Six Ways to Protect Yourself From SMS phishing

You suddenly get a message that your Netflix subscription payment didn’t go through.

You click the link and enter your credit card details again. Good news! Now your subscription is active again.

Wrong. Netflix doesn’t ask for your phone number and it can’t send SMS texts. You just fell into a scammer’s smishing trap.

Smishing, or SMS phishing, has increased dramatically since the beginning of the COVID-19 pandemic. Scammers have completely hijacked COVID-related woes, leaving the classic PayPal, Netflix, and banking smishing behind.

Could you be among the 4,200 people who received phishing emails last year?

Read on to find out how you can protect yourself from smishing. PS: read until the end to learn more about key scam indicators.

The Rundown on SMS Phishing

Standard email phishing is a social engineering attack where cybercriminals impersonate companies or people you trust. They plan to trick you into revealing personal information like your passwords, credit card information, social security number, or other valuable information.

Smishing scams operate on the same idea, but with shorter texts. This makes it more difficult to realize you’re dealing with a scammer, because they leave little room for error.

You’re also more likely to trust SMS messages. Even if you frequently see random people sliding into your DMs on social media, you don’t give your phone to just anyone.

That’s why smishing tends to be more efficient. You don’t really expect scams on SMS texts.

Scammers pose as legitimate companies like PayPal, UPS, or major financial institutions. That way, they don’t raise suspicions since you’ve probably entered your phone number in your relevant account details. Cybercriminals get your attention using an alarmist tone. Something like “your account has been hacked” or “your latest payment didn’t go through”.

The SMS will also include a link for you to take immediate action. Once you click the link, you’ll see a dummy page. Cybercriminals record everything you enter on this page, like login details and financial information.

Once the smisher has access to your information, they can do a lot of damage, from stealing your money to outright stealing your identity.

COVID-19 Smishing

Smishing thrived during the COVID-19 pandemic. Scammers mimicked legitimate aid programs designed by government, healthcare, and financial organizations.

These scams aren’t different from your typical smishing attacks, except that they all feature the pandemic as the alarmist message.

Staffordshire Police warns against a fake COVID vaccine booking scam that asks people to pay for immunization.  

Authorities noticed 4 main schemes:

  1. Contact tracing
  2. Tax-based financial relief
  3. Cures, vaccines, and other protective measures
  4. Requests to complete the population census

Let’s have a look at what each scheme entails.

1. Fake Contact Tracing

Contact tracing was a new concept for most of us before the pandemic hit.

Now, we’re used to getting a notification that we’ve met someone who has tested positive for COVID-19. You could also get further instructions, like going into quarantine or monitoring your symptoms.

A fake contact tracer, though, will ask you for personal details like your social security number, credit card details, bank statement, or immigration status.

A fake contact tracing message with a phishing linkSource: BBC – Coronavirus app scam warning ahead of national roll-out  

Since scammers are impersonating health care professionals, you might feel inclined to do your part and fill in your personal details.

Remember that this information isn’t relevant to the current health crisis. Call your doctor if you’re unsure where you can check or report your symptoms.

2. Fake Stimulus Checks

Lockdown affected many businesses, and many people sadly lost their jobs. In turn, many governments provided some form of financial relief.

Scammers got wind of the popularity of relief payments. It wasn’t long before counterfeit stimuli became the next lucrative business.

In June 2020, the Federal Trade Commission (FTC) started issuing warnings on these counterfeits after authorities discovered that the owner of a nationwide automotive marketing and sales firm was sending emails with fake stimulus checks. This person tried to persuade people to buy used cars under the pretense that they would receive a check worth $3,334.

Fake stimulus document provided as evidence by a US District Court in the Eastern District of LouisianaSource: US District Court, Eastern District of Louisiana  

After the news made headlines, scammers tried recreating fake stimulus checks through SMS. Basically, you’d get a text message from someone claiming to be from the government. You’d just have to click on the link, enter your banking details, and you’d get your relief funds.

Fake stimulus offer sent through SMS messageSource: Australia’s Scam Watch  

By now, law enforcement estimates that American citizens lost more than $97 million to stimulus check scams.

3. Phony Cures

With the start of the pandemic, scammers posed as healthcare workers and government officials. That way, they could promote fake cures and bogus information for a sum.

Scammers targeted high-risk people and communities, claiming to have some “inside source” to help with COVID-related woes. Such scams not only undermined medical professionals’ authority but also promoted fake and borderline dangerous information while making a lot of money for the perpetrators.

For example, scammers sold a cocktail of amphetamines, cocaine, and nicotine on the dark web for US$300 as a COVID vaccine long before Pfizer BioNTech released theirs. This is a recipe for cardiac arrest.

Other scammers sold methylene chloride as a potent disinfectant not yet released to the public. Methylene chloride is in fact a paint stripper and causes lung scarring without proper protection.

In May 2021, US authorities seized over 30,000 ‘Virus Shut Out’ pendants worth over half a million dollars. The necklaces, laced with chlorine dioxide, can cause breathing problems.

Scammers can’t advertise these fake cures publicly, because they’d be shut down within hours. They instead rely on contacting potential buyers individually by SMS.

Scammers selling COVID vaccines through text messagesSource: Trend Micro  

These unregulated vaccines can be very detrimental to your health.

As with any medicine, always consult your doctor, and purchase from a pharmacy or a reputable vendor.

4. Fake Census Surveys

Some countries, like the UK, often legally mandate filling out census questionnaires. If you missed the memo, you’d find a census field officer at your door.

