What Is Smishing? How Text Message Phishing Attacks Cost Victims Millions Every Year

Smishing–meaning SMS phishing–is a phishing attack conducted via text messages to scam victims. These scams target individuals or businesses to steal money, sensitive data, or a combination.

Smishing attempts have seen a rise in popularity. You’ve probably received a few smishing texts on your phone, and you’re not alone. The FTC fraud report found that texts are now used in 23% of fraud attempts, more than any other contact method. And it’s expensive: total losses from smishing attacks exceeded $130 million in 2021.

Smishing works because there aren't effective filters for SMS messages compared to email servers. Criminals can easily create and impersonate phone numbers using VoIP to text any number. And mobile carriers don't have robust spam filters, allowing malicious text messages to get delivered.

Learn how smishing works, examples of smishing, and what you can do to stop them.

How Smishing Attacks Work

Smishing is a type of phishing attack which begins with an attacker sending a text message to an individual. The message contains social engineering tactics to convince the person to click on a malicious link or send sensitive information to the attacker. Criminals use smishing attacks for purposes like:

  • Learn login credentials to accounts via credential phishing

  • Discover private data like social security numbers

  • Send money to the attacker

  • Install malware on a phone

  • Establish trust before using other forms of contact like phone calls or emails

Attackers may pose as trusted sources like a government organization, a person you know, or your bank. And messages often come with manufactured urgency and time-sensitive threats. This can make it more difficult for a victim to notice a scam.

Phone numbers are easy to spoof with VoIP texting, where users can create a virtual number to send and receive texts. If a certain phone number is flagged for spam, criminals can simply recycle it and use a new one.

Examples of Smishing

There are a few ways attackers use smishing to manipulate individuals, including these common tactics.

  • Account closure: Attackers send a message to a person claiming their account has been disabled, and they need to do a password reset. The messages will walk through the person on resetting their password, and the attacker will steal their online credentials during the process. These attacks often impersonate banks, well-known brands, and government agencies.

  • CEO fraud: Attackers impersonate a boss or manager and then send messages to employees asking for help to fulfill a request. The impersonator may ask an employee to buy gift cards for a company party, pay an invoice, or send sensitive data. Since the messages come from an authority figure, victims may ignore red flags and fulfill the request.

  • Unpaid taxes or fees: Victims receive a message that they owe taxes or unpaid fines, including a link or phone number. However, it's a malicious link designed to steal money.

  • Free offers: These smishing attacks tell victims they’ve qualified for a free gift, like a cruise, gift card, or consumer good. They just need to send over some data, enter their login information, or pay a small fee.

Common Signs of Smishing

Text messages are a common way for many people and organizations to reach out to us. For many, it's not an automatic red flag to receive SMS messages from their bank, places they shop, or acquaintances. People should learn the difference between a legitimate message and a fraudulent message. Here are a few signs to look out for when it comes to smishing attacks:

  • Poor spelling and grammar: Organizations care about spelling and grammar and are unlikely to send a message with errors in it. If you notice the text is wrong, don't engage with it.

  • Suspicious links: Unfortunately, it's common for even authentic messages to contain shortened URL links. This makes it difficult to identify the source before clicking on it. You'll want to verify the message source to avoid malicious links.

  • Sense of urgency: A common social engineering tactic is to make a time-sensitive request on short notice. This prevents the recipient from having time to think about their actions. If a message requires urgent action, it may be fraudulent.

Requests for sensitive information: While government entities, banks, and other organizations may reach out to you via text, they won’t ask for passwords or other sensitive information over text messages. If you get this type of request, ignore or report it.

Difference Between Smishing and Vishing

While smishing and vishing attackers both rely on a phone to conduct their scams, they do so in completely different ways. Smishing focuses on SMS messages while vishing happens over a phone call.

Vishing–derived from "voice phishing"–is a social engineering attack where a criminal impersonates a trusted source to manipulate the victim into sharing sensitive information like credit card numbers or online bank account passwords.

Both scams use similar false pretenses, but the delivery method is different.

Difference Between Phishing and Smishing

Smishing is a type of phishing attack. While smishing is done over text, phishing attacks can utilize phone calls, emails, or direct messages in social media apps.

Smishing and phishing share many similarities. They both rely on social engineering tactics to trick people into handing over private information, downloading malware, or sending money. They also are designed to look and feel like legitimate messages from trusted sources.

Preventing Smishing Threats

Unfortunately, it’s hard to prevent smishing texts from ending up on your phone. The open nature of SMS messaging means anyone can text any phone number. While it’s illegal to send scam text messages, criminals aren’t afraid of breaking the law.

Taking the time to think about the authenticity of a text message will go a long way in preventing a successful smishing attack. Here are a few ways to detect and prevent smishing threats.

  • Verify an identity: If you get a text from your boss or your bank, for example, make sure it's actually authentic before replying. Companies often use five or six-digit numbers when sending text messages which makes it more difficult to validate their authenticity. If you have concerns, contact the person or organization directly to discuss their message.

  • Train employees: Security awareness training helps ensure employees know how to spot and report suspicious texts. While email phishing is a significant problem, employees also need to learn about scams via text or phone calls.

  • Ignore it: Smishing text messages are often harmless if you don't click on any links or respond to them. You could also opt to block the phone number to stop receiving smishing attempts, although scammers usually cycle through random numbers.

  • Enable spam protection: Some phones have spam filter capabilities. It can divert messages from unknown senders or alert you if it believes a message is spam. Scammers thwart these filters by creating new phone numbers.

  • Report it: If you believe you received a smishing threat, you can forward the message to 7726 which will report it to your mobile carrier. This helps your phone provider develop better spam filters and other security measures. You can also report the smishing incident to the Federal Trade Commission (FTC).

Abnormal Security can stop socially engineered phishing attacks from putting your organization at risk. Schedule a demo to see how we do it.

Get the Latest Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo