Smishing is a phishing cybersecurity attack carried out over mobile text messaging, also known as SMS phishing. Hence: Sm-ishing :).

As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraud websites. It occurs on many mobile text messaging platforms, including non-SMS channels like data-based mobile messaging apps. Our primary mobile phone provider is susceptible to these attacks since it is tough to stop these kinds of messages. Vigilance is key.

What is Smishing?

As the definition of smishing suggests, the term combines SMS (short message services, better known as texting) and phishing. Smishing seems like a type of social engineering. It tries to exploit human trust. However, it is not very technical.

Smishing is categorized as a social engineering attack that relies on exploiting human trust rather than technical exploits. The bad guys try to lure you into their trap to steal personal data so that they can use your data and bank details to commit fraud. Usually, it is just about stealing money or your company’s money.

Cybercriminals often use one of these two methods to steal data:

  1. Malware: The smishing URL link tricks you into downloading malware — malicious software — installing itself on your phone. It masquerades as a legitimate app, tricking you into filling in confidential information and sending this data to the cybercriminals.
  2. Malicious website: The link in the smishing message leads to a fake site that requests you to type sensitive personal information. Cybercriminals use custom-made malicious sites to mimic reputable ones, making it easier to steal your information.

Smishing text messages are often purporting to be from your bank, ITSME, or the government, asking you for personal or financial information such as your account name. Unfortunately, providing the information is equivalent to handing thieves the keys to your bank balance.

As more and more people use their personal smartphones for work (a trend called BYOD, or “bring your own device”), smishing is becoming a business threat and a consumer threat. So, it should come as no surprise that smishing has become the leading form of malicious text messages.

Types of smishing attacks:

  • COVID-19 attacks
  • Financial Services (you get money back, ITSME, speed fines)
  • Gift
  • Invoice/payment attacks


How to prevent smishing

You can protect yourself pretty well by… doing nothing at all. In essence, the attacks can only do damage if you take the bait.

Be mindful that text messaging is a legitimate means for many retailers and institutions to reach you. Not all messages should be ignored, but you should act safely regardless.

There are a few things to keep in mind that will help you protect yourself against these attacks.

  • Do not respond. Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation, but you can refuse to engage.
  • Slow down if a message is urgent. It would be best to approach critical account updates and limited time offers as caution signs of possible smishing. Remain sceptical and proceed carefully.
  • Call your bank or merchant directly if doubtful. Legitimate institutions don’t request account updates or login info via text. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.
  • Avoid using any links or contact info in the message. Also, avoid using links or contact info in messages that make you uncomfortable. Instead, go directly to official contact channels when you can.
  • Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their actual phone number.
  • Opt never to keep credit card numbers on your phone. The best way to keep financial information from being stolen from a digital wallet is never to put it there.
  • Use multi-factor authentication (MFA). An exposed password may still be useless to a smishing attacker if the breached account requires a second “key” for verification. MFA’s most common variant is two-factor authentication (2FA), which often uses a text message verification code. More robust variants include using a dedicated app for verification (like Google Authenticator) are available.
  • Never provide a password or account recovery code via text. Both passwords and text message two-factor authentication (2FA) recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
  • Report all SMS phishing attempts to your security team.