smishing (SMS phishing)

What is smishing?

Smishing -- or SMS (Short Message Service) phishing -- is a social engineering tactic cybercriminals use to trick people into divulging sensitive information over text messages.

A type of phishing attack, smishing often involves sending bogus text messages that appear to come from a legitimate source, such as a bank or a social media site. Most messages convey a sense of urgency and request that the recipient click on a link or reply with personal information.

How does smishing work?

Smishing attacks can range in sophistication, making some of them harder to spot than others. These attacks can be delivered through both conventional text messaging and non-SMS messaging apps, such as WhatsApp, Viber or Snapchat.

Typically, smishing attacks work in the following way:

  1. The attacker sends a victim a smishing text message that seems to come from a legitimate source, such as a government agency, bank or well-known business.
  2. The message delivers a sense of urgency and compels the victim to take immediate action, such as clicking on a link or calling a phone number.
  3. Once the victim opens and clicks on the link or dials the phone number listed in the message, they're taken to a fraudulent website or a mobile phone line that's designed to resemble a legitimate source.
  4. The victim might be asked to enter sensitive information, such as login credentials, social security numbers, credit card information or personal identification numbers (PINs). Once the victim's sensitive information is divulged, the attacker might steal it to commit fraud for personal gain or to compromise the victim's device by installing malware on it.
  5. In some instances, the victim is directed to call a phone number where they're prompted to provide personal details or banking information or respond to automated prompts.

[Figure: How a smishing attack works. A hacker generally follows these three steps to commit a smishing attack.]

Why attackers run smishing scams

Scammers use smishing attacks as a reasonably quick and efficient way to obtain sensitive data or deploy malware.

The following are some common reasons why attackers use smishing attacks:

  • Steal personal information. Smishing gives attackers a chance to collect a victim's sensitive information, such as usernames, passwords, credit card numbers and other personal data. The attacker then uses this information to commit identity theft or other types of phishing attacks.
  • Install malware. Smishing messages can contain malicious links to websites or downloads that install malware on a victim's device. This lets the hacker obtain confidential data, keep tabs on a victim's activities or use a victim's device to launch other attacks.
  • Easy to accomplish. While email addresses can contain random letters or special characters, phone numbers follow set patterns. For example, the U.S. uses a three-three-four 10-digit pattern, so attackers can attempt different combinations or send out blasts to a specific region. Phone numbers are also frequently tied to social media accounts, making them easier to identify while also supplying attackers with a store of information to customize smishing attempts.
  • Grab users' attention. People are often less cautious when sending text messages than emails or having phone conversations, potentially exposing them to smishing attacks. Users are more likely to trust their smartphones or glance over a message than to read it thoroughly when they're busy or otherwise preoccupied.
  • Gateway to other attacks. Smishing attacks can be a stepping stone to more sophisticated cyber attacks, such as spear phishing or targeted malware attacks.

Types of smishing attacks

The following are some common types of smishing attacks:

  • Urgent message scams. These smishing attacks might warn a victim that their account is in jeopardy or delivery will be canceled to get them to respond hastily without thinking.
  • Fake survey scams. These messages encourage people to complete a survey in exchange for a prize, but they're intended to steal personal information.
  • Tax season scams. Some smishing attacks try to convince people they owe money after filing their taxes and take them to a fraudulent website where they can pay the required amount. Another popular strategy is to convince a victim they're entitled to a substantial refund and ask them to click on a link to recover their money. Once the link is clicked, spyware is typically installed on a victim's cell phone.
  • Fake message scams. These smishing messages might appear to be from a reputable source, such as a bank or social networking site, but they're false messages designed to dupe victims into disclosing vital information.
  • Gift card scams. These messages claim a victim has won a gift card or prize and encourage them to click a link to claim it. In reality, it's a ploy to trick people into sharing sensitive information.
  • Malware-embedded communications. These messages contain a link to a phony or malware-laden website, which if clicked, can install malicious software on the victim's device.
  • Fake delivery scams. Shipping companies such as FedEx and UPS urge customers to be on the lookout for scams involving messages about the attempted delivery of a package. These messages frequently start by saying a delivery attempt was made but the recipient wasn't home. The text might redirect the recipient to a website to reschedule their delivery. Once the victim logs in, the seemingly legitimate website might ask for more personal information, including credit card numbers, birthdates or even Social Security numbers.

How to defend against smishing attacks

Smishing and other mobile threats are on the rise as more people use mobile devices for online activities. Therefore, it's important to exercise caution and verify the authenticity of any unusual messages.

The following measures can mitigate smishing and other types of cyber attacks:

  • Never click on links, respond to text messages or call numbers that aren't recognizable.
  • Avoid answering a message, especially if it instructs you to "text STOP" to end the message.
  • Delete any questionable text messages.
  • Ensure the smart device's operating system and security apps are up to date.
  • Consider installing antimalware software on the device for added security.
  • If a message displays a sense of urgency, slow down and proceed cautiously. Urgent account upgrades and limited-time offers are indicators of imminent smishing.
  • When in doubt regarding a notification, a user should contact their bank immediately, since legitimate institutions don't send text messages requesting account changes or login information.
  • Examine any unusual phone numbers, such as four-digit ones, as they may indicate the use of email-to-text services. This is one method a scammer might use to conceal their real phone number.
  • Change passwords regularly. This applies to both device passwords, as well as passwords used to log into bank accounts and other personal services.
  • Use multifactor authentication (MFA). If the account being compromised requires a second key for verification, a revealed password might still be useless for a smishing attacker.
  • Set up spam filters on mobile devices to block spam calls and text messages from being received on the devices.

[Figure: Four steps to take against cyber attacks. A user can implement these steps to help prevent a smishing attack from occurring.]
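As an added illustration of the red flags this list describes (this is not code from the original article), the following Python triage script scores constructed sample texts on the indicators above: short numeric senders, links to unrecognized hosts, urgency wording, requests for sensitive data and "text STOP" bait. The trusted-domain allow-list and the sample messages are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages: (sender, body). Not real traffic.
SAMPLES = [
    ("44123", "URGENT: your account will be suspended in 24 hours. "
              "Verify now: http://secure-login-verify.example/bank"),
    ("+15551234567", "Hi, running 10 min late, see you at the cafe."),
    ("2878", "Delivery attempt failed. Reschedule at "
             "https://track-pkg.example/reschedule or reply STOP to opt out"),
]

# Assumed allow-list of domains the reader actually does business with.
TRUSTED_HOSTS = {"fedex.com", "ups.com", "examplebank.com"}

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within \d+ hours|suspended|limited.time|act now|verify now)\b", re.I)
SENSITIVE_RE = re.compile(
    r"\b(password|pin|ssn|social security|login|credit card|birthdate)\b", re.I)
STOP_BAIT_RE = re.compile(r"\b(reply|text)\s+stop\b", re.I)


def host_trusted(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def score_message(sender: str, body: str) -> tuple[int, list[str]]:
    """Return (risk score, indicators) for one text message."""
    indicators = []
    digits = sender.lstrip("+")
    # Short numeric senders may be short codes or email-to-text gateways.
    if digits.isdigit() and len(digits) <= 6:
        indicators.append("short-code sender")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_trusted(host):
            indicators.append(f"link to unrecognized host {host}")
    text_only = URL_RE.sub("", body)  # judge wording without the URL itself
    if URGENCY_RE.search(text_only):
        indicators.append("urgency language")
    if SENSITIVE_RE.search(text_only):
        indicators.append("requests sensitive data")
    if STOP_BAIT_RE.search(text_only):
        indicators.append("'text STOP' bait")
    return len(indicators), indicators


def triage(samples, threshold: int = 2):
    """Flag each message whose score reaches the threshold."""
    return [(s, *score_message(s, b), score_message(s, b)[0] >= threshold)
            for s, b in samples]
```

Running `triage(SAMPLES)` flags the first and third messages and leaves the ordinary conversational text unflagged; a score of 2 or more is only a prompt to verify through a known channel, not proof of fraud.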

Actions to take if you are a victim of a smishing attack

Prevention is key when it comes to cybersecurity and smishing attacks. If a smishing attack happens even after implementing the above protections, a victim can take the following steps to mitigate the damage:

  1. Inform your wireless carrier and any financial institutions that can assist with the suspected attack.
  2. Put a hold with the credit card company on the card in question to prevent future or ongoing identity theft.
  3. Reset all passwords and bank account PINs as often as feasible.
  4. Monitor finances, credit and internet accounts for strange login locations and bizarre activities.
  5. Educate and read up on how to detect and respond to smishing to prevent future attacks.
  6. Scan the system for viruses and malware.
  7. Set up a fraud alert. The major credit bureaus, Experian, Equifax and TransUnion, offer a free 90-day fraud alert that's placed on a person's credit report. Setting up a fraud alert makes it difficult for attackers to open an account in a victim's name.
  8. Send suspicious or spam messages to 7726, which spells SPAM. This service is available to subscribers of carriers such as Verizon, AT&T and T-Mobile.

This was last updated in April 2023
