such as your name, credit card or bank details, it's likely to be a scam. Scams can come in many forms and this one is just the latest attempt by fraudsters to exploit the pandemic for financial gain.
Keep yourself and your mobile safe with S.M.S.
Secure yourself and your mobile phone with our five practical steps
- Be wary of clicking on unknown or suspicious links
- Ask yourself if the offer seems too good to be true
- Don’t respond to unknown or suspicious mobile numbers
- Banks and reputable institutions won’t request personal info by text. If in doubt, call them and check
- Don’t forget: S.M.S.
- Secure your devices
- Maintain vigilance for smishing attacks
- Send suspicious texts to 7726
Keep your mobile phone secure
Taking time to safeguard the security of your mobile phone will help protect the private data stored and transmitted on it. It's important that you regularly review your devices data privacy and security settings.
Our Guide to Mobile Device Security is a PDF document that includes:
- Details of threats that could harm your device (like malware and ransomware)
- Eight ways to secure your mobile device
- Contact details for reporting cyber crime
Our Mobile Device Hub includes step by step advice on:
- Setting secure passwords
- How to save passwords in a browser
- Upgrading apps and software
How to back up your data
How to spot a smishing attempt
Sending out smishing text messages to millions of numbers takes little effort and can reap huge rewards – but unfortunately, many unsuspecting people are being tricked into parting with their personal and financial details.
Spotting smishing is becoming increasingly difficult, however, there are common tactics that cyber criminals use - look out for them:
- Authority The message may state that it is from a reputable source, such as HMRC, your local health trust, or your bank
- Urgency The message will state that you have a limited time to respond, you will lose out in some way, or have to pay a fine.
- Emotion The message may make you panic, fearful, hopeful or curious. Criminals often use threatening language, and these messages are worded in such a way to make you take action.
- Scarcity The message might offer something in short supply, like a new games console in the run-up to Christmas, concert tickets, money or a cure for medical conditions. These messages are deliberately worded to create a fear of missing out.
- Current events The message might try and exploit new and current events such as messages that appear to be from the NHS or your local health trust relating to COVID-19. Criminals often exploit current news stories, big events or specific times of year (like the end of the tax year) to make their scam seem more relevant to you.
- Grammar/spelling If you read a smishing text carefully you might notice spelling mistakes or poor grammar - these are tell-tale signs of a scam message.
What to do if you receive a SMS text message that raises your suspicion
It’s best not to respond immediately to SMS text messages received out of the blue and from unknown sources.
- Always check who that the text message or phone call is from a legitimate source. Cyber criminals can spoof (imitate) caller ID names on phone calls as well as on text messages.
- Never click on any links within text messages. Even if you were expecting a text message from a legitimate source, do not enter any personal details into a website if you did click a link within a text message. Always go to the company or bank’s website address that you know to be correct.
- Don’t send replies to suspicious text messages. This gives a cyber criminal a signal that you use this number, and you might be charged a fee just for replying.
- Never give out any personal information unless you made the call yourself to a phone number you have verified as correct.
- Never download any software if advised to in a text message.
- Always keep your software and operating systems up to date by enabling automatic updates.
- Install trusted anti-virus and firewall software for your devices, and keep these up to date.
- If you receive a text message advising you of a prize, ask yourself if you actually entered a competition. If it sounds too good to be true, it probably is.
- Regularly check your bank statements for any unusual transactions.
How to report a suspicious text
Suspicious text messages should be forwarded to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action if it is found to be malicious.
What to do if you’ve already responded to a text
If you've already responded to a suspicious message, don’t panic. These steps may help limit any damage or losses:
- If you’ve been tricked into providing your banking details, contact your bank and let them know.
- If you think an online account has been hacked, change your password immediately. Contact the website to let them know.
- If you received the message on a work laptop or phone, contact your IT department and let them know.
- If you opened a link on your computer, or followed instructions to install software, open your anti-virus software, make sure it is updated, and run a full scan.
- If you've given out your password, you should change the passwords on any of your accounts which use the same password.
If you have been scammed
If you have been a victim of smishing you can report it on the Action Fraud website or contact the PSNI on 101. By doing this, you'll be helping the battle against criminal activity, and in the process, prevent others from becoming victims of cyber crime.
If you or someone else is in immediate danger or risk of harm always dial 999.