
- Government entities like the IRS or HUD never use SMS text messages for communications. All official and legitimate communications always come through the United States Postal Service.
- Any SMS text message that asks you to reply to a form or asks for sensitive information is probably fake. Why would a trusted person or company ask you for your full name, address, or any other personally identifiable information, in bulk, through a text message? This is the setup for a scam.
- If your skepticism is met with any hostility, it is probably SMiShing. Commonly, threat actors will reply with “Why don’t you trust me?” or “Your friends have had success with me, why would you pass this up?” Real companies and friends do not follow this pattern of behavior.
- Real businesses that use SMS text messaging for actual business typically ask for replies in simple terms, such as replying “Y” to confirm your doctor’s appointment or “STOP” to terminate the text messages. SMiShing will typically use longer replies to conduct the attack, but be mindful: an attack may use the word “STOP” in the first message just to validate that someone is actually on the other side of the phone and willing to answer.
- If the SMS message has links that you do not recognize or solicits the installation of new applications, do not click on the link, especially on Android mobile devices. This is a way to potentially install malware or exploit a vulnerability and compromise the device.