Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money. It combines the terms "SMS" (Short Message Service) and "phishing." Because mobile users often trust text messages more than emails, this method is highly effective for stealing credentials and financial data.
What is Smishing?
Smishing is a specific type of phishing where the medium is SMS or messaging apps rather than email. Attackers, known as "smishers," send deceptive messages that appear to come from trusted sources like banks, government agencies, or well-known brands.
The goal is to manipulate the recipient into taking an immediate action. This typically involves clicking a malicious link that leads to a fake website or downloading an app that contains ransomware.
Why Smishing matters
Smishing has become a primary threat to both individuals and organizations due to the high engagement rates of mobile users.
- Higher engagement: Scammers prefer smishing because [SMS click-through rates hover between 8.9% and 14.5%] (Klaviyo).
- Wider reach: Most of the 3.5 billion smartphones worldwide can receive text messages from any number.
- Organizational risk: [75% of organizations experienced smishing attacks in 2023] (Proofpoint).
- Financial impact: These attacks are increasingly costly, as [overall losses to text scams reached $470 million] (Federal Trade Commission).
- Better bypass: Advances in email spam filters have forced hackers to shift to mobile channels where filters are less restrictive.
- Trust factor: Users are often less aware of the risks of clicking links in text messages compared to emails, especially since they are used to receiving shortened URLs from legitimate brands.
How Smishing works
Most attacks follow a sequential process to deceive the target and extract value.
- Target Selection: Attackers choose targets randomly using broad lists of phone numbers or specifically using data from previous breaches.
- Crafting the Message: The scammer creates a message using pretexting (a fake story) to evoke urgency, fear, or curiosity.
- Delivery: The attacker sends the message using SMS gateways, burner phones, or software that sends texts via email to mask their origin.
- Interaction: The victim clicks a link, calls a specified number, or replies with personal details.
- Exploitation: The victim lands on a fraudulent site to input data, or they unknowingly download malware that snoops on smartphone data.
- Evasion: Attackers frequently change phone numbers and tactics to stay ahead of telecom filters and law enforcement.
Types of Smishing
Attackers use different pretexts depending on the information they want to steal.
| Type | Description |
|---|---|
| Bank Impersonation | Claims there is a problem with an account and provides a link to a fake login page. This is the most common scam, accounting for [10% of all smishing messages] (FTC). |
| Government/Tax Scams | Scammers pretend to be the IRS, FBI, or toll agencies claiming the victim owes a fine or is eligible for a benefit. |
| Shipping Scams | Pretends to be FedEx, UPS, or USPS claiming a package delivery failed and requires a "delivery fee" or address correction. |
| MFA Fraud | Attackers try to steal a one-time password or verification code so they can sign in to an account whose password they have already obtained. |
| Wrong Number Scams | A "mistaken" text leads to a long-term conversation designed to build trust for future investment or romance scams. |
| Business Text Compromise | Hackers pose as a boss or colleague needing urgent help with a payment or task. |
Best practices
To defend against smishing, organizations and individuals should implement multi-layered security habits.
- Verify independently: If a text claims to be from a bank or service provider, call the official number from the company website instead of using the contact details in the text.
- Use Multifactor Authentication (MFA): Set up MFA for all sensitive accounts so that stolen credentials alone are not enough for a hacker to sign in.
- Enable SMS filtering: Use built-in mobile OS features or third-party apps to identify and block suspicious numbers.
- Report suspicious texts: Forward scam messages to your telecom provider (often via the number 7726) to help them investigate and block attackers.
- Check the URL: Look closely at links before clicking. Scammers often use URLs that look similar to official brands but use different domain extensions like .info instead of .com.
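The "Check the URL" and "Enable SMS filtering" practices can be turned into a simple triage rule: pull every URL out of a text, compare its registrable domain against a brand allow-list, and flag shorteners, lookalike domains and brand-as-subdomain tricks, then note urgency wording as a secondary signal. This is an added example, not code from the original article; the brand list, shortener list and sample messages are constructed assumptions, and the eTLD+1 logic ignores multi-label suffixes such as co.uk.

```python
"""Triage SMS text for smishing indicators (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Constructed allow-list of brand domains (assumption; use your organization's own list).
TRUSTED_DOMAINS = ("chase.com", "fedex.com", "irs.gov", "usps.com")
# Constructed list of URL shorteners often seen in texts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_WORDS = ("immediately", "suspended", "urgent", "within 24 hours", "final notice")

# Matches bare or schemed URLs such as fedex.info/track or http://bit.ly/abc.
URL_RE = re.compile(r"\b(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?", re.I)

def registrable(host):
    """Crude eTLD+1: last two labels. Assumes no multi-label public suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze_url(raw):
    """Return a list of reasons a URL looks suspicious; empty means trusted."""
    url = raw if raw.lower().startswith("http") else "http://" + raw
    host = urlparse(url).hostname or ""
    reg = registrable(host)
    reasons = []
    if reg in TRUSTED_DOMAINS:
        return reasons  # exact registrable-domain match, e.g. www.chase.com
    if reg in SHORTENERS:
        reasons.append(f"shortened URL ({reg}) hides the real destination")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Substring check is deliberately crude ("irs" also hits "firstbank").
        if brand in host:
            if reg.split(".")[0] == brand:
                reasons.append(f"{reg} uses a different extension than {trusted}")
            else:
                reasons.append(f"{host} uses brand '{brand}' as a subdomain or lookalike")
    if not reasons:
        reasons.append(f"unknown domain {reg}")
    return reasons

def analyze_sms(text):
    """Collect URL findings; add urgency wording only when a URL already looks bad."""
    findings = []
    for match in URL_RE.findall(text):
        findings.extend(analyze_url(match))
    urgent = [w for w in URGENCY_WORDS if w in text.lower()]
    if urgent and findings:
        findings.append("urgency language: " + ", ".join(urgent))
    return findings
```

Messages whose only link resolves to an allow-listed domain return an empty list, so the function can gate a "suspicious" label in a filtering pipeline.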
Common mistakes
- Mistake: Replying to a suspicious text to tell the "wrong number" they have the wrong person. Fix: Do not respond at all. Replying confirms your phone number is active, which can lead to more spam.
- Mistake: Trusting a message because it uses your name or location. Fix: Remember that scammers get this information from public online tools and data breaches.
- Mistake: Storing sensitive banking or login information directly on a smartphone. Fix: Use dedicated, encrypted password managers or secure apps to prevent malware from accessing that data.
- Mistake: Clicking a link because you are actually expecting a package. Fix: Use the official app or website of the carrier to track your package instead of clicking SMS links.
Smishing vs Phishing vs Vishing
While all three use social engineering, they differ primarily by the communication channel used.
| Feature | Smishing | Phishing | Vishing |
|---|---|---|---|
| Medium | SMS / Messaging Apps | Email / Malicious Websites | Voice Calls / VoIP |
| Key Tactic | Malicious links in texts | Malicious attachments/links | Voice manipulation/Impersonation |
| Advantage | Extremely high click rates | Large scale automation | Direct personal pressure |
| Common Goal | Credential theft/Malware | Account takeover/Data theft | Immediate money transfers |
FAQ
What should I do if I click a link in a smishing text? If you clicked a link but did not enter data, scan your phone for malware using a security app. If you entered login information, change your passwords immediately for that service and any other accounts using the same credentials. Monitor your bank statements for unauthorized charges.
How can scammers send texts from an email address? Many attackers use software or SMS gateways that allow them to send messages from a computer to a mobile network. This allows them to automate thousands of messages at once and hides their actual phone number.
Does the STIR/SHAKEN protocol stop smishing? No. STIR/SHAKEN was designed to authenticate phone calls and reduce spoofing for voice communication. While it helps identify "spam likely" calls, it does not currently have the same impact on text messages, which is one reason scammers have shifted toward smishing.
Can I get a virus just by opening a text message? Generally, simply opening a text message will not infect your phone. You usually need to take an action, such as clicking a link, downloading a file, or installing a malicious app, for the payload to execute.
Why do smishing messages always sound so urgent? Scammers use urgency to trigger an emotional response, like fear or panic. This makes the victim less likely to pause and check for red flags, such as typos or suspicious sender numbers.