With an emphatic scroll and a quick click, you opened a text message because it came from someone familiar, or at least someone who sounded “vaguely” familiar. They wanted some quick action from you, and they needed it yesterday, but why are they reaching out via text?
Does this sound familiar? Now picture a text message that appears to come from one of your online services (e.g., Netflix, Hulu, FedEx, bank apps) and that, after further review, is not from anyone or any organization that you know.
In today's digital landscape, the rise of smishing, a form of phishing, poses a significant challenge to individuals and organizations worldwide. With the widespread adoption of mobile devices and the ubiquity of text or in-application messaging as a communication tool, smishing has emerged as a potent vector for cybercriminals seeking to exploit unsuspecting users. As our reliance on mobile technology grows and cyberthreats become increasingly sophisticated, understanding the dangers of smishing is paramount to mitigating the risks posed by this pervasive form of cybercrime.
What Is Smishing?
Smishing is the combination of texting and phishing. Over 400 million spam text messages are sent out every day.[1] Victims are intentionally deceived into giving sensitive information to a disguised attacker. This attack vector can occur not only on cell phones via SMS but also on any of the application-based messaging platforms (e.g., WhatsApp, Snapchat, Facebook Messenger, GroupMe). Cybercriminals target victims through text messages by enticing them to click a link that can give private information to the cybercriminals, download malicious programs to the victims’ smartphones or prompt further communication. Many users already know the dangers of clicking a link in email messages, but more people need to be aware of the risks of clicking links in text messages or messaging apps. Table 1 provides details on how smishing works.
Types of Smishing Attacks:
- Financial: Text messages from financial institutions (FIs), banks or insurance companies saying there is an issue with your account that needs to be solved quickly
  - “Your bank account has been locked for suspicious activity. Please log in here and verify your account.”
  - Never respond to suspicious text messages.
- Prize/Gift: Messages saying that you have won a big prize or lottery ticket, or that discounts are offered
  - “Congratulations! You’ve won a $500 gift card to Target. Click here to claim your reward.”
  - Never respond to suspicious text messages.
- Verification: Text messages from online organizations asking you to verify your payment methods
  - “[Name], your Verizon billing statement is ready. Please review your charges and send full payment by [date] to avoid late fees.”
  - Never respond to suspicious text messages.
- Charity: Messages from different charities asking for donations
  - “Midnight deadline: Give to PETA right now and your gift toward our $100,000 goal will have 10 times the impact for animals! Click here to donate.”
  - Never respond to suspicious text messages.
- Social Issue: Text messages from authorities offering details about the pandemic
  - “You’ve received a new message regarding COVID-19 symptoms and when to get tested in your geographical area. Visit the site here.”
  - Never respond to suspicious text messages.
- Boss: Text messages from an employer asking for gift cards or payments
  - “Hey, this is [Name]. I'm in a meeting, but I would like you to order 5 Amazon gift cards ASAP. I'll reimburse you once you send them to this email address.”
  - Never respond to suspicious text messages.
Smishing messages are only dangerous if the targeted victim acts on them by clicking the link or sending the fraudster private data.
Detecting and Avoiding Smishing Attempts
Here are six ways to detect smishing and avoid becoming a victim (Proofpoint):
- Verify requests from banks and/or retailers directly.
- FIs will never send texts asking for credentials or a money transfer. “Never send credit card numbers, ATM PINs or banking information to anyone via text messages.
- Avoid responding to a phone number or text message you do not recognize.
- Text messages received from a number with only a few digits probably came from an email address, which is a sign that this is spam.
- Banking information stored on the smartphone is a target for attackers. Avoid storing this information on a mobile device. This banking information could be compromised if an attacker installs malware on the smartphone.”[2]
- Never click on links or call phone numbers in random texts. Contact the company directly if you would like to verify the text message.
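The indicators in this list can be turned into a simple triage check for messages that users report. The following is an added example, not part of the original article: the function name `triage`, the keyword lists, the seven-digit threshold and the sender numbers are assumptions, while the first two message bodies are the article's own samples.

```python
import re

# Indicator patterns taken from the article's tips and sample messages.
# The word lists and the 7-digit threshold are assumptions for this sketch.
URGENCY = re.compile(
    r"\b(asap|right now|deadline|locked|suspicious activity|late fees)\b", re.I)
SENSITIVE = re.compile(
    r"\b(log in|verify|password|pin|credit card|payment|gift cards?|donate)\b", re.I)
LINK = re.compile(r"https?://\S+|www\.\S+|\b(click|log in|site) here\b", re.I)

def triage(sender, body, known_senders=frozenset()):
    """Return (flags, verdict) for one reported text message."""
    flags = []
    digits = re.sub(r"\D", "", sender)
    if "@" in sender:
        flags.append("email_sender")
    elif len(digits) < 7:
        flags.append("short_sender")      # "only a few digits"
    if sender not in known_senders:
        flags.append("unknown_sender")
    if LINK.search(body):
        flags.append("link_or_call_to_click")
    if URGENCY.search(body):
        flags.append("urgency")
    if SENSITIVE.search(body):
        flags.append("asks_for_credentials_or_money")
    # Content flags decide the verdict; sender flags add supporting context.
    content = {"link_or_call_to_click", "urgency", "asks_for_credentials_or_money"}
    hits = len(content & set(flags))
    if hits >= 2 or (hits == 1 and "unknown_sender" in flags):
        verdict = "suspicious: verify with the company directly"
    else:
        verdict = "no indicators"
    return flags, verdict

# Constructed sample data: senders invented, last message invented.
SAMPLES = [
    ("4821", "Your bank account has been locked for suspicious activity. "
             "Please log in here and verify your account."),
    ("+13125550142", "Hey, this is [Name]. I'm in a meeting, but I would like you "
                     "to order 5 Amazon gift cards ASAP."),
    ("+13125550100", "Running ten minutes late, see you at the cafe."),
]
KNOWN = {"+13125550100"}

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, *triage(sender, body, KNOWN), sep=" | ")
```

A keyword check like this only prioritizes reports for review; the verdict text points back to the article's advice to verify with the company directly.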
Take These Necessary Actions to Limit Any Damage After a Smishing Attack:
- Report the attack to your institutions.
- Freeze your credit to prevent any future or ongoing identity fraud.
- Change all passwords and account PINs where possible.
- Monitor finances, credit and online accounts for unknown login locations and other activities.
Remember, take your time! Much like email phishing, smishing often uses the same social engineering tactics of creating a false sense of urgency in its message.
Smishing presents a pervasive and evolving threat to individuals and organizations alike, exploiting the widespread use of mobile devices. With its deceptive tactics (listed above) and ability to bypass the traditional security measures that are built into email, smishing poses serious risks ranging from financial loss to data breaches and identity theft. As technology advances and attackers refine their methods, smishing will continue to increase as a sophisticated form of cybercrime.
Michael Wichmann, director of Information Security, Identity, Corporate Security & Fraud, Wintrust Financial Corporation (WTFC), Chicago, IL, MichaelWichmann@Wintrust.com
1. Jeff Beckman, “Spam Text Statistics (Growth and Severity of Fraud in 2024),” TechReport, May 29, 2024, https://techreport.com/statistics/cybersecurity/spam-text-statistics/
2. “What Is Smishing?” Proofpoint, https://www.proofpoint.com/us/threat-reference/smishing