SMS messages that ask you to fill out the census questionnaire are suspicious. These questionnaires can include personal information, like religious or sexual orientation, so no one will ever send them through unsecured channels.

If you receive an SMS message that a field officer will pay you a visit, be on the lookout for anything suspicious.

Remember that a government-sanctioned field officer will only ask for your name and phone number and never for your credit card details or bank statements. You also won’t find any field officers asking for your passport or payslip.

Call your local authorities and notify them immediately if anyone asks for money or personal documentation.

Action Fraud warns against scam texts that threaten fines for not completing the Census.  

That’s why you should always verify the SMS’s source, especially when it’s related to COVID-19. Scammers, spammers, and fake news accounts have pretty much hijacked searches, social media posts, email, and SMS messages.

Protect Yourself from Smishing

Smishing scams threaten your private data.

You need to be proactive and protect yourself from these attacks. Check out these 6 ways to protect yourself against SMS phishing.

1. Don’t Click on the Link Included in the SMS

Scammers try to get you to click on the phishing links by any means. They use alarmist language and tone to get you to take immediate action without thinking it through. They write things like “your account has been hacked”, “your latest payment was declined”, or “your account has been suspended”.

Lisa_BooTea comments on a PayPal scam SMS screenshot.  

It’s harder to recognize a scammy link, because you can’t hover over it in an SMS text.

Even if you’re tempted to, don’t click on the link. You can check the link by manually inputting it into an online URL checker, like or Then, if it’s legit, freak out!

2. Don’t Call or Text Back the Number

Scammers generally try texting random numbers, but they rarely can guarantee that their text reaches someone relevant. You might feel tempted to check if the sender is real or fake by calling the number, but that’s the worst thing you could do. That’ll only assure the scammers that your number is in use. By calling them back, you’re allowing them to shower you with more texts and maybe even calls.

That’s why it’s best not to call or text the number back.

3. Don’t Give Your Information to Unknown and Unverified Numbers

SMS phishing attacks can urge you to send your details back through SMS. That’s just as secure as flaunting your wallet in a large crowd.

The sender could pose as your bank asking you to update your private information. That’s when you should be suspicious because it’s illegal for banks to ask for your personal details through SMS or phone calls. Reputable companies, including your bank or payment processor, will never discuss sensitive information over an unsecured channel. They’re more likely to ask you to visit them.

You also might receive an SMS about your social media accounts or other online services. Still, it’s more convenient for these channels to use their secure proprietary apps to notify you if something’s wrong with your account.

That’s why you shouldn’t send your details to unknown or unverified numbers.

4. Check the Authenticity of the Message You Received

If you get an SMS whose sender claims to be your bank or PayPal, it might be worth playing detective. You should investigate if:

          • The number belongs to the company.
          • The person contacting you is a company representative.
          • The problem mentioned in the message exists.

You could contact them using different means like checking the company’s official website for contact links or phone numbers. You could then call that number and verify if the SMS contents are correct.

You can also get in touch through social media channels to verify the text message’s authenticity. Still, giving out personal information through social media is never a good idea.

5. Consider Blocking the Number That Texted You

Let’s say that you’re pretty much convinced that the weird SMS you got is a smishing attempt. You’d better block that number to make sure you never interact with it, even by mistake.

Most phone manufacturers, like Apple, Samsung, and LG, give you the option to manually add a phone number to a ‘blocked’ list. You can contact your phone carrier and a representative will help you block any annoying callers. That’s the best solution if fraudsters are also targeting your business or family members.

If you change phone numbers frequently, you’re better off asking your phone carrier to block numbers for you. Otherwise you’ll have to manually do it yourself every time.

6. Delete All Suspicious Texts

You might never delete or clean old text messages from your phone. That’s fine under normal circumstances, but if you have a smishing text in your inbox, it could be a ticking time bomb.

You risk accidentally opening fishy links in the message, or you could call the number by mistake. That would convince fraudsters to target you with more smishing texts.

Even if you plan to report a smishing campaign, you can take screenshots instead of keeping the messages on your phone.

Stay Vigilant

According to the University of Maryland, about 2,244 malicious attacks happen daily. You’re justified in protecting your digital identity and private information.

Check out our top 10 online safety tips.

When it comes to SMS, always remember these 5 scam indicators:

  1. They contain grammatical mistakes and a lot of typos
  2. They mention offers that seem too good to be true
  3. They use an alarmist tone
  4. They include inconsistent email addresses, URLs, and domain names
  5. They urge you to confirm personal information or send money through SMS

By remaining vigilant, you can avoid falling victim to SMS phishing scams.

If you suspect you’re dealing with a scam, contact your local authorities.


UK – Action Fraud:

Australia – Scamwatch:

European Union – Europol:


Can replying to a text message expose me to scams?

Yes. You’re signaling to the scammers that your phone number is in use. What’s worse, you’re also allowing them to send you back fishy links, attach malware, or trick you to click on IP trackers. If you replied by mistake, consider blocking the number.

What can I do about SMS scams?

You should never click any links or open any attachments. Don’t call the number or forward the message to anyone else.

The best thing to do is to report them to your local authorities. If you engage with the scammers by mistake, make sure to notify the relevant party that you’ve been a victim of an SMS phishing attack.

You then can take steps to improve your online security, especially on your iPhone and Android devices.

Can opening a text message infect my phone with a virus?

Yes. Cybercriminals use SMS to spread different malware types, like viruses and ransomware. That’s why it’s important not to click on any suspicious links or download any shady attachments. To protect your devices from malware, contact our 24/7 customer support team to set up CyberGhost VPN’s antivirus.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*