What is Smishing? SMS phishing explained

October 30, 2020  |  Ericka Chickowski

This blog was written by a third party author.

What is SMS phishing?

SMS phishing, or “Smishing,” is a mobile phishing attack that targets victims via the SMS messaging channel rather than through email. A natural evolution of the phishing phenomenon, smishing attacks attempt to dupe mobile users with phony text messages containing links to legitimate-looking, but fraudulent, sites. These smishing sites try to steal credentials, propagate mobile malware, or perpetrate fraud.

Though smishing has crept into users' text messaging streams for over a decade now, the technique has long flown under the radar with relatively small global attack volumes over the years. However, that's changing as cybercriminals seek to profit off of today's mobility and remote work trends.

Approximately 81% of organizations say their users faced at least some level of smishing attacks in 2019. Right before COVID-19 hit, smishing volume was already on the uptick. Between the last quarter of 2019 and the first quarter of 2020, mobile phishing attacks—including smishing—rose by 37%. As the lockdown era spurs on a wave of remote work and increased reliance on mobile devices, smishing numbers continue to climb. One study reported a 29% growth in smishing between March and July 2020.

"On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before," says IDC's Phil Hochmuth. "In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical."

Common types of Smishing attacks

The allure of smishing to the cybercriminal community has obviously grown stronger due to a greater prevalence of text messaging in mobile users' lives in recent years.  However, the bad guys are arguably even more drawn to smishing due to the differences in how users interact with SMS messaging compared to email.

The sense of urgency is higher for text messages and their open rates are considerably higher than email. According to MobileMarketer.com, while email recipients only open about 20% of their messages, SMS recipients open 98% of their texts.

Consequently, big brands are increasingly using text messages rather than email for things like marketing messages, shipping verification, and account notifications. Added to the mix is the preference for SMS as a channel for multi-factor authentication, meaning that many mobile users have been habituated to interact with text messages in some way or other during the login process of many of their cloud, retail, and banking accounts.

All of this creates a prime breeding ground for smishing attackers to perpetrate their fraud, as users are highly engaged with and very likely to act quickly on most text messages that come their way. The bad guys take advantage of that sense of immediacy and tailor the attacks to mimic the various ways that brands regularly interact with customers via SMS.

Listing common SMS phishing tactics

Some very common types of smishing messages include:

  • Fake shipping notifications
  • Tech support impersonation
  • Phony bank account balance warnings
  • Counterfeit customer service notices
  • Prize notifications for made-up rewards
  • Bogus Covid-19 contact tracing messages

These messages are used to trick the user into either downloading a fraudulent app or opening a link to password stealing or fraud-inducing mobile sites. Further aiding the smishing attacker is the fact that shortened links are commonplace for the SMS communication channel. Big brands use them all the time.

This helps with the deception, as many smishing texts use tiny URLs to hide the actual fraudulent domain from unsuspecting users. Attackers also sometimes use a technique called URL padding, which obscures the real destination of the link with a series of hyphens. Padding puts a legitimate URL first, then hyphens, then the malicious domain, so that only the legit part of the domain is visible in the small address bar on the mobile device.
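A detection-side sketch of the two link tricks described above, added here as an example and not part of the original post: it flags known shortener hosts and padded hostnames in SMS text. The shortener list, the sample messages and their domains are constructed for illustration, and the last-two-labels domain check is a simplification of a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Assumption: a short illustrative shortener list; extend it from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A domain-looking prefix followed by a run of 3+ hyphens inside the hostname.
PAD_RE = re.compile(r"^(?P<shown>(?:[a-z0-9-]+\.)+[a-z]{2,})-{3,}")

# Constructed sample messages; none of these come from a real campaign.
SAMPLES = [
    "ExampleBank: unusual sign-in. Verify at "
    "http://m.examplebank.com--------------verify.badsite.example/login",
    "Your parcel is on hold: https://bit.ly/CONSTRUCTED",
    "ExampleBank: your statement is ready at https://www.examplebank.com/help.",
]

def registrable(host):
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def inspect_url(url):
    host = (urlsplit(url).hostname or "").rstrip(".")
    finding = {"url": url, "real_domain": registrable(host), "flags": []}
    pad = PAD_RE.match(host)
    # Padding: what the narrow address bar shows is not the domain that is contacted.
    if pad and registrable(pad.group("shown")) != finding["real_domain"]:
        finding["flags"].append("url_padding")
        finding["shown_as"] = pad.group("shown")
    if host in SHORTENERS:
        finding["flags"].append("shortened_link")  # destination hidden until resolved
    return finding

def inspect_sms(text):
    # Strip sentence punctuation that the URL regex picks up at the end of a link.
    return [inspect_url(u.rstrip(".,)")) for u in URL_RE.findall(text)]

if __name__ == "__main__":
    for sms in SAMPLES:
        for f in inspect_sms(sms):
            print(f["flags"] or ["no_flags"], f.get("shown_as", "-"), "->", f["real_domain"])
```

The hyphen threshold of three keeps punycode labels (`xn--`) from being flagged as padding.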

Smishers also use screen overlays that pop up when certain apps are opened—such as banking apps—to simulate login verification and help bypass two-factor authentication processes commonly used by big brands.  When users receive their legitimate login codes from a brand, they enter them into the overlay rather than the app itself.

The importance of security awareness

While smishing is not a new attack, it is still relatively unknown and unexpected by users.  A recent study shows that while 61% of corporate users are aware of what phishing is, only 30% know about smishing techniques. This is because most organizations still do not teach their users about the dangers of smishing. While phishing simulations have increasingly become a regular part of security awareness training, the study showed only about a quarter of awareness programs include smishing simulations in the mix.

Whether smishing occurs on a corporate-owned or a personal device that has access to corporate data, it puts business information and assets at risk. Not only can attackers target corporate cloud accounts through their smishing schemes, but many of them also aim to take over device functionality through remote access tools and other malware. These compromised devices connected to corporate networks then stand as a risk exposure to the entire organization.

Employees should be educated about how smishing works and be trained to identify common types of mobile phishing messages. Awareness programs may also want to emphasize that one way users can guard against unsolicited messages is to be careful about where they distribute or publicize their wireless phone numbers. As users become savvier to smishing, they should also be encouraged to report suspected attempts to their wireless provider. The wireless industry has come up with a universal short code number to do so—users can forward offending messages to 7726 (SPAM) to report a potential smishing attempt.

What can businesses do to protect against Smishing attacks?

Mobile platforms don't come with anti-phishing technology baked into their SMS messaging applications. And traditional endpoint defenses that identify and block email phishing are not built with smishing in mind. As such, businesses must put in place specialized mobile security protections that are purpose-built to protect mobile devices against threat vectors such as smishing and other device, application, mobile network, and social engineering attacks. Ideally the solution should be integrated with the rest of the organization's endpoint management and protection software, with centralized management and automated remediation to ease the burden for the IT or security teams.
