by peter


Smishing Explained


Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5


  • Oversharing of information
  • Lack of awareness training

Smishing Overview

Smishing is an identity theft method that uses texts to impersonate a trusted sender and steal a victim’s information. Smishing—a type of phishing—is a growing threat to consumers, with more than 11 billion spam texts sent in March 2022 alone, according to anti-spam app Robokiller. In 2021, 87.8 billion smishing attacks resulted in $10 billion in estimated consumer losses—a 58% year-over-year increase in spam texts.

Scammers typically send out large text blasts to cast a wide net for potential victims, so it’s crucial to know what smishing looks like to avoid being deceived. Here’s what you need to know about smishing, how to protect yourself and what to do if you become a victim of fraud.

What you need to know about Smishing

Criminals carrying out smishing attacks attempt to deceive victims into freely giving up information or clicking on a malicious link. Receiving a sketchy text won’t, on its own, infect your device with malware or leak your data, so an effective way to avoid being victimised is by simply not engaging with scammers.

Here are some key tips for avoiding smishing attacks:

  • Pause before you act. Scammers turn up the emotional heat to pressure you to act quickly. They create urgency by insisting that time is running out, or by threatening you with severe consequences if you don’t act now. These are telltale signs of a scammer.
  • Don’t respond to communications from unfamiliar senders. If you receive a message from a sender you don’t know, such as a company you don’t do business with or a strange phone number, don’t respond. Responding at all, even just to say “stop,” tips the scammer off that your number is live, which can lead to more spam. Instead, block unwanted messages without replying.
  • Don’t click any links. Smishing texts may include links that could infect your device with malware or lead you to enter your information into convincing website spoofs that masquerade as sites you trust. Don’t click on any links embedded in the suspicious text.
  • Contact trusted parties directly. If you receive a suspicious text claiming to be from a sender you believe has a legitimate reason to contact you, communicate with the organisation through a known, trusted channel, such as by navigating to their website or calling them directly.
  • Keep your devices secure. Keep your cellphone safe from hackers by keeping your software up to date. Phone operating systems such as Android and iOS regularly receive patches designed to close up security holes, so neglecting to install updates can leave you vulnerable to cyberattacks. Make sure all your apps are kept up to date as well.

How Smishing attacks happen

Smishing is when fraudsters use text messaging to impersonate a trusted organisation and steal your identifying information, such as your National Insurance number, account usernames and passwords, bank account information or credit card numbers.

Smishing texts often also include malicious links the victim is encouraged to open. When the victim clicks the link, malware may be downloaded to their device or they may be directed to a login or billing screen. The scammer can then capture the victim’s login credentials, financial information or personal data, which can ultimately be used for identity theft.

Smishing attacks are used in a variety of scams, but the ultimate goal remains the same: to steal your information. Like other types of phishing, these scams rely on creating excitement, urgency or fear to get victims to act quickly. They might promise prizes or warn of financial or legal trouble to coerce you to act, or they might attempt to confuse you by sending fake invoices for products you never ordered.

The most common type of smishing in 2021 was delivery scams, where the fraudster would impersonate Amazon, USPS or FedEx and lure victims with a seemingly legitimate link to track a package. COVID-19 scams, in which fraudsters offer tests in exchange for personal information, were the second most common smishing attack.
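The warning signs described above (unfamiliar sender, urgency, prize or invoice lures, and a link that does not belong to the brand named in the text) can be checked mechanically when triaging reported messages. The following is an added example, not part of the original article: the keyword patterns, the brand-to-domain table and the sample messages are constructed assumptions, and the output is a list of indicators for a human reviewer rather than a verdict.

```python
import re
from urllib.parse import urlsplit

# Indicator patterns are illustrative assumptions based on the signs this page lists.
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice|suspended|"
                     r"last chance|within \d+ ?(?:hours?|hrs?))\b", re.I)
LURE = re.compile(r"\b(prize|winner|you have won|gift card|invoice|free test)\b", re.I)
LINK = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I)
# Brands the page names as commonly impersonated, with their official domains.
OFFICIAL = {"amazon": "amazon.com", "usps": "usps.com", "fedex": "fedex.com"}

def link_hosts(text):
    """Return the hostname (lowercased by urlsplit) of every link in the message."""
    hosts = []
    for raw in LINK.findall(text):
        raw = raw.rstrip(".,;)!")
        url = raw if re.match(r"https?://", raw, re.I) else "http://" + raw
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed bracketed host; nothing usable to compare
            continue
        if host:
            hosts.append(host)
    return hosts

def is_official(host, domain):
    # Exact domain or a true subdomain; "amazon.com.evil.example" does not qualify.
    return host == domain or host.endswith("." + domain)

def triage(sender, text, known_senders=frozenset()):
    """Return the smishing indicators present in one SMS, in a fixed order."""
    reasons = []
    hosts = link_hosts(text)
    if sender not in known_senders:
        reasons.append("unfamiliar sender")
    if URGENCY.search(text):
        reasons.append("urgency or threat")
    if LURE.search(text):
        reasons.append("prize, invoice or test lure")
    if hosts:
        reasons.append("contains link")
    for brand, domain in OFFICIAL.items():
        named = re.search(rf"\b{brand}\b", text, re.I)
        if named and any(not is_official(h, domain) for h in hosts):
            reasons.append(f"{brand} named but link is off-domain")
    return reasons

if __name__ == "__main__":  # constructed sample message, not real traffic
    print(triage("+15550100", "USPS: your package is on hold. Confirm your address "
                 "within 24 hours: http://usps-redelivery.example/track?id=1"))
```

An empty list does not mean a message is safe; contacting the organisation through a known, trusted channel remains the deciding check.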


Attack Sources