What is Smishing?

Smishing is a cyber crime that, like email phishing, uses manipulative text messages to steal people's confidential personal and corporate information.

Cyber criminals send carefully-worded text messages to the victim, urging the victim to respond or to take further action. The text message might ask the victim to confirm delivery of an Amazon order or ask the recipient to click a link to finish registering in a new government program.

The ultimate goal of any smishing tactic is the same – to compromise people by stealing confidential information.

Smishing relies on social engineering to get victims to respond and take action.

Using urgent language, the text message may threaten the victim with severe consequences if they don’t take action or convince the victim that they’re helping the sender by providing the requested information.

How Common is Smishing?

Despite being a somewhat unheralded manifestation of phishing and social engineering, smishing is causing millions of dollars in losses for organizations worldwide.

According to the FBI’s Internet Crime Complaint Center (IC3), smishing was part of the top crime category by victim count, with over 240,000 individual incidents reported. This spike in smishing activity reportedly results in over $50 million in losses for American organizations alone – a figure that’s expected to rise substantially in the coming years.

From a consumer point of view, four times as many SMS messages as emails are sent from personal cell phones every day. Couple this with the fact that smartphone sales continue to grow year-over-year and you have a cyber threat that will only increase in importance over the next decade.

Smishing risk can only be reduced by focusing on your end users

As unprecedented digital transformation impacts many industries worldwide, all organizations must bolster their phishing awareness training through current, multifaceted phishing simulation and security awareness training initiatives.

For more information on the most recent global phishing benchmarks obtained through the Gone Phishing Tournament, as well as expert tips on how to minimize smishing and phishing risks, download your free copy of the full report.

What is social engineering?

Social engineering is a technique used by cyber criminals to trick people into giving up confidential information. Social engineering relies on the basic human instinct of trust to steal personal and corporate information that can be used to commit further cyber crimes.

How Does Smishing Happen?

Smishing happens when the cyber criminal can capitalize on the human tendencies of trust and wanting to help others. The cyber criminal knows that people are motivated by persuasive language such as “Act Now,” “Urgent!” or “Don’t Miss Out!”

People are naturally curious and want to know more about the promised reward, the unexpected Amazon delivery, or the new government subsidy program. Typically, smishing victims respond instantly without giving the text message a careful read, missing out on telltale signs that the text message is a scam.

People tend to read and respond to text messages wherever they are and regardless of what they’re doing. Cyber criminals prey on this level of distraction to catch people off-guard.

What Are The Different Smishing Tactics?

1. Fake Link Tactic

The text message sender pretends to represent a valid organization or company and includes a link similar to the actual URL for the organization or company. The sender asks the recipient to click the link and take action, such as updating their personal information, confirming the delivery of a package, or entering a draw for a free prize.

2. Convincing Phone Call

The text message tells the victim to call the sender back. The text message often appears to come from a government or city organization and uses urgent language to convince the victim to call immediately to protect themselves from severe consequences. When the victim calls the number, they speak to a person who sounds legitimate, is very helpful, and reassuring – the victim believes they’re doing the right thing by providing the information the person needs.

3. Malware Attack

The text message includes a link to an executable that installs malware on the victim’s mobile device. Typically, the cyber criminal installs Trojan horse software that captures and records the victim’s keystrokes, making it easy to steal passwords, contact lists, banking information, etc.

4. Spear Smishing

This type of smishing takes more work and research on behalf of the cyber criminal. Using background information on the victim collected from social media sites such as Facebook and LinkedIn, the cyber criminal can send a targeted and specific smishing attack that appears to be legitimate. Due to the personal nature of the smishing message, the victim trusts the sender and doesn’t hesitate to respond.
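The tactics above each leave a visible indicator in the message itself: pressure language, a link whose host only resembles the real brand, or a demand to call a number. As an added defender-side illustration (not code from the original article), the following Python sketch scores SMS text for those three indicators. The brand allowlist, the urgency phrase list and the sample messages are constructed assumptions for this example; a production filter would use maintained lists and a real public-suffix library.

```python
"""Heuristic smishing indicator scoring for SMS text (added example, not from the article)."""
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption for this example: a small allowlist of the real domains behind brands
# that smishing texts commonly imitate. A production system would use a maintained list.
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.ca"},
    "fedex": {"fedex.com"},
}

# Pressure phrases of the kind the article quotes ("Act Now", "Urgent!", "Don't Miss Out!").
URGENCY_PHRASES = (
    "act now", "urgent", "don't miss out", "immediately",
    "suspended", "within 24 hours", "final notice",
)

# Digit-for-letter substitutions that make a lookalike host read like the brand name.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(?:call|phone|dial)\b", re.IGNORECASE)


def extract_urls(text: str) -> list:
    """Pull URLs out of a message, trimming trailing punctuation that is not part of the link."""
    return [m.rstrip(".,;:!?)\"'") for m in URL_RE.findall(text)]


def lookalike_brand(url: str) -> Optional[str]:
    """Return the brand a URL host imitates, or None if the host names no brand or is allowlisted."""
    if "://" not in url:
        url = "http://" + url  # urlparse only populates hostname when a scheme is present
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    # Crude registrable-domain guess (last two labels); sufficient for the allowlist above.
    registered = ".".join(host.split(".")[-2:])
    normalized = host.translate(LEET)  # "amaz0n-..." -> "amazon-..."
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in normalized and registered not in allowed:
            return brand
    return None


def score_message(text: str) -> dict:
    """Collect smishing indicators for one message and decide whether to flag it."""
    indicators = []
    lowered = text.lower()
    urgency_hits = [p for p in URGENCY_PHRASES if p in lowered]
    if urgency_hits:
        indicators.append("urgency:" + ",".join(urgency_hits))
    for url in extract_urls(text):
        brand = lookalike_brand(url)
        if brand:
            indicators.append("lookalike_domain:" + brand)
    if CALL_RE.search(text) and PHONE_RE.search(text):
        indicators.append("callback_number")
    # A brand-imitating link is suspicious on its own; otherwise require two independent signals.
    suspicious = any(i.startswith("lookalike_domain") for i in indicators) or len(indicators) >= 2
    return {"indicators": indicators, "suspicious": suspicious}


# Constructed sample messages (not real captures) covering the tactics described above.
SAMPLE_MESSAGES = (
    "URGENT: Your Amazon package could not be delivered. Confirm your address within 24 hours at https://amaz0n-delivery-update.info/confirm",
    "Final notice from the City Tax Office. Call 555-014-2398 immediately to avoid penalties.",
    "Your order from https://www.amazon.com/gp/css/order-history has shipped.",
    "Your dentist appointment is confirmed for Tuesday at 10am. Reply C to confirm or R to reschedule.",
)

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = score_message(msg)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['indicators']} | {msg[:60]}")
```

The first two sample messages are flagged (lookalike host plus urgency; urgency plus callback number), while the legitimate order update and the appointment reminder pass, which is the point of requiring either a brand-imitating link or two independent signals rather than any single keyword.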

How To Prevent Smishing Attacks

1. Educate your employees on the risks that can arrive in text messages. Use security awareness training and simulations to educate employees with real-world scenarios.

2. Remind employees to never respond to or click links in text messages from senders and phone numbers they do not recognize. Employees should block the sender and delete the message from their devices.

3. Use security awareness campaigns to alert employees to social engineering and how cyber criminals send convincing, urgent text messages.

4. Ask your security leaders and internal cyber heroes to regularly monitor employee awareness of smishing. Highlight to employees that they need to read every text message carefully and, if in doubt, never respond.

5. Use security awareness training and simulations to raise awareness of the risks of clicking links and downloading attachments in text messages. Take advantage of training that uses gamification and micro- and nanolearning modules to keep training interactive and engaging.

6. Install malware protection and anti-virus software on all employee mobile devices. This is particularly important for companies that have a bring your own device (BYOD) policy.

7. Provide regular and ongoing communication and awareness campaigns about smishing, social engineering, and cyber security. Reinforce to employees that they should never click links or respond to an unknown sender.

What Not To Do With A Smishing Text

  • Do NOT Reply To A Smishing Text
  • Do NOT Call The Sender Phone Number
  • Do NOT Click Any Links
  • Do NOT Send A STOP Text Message

What Is a Phishing Simulation?

Phishing simulation is the best way to raise awareness of smishing and phishing risks. Remember that smishing is a type of phishing, and often, cyber criminals use multiple phishing and smishing attacks at once.

Phishing simulations help you identify which employees are at risk of cyber crimes that come through text messages and emails. Real-time phishing simulations are vital for any successful security awareness training program.

Security awareness training and phishing simulations help raise alertness levels to cyber security threats. Phishing simulations give people first-hand experiences with smishing, so they know the signs and what to look for.

How Can Phishing Simulations Help Prevent Smishing Attacks?

Phishing simulations help you show employees how cyber criminals use text messages to steal and commit cyber crimes.

1. Increases alertness levels to how cyber criminals use manipulative language in text messages.
2. Changes human behavior to eliminate the automatic trust response.
3. Creates awareness to reduce the cyber threat level.
4. Measures and monitors the level of corporate and employee vulnerability.
5. Deploys targeted anti-smishing solutions.
6. Assesses the effectiveness of cyber security awareness training.
7. Keeps employee alertness levels to smishing threats high at all times.
8. Protects sensitive corporate and personal information.
9. Instills a cyber security culture and helps transform end users into cyber heroes.
10. Meets industry security training compliance obligations.