Smishing: What is it and how does it affect me?

Smishing (SMS phishing) and mobile-borne cyber-attacks increased by 500% during 2022. Smishing attempts have risen dramatically, with fraudsters taking advantage of world events (such as the Covid-19 pandemic) to further trick their victims.

Find out more, including what you can do about it, below.

What is Smishing?

SMS phishing or smishing is conceptually similar to email phishing, except attackers use mobile/cell phone text (SMS) messages to deliver the “bait”. 

Smishing attacks typically require the user to click a link, call a phone number, or contact an email address provided by the attacker in the text message. 

The victim is then prompted to provide their private data and, often, credentials to other websites or services which the attacker will then use for their financial gain.

Furthermore, due to the nature of mobile browsers, URLs may not be fully displayed, which makes it more difficult to identify an illegitimate logon page or website.

What the attackers want

Like most attackers, they are out to steal your personal data, which they can then use to steal money, usually yours but sometimes your company’s too.

These “bad actors” typically use two methods to steal this data. One is to trick you into downloading malware that installs itself on your phone. This malware might masquerade as a legitimate app, tricking you into entering confidential information which is then sent back to the cybercriminals.

Another method is to use a link in the smishing message that takes you to a fake site, where you’re asked to type sensitive information that the cybercriminals can use against you further.

As more and more people use smartphones for work (a trend called BYOD, or “bring your own device”), smishing is becoming a business threat as well as a consumer threat. 

It should come as no surprise that smishing has become the leading form of malicious text message.

Protect yourself

We introduced the world’s first fully customisable simulated smishing-as-a-service feature, which is a great way to educate and train your workforce in the dangers of smishing. To complement that service, we have provided some tips below on how to stay safer against this rising threat vector. Several of these principles apply to all forms of phishing, not just smishing.

Be suspicious of "urgent" messages

You should regard any message that seems to be urgent with suspicion. Urgency is a common method used by attackers to get you to reply quickly, without stopping to think.

Your bank won't be asking you by text message.

No financial institution will send you a text message asking you to update your account information or confirm your ATM/cashpoint PIN. If you get a message that seems to be from your bank or a merchant you do business with and it asks you to click on something in the message, it's most likely a fraud. Call your bank or merchant directly if you are in any doubt.

If you think it's a trick, don't click.

Never click a reply link or phone number in a message you're not sure about. It's always best to verify directly with the organisation instead of following "helpful" links within the message.

Refuse to take the bait.

The attackers can't steal your information if you don't respond or reply, so refuse to take the bait and simply don't reply!

We recommend all readers educate themselves on the dangers of smishing. With well managed Security Awareness Training the threat posed by today’s advanced smishing techniques can be significantly reduced. Take back control, today.

