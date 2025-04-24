As more workers access corporate data on their mobile phones, IT must adjust security training to address the threats that target these devices.

SMS phishing, or smishing, is a type of phishing attack that uses Short Message Service text messages instead of emails. Like email-based phishing attacks, the purpose of these messages is to trick recipients into revealing sensitive information or clicking on malicious links.

In recent years, smishing has become a major attack vector. One reason why this type of social engineering attack is attractive to cybercriminals is the lack of user awareness. Many organizations have invested heavily in teaching employees how to spot phishing attempts while largely ignoring the threat of smishing. To ensure enterprise security in today's threat landscape, IT teams must train users to stamp out smishing scams.

Why is smishing a threat to enterprise security?

It might be tempting to think of a smishing attack as a cyberthreat that only affects an end user's smartphone. However, this kind of attack can have consequences for the enterprise, even if it's directed at a personal device. For example, hackers often design smishing attacks to steal users' credentials. If a user were to enter their work credentials in response to such an attempt, it could give the attacker access to the corporate network.

Of course, there are many different types of smishing attacks, and they don't always focus on credential theft. Some attacks try to plant malware on users' mobile devices. If a user were to access the enterprise network from an infected device, the malware on the device could give the hackers a backdoor into the network. This is an especially concerning possibility for any organization that has a BYOD program.

Smishing's edge over other phishing methods

In addition to the lack of user awareness, smishing is a uniquely dangerous form of phishing for a few reasons.

Smishing is likely more effective than email phishing, as SMS messages have a higher open rate than emails. Some users might think of text messages as being more credible than email messages. Spam emails are commonplace, so most users don't bother to interact with anything that looks slightly fake or unimportant. By contrast, since spam texts are less prevalent, users might be more willing to trust a questionable text message. Emails also tend to be longer than text messages, so there's more room for errors and other red flags users can find.

Feasible protection measures are another issue. IT can't defend against smishing with traditional cybersecurity tools. Unlike an email message, smishing texts go directly from the sender to the recipient. They don't have to pass through the recipient's employer's network first. In other words, it's impossible for organizations to filter text messages sent to end users' personal devices.

There are apps that can detect smishing attacks after the fact. With these tools, IT teams can identify any pattern of attacks targeting employees and act accordingly. Because smishing attacks often target employees within an organization, some IT departments also set up a dedicated phone number to which users can forward suspicious texts. This enables administrators to make users aware of current smishing campaigns. These tactics are helpful, but they can't provide more systematic prevention.
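One way an administrator could triage texts forwarded to such a reporting number, as an added example that is not part of the original article: group the reports by the host they link to and surface hosts reported by several distinct employees. The report format, the names `link_hosts` and `find_campaigns`, the threshold, and all sample messages and domains are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (reporting employee, forwarded text). Not real data.
REPORTS = [
    ("alice", "Your parcel is held. Confirm address: https://post-track.example/p?id=1"),
    ("bob",   "Your parcel is held. Confirm address: HTTPS://Post-Track.example/p?id=77"),
    ("carol", "Payroll update required today http://hr-portal.example.net/login"),
    ("dave",  "Parcel notice, see www.post-track.example/p?id=9."),
    ("alice", "Your parcel is held. Confirm address: https://post-track.example/p?id=1"),
    ("erin",  "Running late, start the meeting without me"),
]

# Links with a scheme, or bare "www." links as they often appear in SMS.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def link_hosts(text):
    """Return the set of lowercased hostnames linked in one message."""
    hosts = set()
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")          # drop sentence punctuation
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw            # let urlsplit see a netloc
        host = urlsplit(raw).hostname        # already lowercased
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def find_campaigns(reports, min_reporters=2):
    """Map host -> sorted reporters, for hosts seen by >= min_reporters users."""
    reporters = defaultdict(set)
    for user, text in reports:
        for host in link_hosts(text):
            reporters[host].add(user)        # a set ignores duplicate forwards
    hits = {h: sorted(u) for h, u in reporters.items() if len(u) >= min_reporters}
    # Most widely reported host first, ties broken alphabetically.
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))

if __name__ == "__main__":
    for host, users in find_campaigns(REPORTS).items():
        print(f"{host}: reported by {len(users)} employees ({', '.join(users)})")
```

Counting distinct reporters rather than raw messages keeps one user forwarding the same text repeatedly from looking like a campaign.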