What is smishing?

Smishing is a cyber attack that uses text messages to target its victims. The word "smishing" comes from "SMS" and "phishing."

Learning Objectives

After reading this article you will be able to:

  • Define smishing (SMS phishing)
  • List some common types of smishing texts
  • Understand how to avoid smishing attacks


What is smishing?

Smishing, or SMS phishing, is the use of text messages to trick people into revealing sensitive or personal information. Smishing scammers use manipulative social engineering methods to collect data from their victims.

Mobile phones and smartphones tend to accept SMS messages from any source. This gives scammers the ability to send deceptive text messages to almost anyone in the world. Smishing scammers often pretend to be someone the victim knows or trusts to fool them. They may also use personal details, threats, or other tactics to convince the victim of a message's legitimacy.

The goal of smishing is to get the victim to give up some of their personal information. Victims may do this by entering their username and password in a fake webpage, sending their identification information to the scammer, or talking with the scammer on the phone. The scammer can either use the information they collect to take over the victim's accounts and identity, or they can sell it to the highest bidder on underground markets.

Smishing vs. phishing

Smishing is one of several kinds of phishing. Phishing is the name for any attempt to manipulate or defraud people into revealing personal or confidential information. Phishing is most common over email, but it has spread to other channels as well: text messages (smishing), phone calls (vishing), QR codes (quishing), and social media messages.

The widespread availability of generative AI (GenAI) services like large language models (LLMs) has given scammers additional tools for making their phishing messages sound realistic. Large-scale social media adoption and data aggregation make it easier for attackers to personalize their attacks for their targets. As such, phishing continues to be a popular, and profitable, way for scammers to steal confidential data, even though many people today are more wary of turning over their data to a stranger.

How smishing works: The steps in a smishing campaign

Smishing targets mobile phones — especially smartphones, which allow users to easily open hyperlinks. Smishing attacks mainly follow these steps:

  1. Choosing a target: Attackers can build lists of active phone numbers in a number of ways, from purchasing lists on the underground market to using bots to aggregate contact information. Some smishing campaigns cast a wide net and send text messages to as many live phone numbers as they can. Other attacks are highly targeted and personalized, and attackers conduct a little more research about the recipients of their texts.
  2. Setting up infrastructure: Some smishing texts require the victim to tap a link, and in those cases the scammer sets up fake websites or apps that collect victims' data. Sending the messages requires the use of fake phone numbers, SMS gateways, or compromised mobile phones so that attackers can disguise the source of the texts and quickly switch phone numbers if theirs is blocked.
  3. Writing the message: A smishing message can be short or long, formal or personal; each campaign is different. Smishing texts that seem to come from a trusted brand will likely be formal-sounding, while smishing texts purportedly from someone the victim knows may sound more informal. Many of the most effective smishing messages are direct and to the point, such as "Alert! Your work schedule has been updated, tap link to view the changes" (an actual example from a 2022 smishing attack). Depending on the tactics used, some smishing messages are heavily personalized for the victim. Others are meant to appeal to as many people as possible. LLM services can help attackers craft believable messages.
  4. Interacting with the target: Sometimes the interaction with the intended victim is as simple as sending the text message and hoping the victim clicks a link or replies with the desired information. Other times there may be an extended conversation over text or over the phone with the victim.
  5. Gathering data: The scammer may try to get victims to enter their data in a fake login page or form, or through a malicious app. They can also gather data through conversations with the victim.
  6. Malware installation: This only occurs in some smishing attacks. A malware download can be triggered after the user loads the attacker's webpage or by inducing the user to download a malicious app directly. Installing malware can allow attackers to gather further data from the victim, spread malware to other sources, or simply use the infected smartphone in a botnet.
  7. Using or selling the collected personal data: Attackers might do either, or both, with the data they collect.

Types of smishing

Smishing texts can take a lot of forms:

  • Account verification: In this smishing scam, the victim receives a text message pretending to be from an email service, social media app, or streaming service that they use. The message prompts the victim to "verify their account" by clicking a link and entering their username and password — in a fake login page controlled by the scammer.
  • Bank fraud: Scammers pose as the victim's bank, claim their accounts have seen suspicious activity, and include a link for "verifying" their identity, similar to other account verification scams.
  • Tech support: The smishing text claims there is a problem with the device or with some other service the victim is known to use. Employees of a targeted organization might receive texts that they have been locked out of their accounts, with the attackers pretending to be from the organization's IT team.
  • Reward scams: The smishing text tells the recipient they have won a reward or a lottery or a sweepstakes, and that they can claim their prize by following the included link, where they are prompted to enter personal information.
  • Service cancellation: The text tries to scare the recipient by claiming that their subscription to a service is about to be canceled.
  • Delivery notification: These smishing texts pretend to be from a delivery service. They may say that a package is on its way and provide a "tracking link" that leads to a fake webpage that harvests data, or they may say that an important package could not be delivered.
  • Tax refund: Smishing texts may say that the recipient owes money to a tax-collecting government agency; or, conversely, that they need to claim their tax refund.
  • Message from an executive: Smishing scammers may impersonate the CEO or some other executive at the recipient's place of employment. These attacks might be somewhat personalized (addressing the recipient by name, including their real place of employment, and using other basic personal information that can be found online).
  • Over-the-top fake messages: Many smishing texts are obviously fake to the majority of the people receiving them (e.g., "I am a foreign prince and my accounts are frozen, if you send me $200 I will repay you by sending you $100,000 when I can"). While some small percentage of people might fall for such messages, scammers can also use them to sort their lists of contact information between the gullible and the less gullible.
  • Unsigned messages: Some smishing messages contain almost no details at all, and are worded as if they come from someone the recipient knows (e.g., "Are you in town?" or "Do you still work at the same place?"). The idea is that the recipient might think they know the sender but have lost their number, and reply. Such messages may seek to draw the victim into a longer conversation that ends with a request for data. Or, attackers might only be trying to assess their list of contacts — to confirm if the victim's phone number is active, and if the recipient is likely to reply to texts from unknown numbers. Then they follow up later with more convincing schemes from different numbers. It is not wise to reply, even in a joking way, to such messages.

Smishing tactics

Smishing uses many of the same tactics as other types of phishing. The process of gathering contact information and sending out messages is a bit different compared to email phishing, but otherwise, most smishing campaigns include:

  • Social engineering: Attackers manipulate their victims by appealing to emotions such as fear or greed. Manipulation tactics include creating a sense of urgency, impersonating trusted people or brands, and pretending to be someone in authority.
  • Imitation webpages and apps: Smishing attackers set up fake, but convincing, login pages and applications that collect personal information from their victims.
  • Personalization: People are more likely to respond to text messages that address them by name. Smishing attackers can use personal information obtained from public sources, purchased on the underground market, or collected in previous smishing and phishing campaigns to make their messages more convincing.
  • Disguising the source: Smishing attackers can send their messages from a range of phone numbers they control. They can use SMS gateways to send messages directly from computers instead of relying on phones. Sending messages and disguising their true source can be mostly automated.
  • Following up on multiple channels: Smishing may be part of a larger campaign across other messaging channels such as email or social media.
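As an added example (not from the original article), here is a small triage helper a security team might run over text messages that employees report. It scores the tactics listed above (urgency, a credential prompt, a link whose host does not belong to the brand the text claims to be from) plus the unsigned "probe" messages from the Types section. The sample messages and the per-brand domain allowlist are constructed for illustration; an organization would maintain its own.

```python
import re
from urllib.parse import urlparse

# Constructed sample of reported texts: (brand or sender the text claims to be, message body).
REPORTED_SMS = [
    ("ExampleBank", "Alert: suspicious activity on your account. Verify now at http://examplebank-secure.co/login"),
    ("ParcelCo", "Your package could not be delivered. Reschedule: https://parcelco.example/track/3921"),
    ("unknown", "Are you in town?"),
    ("HR", "Alert! Your work schedule has been updated, tap link to view the changes http://bit.ly/abc"),
]

# Hypothetical allowlist of official domains per impersonated brand (lower-cased brand name as key).
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "parcelco": {"parcelco.example"},
}

URGENCY = re.compile(r"\b(alert|urgent|immediately|suspended|locked|cancel+ed|now|within 24 hours)\b", re.I)
CREDENTIAL = re.compile(r"\b(verify|confirm|log ?in|password|account|claim)\b", re.I)
PROBE = re.compile(r"^(are you in town|do you still work|hi,? how are you)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def triage(claimed_sender, text):
    """Score one reported text; returns (score, list of matched reasons)."""
    score, reasons = 0, []
    if URGENCY.search(text):          # "act now or lose access" pressure
        score += 2; reasons.append("urgency")
    if CREDENTIAL.search(text):       # asks the reader to verify/log in/claim
        score += 2; reasons.append("credential prompt")
    for url in URL.findall(text):     # link host must belong to the claimed brand
        host = urlparse(url).hostname or ""
        if host not in OFFICIAL_DOMAINS.get(claimed_sender.lower(), set()):
            score += 3; reasons.append(f"link host {host!r} not official for {claimed_sender}")
    if not URL.search(text) and PROBE.search(text.strip()):  # bare "is this number live?" probe
        score += 1; reasons.append("unsigned probe")
    return score, reasons


def verdict(score):
    """Map a triage score to a queue label for the analyst."""
    return "likely smishing" if score >= 5 else "review" if score >= 2 else "low"


if __name__ == "__main__":
    for sender, body in REPORTED_SMS:
        score, reasons = triage(sender, body)
        print(f"{verdict(score):16} score={score} {reasons}  <- {body[:50]}")
```

A link to the brand's real domain (the ParcelCo sample) scores zero here, which is the point of the allowlist: the text's own claims are checked against something the team controls, not against the message.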

What should you do if you get a possible smishing text?

Do not click any links: This applies to any links in text messages from an unknown number or an unexpected source. Such links may go to pages or apps that harvest data or host malware. Instead, go to the source's official website separately and load the page that way; for example, if a text comes with a notice about service cancellation, go to the service provider's website separately and use that login page, instead of clicking the link in the text.

Do not reply: Often attackers are only checking to see if a number is active or if their personal information about the recipient is correct. Replying, even if one does not reveal any personal information, still reveals too much. Attackers are likely to direct more resources to people who read and reply to their messages, just as a salesperson is likely to follow up many times with someone who displays passing interest in a product.

Report the phone number: Mobile carriers typically block numbers if enough people report them, although smishing scammers can simply switch or disguise their numbers.

Report to IT or security: Security teams need as much visibility as possible into attacks targeting employees. Smishing attacks can be part of a larger threat campaign that aims to get access into a company's network.

Check with the source separately: Contact the brand or service provider directly, using official contact information from a known source, to check on the information in the text. Let them know, if the text turns out to be smishing, that someone is conducting a smishing campaign against their customers.

Delete the message and block the number: This leaves no possibility of falling for the scam or accidentally tapping on the link.

Do not reply and do not click any links: It bears repeating!

Turn off read receipts: Some SMS messaging services send a notice to the other party when a text has been opened and read. In smishing attacks, a read receipt lets an attacker know that the intended victim is at least reading the texts, even if they are not falling for the scams or clicking any links. Turning off read receipts by default makes it harder for attackers to gain this information.

Smishing as part of larger attack campaigns

Instead of simply targeting individuals, advanced persistent threats (APTs) may use a multi-step campaign to compromise a larger organization. They can use smishing to take over the account of a known employee or contractor, then leapfrog to other accounts or systems. Once they have this access, they can compromise sensitive data, spy on an organization's activities, infect the organization with ransomware, or otherwise damage their business operations. Smishing is therefore a crucial attack vector for large organizations to defend against.

How organizations can defend against smishing campaigns

  • Hard keys for two-factor authentication (2FA): One of the strongest defenses against smishing attacks is to use 2FA, so that a set of login credentials alone is not enough to gain access to an account. Specifically, the use of FIDO2-compliant hard keys — hardware-based tokens that plug into USB ports or use Bluetooth — drops the likelihood of a successful smishing attack to practically zero. (Soft tokens, such as one-time codes, can be intercepted or phished along with the password.)
  • User training: Employees and contractors should be taught how to recognize phishing and smishing messages. Reporting such messages should be instant and easy.
  • Zero trust security: This is a type of security model that assumes threats may be present inside secured networks, and that even known users and devices could be compromised. A zero trust architecture helps to restrict the damage if a smishing attack is successful, by using microsegmentation to prevent lateral movement and privilege escalation. 2FA is also a core component of zero trust security. Learn how Cloudflare mitigated a sophisticated smishing campaign with 2FA and zero trust security.


FAQs

What does smishing mean?

Smishing is a form of cyber attack that uses text messages to trick people into giving up personal or confidential information. The name is a combination of SMS and phishing. Attackers often pretend to be a trusted person or organization in order to manipulate victims into revealing their information.

What are some common types of smishing scams?

Smishing scams can take many forms, including messages that claim to be from a bank about suspicious activity, a delivery service with a tracking link, or an email service requiring account verification. Other types include texts promising rewards, threatening service cancellation, or impersonating an executive from a victim's workplace. Some scammers even send generic greetings or questions like 'Hi, how are you?' to see if a phone number is active and if the recipient will reply.

What's the difference between smishing and phishing?

Smishing is a specific type of phishing attack that occurs over text messages (SMS). Phishing is a broader term for any attempt to manipulate or defraud people into revealing personal or confidential information. Phishing is most common via email, but it can also happen through phone calls, QR codes, social media messages, and text messages.

How can I protect myself from a smishing attack?

If you receive a text you suspect is a smishing attack, do not click on any links. You should not reply to the message either, as this confirms to the attacker that your number is active. You should delete the message, block the number, and turn off read receipts to prevent attackers from knowing you have opened the text. You may also want to report the attack to your employer's security team to give them visibility into attacks targeting employees.

How can an organization defend against smishing campaigns?

Organizations can defend against smishing by training employees and contractors to recognize and report these messages. Using hard keys for two-factor authentication (2FA) is also a strong defense, as it makes it nearly impossible for an attacker to gain access to an account with just stolen login credentials. Adopting a zero trust security model can also help, as it assumes that threats may already be inside the network and limits the damage a successful attack can cause.