Smishing

What is Smishing?

Smishing, also known as SMS phishing, is a type of phishing attack that is carried out through mobile text messaging. In smishing attacks, cyberattackers use social engineering techniques over Short Message Service (SMS) to steal your personal data and then use that information to commit financially motivated crimes. Smishing is completed in three steps:

  1. The cyberattacker sends the victim a text with a malicious link or instructions to call a number to rectify an urgent issue;
  2. The victim clicks on the link or calls the phone number and provides personal information;
  3. The cyberattacker uses the victim’s information to commit fraud or to make a profit.

Smishing messages often masquerade as messages from your bank or from some other entity that you are likely to trust. Smishing attacks are effective social engineering techniques that rely on the following elements:

Trusted source. SMS texts that appear to come from trusted sources lead the victim to lower their skepticism toward potential threats and to follow the call to action.

Personalization. Messages that feel personalized and relevant make victims more likely to heed the call to action without second-guessing.

Emotions. SMS messages from trusted sources with urgent calls to action prompt victims to react swiftly without thinking critically about the potential threats.

Types of smishing attacks include:

Financial services smishing. Cyberattackers pose as banks or other financial institutions and may ask to urgently address situations such as unlocking accounts, verifying accounts, and more.

COVID-19 smishing. Cyberattackers pose as representatives of pandemic-related programs and services to gain personal information. Examples include stimulus checks, U.S. Census data, public health updates, and contact tracing.

Gift smishing. Cyberattackers pose as reputable companies offering shopping rewards, contests, and other free offers.

Customer support smishing. Cyberattackers pose as trusted organizations offering to help resolve account issues.

Order confirmation or invoice smishing. Cyberattackers send false billing invoices or order confirmations.

To protect yourself from smishing attacks, consider the following tips¹:

  • Banks, government agencies, and other legitimate companies will never ask for personal or financial information via SMS.
  • Do not hastily follow urgent calls to action via SMS.
  • Do not call phone numbers provided via unsolicited SMS.
  • Do not respond to smishing messages, even to ask the sender to stop contacting you. Responding to the message verifies that your phone number is active.
  • Be careful about providing your phone number, particularly in response to ads and offers for “free trials.”
  • Use the same security practices on SMS that you use on your computer.

¹ Office of Minnesota Attorney General, 2023, “Text Message Phishing – or ‘Smishing’ – Scams”