Don’t Click That Link! Smishing Scams and How to Avoid Them
In this episode of The Herbein Conversation’s Fraud Fighters series, Debbi Fetter, Partner and Managing Director, and Jeff Johns, Partner, take a deep dive into smishing, the phishing scam that hits your phone. Learn how to identify scam messages, verify sources, and educate your team before fraud strikes.
Debbi S. Fetter: Hello everyone and welcome to another episode of The Herbein Conversation podcast series where we dive into some of the most pressing issues in the modern workplace.
I'm Debbi Fetter, Partner and Managing Director of our firm's Risk Management practice and host of the Herbein Fraud Fighters podcast series, your go-to podcast for the latest in fraud and cybersecurity tips and trends.
Today, we're diving into the world of smishing scams. Joining me is our IT risk guru, and fellow Partner in our firm's Risk Management practice, Jeff Johns. Thanks for being here again, Jeff.
Jeff J. Johns: Thanks for having me again. I'm excited to share some insights on smishing and how our listeners can protect themselves.
Debbi S. Fetter: Then let's get started with the basics. What exactly is smishing?
Jeff J. Johns: Smishing is a type of phishing scam that uses what's called short message service, or SMS messaging, or more commonly known as text messaging, as a method to send a short message to someone’s phone using a cellular network in hopes of gaining some sort of information. Ultimately, it looks like it's coming from a legitimate source like a bank, delivery service or even a friend.
Debbi S. Fetter: So then smishing is a type of phishing scam, correct? Can you remind our audience what the term phishing means?
Jeff J. Johns: Yes, so smishing is a type of phishing attack. It's a cyber-attack that scammers use to trick an individual into revealing sensitive information or personal details. Often, making it look like it's a trustworthy entity in some sort of electronic communication - so emails, text messages, voice mails or even QR codes.
Debbi S. Fetter: Awesome. So, the term smishing is a blend of the words “short message service” and “phishing”. That's a creative term for a pretty sneaky fraud scam. How do these scams typically occur?
Jeff J. Johns: So smishing scams usually occur by sending text messages that create a sense of urgency or fear, as most of the phishing attempts do. So, for example, you might receive a text chain or a text message claiming there's suspicious activity on your bank account, or you need to verify your information immediately. The message might include a link or a phone number. If you click the link or call the number, you typically automatically get directed to a fake website to divulge some information, or you can be connected to the scammer via an SMS message to start a communication chain.
Debbi S. Fetter: That's an alarming technique. I know I'm usually looking at my text messages pretty quickly and not paying as much attention to them as I would an e-mail. It’s easier to click on a text link without thinking and starting to provide the information. With that, what are some of the most common smishing scams people should be aware of?
Jeff J. Johns: So one of the most prevalent ones that we've seen of late, especially in the last several months, is an EZ Pass toll scam or any other toll scam. I've seen them and I've actually personally gotten them from multiple states.
The scam is there basically, it's a text claiming that you have a toll invoice and if you don't pay and enter the payment information, your account's going to be suspended, or you're going to get late penalties, or higher fees associated with that scam. And at the end of the day, it is ultimately there to get you to enter some financial information at small dollar amounts. But again, those all multiply up.
Debbi S. Fetter: Well, that scam certainly hits home. I know I've received numerous texts from EZ Pass. And you'd be proud of me, I didn't click, and I simply deleted.
What should our audience members do if they receive one?
Jeff J. Johns: So, as with any phishing attempt, with the smishing one it involves being vigilant. You know, taking proactive steps no different than you would in a regular phishing attempt. Don't click on the link that's typically included, or if there is one included within the text message or SMS message that you get, go directly out to the website. Go directly to ezpass.com. Or if you do it through a specific website like the PA Turnpike, go directly out to their site and log in that way.
Verify who the sender is no different than emails. You can look at who the sender is, and if it's coming from a bunch of random characters or letters @icloud.com, it's probably not a legitimate source.
There are some services out there. They differentiate between every cell provider, but some of the services and cell providers do offer spam services that can wean through some of the messages so they don't even get to you, almost like a spam e-mail blocker for your traditional e-mail. You can also sometimes report those to your cell phone provider so that way you can be proactive in helping others as they try to block those threats that are coming in.
