Skip to Content

    Recognizing, Resisting, and Reporting “Smishing”

    6/11/2025
    3 min 47 sec
    Text message scams, called “smishing,” can be tricky to spot, and they’re happening more and more often. So how can you protect yourself?

    You’re in a rush, you grab your phone, and there it is—a text message from a familiar company, like your financial institution, asking you to provide personal info or to click on a link. Maybe it even looks like a fraud alert or a message asking you to confirm a charge. But something is off. You didn’t contact the company, and it seems strange that they would contact you out of the blue. You have received a “smishing” scam.

    “Smishing,” a combination of “SMS” and “Phishing,” describes a phishing scam delivered by text message, or through popular apps like WhatsApp or Facebook Messenger. The fraudsters pose as a company you may do business with to trick you into sharing sensitive details like usernames, passwords, or banking or credit card information. Details can also include things like your social security number, your birth date, or other ID numbers. Sometimes the text message asks for the information directly, and other times it asks you to click on a link, often to “verify” your information. Once you’ve provided the information, you’ve opened the door for the fraudsters.

    What do Smishing scams looks like?

    Scammers are getting better at appearing legitimate, but many common scams look like one of these situations:

    Scenario 1: Phishing Text

    1. You get a text or phone call reporting fraud on your account, or referencing other high-stakes scenarios that make a situation seem urgent.
    2. The fraudster asks for your username, password, one-time codes, PIN, account details or even recent transactions on your account. Their goal is to make you act before you think by putting pressure on you.
    3. The fraudster may suggest that sharing this information will help remediate the situation quickly to pressure you into providing it. They are really using it to access your account and steal your hard-earned money.

    How to protect yourself

    Never give out your username, password, codes or account information to anyone who contacts you—even if they are from a trusted entity, like Credit Human. Instead, reach out to the company directly using a known number or secured channel, such as digital banking. Don’t call them back on the number they provided. Instead, go to the company’s website or business listing to locate a safe number.

    Please note that Credit Human will never ask you for your personal login credentials. Sharing this information—even with one of our trusted employees—undermines the security measures we’ve put in place to protect you from fraud.

    Scenario 2: Phishing Website Links

    1. The text message contains a link to click on. It is not a link to the company’s real website, but instead to a “Phishing Website,” a duplicate that exists only to trick you into putting in your credentials as if you were logging into your account.
    2. It looks like (or enough like) the website you’re used to seeing, so you attempt to log in.
    3. Your username and password are shared with the fraudsters, and they can now access your account.

    How to protect yourself from phishing links

    Don’t click on log in links sent to you via text message. Instead, log in using your normal method, either by visiting the site directly or using your usual trusted mobile app.

    Enable multi-factor authentication (MFA) on your account. If you have MFA enabled on your account and a site doesn’t prompt you to authenticate, that’s a red flag indicating the site may not be legit.

    Check the URL and login page. Do they look right? If they are suspicious, like a URL that is misspelled or different than your normal login page, close the window and get there a different way.

    Scenario 3: Malware Links

    While a Smishing message often links to a false website, some links contain malicious apps and code that download to your device, whether a computer, tablet, or smartphone. Sometimes this occurs even without your knowledge. These apps and code are designed to collect sensitive information from your device.

    How to protect yourself from Malware Links

    Whenever a link is provided via an unexpected text or email, it’s best not to click on it. If you do, and realize it may be phishing or malware, close the window or tab, close your browser, and run malware software on your device. Do not download apps from links provided in text messages or emails unless you first initiated the request.

    Conclusion

    Smishing can lead to identity theft and financial loss, so it is essential that you recognize, resist, and report suspicious messages to your bank or any other entities being impersonated by scammers. Credit Human advises our members to keep aware of the following red flags:

    • Messages from suspicious or unknown numbers
    • Unusual message formatting
    • Pressure or a heightened sense of urgency
    • Requests for money
    • Reward notifications
    • Any message where someone contacts you and asks for sensitive information

    We always recommend keeping your device’s operating system updated to benefit from the latest security features. Additionally, use your messaging app’s “report junk” option to alert your wireless carrier. If you fall victim to fraud, contact your bank and other affected service providers immediately—we can often assist with identity theft and fraud resolution services.