Smishing: This is how you protect yourself from the phishing scam via SMS

Cybercriminals want to lure you into a trap with SMS messages like “Your package will be returned to sender today” or “Last chance to pick up your package.” These so-called smishing messages contain dangerous links, but they can also be recognized quite easily. I have summarized the most important tips for you.

It’s the year 2021: Everyone has a mobile phone and everyone orders packages in bulk on the Internet! So it is only logical that cybercriminals jump on the bandwagon and exploit this situation to carry out attacks. In Germany, the Federal Office for Information Security warns of a new wave of SMS fraud.


Phishing checklist

The most important phishing warning signs at a glance
✘ Incorrect grammar/spelling
✘ Request for personal information
✘ Responding to something you didn’t do (No package ordered → Package notification)
✘ Check links or senders

“Smishing” is a portmanteau of “SMS” and “phishing”. It describes short messages that contain dangerous links and usually push you in some way to visit the phishing sites. In spring 2021, the new variants may read as follows:

  • Your package will be returned to the sender today. last chance to pick it up
  • Hello [Name], The courier took the package. tracks: [Link]
  • [Number] You have an unresolved problem with your package: [Link]

Phishing SMS messages don’t always have to be about packages. During my internship I reported a lot about phishing and learned some tips and tricks that I would love to share with you later. In addition to smishing, phishing emails in particular are an often underestimated danger.

How do I distinguish smishing and phishing from real messages?

Be mindful of spelling and grammar

In most cases, phishing or smishing messages can be identified by their grammar and spelling. Companies like Amazon, DHL or your Sparkasse are unlikely to make mistakes in their messages. Incorrect capitalization like in the first example above is also a good clue.

Banks never ask for data entry

Also, almost all banks, including direct banks like N26 or the DKB, point out that they will never ask you to enter personal information via email or SMS. Instead, they would prefer to ask you to log into your online banking account through the browser or check a message in your online mailbox.

It is especially important to pay attention to the address bar of the browser

Does an SMS from your bank contain a link and does the message seem trustworthy? You can then long press the link on your smartphone and copy it. Now insert it into a document or briefly into a message window and see if the link text actually leads to the page it promises you.

Most of the links are cryptic or lead to completely different sites. In these cases, you can be 100 percent sure that the email or SMS is trying to trick you.
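The manual link check described above can also be automated. The following Python sketch is an added example, not part of the original article; the allowlist of official domains, the function names and the sample message are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: an allowlist of the domains you already know to be official.
OFFICIAL_DOMAINS = {"dhl": ["dhl.de", "dhl.com"]}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message, modelled on the wording quoted in this article.
SAMPLE_SMS = ("Your package will be returned to the sender today. "
              "last chance to pick it up: http://dhl.de.parcel-track.example/p?id=1.")

def belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_link(url, claimed_sender):
    """Return the reasons why a link does not fit the sender it claims."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike characters)")
    official = OFFICIAL_DOMAINS.get(claimed_sender.lower(), [])
    if not any(belongs_to(host, d) for d in official):
        reasons.append(f"{host} is not an official {claimed_sender} domain")
    return reasons

def check_sms(text, claimed_sender):
    """Map every link found in the message to its list of warning reasons."""
    links = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    return {u: check_link(u, claimed_sender) for u in links}

if __name__ == "__main__":
    for link, reasons in check_sms(SAMPLE_SMS, "DHL").items():
        print(link, "->", reasons or "matches an official domain")
```

The comparison is made on the end of the host name, so a link that merely starts with the brand's domain is still reported as not belonging to it.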

For emails: check the sender

While with smishing it’s not as easy to see if the number really belongs to your bank or a trusted provider, this is different with email phishing. Find the detailed sender information in your email app and take a closer look at the email address.

Is smishing dangerous, and can the message be deleted? What to do with received messages

Unlike viruses, Trojans, or malware, the mere receipt of a smishing message is initially harmless. Basically you can ignore the message and nothing else will happen. However, I recommend that you delete the messages, because you no longer need them.

Of course, you can take a screenshot of the fake message beforehand and contact your banking advisor or the support of the service that was used as a decoy. This way you help to investigate and act against cybercriminals. On the Internet, the customer service center is also a good contact point for phishing and fake messages.

Still not sure if there is a problem with your bank account? Then go to the online banking page through your browser or contact your bank advisor. This way you will be informed about possible problems.

Did you click on a link and enter data?

Did you discover this text about smishing too late and have already clicked on a link or even entered your data on a website? In the case of bank phishing, immediately contact your banking advisor and inform them about it. As a precautionary measure, your bank or credit card will likely be blocked and you will usually receive a new card that includes a new PIN free of charge.

If you entered your email address or postal address instead, it’s a lot less dangerous, but a lot more annoying, because selling “real” email addresses or postal addresses to advertising companies is a good source of income on the Internet. You will probably receive more phishing and spam emails after entering your details.

If the affected service offers it, you will also need to activate two-factor authentication. This protects your account even if an attacker was able to guess the password. Basically, it is advisable to activate “2FA” in each service that offers it.

Finally, the Federal Office for Information Security advises filing criminal charges. Resetting your smartphone to factory settings may also be a helpful step; you can find detailed instructions via the link. If malware landed on your cell phone when you clicked on the link, it will be removed by the reset.

Share your smishing and phishing messages with the community

If you have memorized all the tips in this article, you should be able to recognize most smishing and phishing attacks. If you’re unsure or have seen a particularly sneaky fraud attempt, post it on our forum. I created a new thread for this:

You can of course also post questions or your experiences on the topic in the comments. If you have any other tips and tricks for this article, I’d love to include them! Last but not least: stay skeptical and above all safe!