Debbi S. Fetter: That's great advice, Jeff.
Always verify the contact information from a trusted source too, like a website. I know when I received my first EZ Pass text message, I logged into my EZ Pass account to look at my account history without clicking on any links in the text message. I was able to see I had a full balance and no payments due.
Can you share another real-life smishing scam?
Jeff J. Johns: So, there's many others - ones that you've all probably also gotten, and I've seen them personally as the fake bank account scheme where scammers will text you, claiming that there's been suspicious activity on your account. They'll direct you to a fake website to try and get your login information, or to claim some other sort of information that they can obtain from you.
Again, with those, some of those texts may include a phone number to call to verify your social security number, no transaction detail. But you have to make sure that it's coming from a legitimate source. If you have text messaging already set up or text message alerts coming from your bank and you see one coming in from a different 6-digit number or random number, it’s probably not from the same legitimate source.
So, the best practice is to always go out and log in, whether it's through the app that you have or going out directly to your bank's website and logging in that way. And again, if you're still unsure it’s going out, flip over the backside of your debit card and go to the website of your institution and call them directly.
Debbi S. Fetter: That's a scary scam. We're all sensitive to alerts from our banks and we want to act on them quickly, but using some of those techniques really will help us stay safe and keep our money where it should be.
What about delivery scams? I know I get a lot of text messages related to that.
Jeff J. Johns: Delivery scams again are another one of the more prominent ones. You'll see them where they'll pretend to be from FedEx, UPS, Amazon. You'll get a message that pretty much states your package is delayed, click here to update your delivery details.
Oftentimes, those are there to lure you into a fake site, harvest your personal information or your credit card information. And it's even sometimes to see what you ordered to try and get you to divulge some of that to the people out there taking packages right off the doorstep.
So there's different types that are out there, and they're commonly evolving because the SMS message or text message is a common message that we all get nowadays, whether they're for appointment reminders, regular billing, or delivery notifications that are legitimate. Even public safety announcements that come out.
Debbi S. Fetter: That's good information and all of those really hit home. I know as somebody who supports the economy and often orders online, I receive a lot of text messages, legit ones related to my orders, as well as some that aren't legit.
I know I try hard just to delete and report it as junk and then check my known orders.
You know my thought process is if I can go into my e-mail where I have the original order, I can click on the tracking information there, and I know that's the one that I actually implemented.
This has been really great and timely advice, Jeff. It's about staying alert and being cautious. Any thoughts for our listeners?
Jeff J. Johns: As with anything, just remember to be cautious. If something feels too good to be true, it probably is. If you didn't order anything or you're not expecting a delivery, for example, it's probably not a legitimate item. Look at who the message is coming from. Stay alert, stay present to what it is and continue to educate others.
All of us on here listening probably get some of the SMS messages. Even my kids who just have an iPad receive them as well. So, they're coming from everywhere out there. They're spraying the attack, so stay vigilant.
Always go out to the site, or reach out to somebody else, or to the legitimate source that you know it should be coming from. And don't click on the links when in doubt.
Debbi S. Fetter: Well said. I couldn't agree with you more. Thanks again Jeff for all this information and thank you to our listeners for tuning in to this episode of Herbein Fraud Fighters. We hope we've given you some beneficial tools for your fraud toolboxes.
Stay informed, stay vigilant and let's work together to combat cyber fraud.
Should you need assistance implementing some of the detection strategies we discussed today or just want to talk through some of your fraud concerns, please reach out to our Risk Management team.
If you enjoyed this episode, I'd like to encourage our audience to listen to our Herbein Conversation series, Fraud Fighters, which is available on our website, herbein.com, or Spotify or Apple podcasts.
Stay tuned for future topics where we dive deeper into elder fraud, construction fraud, and ACH fraud. Thank you again for tuning in and remember - keep up the fight and see you next time fraud fighters.
If you or your organization are concerned about smishing or other cybersecurity threats, now is the time to act. Connect with Herbein’s Risk Management team to better understand your digital vulnerabilities, enhance your defenses, and empower your team with the knowledge to stay safe.