What Is Smishing?

Smishing is a type of telecommunications fraud where cybercriminals use text messages to trick victims into clicking a link. That link may install malware on the individual’s phone or direct the victim to a fake website where they enter their personal details, believing that the site is genuine. Obtaining that personal information is the fraudsters’ goal.

The word “smishing” comes from combining “SMS” and “phishing”, as smishing is the text message form of phishing (just as vishing is the voice call and voice message form of phishing).

Smishing is a rapidly growing form of fraud. SMS recipients open 98% of the text messages that they receive, compared to email recipients opening just 20% of their emails. This high open rate for text messages means that smishing holds plenty of attractions for fraudsters – as do the potential returns. According to the Communications Fraud Control Association, some $39.89 billion was lost to fraud by the global telecom industry in 2021.

How Does Smishing Work? 

Smishing works by using text messages to trick a victim into clicking a link. Fraudsters often use scare tactics and time pressure to push the message recipient into clicking the link quickly, before they have had time to consider whether it might be genuine or not.

Clicking the link is the first step in the process. It can result in a couple of things happening, neither of them good.

Malware installationMost people are aware of the need for robust security on their computers, but fewer tend to think about it when it comes to their phones. Yet SMS malware is a serious threat. All fraudsters need is for the victim to click a link to install it. Once clicked, the malware can pose as an app from a genuine business. The victim enters their details into the app, which then sends the information to the cybercriminals.
Fake websiteSome smishing attempts take the target to a fake website. This is designed to look like a genuine company’s site, which gives the victim the belief that they are entering their details into a secure, legitimate site. However, the site is actually sending the victim’s data to the fraudsters instead.

How Do Smishing Scams Operate?

The reason that smishing scams operate so effectively is that they put the target under pressure to act fast. They also often involve an approach that it is likely to panic the victim, such as the fraudster posing as a bank or credit card company and sending a message about an unpaid bill or a payment problem. This combination of scare tactics and pressure to act fast can often trigger the victim into taking action, such as clicking a link and entering personal details, without thinking the situation through fully.

Smishing scam operators have evolved their approach rapidly in recent years. They have embraced the potential of automation, using software to check that target numbers are for mobiles, rather than landlines. Some have also created auto-shops through which to sell the details they have stolen through smishing. Others provide hosting services (for phishing sites or marketplaces), while some also sell smishing as part of a fraud as a service offering.

Identify Who’s Behind the Number

Test our reverse phone number lookup tool and find out the identity of the caller contacting your business.

Try Our Tool

Examples of Smishing 

There are many examples of smishing, all designed to trick victims into sharing their details. Some of the most common are detailed below.

Bank and Credit Card Smishing 

This smishing example relies on the target’s desire to resolve any banking matter as swiftly as possible. The fraudster sends a text purporting to be from a bank or credit card company and stating that there is an urgent problem that the victim needs to resolve – the first step of which involves clicking the link in the text message.

Delivery Texts

Emails alleging to be from delivery companies are a well-known form of phishing. Fraudsters also use this ruse for smishing. They send text messages about a delayed or missed delivery, with a link that looks like it is from a genuine parcel company.

IT Services 

Another common smishing scam is where fraudsters send messages claiming that the target’s password for a particular website has been compromised and needs to be reset. If the fraudsters have the victim’s email address as well, they can use this and the victim’s phone number to trick the victim into handing over their password and the two-factor authentication code needed for a password reset.

COVID-19 Smishing 

Fraudsters were quick to embrace the potential that the pandemic provided for them. This led to some posing as healthcare agencies or government departments, with messages relating to vaccinations, financial relief, and other pandemic-related matters. This form of smishing added individuals’ fears about their health or their finances (or both) into the mix.

CEO Fraud 

Smishing can also be used as part of a spear-phishing attempt. This is where the fraudster targets a company employee by impersonating the CEO and texting the employee about an urgent matter that needs to be resolved. The goal is to trick the employee into revealing sensitive company data by applying scare tactics and time pressure – as well as playing on the individual’s respect for their CEO’s authority.

There are plenty of other examples of smishing scams, from fake prize wins to taxation scams. All of them use these kinds of pressure to try to make the victim act fast.

How Does Smishing Spread? 

Smishing has spread from SMS text services to other messaging services, as these have proliferated in recent years with increasing smartphone use (DataReportal states that, as of January 2023, there are now 5.44 billion mobile phone users in the world). The sophistication of fraudsters’ smishing operations, combined with its effectiveness as a form of fraud, has meant that the use of smishing has spread far and wide.

To try to prevent the spread of smishing, many countries have implemented reporting procedures, many of them automated so that companies can quickly and easily report numbers that send smishing texts. Reporting smishing attempts can help to slow the spread of this form of fraud. 

How to Protect Against Smishing 

Protecting against smishing begins with raising awareness. According to Proofpoint, less than 35% of the US population knows what smishing is, let alone how to guard against it. Among those aged 55 and above, that figure drops to 23%. As such, businesses need to include details of what smishing is and how to spot it as part of their cybersecurity awareness training.

Key to protecting against smishing is to verify the number that any text message comes from. Someone receiving a message purporting to be from a credit card company, for example, can quickly verify if the message is genuine by calling the company to check. And until the message has been confirmed as genuine, the recipient should under no circumstances click any links in it.

Mobile-friendly anti-virus and web protection apps can also help to protect against smishing, as many include protection against malware.

Related Terms

Related Articles


Contact Us for a Demo

Feel free to reach out to us for a demo!