What is smishing? How phishing via text message works

Smishing definition

Smishing is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.

Smishing is a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. But people are often less watchful for suspicious messages on their phones than on their computers: they’re more likely to open a potentially suspicious text message than an email message, and their personal devices generally lack the type of security available on corporate PCs. This pernicious new take on an old trick is becoming increasingly widespread.

Phishing vs. smishing vs. vishing: What’s the difference?

Before we dive in the details, let’s take a moment to understand the terminology of these related attack techniques. Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced just like it’s spelled, which is to say like the word “fish” — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Smishing is, essentially, phishing via text messages. The word is a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services. Because of this etymology, you’ll sometime see the word written as “SMiShing,” though that’s increasingly rare; people also include scam attempts via non-SMS text services, like WeChat or Apple’s iMessage, under the smishing umbrella. The term has been around since at least the late ’00s, though the omnipresence of smartphones in the modern era has made it a more tempting attack vector for hackers.

“Vishing” is a similar type of attack that uses voice calls instead of emails or texts; the word is a portmanteau of “voice” and “phishing.”

Smishing attack examples

So far we’ve been talking in somewhat theoretical terms. But what are some specific examples of how smishing works in practice? In other words: What should you be on the lookout for?

We can break down smishing attacks into three broad categories.

Attempts to trick you into revealing credentials. Smishers may try to convince you into giving up a username/password combo or other confidential info that they can use to log into one of your online accounts. And because banks are, in the legendary phrase attributed to bank robber Willie Sutton, “where the money is,” bank smishing is one of the most lucrative and common types of this category of attack.

The UK tech site Which? has a good breakdown of what a typical bank smishing attack looks like. One of the paradoxes of this kind of attack is that the smishers play on your fears of hacking in order to hack your account. They’ll send you text messages claiming to be from your bank, “warning” you about a large transfer or a new payee added, and giving you a number to call or a link to click on to block this potentially unauthorized access to your account. In reality, of course, the transfer or new payee doesn’t exist; the link sends you to a spoofed website that looks like your bank’s and asks for your username and password, and the phone number connects you to the scam artists, who will try to wheedle the same sort of information out of you. Once they’re armed with those credentials, they can log into your bank account and plunder it.

Bank smishing is often successful for a couple of reasons. One is that many banks really do have services that text you about suspicious activity on your account. An important thing to keep in mind is that legitimate messages should contain information proving that the bank already knows who you are: they might include the last few digits of your credit card or bank account number, for instance. Vague references to “your account” without any details should be viewed with suspicion. They also will generally not include a direct link to a bank website. Orange County’s Credit Union has a good guide to what you should see in a legitimate text message from a bank. If you aren’t sure about a message like this, you should log in to your account via your browser or app without following any link sent to you in a text message.

Another factor that can lull a victim into complacency: many smishers use SMS spoofing techniques that disguise the phone number or short code that a text message appears to come from. It’s relatively easy to send a text message that appears to come from another number, and in fact there are plenty of legitimate reasons to do so — if you’ve ever used iMessage or a similar tool to send a text from your laptop, you’ve engaged in SMS spoofing yourself. But if an attacker uses SMS spoofing to make their smishing texts appear that they’re coming from your bank, your phone will automatically group them with any real texts you’ve already received from that institution, making them seem more legitimate.

Attempts to trick you into downloading malware. This sort of attack parallels one of the primary end games for email phishing, though the techniques are adapted for mobile users and mobile technology. For instance, a smishing scam that ran wild in the Czech Republic convinced users to download an app purporting to be from that nation’s postal service; in reality, it was a Trojan that could harvest credit card info entered into other apps on the phone.

In general, these kinds of attacks are rarer when conducted via text than they are over email because smartphones make it more difficult to install apps, with iPhones and many Android phones only allowing signed and verified apps from app stores to operate. But it’s still possible to sideload apps, especially on Android, so you should be extremely suspicious of anyone who tries to get you to install an app via text message.

Attempts to trick you into sending someone money. This version of smishing is more the domain of the con artist than the tech wizard, but it’s still something that’s a real concern—particularly when it comes to less tech-savvy people who don’t use email much and have never become immune to the emailed pleas of Nigerian princes trying to get access to money stashed in overseas bank accounts. Smishers will do some work to figure out ways to get you to trust them; in one attack, a woman in Tennessee received texts she thought were from personal friends (the names had probably been harvested from Facebook) telling her about a government grant she qualified for. In reality, this was a classic “advance fee” scam: the victim was told she had to pay a few hundred dollars up front for “taxes” to get the money.

While those scams play on the victim’s desperation or greed, some take the opposite approach, exploiting their generosity. One set of scammers sent texts to victims in Louisiana, pretending to be a clergyman at a local church, collecting money for charity; in reality, they simply pocketed the cash.

Effects of smishing:

These examples should give you a sense of the effects of smishing: Attackers can plunder your bank account, install malware on your phone that gains access to your finances or your location information, or trick you into spending money needlessly. In a larger sense, these smishing attacks make it more difficult for financial institutions or others to have trusted communications with customers via text messaging, which is one of the most universal communications platforms in use today.

Smishing statistics

There’s one stat that doesn’t pertain to smishing specifically, but does explain why attackers are putting so much work into developing these scams: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively. As users grow more overwhelmed by constant emails and suspicious of spam, text messages have become a more attractive attack vector, exploiting the more intimate relationships we have with our phones.

While smishing isn’t everywhere yet, it’s definitely more than a novelty at this point: according to Verizon’s 2020 mobile security index, 15% of enterprise users encountered a smishing link in Q3 2019. Proofpoint’s 2020 State of the Phish report indicates that 84% of surveyed organizations faced smishing attacks.  And 30% of Proofpoint’s respondents were aware of the term “smishing” — which may not sound like much, but is up from 25% just the previous year.

How to prevent smishing

There’s one more stat from Proofpoint’s report that we want to discuss, and it gets to the heart of how enterprises can help foil smishing attacks: only 25% of surveyed organizations (and only 17% in the United States) run smishing or vishing simulations to help train staff to recognize and react appropriately to these attacks. At the organizations that do run these simulations, the failure rate is 6% — not disastrous, but not great, either.

These types of simulations are one of the best ways for enterprises to train their employees on how to avoid being smished. They should form part of your ongoing security awareness training regimen, along with phishing and vishing simulations. Simulated smishing attacks can help you target your training efforts, making it clear whether additional training is needed and which users are particularly vulnerable.

But if your employer doesn’t run simulations or hold training programs, you can still educate yourself to resist smishing attacks. Zipwhip has some common-sense advice:

  • Be wary of texts using unnatural or ungrammatical language
  • Offers that seem too good to be true usually are
  • Don’t click embedded links or download apps directly from a text message
  • The IRS and Social Security Administration don’t communicate via text

CSO also has advice on avoiding phishing scams, most of which applies to smishing as well.

Smishing and the FTC

The United States Federal Trade Commission has resources to help fight smishing. The FTC has a page with advice for avoiding these scams. If you think you’ve been victimized by such a scam, you can use the agency’s complaint assistant site to file a complaint and help catch the perpetrators. But hopefully the advice on this page will help you stay one step ahead of the smishers.