Date: 2020-01-28

Smishing. Because we still need a cute buzzword that tells us all how screwed we are. Smishing is a portmanteau of SMS and phishing. Phishing itself is a homophone of fishing, so smishing is a neologism based on a portmanteau, which is itself based on a homophone. What? Too nasty? Sometimes I can’t help myself. English is cool.

But this article should not be about language hacks. Instead, it’s about how you should think about texts coming into your phone and how you can protect yourself.

In the context of this discussion, consider incoming texts as falling into three categories. The first category consists of texts from people you are actively talking to, with message content so deeply relevant to your life that you know those messages must be from the actual people you normally talk to.

This is not the traditional family member who is abroad. This is your wife, who you know is on the way home, asking if you want ice cream. This is your buddy, with whom you have been working on a car, asking you to run to the store for a spare part. In other words, truly, indisputably relevant texts from people with whom you are in active contact.

At the other end of the spectrum there are messages that are clearly spam. These are the junk texts you get that are so ridiculous and so far from anything that you consider valid, that they are just annoyances.

But then there is the middle. These are usually texts of companies and services for which you have registered over time. Sometimes these are texts that are not necessarily from people you know, but from entities with which you do communicate.

For example, a minute ago an Instacart shopper sent me a text message about what type of papaya I wanted as part of a shopping run. Since I just ordered papaya and I am waiting for a full shopping order to be delivered, I know this is a valid message – even though the phone number is not in my contact list.

Another example would be a message that I recently received from an international shipper. I didn’t know the shipper’s company, but when they said my package from a specific Chinese 3D printer manufacturer would be delayed one day from Tuesday to Wednesday, that was credible, because I was in fact expecting a review printer from a Chinese vendor on Tuesday.

But sometimes you get a message like this:

This is supposedly a text from FedEx. I received this last week, and apparently it is being sent to phones everywhere. I get a lot of packages from FedEx, and if it hadn’t been full of red flags, I might have paid attention.

But it had several oddities. It is the existence of these oddities that I want you to pay attention to when you receive an incoming text message.

RULE 1: Do not respond to SMS calls to action

First, and the biggest warning flag, is that it had a call to action. It suggested that you click on a link. Others ask you to call or text a number. Some just want you to answer. It does not matter what the actual action is. When you see a call-to-action in a text, immediately start considering that it may be fraudulent.

This is not a black and white situation. At the moment I am writing this, my Instacart shopper is on the way with my grocery delivery and Instacart has sent me another text message. It gave me a link to the app and another link to the website so that I can check the driver’s status on the road.

Although I know (or at least am quite sure) that the text from Instacart is valid, I will not click on a link. In practice, I never click on links in text messages. Most services (FedEx or Instacart or Uber) allow web-based tracking, so if I want to know the status of my order, I log in to my account on the web and view it there. That is because I also do not know whether the gig worker’s own phone has been compromised.

RULE 2: Pay attention to anything that is out of character

The fraudulent FedEx smishing attempt I showed you above starts with “Hello friend.” Although I have a number of Australian business colleagues who greet me in exactly the same way, it is very unlikely that official communication from an American company to an American customer would begin with “Hello friend.”

It is out of character. Many phishing and smishing attempts can be spotted through this kind of out-of-character wording or even flagrant grammatical errors. When you see something that is even somewhat incorrect or somewhat inappropriate for the circumstances, be on your guard.

RULE 3: Pay attention to the details of the call to action

In my case, the call-to-action asks me to click on a URL that starts with d5ncr.info. That is almost certainly not a FedEx-related domain. Even if I were a current customer of, and received a message from, the 140-year-old NCR Corporation (formerly AT&T Global Information Solutions and before that National Cash Register), I would still not click on d5ncr.info.

I told you in Rule 1 not to respond to SMS calls to action. This rule is similar. This time, however, you spend a few extra minutes analyzing whether the message is sending out signals that it is probably fraudulent.

See, we all have pretty good bull#!t detectors, so use that feeling to protect yourself.
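The checks in Rules 1 to 3 can also be written down as a simple message filter. The following is an added example, not part of the original article; the domain allowlist, the greeting list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: an allowlist you maintain of domains each sender really uses.
KNOWN_DOMAINS = {"fedex": {"fedex.com"}}
# Assumption: greetings a business would not normally use with a customer.
ODD_GREETINGS = ("hello friend", "hi friend")
# Links with or without a scheme, since SMS links are often written bare.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# Rule 1 verbs: click a link, call or text a number, or just reply.
CTA_RE = re.compile(r"\b(click|tap|call|text|reply)\b", re.I)


def link_host(url):
    """Return the lower-cased hostname of a link, adding a scheme if missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host, domains):
    """True only for an exact domain match or a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(body, claimed_sender):
    """Apply Rules 1-3 to one message and return the flags raised."""
    flags = []
    hosts = [link_host(m.group(0)) for m in URL_RE.finditer(body)]
    if hosts or CTA_RE.search(body):
        flags.append("rule1:call-to-action")
    if any(g in body.lower() for g in ODD_GREETINGS):
        flags.append("rule2:out-of-character")
    allowed = KNOWN_DOMAINS.get(claimed_sender.lower(), set())
    for host in hosts:
        if not belongs_to(host, allowed):
            flags.append("rule3:off-brand-link:" + host)
    return flags


# Constructed sample messages (not the real texts); only the greeting, the
# tracking code and the d5ncr.info domain come from the article.
SAMPLES = [
    "Hello friend, your FedEx package GB-6412-GH83 is waiting: d5ncr.info/example",
    "FedEx: track your package at https://fedex.com.d5ncr.info/example",
    "FedEx: your package arrives Wednesday. https://www.fedex.com/",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms, "FedEx"), "<-", sms)
```

The third sample still raises the Rule 1 flag even though its link is on the allowlist, which matches the advice above: a link in a text is a reason to go to the site yourself, not to tap.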

RULE 4: Do your due diligence through legitimate channels

Although the message contains an out-of-character greeting and an unlikely URL, what if it is real? What if an important package that I actually expect is blocked because I did not respond to this message?

That is a legitimate question, especially since phishing and smishing are designed to prey on “what if” fears. What if the IRS notification is real and you don’t respond? What if the FBI really is investigating your neighbor and some sort of terrorist activity takes place because you chose not to help? What if your PC would be so much faster if you only installed this free utility?

This is the essence of social engineering. Fraudsters use tricks designed to get under your skin, provoke your fears or worries, and get you to drop your guard for a fraction of a second before your finger twitches and taps the screen.

Viktor Frankl, noted author of Man’s Search for Meaning, said: “There is a space between stimulus and response. In that space lies our power to choose our response. In our response lies our growth and our freedom.”

This is deep, so pay attention to it. In the case of fraudulent messages, the message is the stimulus. But you can breathe, create space and choose a different response. If you are really worried about whether GB-6412-GH83, for example, is not being delivered, go to the well-known FedEx site and search for it.

Even if you only have a phone, you can go directly to the company’s site without clicking on a link. Use your phone’s browser to visit the familiar, verifiable home page or call the well-known, verifiable 800 number of the company or agency you are concerned about.

It’s not difficult. In the screenshot above I have entered the tracking number. It was no surprise to me that it turned out to be fake:

If the trigger is an IRS complaint and you are rightly concerned about “what if”, it is fine to call or reach out to the IRS. Just do it through official channels and you are safe.

RULE 5: Blocking unwanted calls and texts

Although the effectiveness of these tricks varies based on provider and locale, here are two additional tricks that you can use to reduce annoyance. First, as I wrote last week, enable blocking of unknown senders on your phone to filter senders with numbers that are not in your contacts.

You can also use your provider’s anti-spam service. I use the free junk blocker from Verizon, and it sometimes helps.

Good luck!

This is an arms race in which the bad guys try to get into your head and make sure you don’t think clearly before you do something you regret. Don’t give in to it. Be diligent. Be thoughtful. And be careful.

