What Is Smishing?

Smishing — short for “SMS phishing” — is a type of phishing attack delivered via text message. These messages aim to trick recipients into installing malicious software, sending money or revealing sensitive information such as login credentials or financial details.

While similar to email phishing, smishing occurs over SMS or messaging apps like WhatsApp, iMessage and Facebook Messenger.

RelatedWhen and How to Run a Phishing Simulation

Types of Smishing Attacks

Like email phishing, smishing attacks come in many forms. They can be grouped into two main categories: the attacker’s intended outcome and the message’s style.

These are common smishing strategies, but the examples below are not exhaustive.

Intended Action of the Smishing Attack

The intended action of the attack can fall into three subcategories: revealing sensitive information, downloading malware and sending the attacker money.

1. Revealing Sensitive Information

In this style of attack, the attacker attempts to trick their target into revealing sensitive information, such as login credentials, bank account information, social security numbers, etc.

2. Downloading Malware

In this instance, the attacker tries to talk their target into downloading seemingly legitimate software that’s actually malware, usually in the form of a mobile application.

3. Sending the Attacker Money

This is when the attacker aims to manipulate their target into sending money to an account the criminal can access.

Style of Smishing Message

There’s a variety of ways a criminal can word an SMS message to take advantage of someone.

1. Fake Prize or Gift Messages

These are messages claiming you won a prize and need to perform an action, like clicking a link, in order to get it.

2. Financial Messages

This is when a criminal sends messages pretending to be from a financial institution, such as a bank or the IRS, in an attempt to deceive the target into giving up financial information.

3. Tech Support Messages

These are messages where the attacker pretends to be a tech support engineer to get their target to divulge login credentials or install malware disguised as security. This can also include messages claiming you’re going to be locked out of an account or have your subscription service canceled.

4. Invoice or Delivery Messages

Criminals send fake messages about recent purchases, bills or deliveries, often including a malicious link meant to steal personal information or install malware.

5. Fake Charity Messages

In this case, the attacker claims to be from a charity or participating in some form of donation drive and attempts to trick the target into sending money to a fake cause.

6. Government Agency Messages

This is when the attacker pretends to be from a government agency, such as the IRS or FBI, and threatens some form of punitive action against the victim unless they do what the attacker says.

Smishing Examples

2020 Tokyo Olympics Smishing

In 2020 there was a smishing campaign targeting fans of the Olympics that pretended to offer free or discounted tickets to the 2020 Tokyo Olympics if the users clicked on a link. This link would then either attempt to download malware or ask the user to input personal details, such as bank account information.

Annual IRS Dirty Dozen List

Every year, the IRS posts what it calls its Dirty Dozen list, a list of common scams the IRS has seen used against taxpayers.

The list includes smishing scams in which attackers pose as tax professionals offering filing assistance or claiming to help victims receive large refunds, as well as attempting to scare the victim by claiming they’re at risk of being audited. 

These smishing attempts often involve either the victim divulging sensitive financial information or paying large sums of money.

Related What Is Cyber Insurance? Why Do Tech Companies Need It?

How to Protect Against a Smishing Attack

The primary way to prevent falling for a smishing attack is to be cautious and avoid clicking links that either look suspicious or are from individuals you don’t know.

1. Verify the Sender

If you receive a message from a sender that claims to be an organization or friend/family member but looks suspicious, verify them. Most organizations include a help line you can call to gain confirmation of contact attempts. 

Do not ask the sender to provide you this number. Instead, look on the organization’s website yourself. If the sender claims to be a friend or family member, message them via alternative means and ask for confirmation.

2. Don’t Click on Suspicious Links

Attackers may disguise malicious links using URL shorteners or spoofed domains that closely resemble legitimate websites.

If you receive a message that just consists of a link or the message contains a link that looks odd, do not click on it. 

3. Guard Your Personal Information

Legitimate organizations and institutions will not request your sensitive or personal information via text message.

Never share sensitive details such as your Social Security number, account credentials or security codes in response to a text, even if it appears to come from a trusted source.”

If you receive a message asking you to reply with details such as your credit card number or banking information, do not hand that information over. In addition, until you have verified the recipient’s identity, do not send personal information of any type.

4. Update Your Mobile Phone

Keep software, including your mobile operating system, up to date to help defend against the latest known threats.

5. Stay Educated

Keep informed about common smishing tactics and threats, and share this information with friends and family to help keep them safe as well.

Frequently Asked Questions