Smishing: Understanding SMS-based Phishing Threats

Howard Poston
Nov 08, 2023
Smishing: Understanding SMS-based Phishing Threats

SMS phishing or smishing is a social engineering attack that uses SMS to send phishing messages to a user. Often, these messages are designed to induce a user to click on a link that takes them to a phishing site.

The growth of smishing attacks has been driven by the growing use of mobile devices. Companies increasingly use text messages for customer service and bring-your-own-device (BYOD) programs normalize mobile device usage in the workplace. As a result, smishing has become a major threat to businesses and individuals alike.

User education is essential to managing the phishing threat. This article explores how phishing attacks work, how they differ from related threats and best practices for managing the risk that they pose both personally and professionally.

Smishing Meaning

The word smishing comes from combining the words SMS and phishing. This combination highlights the fact that this attack uses SMS text messages to deliver phishing content to a user.

Historically, the word phishing has been associated with email because most early phishing attacks used email. However, phishing can be performed using any messaging platform, including email, social media, and text messages.

Smishing attacks use many of the same techniques as traditional email-based phishing. For example, impersonation is common in all phishing attacks as the attacker pretends to be a known, trusted entity to make the pretext more believable. Like email-based phishing attacks, smishing messages are typically designed to trick a user into clicking on a link to a malicious site that is designed to steal their login credentials or convince them to install malware on their devices.

Smishing vs. Phishing vs. Vishing

Phishing, smishing, and vishing are all social engineering attacks that use deception, coercion, and psychological manipulation to get the target to do what the attacker wants. In general, these threats are designed to trick a user into handing over sensitive information (credentials, payment card data, etc.), sending the attacker money, or installing malware on their machine.

The primary difference between these threats is the medium used to deliver the socially engineered content. Often, phishing is associated with email, and smishing is an SMS-based version of a phishing attack. These two threats use similar tactics such as links to malicious pages.

Vishing is performed over the phone, which means it uses similar but distinct tactics from the other two. A vishing attack uses the same deception and coercion as phishing or smishing but is often focused on tricking the target into sharing sensitive information with the attacker.

Anatomy of a Smishing Attack

A smishing attack begins with a text message. Often, this SMS is designed to appear to originate from a trusted party. For example, a user might get a text from their bank claiming that there was an issue with their account or an unusual transaction that required approval.

The SMS message will contain a link claiming to lead to the alleged sender’s website. Often, this will use a link-shortening tool, which conceals the actual URL.

If a user taps the link, they will be taken to a phishing site that is designed to look like the login page on the real site. However, entering credentials into this page will send them to the attacker, granting them access to the user’s account.

Recent Examples, Use Cases, and Targeted Sectors

Often, smishing attackers use recent data breaches to build lists of targets and realistic pretexts. For example, UPS suffered a data breach in 2023, and the attackers used the information collected from it to send smishing texts to people expecting packages.

Smishing attacks also are used to target companies and gain access to their systems. For example, Zendesk reported a breach in October 2022 where smishers tricked employees into handing over their account credentials. Using these credentials, the attacker was able to access log information stored on the company’s servers.

Smishing is a common attack technique that targets individuals and businesses across all sectors. These attacks take advantage of the fact that companies are increasingly using text messages to communicate, that users are often on their devices, and that detecting phishing links is much more difficult on a mobile device.

Types of Smishing Attacks and How Smishing Attacks Work

Smishing attacks are simply phishing attacks delivered via a different medium (SMS messages). Some of the common components of a phishing attack include:

  • Impersonation: Smishing messages will claim to be from a person or organization that the user knows and trusts. For example, service providers like Netflix, Microsoft, and Amazon as well as financial institutions are commonly impersonated brands.
  • Manipulation: Social engineering attacks are designed to trick the target into doing something. Often, this is accomplished by creating a sense of urgency by claiming that something has gone wrong that requires immediate attention.
  • URL Shortening: Smishing attacks are typically designed to trick a user into clicking a link that takes them to a phishing site. Many brands use link shortening in their text messages due to the limited character count. Smishers take advantage of this fact to make their texts look authentic and conceal the actual, malicious URL.

