What Is Smishing?

Smishing is when an attacker uses text messages to trick victims into giving up money or personal information, or into installing malware. Here’s how you can protect yourself.

Written by Zak Edwards
Published on May 02, 2024

Smishing, or SMS phishing, is an attack that uses text messages to trick individuals into installing software, giving away money or divulging sensitive information, such as login credentials, bank account details or credit card numbers.

Smishing is similar to email phishing, but the attacker sends text or SMS messages to their victim instead of emails.


How Does Smishing Work?

Smishing relies on social engineering: criminals use psychological tactics to convince a victim that a phony text or SMS message is legitimate. They craft these messages to earn the victim’s trust or to appeal to their emotions, manipulating them into taking a particular action.

Types of Smishing Attacks

Just as with email phishing, there are all kinds of smishing attacks. They can be broken down along two axes: the intended action of the attack and the style of the message.

Please note that there are a plethora of ways an attacker can try to trick someone via smishing, and the lists below should not be considered exhaustive.

Intended Action of the Attack

The intended action of the attack can fall into three subcategories: revealing sensitive information, downloading malware and sending the attacker money.

1. Revealing Sensitive Information

In this style of attack, the attacker attempts to trick their target into revealing sensitive information, such as login credentials, bank account information, social security numbers, etc.

2. Downloading Malware

In this instance, the attacker tries to talk their target into downloading seemingly legitimate software that’s actually malware, usually in the form of a mobile application.

3. Sending the Attacker Money

This is when the attacker aims to manipulate their target into sending money to an account the criminal can access.

Style of Smishing Message

There’s a variety of ways a criminal can word an SMS message to take advantage of someone.

1. Fake Prize or Gift Messages

These are messages claiming you won a prize and need to perform an action, like clicking a link, in order to get it.

2. Financial Messages

This is when a criminal sends messages pretending to be from a financial institution, such as a bank or the IRS, in an attempt to deceive the target into giving up financial information.

3. Tech Support Messages

These are messages in which the attacker pretends to be a tech support engineer in order to get the target to divulge login credentials or install malware disguised as security software. This category also includes messages claiming you are about to be locked out of an account or have a subscription service canceled.

4. Invoice or Delivery Messages

Criminals send these messages to trick their target with fake information about a recent purchase, bill or delivery and often include a malicious link the attacker wants the target to click.

5. Fake Charity Messages

In this case, the attacker claims to be from a charity or participating in some form of donation drive and attempts to trick the target into sending money to a fake cause.

6. Government Agency Messages

This is when the attacker pretends to be from a government agency, such as the IRS or FBI, and threatens some form of punitive action against the victim unless they do what the attacker says.


Smishing Examples

2020 Tokyo Olympics Smishing

In 2020, a smishing campaign targeting Olympics fans pretended to offer free or discounted tickets to the 2020 Tokyo Olympics if the user clicked a link. The link would then either attempt to download malware or ask the user to enter personal details, such as bank account information.

Annual IRS Dirty Dozen List

Every year, the IRS posts what it calls its Dirty Dozen list, a list of common scams the IRS has seen used against taxpayers.

Included in this list are smishing attacks in which the attacker claims to be able to help the victim file their taxes and/or get them a large discount, as well as attacks that try to scare the victim by claiming they are at risk of being audited.

These smishing attempts typically end with the victim either divulging sensitive financial information or paying a large sum of money.

How to Protect Against a Smishing Attack

The primary way to prevent falling for a smishing attack is to be cautious and avoid clicking links that either look suspicious or are from individuals you don’t know.

1. Verify the Sender

If you receive a message from a sender that claims to be an organization or a friend or family member but looks suspicious, verify the sender. Most organizations have a help line you can call to confirm whether a contact attempt was genuine.

Do not ask the sender to provide you with this number. Instead, look it up on the organization’s website yourself. If the sender claims to be a friend or family member, contact them through a different channel and ask for confirmation.

2. Don’t Click on Suspicious Links

If you receive a message that just consists of a link or the message contains a link that looks odd, do not click on it.

3. Guard Your Personal Information

Legitimate organizations and institutions will not request your sensitive or personal information via text message.

If you receive a message asking you to reply with details such as your credit card number or banking information, do not hand that information over. More generally, do not send personal information of any kind until you have verified the recipient’s identity.

4. Update Your Phone

Keep software, including your mobile operating system, up to date to help defend against the latest known threats.

5. Stay Educated

Keep informed about common smishing tactics and threats, and share this information with friends and family to help keep them safe as well.
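The message styles listed above (prize, financial, tech-support, delivery, charity and government-agency texts) and steps 2 and 3 of this list share a few observable signals: a link whose destination does not match the claimed sender, a request for data a real organization would never ask for by text, and pressure to act right now. The Python script below is an added example, not code from this article or from Built In; it extracts the links from a message and scores the message on those signals. The shortener list, the keyword patterns, the brand-to-domain mapping and the four sample messages are all constructed for the illustration, and the naive "last two labels" domain check stands in for a real public-suffix lookup.

```python
"""Heuristic SMS triage: an added example, not code from the article or Built In.
It scores a message on the signals the article lists: links that look odd,
requests for sensitive data, and pressure to act. Every pattern, threshold and
brand mapping below is an assumption chosen for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s<>"\']+')
# Link shorteners hide the real destination; assumed list for the demo.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}
# Data no legitimate organization asks for over SMS (step 3 above).
SENSITIVE_RE = re.compile(
    r"(?i)\b(password|passcode|otp|one[- ]time code|verification code|"
    r"ssn|social security|card number|cvv|pin|account number|routing number)\b")
# Urgency wording typical of the financial, tech-support and government styles.
URGENCY_RE = re.compile(
    r"(?i)\b(immediately|within 24 hours|suspended|locked|final notice|act now|urgent|expire[sd]?)\b")
# Brand name -> registrable domain the brand really uses (constructed examples).
KNOWN_BRANDS = {"examplebank": "examplebank.com", "parcelco": "parcelco.example"}

# Constructed sample messages; none are real texts.
SAMPLE_MESSAGES = [
    "Hi, running 10 min late, see you at the cafe.",
    "Reminder: your ExampleBank statement is ready at https://www.examplebank.com/statements",
    "ExampleBank: your account is locked. Verify your card number and PIN at "
    "http://examplebank-secure.login-check.net/verify immediately",
    "Your ParcelCo package is waiting: https://bit.ly/abc123",
]


def extract_urls(text: str) -> list[str]:
    """Return the URLs in a message with trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); real code needs a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def url_signals(url: str) -> list[str]:
    """List the heuristics a URL trips; an empty list means nothing looked odd."""
    if not re.match(r"(?i)https?://", url):
        url = "http://" + url  # bare www. links default to plaintext HTTP
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons: list[str] = []
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        is_ip = False
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if registrable_domain(host) in SHORTENERS:
        reasons.append("link shortener hides the destination")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized hostname (possible look-alike characters)")
    if not is_ip and host.count(".") >= 3:
        reasons.append("deeply nested subdomains")
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in host and registrable_domain(host) != real_domain:
            reasons.append(f"mentions '{brand}' but is not hosted on {real_domain}")
    return reasons


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def triage(message: str) -> Verdict:
    """Combine link, sensitive-data and urgency signals into one score."""
    verdict = Verdict()
    for url in extract_urls(message):
        for reason in url_signals(url):
            verdict.score += 2
            verdict.reasons.append(f"{url}: {reason}")
    if SENSITIVE_RE.search(message):
        verdict.score += 3
        verdict.reasons.append("asks for data a legitimate organization would not request by text")
    if URGENCY_RE.search(message):
        verdict.score += 1
        verdict.reasons.append("pressures the reader to act quickly")
    return verdict


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage(msg)
        label = "SUSPICIOUS" if v.score >= 3 else "ok"
        print(f"[{label:10}] score={v.score} {msg[:60]!r}")
        for r in v.reasons:
            print("    -", r)
```

Running the script scores the four constructed messages: the two ordinary texts score 0, the shortened-link delivery text scores 2, and the fake bank alert scores 8 because it combines a plaintext link on a domain that is not the bank’s, a request for a card number and PIN, and urgency wording. Keyword heuristics like these are a triage aid rather than a verdict, since wording changes from campaign to campaign; the decisive control remains step 1, confirming the contact through a number or channel you looked up yourself.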
