What is smishing (SMS phishing)?

Smishing is an increasingly popular form of cybercrime. According to Proofpoint’s 2024 State of the Phish report, 75% of organizations experienced smishing attacks in 2023.¹

Several factors have contributed to a rise in smishing. For one, the hackers perpetrating these attacks, sometimes called “smishers,” know that victims are likelier to click text messages than other links. At the same time, advances in spam filters have made it harder for other forms of phishing, like emails and phone calls, to reach their targets. 

The increase of bring your own device (BYOD) and remote work arrangements have also led to more people using their mobile devices at work, making it easier for cybercriminals to access company networks through employees’ cell phones.

Smishing attacks are similar to other types of phishing attacks, in which scammers use phony messages and malicious links to fool people into compromising their mobile phones, bank accounts or personal data. The main difference is the medium. In smishing attacks, scammers use SMS or messaging apps to conduct their cybercrimes rather than emails or phone calls.

Scammers choose smishing over other types of phishing attacks for various reasons. Research shows that people are likelier to click links in text messages. Klaviyo reports that SMS click-through rates hover between 8.9% and 14.5%.² By comparison, emails have an average click rate of 2%, according to Constant Contact.³

In addition, scammers can mask the origins of smishing messages by using tactics such as spoofing phone numbers with burner phones or using software to send texts by email.

It's also harder to spot dangerous links on cell phones. On a computer, users can hover over a link to see where it leads. On smartphones, they don't have that option. People are also used to banks and brands contacting them over SMS and receiving shortened URLs in text messages.

In 2020, the Federal Communications Commission (FCC) mandated that telecom companies adopt the STIR/SHAKEN protocol. STIR/SHAKEN authenticates phone calls and is the reason why some mobile phones now display "scam likely" or "spam likely" messages when suspicious numbers call.

While this rule made scam calls easier to spot, it did not have the same effect on text messages, leading many scammers to shift their focus to smishing attacks.

Like other forms of social engineering, most types of smishing attacks rely on pretexting, which involves using fake stories to manipulate victims’ emotions and trick them into doing a scammer’s bidding.

Scammers might pose as the victim’s bank alerting them to a problem with their account, often through a fake notification. If the victim clicks the link, it brings them to a fake website or app that steals sensitive financial information like PINs, login credentials, passwords and bank account or credit card information.

According to the Federal Trade Commission (FTC), bank impersonation is the most common text message scam, accounting for 10% of all smishing messages.⁴

Scammers might pretend to be police officers, IRS representatives or other government agency officials. These smishing texts often claim the victim owes a fine or must act to claim a government benefit.

For example, in April 2024, the Federal Bureau of Investigation (FBI) issued a warning about a smishing scam targeting US drivers.⁵ The scammers send text messages pretending to come from toll collection agencies and claiming the target owes unpaid road tolls. The messages contain a link to a fake site that steals victims’ money and information.

Attackers pose as customer support agents at trusted brands and retailers like Amazon, Microsoft or even the victim’s wireless service provider. They usually say that there is a problem with the victim’s account or an unclaimed reward or refund. Typically, these texts send the victim to a fake website that steals their credit card numbers or banking information.

These smishing messages claim to come from a shipping company such as FedEx, UPS or the US Postal Service. They tell the victim there was a problem delivering a package and ask them to pay a “package delivery fee” or sign in to their account to correct the issue. Then, the scammers take the money or account information and run. These scams are common around the holidays when many people wait for packages.

In business text compromise (similar to business email compromise, except by SMS message), hackers pretend to be a boss, coworker or colleague, vendor or attorney who needs help with an urgent task. These scams often request immediate action and end with the victim sending money to the hackers.

Scammers send a text that appears to be intended for someone other than the victim. When the victim corrects the scammer’s “mistake,” the scammer strikes up a conversation with the victim.

These wrong number scams tend to be long-term, with the scammer trying to earn the victim’s friendship and trust through repeated contact over months or even years. The scammer might even pretend to develop romantic feelings for the victim. The goal is to steal the victim’s money through a fake investment opportunity, a request for a loan or a similar story.

In this scam, called multifactor authentication (MFA) fraud, a hacker who already has a victim's username and password tries to steal the verification code or one-time password required to access the victim's account.

The hacker might pose as one of the victim’s friends, claim to have been locked out of their Instagram or Facebook account, and ask the victim to receive a code for them. The victim gets an MFA code—which is actually for their own account—and gives it to the hacker.

Some smishing scams trick victims into downloading seemingly legitimate apps—for example, file managers, digital payment apps, even antivirus apps—that are in fact malware or ransomware.

Phishing is a broad term for cyberattacks that use social engineering to trick victims into paying money, handing over sensitive information or downloading malware. Smishing and vishing are just two kinds of phishing attacks that hackers can use on their victims.

The main difference between the different types of phishing attacks is the medium used to carry out the attacks. In smishing attacks, hackers target their victims using text messages or SMS. In vishing attacks (short for “voice phishing”), hackers use voice communication like phone calls and voicemails to pose as legitimate organizations and manipulate victims.

To help combat smishing scams, the FCC adopted a new rule that requires wireless providers to block likely spam texts from suspicious numbers, including unused or invalid phone numbers.⁶

However, no spam filter is perfect, and cybercriminals are always working on ways to get around these measures. Individuals and organizations can take additional steps to strengthen their defenses against smishing attacks, including:

Android and iOS operating systems have built-in protections and functions, like blocking unapproved apps and filtering suspicious texts to a spam folder.

At the organizational level, companies can use unified endpoint management (UEM) solutions and fraud detection tools to set mobile security controls, enforce security policies and intercept malicious activity.

Organizations can stop more scams by training employees to recognize the warning signs of cyberattacks and smishing attempts, such as unusual phone numbers, unknown senders, unexpected URLs and a heightened sense of urgency.

Many organizations use smishing simulations to help employees practice new cybersecurity skills. These simulations can also help security teams uncover vulnerabilities in computer systems and organizational policies that expose the business to scams.

Organizations can remediate these vulnerabilities by combining threat detection tools with policies for handling sensitive data, authorizing payments and verifying requests before acting on them.