What to Do if You Become a Victim of Smishing

Smishing attacks are generally geared toward stealing sensitive data or installing malware on a device. Some steps to take if you’re the victim of a smishing attack include:

  • Change Affected Passwords: Smishing attacks commonly attempt to steal passwords. Be sure to change passwords on any sites whose credentials might have been entered into phishing sites.
  • Enable MFA: Multi-factor authentication (MFA) requires access to multiple authentication factors to log into a user’s account. Enabling MFA makes it more difficult for an attacker to use their stolen credentials.
  • Freeze Accounts: Smishers may use stolen information to perform identity theft. Freezing accounts can help to protect against this threat.
  • Run Mobile Antivirus: Smishing attacks can also be used to install mobile malware on a device. Install and run a reputable mobile antivirus to identify and remove malicious apps on your mobile device.

Smishing Prevention and Mitigation

Smishing attacks use many of the same tactics as traditional, email-based phishing attacks. The attacker will send an unsolicited message with malicious links that lead users to a phishing site. These messages are often designed to evoke a sense of urgency and take advantage of users’ “always on” mentality for mobile devices and the ability of link-shortening services to conceal URLs.

Some best practices for preventing and mitigating phishing attacks include:

  • Enable Spam Protection: Some mobile providers and device manufacturers offer automated spam blocking for SMS. Enabling this will stop known spam or phishing messages from reaching the inbox.
  • Don’t Trust SMS Links: It’s difficult to determine the target of a link in a text message, especially if link shortening is used. Browse to a site directly rather than clicking and trusting a link.
  • Use Strong Authentication: Enable MFA with strong authentication factors to reduce attackers’ ability to use stolen credentials.
  • Install a Mobile Antivirus: Mobile devices can be just as vulnerable to malware as traditional computers. Install and perform regular scans with a mobile antivirus to identify and eradicate malicious apps.
  • Confirm Out-of-Band: Unsolicited messages aren’t always malicious, but they do have a higher probability of being phishing content. Verifying a message using official channels can help you avoid falling for a smishing attack.

Industry Responses to Smishing Threats, Statistics, and Trends

Smishing has become a major threat to personal and professional security. In 2022, 76% of organizations reported being the victim of a smishing attack. As a result, mobile providers, cybersecurity companies, and regulators are taking action to combat the threat.

Mobile providers’ primary focus is on preventing malicious SMS messages from reaching their intended targets. These organizations commonly offer built-in spam filtering services to block known threats and the ability for users to report phone numbers sending out spam and smishing messages

Cybersecurity companies provide user education and tools designed to reduce smishing threats and impacts. For example, cybersecurity companies offer enhanced authentication solutions to reduce the risk of credential theft, identity monitoring services, and endpoint security tools to manage the risk of malware being installed on a user’s device.

Regulators are taking steps to target smishers and incentivize organizations to properly protect customer data. Convicted smishers may face legal penalties, and data protection regulations such as GDPR and CCPA may enable regulators to issue penalties for companies that are not implementing security best practices for smishing prevention.

Legal and Regulatory Implications>

The smishing threat also has potential legal and regulatory impacts for the attackers. For example, some jurisdictions are working to put laws in place that establish fines and potential imprisonment for convicted smishers.


Companies may also need to consider the legal and regulatory impacts of smishing attacks if their customers are impacted. For example, a smishing attacker may be able to gain access to a user’s account and access sensitive data and functionality using it. Companies may face regulatory scrutiny and potential penalties if they haven’t taken adequate measures to manage these risks to customers and to identify and block suspected fraudulent activity on their platforms.


Smishing is a form of phishing attack that uses SMS messages to deliver malicious content. Like email phishing, it commonly uses social engineering to trick users into visiting malicious sites that steal their passwords or install malware on their devices.

As a social engineering attack, user education is one of the best defenses against smishing. Training users to recognize and respond properly to these attacks reduces their smishing risk both personally and professionally.

One way that organizations can help protect their users and customers against smishing is to adopt strong, phishing-resistant multi-factor authentication. 

At Kelvin Zero, we are doing exactly that, building next-gen authentication and trust solutions to protect organizations against credential-based attacks like smishing. 

Book a demo today to learn more about Multi-Pass and we are helping enterprises replace workforce and customer passwords with phishing-resistant, passwordless MFA.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.