Smishing - SMS phishing

Relevant to: faculty, staff, and students

This article contains information considered accurate at the time of publishing. Technology updates, changes in University security practices, policies and procedures may affect the information in this article - updates to articles are scheduled on a periodic basis and will address any required changes.

What is Smishing?

Smishing is a type of phishing attack that uses SMS (text messages) instead of email. Cybercriminals impersonate trusted individuals to trick recipients into revealing personal information, clicking on malicious links, or completing financial transactions such as purchasing gift cards.

Common examples include messages appearing to come from banks, delivery services, or university leadership, creating urgency to override the recipient's critical thinking.

How to Identify a Smishing Text

  • Be cautious of urgent or unusual requests, even from familiar names.
  • Do not respond to suspicious messages—replying confirms your number is active.
  • Verify unknown or odd phone numbers through your contact list.
  • Contact the person directly using a known phone number or email.
  • Never share passwords or MFA codes via text.
  • Report the incident to your Service Desk and notify any impersonated individuals.

How to Report a Smishing Text

On iPhone or Android:

If you have NOT opened the message:

  1. Open the Messages app.
  2. Swipe left on the message and tap the trash icon.
  3. Select "Delete and Report Junk."

If you HAVE opened the message:

  1. Open the Messages app.
  2. Tap the "Report Junk" link at the bottom of the message.
  3. Select "Delete and Report Junk."

To report a suspicious email in Outlook mobile:

  1. Select the email you want to report.
  2. Tap the three-dot (…) icon at the top of the screen.
  3. Select "Report Junk" then choose "Phishing."

If You Are a Victim of Smishing

If you clicked a malicious link or shared sensitive info:

  • Report the incident to your institution and the appropriate IT team.
  • Change passwords and account PINs immediately.
  • Freeze financial accounts to prevent fraud.
  • Monitor financial and online accounts for suspicious activity.

Signs Your Account May Be Compromised

  • Unable to log in due to changed credentials.
  • Blocked from sending external emails.
  • Missing or bounced emails.
  • Suspicious forwarding or deletion rules in email settings.
  • Unknown messages in your Sent folder.

If your account is compromised: Stop all actions, leave your device on, and contact the IT Service Desk at help.sunyempire.edu or 888-435-7009.

How to Protect Yourself

  • Education: Understanding threats helps you avoid them.
  • Spam blockers: Email and text spam filters block most phishing attempts.
  • Reporting systems: Reporting attacks helps IT act quickly and notify others.
Print Article