Every day, cybercriminals create new, deceptive methods of obtaining private financial information from unsuspecting individuals, and Smishing has become a common practice used by fraudsters. Smishing, a form of phishing using short message service (SMS) or text messaging, can be used by scammers to access your bank account, lead to identity theft, or even extortion.

Scammers use Smishing to prompt victims to click on internet links or send classified or personal information through text messaging. Cyberattackers attempt Smishing through text messages or other messaging apps via mobile devices, so it is imperative to take precautions to understand the types of methods used so you have the information necessary to protect yourself. 

Cybercriminals often use a tactic called spoofing, where they impersonate a known sender or transmit a message from a legitimate number. This means, even if you know the sender, it is still important to verify that the message is legitimate before responding, opening an attachment, or clicking on a link that could potentially compromise your device.

Attacks Are Getting More Sophisticated

Cybercriminals share stolen credentials and personal information more readily now and work in gangs, which ultimately amplifies the threat. This a big reason that Smishing is on the rise. Through social engineering of your publicly available information – often gleaned from social media – and private data they have procured through illicit means, scammers are able to craft text messages that are specifically targeted to lower your defenses. This means, communication may look like it’s being sent from a known person or number, possibly making reference to shared knowledge. With that tactic, fraudsters may apply a sense of urgency or other scare tactic that prompt you to react quickly instead of taking the time to be thorough about a request.

Additionally, artificial intelligence (AI) platforms, such as generative AI have made it easier for scammers to develop Smishing attempts that closely mirror human language and conversation. As more data and information is collected, the capabilities of generative AI tools quickly improve, making it simpler and more affordable for scammers to distribute cyberattacks to a large audience. That means additional layers of scrutiny are needed to protect potential victims.

“As Generative AI advances, users are not able to distinguish Smishing texts or phishing emails as easily anymore,” says Raina Kanakis, a security specialist with PNC’s Global Security Fusion Center. “There are fewer grammatical or spelling mistakes. Texts and emails are relatively more concise, whereas previous Smishing and phishing messages often didn’t make sense. Generative AI makes the messages much easier to create and much harder to identify.”

The bottom line is: Don’t assume legitimacy of a request by text without verifying first.

Simple Precautions Can Mitigate Risk

Vigilance is the key to combatting Smishing since especially as attacks are becoming more sophisticated and look like legitimate communications. A key to this vigilance is verifying sender. To do this, PNC has established a new short codes resource to enable customers to verify the legitimacy of text messages.

How does it work? Customers can navigate to the PNC Short Codes page and cross-reference it to help determine if the text message sent to them, claiming to be from PNC, originated from a short code we use for that purpose. Specific codes are used to send messages regarding payment alerts, card activity, loan inquiries, and more. By using this verification method, customers are better able to check validity of these communications and help detect and avoid possible impersonation fraud.

There are other best practices that can be employed, as well, that can help thwart attackers’ attempts to compromise your accounts, information or devices via text message.

  1. If you are not expecting the message, proceed with caution.
  2. Do not immediately respond to the message.
  3. Do not click on any links within the message. PNC will never include links in text messages.
  4. If the message appears to come from a familiar company, contact them on a different channel to confirm legitimacy.
  5. If you get a text and a subsequent phone call, this does not increase legitimacy. Hang up and call the company or financial institution directly using a known telephone number.
  6. Screenshot and send any suspicious messages appearing to come from PNC Bank to abuse@pnc.com.
  7. To report Smishing to all mobile telecom carriers, screenshot and send the message to 7726. For added protection, you can also use the “Report Junk” feature on your mobile carrier’s system.
  8. Familiarize yourself with PNC’s list of short codes.
  9. Visit the FCC website for more information on how to avoid Smishing scams.1

For more ways to combat Smishing, visit How to Spot and Avoid Phishing. If you are a victim of identity theft, it's important for you to report fraud immediately.