An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | Feb. 1, 2022

CID Lookout: Smishing: Short Message Service Phishing

The U.S. Army Criminal Investigation Division’s Cyber Directorate is warning the Army community about cellphone text cyber threats and offering tips to avoid this fast growing scam.

Similar to email messaging scams, cybercriminals use Short Message Service (SMS) or text messaging to try and trick consumers into clicking links in the message.

“Smishing is very similar to phishing via email except the message is received on a smartphone as a SMS message, also known as a text,” said Edward LaBarge, assistant director of CID’s Cyber Directorate. “Cybercriminals are combining the two social engineering tactics to place malware on your device or to obtain personal information from the user.”

With roughly 290 million smartphone users in the United States, cybercriminals have a target-rich environment. Cellular phone users, and even those with a hardline, have likely received or is familiar with robocalls and vishing attacks, which are voice phishing to obtain personal information such as financial or credit card information. The recommended course of action for these types of calls has been to ignore or hang up and register the receiving phone number with the National Do Not Call Registry through the Federal Trade Commission or block the robocall or vishing number via the receiving cell phone.

A similar tactic increasing in popularity among cybercriminals, is smishing. CID officials said the message in this scam may include a link or will request a reply with the cybercriminal goal to compromise the recipient’s personal or financial accounts or obtain personal information to commit fraud in the recipient’s name. The number of smishing messages and scam topics cybercriminals come up with is endless, similar to the number of phone numbers they may use.

Common Smishing Attacks
• Fraudulent Account Activity or Account Locked – The recipient receives a message indicating their credit card or financial account was fraudulently used or is locked. The message, which includes a link to a site that looks like the real web address to their financial institution, leads to a mimicked website requesting the recipient’s personal or financial information.
• Prize Winner – Everyone likes to win a prize. Text messages indicating the recipient has won a prize, even when the recipient has not signed up for a contest, can be convincing. The cybercriminal’s text includes a link to a legitimate looking prize website or asks the recipient to reply with personal information to collect their prize.
• Purchase or Package Delivery Update – A smartphone user, whether a frequent online shopper or not, receives a text with a purchase or package delivery update. The message includes a somewhat suspicious link containing the legitimate name of an online retailer or shipping company. Clicking on the link downloads malware to the smartphone, possibly compromising the device, or leads to a mimicked website requesting specific information from the message recipient.
• IRS Scam Messages –Now until April, people will be filing their 2021 taxes. Cybercriminals know this and will send out IRS themed messages about recalculating tax refunds, needing financial and other personal information to process a refund, requesting information to avoiding prosecution by the IRS, requesting information to avoid having the message recipient’s social security number canceled, and a multitude of other tax themed messages to get people to respond.

Cybercriminals and scammers continue to find new ways to compromise users. Army CID’s Cyber Directorate said remaining vigilant and aware of the threats being used in today’s technology is the best way to avoid becoming a victim.

Smishing Protection Tips
• Verify texts from your financial institution, play it safe and call the financial institution on the phone number indicated on the financial institution’s website. It is not uncommon for financial institutions and credit card companies to send legitimate text messages to inform their customers about fraudulent activity or to verify purchase requests.
• Do not send your credit card or financial information in a text or input in a website from a link provided in an SMS message without verifying sender first. • Do not send your full name, date of birth, social security number, other personal information, or the information of your family members to unknown or trusted persons.
• Keep your smartphone operating system and the applications on cellular phones up to date.
• Do not click on links received in text messages or reply to a text message if the sender is unknown or the message looks questionable. • Avoid responding to unknown phone numbers.
• Avoid text messages offering quick and easy money, random coupon text messages, and text messages stating prize winnings.
• Most smartphones offer a way to block phone numbers. Block the number and delete the message when scam message is received. • Report the scam number to cell phone service provider.
• The IRS does not text taxpayers. The IRS contacts taxpayers through the U.S. Postal Service unless under special circumstances, which would result in a phone call.

For more information about computer security, other computer-related scams, and to review previous cybercrime alert notices and cyber-crime prevention flyers visit the Army CID Cyber Directorate at To report a crime to Army CID, visit