Smishing, or SMS phishing, is a growing concern as more people use smartphones to stay connected. GSMA estimates that 5.2 billion people globally use mobile services, and their data indicates that 65% are smartphone users. In the U.S., Pew Research reports that 96% of Americans have cell phones of some kind (81% being smartphones). With this in mind, National Cybersecurity Awareness Month (NCSAM) seems like a great time to cover this topic.
We’re becoming increasingly reliant on these mobile devices. People use smartphones for everything from email communications and ordering food to doing online banking and paying bills. This increasing connectivity means that we, as users, are becoming easier for cybercriminals to reach (and scam). In fact, Proofpoint’s 2020 State of the Phish report indicates that smishing is a global issue. This is why we wanted to write an article that talks about SMS-based text message scams, or what is known as smishing.
But what is a phishing text message? To ensure that we’ve adequately covered this topic, I’ve enlisted some help from both my colleagues at The SSL Store as well as other industry experts. We’ll break down what smishing is, what common characteristics text scams share, and what makes them so dangerous to businesses and consumers. And just to add icing to the cake, we’ve got loads of examples of real SMS phishing messages that you can view (in both English and Dutch!).
Let’s hash it out.
Smishing Definition: What Is Smishing? (What Does Smishing Mean?)
We’ve got you covered. Read on to learn all about smishing, see almost two dozen examples of real SMS phishing text messages, and learn how to protect yourself and your organization against it.
Smishing = SMS text phishing. That’s because the term smishing is a portmanteau of “SMS text messages” and “phishing.” So, this means that smishing is a type of phishing that takes place via short message service (SMS) messages — otherwise known as the text messages that you receive on your phone through your cellular carrier. (SMS is a two-way paging system that carriers use to transmit messages.) The goal of smishing here is to scam or otherwise manipulate consumers or an organization’s employees.
These types of messages generally involve some type of content that will prompt you to click on a link. If you do press the link, it’ll take you to a website that tries to get you to provide your login details or other information. The goal here is to get you to provide information that the cybercriminal can use to:
- Access your personal or work-related accounts,
- Commit identity fraud, or
- Engage in some other type of malicious activities.
Wait, Smishing Sounds a Lot Like Phishing…
Yes, it does, and for good reason. That’s because smishing is phishing — or, more specifically, it’s one form of it. It’s kind of like how a cherry pie is just one of many types of pies that you can buy at the store.
Phishing itself is a pretty broad term that describes fraudulent activities and cybercrimes against people and businesses alike. In addition to SMS phishing text messages, phishing is something that can be carried out through various channels, including:
- Email (think: spear phishing, whaling, CEO fraud, payroll fraud, business email compromise… the list goes on and on),
- Phone calls (vishing, or voice phishing), and
- Social media messages (such as LinkedIn, Facebook, Twitter and Instagram).
Where Did Smishing Originate?
Just as a little fun fact: Macmillan Dictionary says that “smishing” is a phrase that was coined by David Rayhawk in a McAfee blog back in 2006. Since then, people within the industry often refer to the cybercriminals who use SMS phishing attacks as “smishermen” (much like they refer to those who use phishing as phishermen).
While I could keep talking about smishing on my own — after all, there’s a lot to cover — I thought this would be a great opportunity to reach out to experts within the industry to get their thoughts on smishing. We’ll share their insights throughout the article.
Common Types of SMS Phishing Scams
Wondering what some of the most common smishing text scams are? Don’t worry, we’ll show you many real examples of smishing text messages shortly. But just to give you a quick idea, here are a few of the common types of SMS phishing scams cybercriminals use nowadays:
- Texts from banks, investment firms and other financial institutions stating there’s an issue with your account.
- Messages promising free money, products or services.
- Text messages from companies & service providers stating that there’s an issue and you need to update your payment account information.
- Messages from various “authorities” about COVID-19 contact tracing updates and various pandemic-related resources.
How Smishing Works: An Overview of the SMS Phishing Process
A basic smishing attack isn’t something that’s all that complex. It involves a cybercriminal having a target in mind (or no target at all in some cases) and a few technologies at hand. More targeted attacks involve the use of social engineering tactics.
Let’s break down how a smishing attack actually plays out:
A cybercriminal sends an SMS text message to you from a spoofed number. The content and number that the text originated from may make it seem like it came from the legitimate business. If they did their homework, they may even make the message more specific by pretending to be from a company or service that you actually use (such as a video streaming service or a bank).
You receive the message on your phone that elicits some type of response. The message may contain a tempting offer, or it could be something potentially worrisome that aims to spur you to action.
What you do next is the determining factor of how things play out. If you just ignore the message or report it, that’s basically the end of it. But if you click on the link, you’ll be directed to a website that appears legit (but isn’t). Either you’ll be prompted to provide info or to download something (such as a device or browser update) before you can proceed.
You’ll be prompted to provide info you otherwise wouldn’t give away. On this website, you’ll be asked to log in or to provide some other type of sensitive details. This could be personally identifiable information (PII), a credit or debit card number, or even your work login info.
You’ll find yourself downloading something that contains malicious software. By downloading the malware, you’ve now given the cybercriminal access to your device. They can use their access to spy on you, steal sensitive information, or access your accounts.
What SMS Phishing Campaigns Tend to Have in Common
Although smishing text messages vary, there are some commonalities that some of the most “successful” (i.e., dangerous) types of smishing tend to share.
Smishing Texts Try to Appear Realistic or Legitimate
In reality, SMS phishing campaigns can span the gamut in terms of realism. In some cases, they’re as obviously bogus as a flashing neon sign that screams “This is a scam!” But in other situations, they’re actually highly targeted or specialized, which makes it harder for recipients to discern them from legitimate messages.
The success of a smishing campaign often boils down to how realistic the messages appear. If a cybercriminal can make their text messages seem legitimate, then their targets are going to be more likely to engage with them.
Smishing Text Messages Typically Contain Website Links
As with other types of phishing, the goal of an SMS phishing text is to get people to engage with it. Oftentimes, the goal is to get them to click on a link that will take them to a phishing or malicious website. The goal may be to get them to input sensitive information such as their login credentials, or to visit a site that installs malicious software onto their device. Either way, the end results spell bad news.
One quick note to mention is that, in many cases, smishing messages use URL shorteners. These tools are useful for legitimate organizations that want to minimize the size of messages. However, they’re a go-to tool for cybercriminals because shorteners enable them to disguise malicious URLs. Some good news is that there are tools you can use to expand some shortened URLs, but they don’t work in all cases.
Smishing Text Messages Convey Urgency & Prey Upon Their Targets’ Emotions
So, how exactly do cybercriminals get users to click on SMS phishing message links? Oftentimes, it’s the same as with other types of phishing messages: by conveying a sense of urgency or eliciting other emotional responses. VanIperen touched on this in his example about the suspected fraudulent bank transaction. If a message seems important — like a text from your utility company saying that your power will be shut off for non-payment — people are less likely to simply ignore it.
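The traits described above (a link, a shortened URL that hides its destination, urgent wording, and "free" offers) can be turned into a simple triage heuristic for reported texts. The following is an added example, not part of the original article; the shortener host list, the keyword lists and the sample messages are assumptions constructed for illustration, and a high score is a prompt for review rather than proof of fraud.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener hosts; extend from your own reports.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "cutt.ly"}
# Assumed vocabulary for the urgency and "free offer" lures described above.
URGENCY = ("urgent", "immediately", "suspended", "locked", "shut off",
           "final notice", "within 24 hours", "unusual activity")
LURES = ("free", "winner", "prize", "gift card", "refund")
# Matches links with or without a scheme, e.g. "bit.ly/abc" or "https://x.example/y".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def _has_term(text, terms):
    return any(re.search(rf"\b{re.escape(t)}\b", text) for t in terms)

def extract_hosts(message):
    """Return the lower-cased hostname of every link found in the text."""
    hosts = []
    for raw in URL_RE.findall(message):
        url = raw if "://" in raw else "http://" + raw
        host = (urlsplit(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def triage(message):
    """Score one SMS against the indicators; higher means more suspicious."""
    text = message.lower()
    hosts = extract_hosts(message)
    indicators = []
    if hosts:
        indicators.append("link")
    if any(h in SHORTENER_HOSTS for h in hosts):
        indicators.append("shortened-url")  # destination is hidden from the reader
    if _has_term(text, URGENCY):
        indicators.append("urgency")
    if _has_term(text, LURES):
        indicators.append("lure")
    return {"hosts": hosts, "indicators": indicators, "score": len(indicators)}

# Constructed sample messages (not real smishing texts).
SAMPLES = [
    "Your power will be shut off today for non-payment. Pay now: bit.ly/pay-example",
    "You are a winner! Claim your free gift card at https://prizes.example/claim",
    "Running 10 min late, see you at the cafe.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms)["score"], triage(sms)["indicators"], "|", sms)
```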
Smishing Frequently Uses Phone Number Spoofing
We’ve talked in the past about email spoofing, but as you now understand, spoofing isn’t limited to just email phishing. Spoofing is also a tool for phone call scams and SMS text messages. (Yeah, there’s nothing like being in the middle of a virtual meeting when working from home when, all of a sudden, it appears that your own phone number is calling or texting you…)
Spoofing is a useful tool for scammers because it allows them to operate in anonymity. Using mobile apps and other online tools, smishers can send their nasty SMS phishing text messages to people while making it look like it comes from someone else’s phone number.
In the main part of this article, I’ll share with you 20 examples of smishing texts. Something you’ll notice about them is that I’ve edited out the phone numbers that the messages were sent from. The reason is that, because scammers typically use spoofing, I’d hate to actually display what could be someone’s legitimate phone number that was used in the scam.
What Makes Smishing So Dangerous
Verizon’s Mobile Security Index 2020 report shares that 17% of phishing occurs via messaging. In fact, they shared an example from a Lookout customer that was alarming to say the least. Basically, a global food distributor decided to test the cybersecurity prowess of their executives. They sent the execs an SMS text message that appeared to come from a hotel that they were going to be staying at. You can imagine their disappointment when more than half (54%) ended up clicking on the link.
What You Can Do to Protect Yourself & Your Organization from Smishing Attacks
You can see what kind of a threat smishing is, but what can you do to protect yourself or your organization from it?
How Individuals Can Protect Their Devices and Information
Don’t open text messages from unknown users. If you get a text from an unknown number — particularly one that contains a link — don’t open or otherwise engage with it.
If you do open a text, don’t click on any links. Okay, so you’ve opened a text from someone you don’t know and it contains a link that looks like it’s from your bank. Now what? If you aren’t sure whether a message is legitimate, don’t click on it. However, you can always open your web browser and type in your bank’s website address there.
If you do click on the link, don’t provide any information. This should go without saying but bears repeating since people seem to do this anyway. Never give away any sensitive information via text messages (PII, financial info, work or personal credentials, etc.). If you’re asked to provide info and are directed to a website, go to that website directly in your browser and verify the website is legit by looking at the website’s security certificate information in your browser.
If you do click on a link and provide info, take action. Okay, you really need to take this time to try to protect yourself. Depending on the type of information you provide, this may involve changing your account security information (passwords in particular), contacting your bank or financial service to report suspected fraud or to cancel your debit/credit card information, filing a report with the major credit bureaus, etc.
See if your phone has a block or filter feature. Although not all devices may have these options, check to see if yours does. For example, here’s how it looks on my Samsung phone:
This screenshot is a spam text message that I received (yeah, I know, my name’s not Judy and this isn’t technically an example of a smishing message, but I’m just trying to show you something here). In it, you can see that my phone has the ability to block unwanted messages and phone calls from individual phone numbers.
Digital Trends has an article that walks you through how to block texts on Android and iOS devices. If this doesn’t work for you, then…
Contact your cell provider to see if they have a tool or service that’ll do it. Some phone companies may offer such a tool or service to their customers to help you block SMS text messages from known (and/or unknown) numbers.
How Organizations Can Protect Their Customers, IT Systems and Data
Of course, many of the talking points on the list above are also applicable to businesses through employee training. But here are a few other things that businesses and organizations can do:
- Provide cyber awareness training to all employees. The first step to fighting any type of cyber fraud issues is to educate your users about the different types of dangers that exist. This includes educating about phishing, smishing, vishing, and other types of cyber threats. Many of the things we covered in the last section are things you can cover in your training.
- Implement a BYOD policy. If you’re one of the many organizations that allows (or requires) your employees to use their personal devices for work, then this is for you. Create a policy that outlines rules that your employees need to follow when using personal devices and how your IT team will support those devices. This can help you mitigate security risks by controlling how your employees use those devices.
- Use access controls to limit access to only those who need it. You and I know that not everyone within your organization needs access to everything. This is why you should limit access to websites, databases, networks and other essential systems to only those who need access to do their jobs. By limiting access, you’re reducing your potential exposure in the event that someone’s account becomes compromised through smishing or other social engineering efforts.
- Provide a way for customers to notify you about potential scams. In our digital world, it’s always a good idea as an organization to give customers a way to report suspicious messages or suspected fraud.
- Notify customers about potential SMS phishing scams. If you receive word that someone is impersonating your organization, be sure to inform your customers as soon as possible via email. Be sure to reiterate that your organization would never ask customers to verify account information through text messages, social channels, or email.
How to Report SMS Phishing Attacks and Text-Based Fraud
Well, if you’re in the U.K., there’s a new SMS SenderID Protection Registry that’s trying to crack down on SMS phishing text messages for you. So, that’s good news. According to the Mobile Ecosystem Forum (MEF), so far in 2020, “there are more than 50 bank and Government brands being protected by the Registry, with over 14 banks and Government agencies participating.”
Now, if you’re in the U.S. and receive a message that you suspect is an SMS phishing text message, you should report it to the Federal Communications Commission (FCC), and the FBI’s Internet Crime Complaint Center (IC3). (USA.gov’s Online Safety site says that they’ll be able to forward your complaint on to the appropriate local, state, federal or international law enforcement agency.) Of course, you can also report these types of messages to your mobile carriers as well:
- Report smishing and spam text messages to AT&T
- Report suspicious calls, texts or emails claiming to be Sprint
- Report suspicious and spam texts to T-Mobile
Final Thoughts on Smishing
Smishing text message scams aren’t new, but they’re also not going anywhere any time soon. Smishing is definitely one of the areas that every organization should cover in their cyber awareness trainings. This is particularly the case as more individuals use personal and company-issued mobile devices to handle business-related functions.
Cybercriminals are always looking for new ways to target potential victims, or to put new spins on old tricks. I hope this article has provided you with what you need to ensure that you and your employees don’t become the next victims of SMS phishing scams.
Originally published at SB