Smishing

What is Smishing: SMS Phishing Attacks & Training

Smishing – also known as SMS phishing - is a cyber-security attack carried out via mobile text messages. With the rise of smartphones and the popularity of text messaging, smishing scam attempts have increased dramatically in recent years. Now, more than ever, it’s important to learn how to protect yourself and your business from smishing attacks. Find out more about smishing, including how you can help prevent successful text attacks, in the article below.

smishing attack illustration

What are smishing scams?

Smishing scams are very similar to email phishing attacks. The aim is the same: steal private data from their victims by tricking the target into clicking a malicious link or calling a suspicious phone number. The victim is then prompted to provide their personal data or login details, which the scammer will use for financial gain.

The difference is that, instead of emails, smishing attacks use texts (SMS messages) to deliver the “bait”.

It should come as no surprise smishing has become the leading form of phishing, with attacks increasing by 500% in 2022. And it’s not just private individuals who are under threat. As more and more people use smartphones for work, businesses are also being put at risk.

What is a smishing text?

Like most phishing attacks, smishing texts are an attempt to steal your (or your company’s) private data by impersonating a legitimate source – like your bank or your boss.

Be wary of texts messages that induce panic or ask you to click a link. Smishing attacks rely on your fear and emotion, using psychological phishing techniques to make you act immediately.

For instance, some popular smishing scam texts include:

  • Your bank account has been compromised.
  • Insufficient funds to pay your bill.
  • You missed a parcel delivery.

It’s also important to note that smishing scams can be delivered through secure data-messaging services like WhatsApp – not just via traditional SMS texts.

smishing attacker on a laptop

How to prevent smishing

Thankfully, the devastating effects of a smishing attack can be prevented by learning how to recognise a scam text and simply refusing to take the bait.

We have introduced the world’s first customisable simulated smishing-as-a-service feature, which is a great way to educate and train your workforce in the dangers of smishing.

As an introduction, we have provided some tips below on how to become safer against the rising threat of smishing attacks. Several of these principles apply to all forms of phishing, and not just smishing.

Be suspicious of "urgent" messages

Text messages that appear to be urgent should always be treated with suspicion. This is a common method attackers use to ensure you reply quickly and carelessly. Stay calm and take a moment to think clearly before acting.

Review the privacy settings on your social media accounts

Text messages that appear to be urgent should always be treated with suspicion. This is a common method attackers use to ensure you reply quickly and carelessly. Stay calm and take a moment to think clearly before acting.

Your bank won't be asking you by text message

Text messages that seem to be from your bank and ask you to click on a link are almost certainly fraud. If you’re unsure, call your bank directly on the phone number from their official website.

If you think it's a trick, don't click

Never click a reply link or phone number in a message you're not sure about. It's always best to directly verify with the organisation directly, instead of following "helpful" links within the message.

Refuse to take the bait.

Smishing scams don’t work if you don’t react or respond. So, refuse to take the bait and simply don't reply!

We recommend all readers educate themselves on the dangers of smishing attacks. With well managed Security Awareness Training, the threat posed by today’s advanced smishing techniques can be significantly reduced. Take back control, today.

How smishing works

Like most phishing attacks, smishing texts use trust, emotion and context to try and manipulate the target into revealing crucial personal data. Cyber criminals will then use that information to commit fraud or financial crimes.

There are two main smishing methods:

  • Malware: Scammers will try to trick you into clicking a malicious link that installs malware on your phone. This malware might masquerade as a legitimate app, convincing you to enter confidential information which then is sent back to the attacker.
  • Fake website: Another method manipulates you into clicking a link in the smishing text that takes you to a fake website where you’re asked to type sensitive information that the cyber criminals can use against you further.

It can be hard to spot a smishing scam as, due to the nature of mobile browsers, URLs may not display fully. This makes it more difficult to identify a false login page or scam website. There are also apps available that can “spoof” a phone number and make it seem like the text has been sent from a legitimate source.

How to report smishing texts

If you suspect you may have received a smishing text, you should report it to your phone provider. Most mobile phone companies encourage customers to report smishing attacks for free by forwarding the suspicious text message to 7726. This allows your provider to investigate the sender and take action to prevent further smishing attempts.

Reporting a smishing text is free, easy and very important. By reporting the scam, you can help reduce the amount of scam texts you receive and protect yourself and others from further attacks.