How smishing works and how to spot a smishing attack

Ray Fernandez

Sep 20, 2023 · 8 min read


Cybercriminals use a plethora of techniques to breach systems, steal data, launch malware campaigns, and cause damage. One of the most popular tools of the trade is smishing. But what is smishing, how do smishing attacks work, and how can you keep safe?

What is smishing? The definition and meaning

To understand the meaning of smishing, we must first look at the more common term “phishing.” In phishing, a cybercriminal poses as a party you trust, such as an organization you deal with, your boss, a coworker, a family member, or a well-known website. The entire campaign is designed in the hope that you will hand over sensitive data or install malware because you trust that relationship.

The term “phishing” is modified slightly depending on the channel the attacker uses. When the criminal uses email, it is simply called phishing. When phishing is conducted over phone calls, it is called vishing, and when the attacker sends text messages, whether by SMS or over non-SMS messaging services like WhatsApp, it is known as smishing (from “SMS phishing”). Smishing is therefore defined as a cyberattack that uses malicious text messages to deceive victims.

Examples of smishing attacks

The main goal of a smishing attack is to get you to click on a malicious link or download a malware file. However, attackers may also use more personal SMS communications or direct you to fake online forms for you to fill out.

Common types of SMS attacks include:

  • Health-related smishing scams
  • Financial services smishing attacks
  • Customer support smishing
  • Gift smishing scams
  • Fake lotteries
  • Family or friends with urgent requests
  • Fake law enforcement scams
  • IRS impersonation scams

The following are some of the most infamous smishing cases to date.

  • 2020 Olympics smishing campaign: Fans were targeted via SMS around the Tokyo 2020 Olympics. The campaign offered fake tickets to the event and harvested financial and personal information from victims in the process.
  • 2020 U.S. Mail smishing attacks: In this attack, cybercriminals posed as representatives of the United States Postal Service in order to steal sensitive information via SMS.
  • 2022 Verizon smishing campaign: In 2022, Verizon users were targeted in an unusual smishing campaign in which the messages appeared to come from the recipients’ own phone numbers, because the sender number was spoofed. The campaign’s goal was to get users to tap a link in the message that led to malware.

How common is smishing?

Smishing is very common. According to Proofpoint, smishing attacks increased by 300% in 2020 as people relied on their phones even more during COVID lockdowns. Since then, attacks have continued to rise: a staggering 74% of companies said they experienced smishing in 2021.

The reasons why smishing is so popular among cybercriminals are simple. For one thing, SMS attacks are cheap. They can be automated and done in bulk, resulting in millions of SMS sent daily. Plus, smartphones have become the device of choice for people worldwide.

How smishing works

In a smishing attack, criminals may target you specifically, in which case they will have researched your life using social media and other online information. Alternatively, they may target a specific group, for example senior employees of a bank whose credentials could be used to breach the institution. Finally, the most common attacks are bulk, spam-style campaigns in which attackers send millions of SMS to randomly chosen numbers using automated software.

Attacks usually follow these steps:

  1. Attackers send out texts containing a credible-looking message and a link or an attachment
  2. The victim, pressed by the urgency of the text, taps the link or opens the file
  3. The link leads to a site that downloads malware, prompts the victim to install a malicious app, or collects credentials through a fake form

On rare occasions, attacks take a more personal approach, in which the attacker engages the victim in a back-and-forth conversation over SMS, trying to persuade them to take an action that will cause them harm. Attackers might also try to move the conversation from text to a voice call, turning the attack into a vishing attack.

What does a smishing text look like?

A smishing text’s main intention is to pass as a normal SMS message. However, the sending number may be unknown to you or withheld. It may also be an international number or, more commonly, just look odd, such as a long string of digits or an unfamiliar short code. Bear in mind that the sender number can also be spoofed, so a familiar-looking number is not proof that the message is genuine.

A smishing text will try to create a sense of urgency. Malicious texts do not tend to be very long. They usually carry a link at the end of the message or in the middle, and the link is often disguised: hidden behind a URL shortener, written without the “https://” prefix so it looks like ordinary text, or using a domain that imitates a well-known brand. Messages sent over MMS or messaging apps can also carry attachments you will be urged to open.
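The indicators above can be turned into a simple triage rule set. The following Python script is an added example, not code from the original article: it runs heuristic checks (urgency wording, an out-of-country sender, shortened or obfuscated links, and lookalike domains imitating a brand named in the text) over a handful of constructed sample messages. The brand list, the scoring weights, the “+1” home-country prefix, the suspicion threshold and the sample messages are all assumptions chosen for illustration; the phone numbers are fictional.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: brands the recipient deals with, mapped to their genuine registrable domain.
BRAND_DOMAINS = {"usps": "usps.com", "verizon": "verizon.com", "paypal": "paypal.com"}
# Assumed: phrases that manufacture urgency, the hallmark of a smishing text.
URGENCY = ("urgent", "immediately", "suspended", "locked", "within 24 hours",
           "final notice", "act now", "verify now", "on hold")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
HOME_PREFIX = "+1"  # assumed: the recipient's contacts are North American numbers

# http(s) URLs and bare domains such as "usps-help.top/track" that phones render as tappable.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def normalize(text: str) -> str:
    """Undo common tricks that stop a link from looking like a link."""
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("(dot)", ".").replace(" dot ", "."))


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels): fine for .com/.top, wrong for .co.uk.
    A real deployment would use the Public Suffix List instead (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed threshold


def analyze_sms(sender: str, body: str) -> Verdict:
    """Score one message against the indicators described in the article."""
    v = Verdict()
    text = normalize(body)
    lower = text.lower()

    # 1. Sender: an international number is unusual for a domestic bank or carrier.
    if sender.startswith("+") and not sender.startswith(HOME_PREFIX):
        v.add(1, f"sender {sender} is outside the home country")

    # 2. Urgency language: one point per matching phrase.
    hits = [w for w in URGENCY if w in lower]
    if hits:
        v.add(len(hits), "urgency language: " + ", ".join(hits))

    # 3. Links: shortened, and/or pointing somewhere other than the brand named in the text.
    brands_named = [b for b in BRAND_DOMAINS if b in lower]
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url  # bare domains are still tappable on most phones
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain in SHORTENERS:
            v.add(2, f"link hidden behind URL shortener {domain}")
        for brand in brands_named:
            if domain == BRAND_DOMAINS[brand]:
                continue  # the link really goes to the brand's own domain
            if brand in host:
                v.add(3, f"lookalike domain {host} imitates {brand}")
            else:
                v.add(2, f"message names {brand} but link goes to {domain}")
    return v


# Constructed sample messages; the senders are fictional numbers and a made-up short code.
SAMPLE_MESSAGES = [
    ("+12025550143", "USPS: Your package is on hold due to an incomplete address. "
                     "Confirm within 24 hours at usps-redelivery-help.top/track"),
    ("+12125550177", "Free Msg: Your Verizon bill is paid. Thanks, here's a little gift "
                     "for you: bit.ly/3Xy9ABc"),
    ("+447700900123", "URGENT: your PayPal account has been suspended. Verify now: "
                      "hxxp://paypal-secure-login[.]xyz/verify"),
    ("+18005550199", "USPS: Your package was delivered. View details at "
                     "https://tools.usps.com/go/TrackConfirmAction"),
    ("56789", "Your verification code is 482913. Do not share it with anyone."),
]


def triage(messages=SAMPLE_MESSAGES):
    """Return (sender, score, suspicious) for each message."""
    out = []
    for sender, body in messages:
        v = analyze_sms(sender, body)
        out.append((sender, v.score, v.suspicious))
    return out


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        v = analyze_sms(sender, body)
        flag = "SMISHING?" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} from {sender}: {'; '.join(v.reasons) or 'no indicators'}")
```

Running the script flags the first three messages and clears the genuine USPS delivery notice and the one-time code. The point of the brand check is the one a practitioner cares about most: a message that names a brand but links to a shortener, or to a domain that merely contains the brand name, is the single most reliable smishing tell, whereas urgency words alone also appear in legitimate alerts. The heuristics are deliberately simple and will produce false positives; treat the output as a prompt to verify through official channels, not as a final verdict.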

What happens if you click on a smishing text?

If you are being targeted in a real smishing campaign, there are endless possibilities of what can happen once you follow the link. As mentioned above, links may be disguised, so even if there seems to be no obvious link in the message, tapping what looks like plain text can take you to a malicious site. In short, following a malicious message is like striking a match that will start a fire.

Clicking on smishing texts can lead to:

  • Stolen data and credentials
  • Financial data leaks
  • Stolen contacts
  • Malware including spyware, adware, browser hijackers, ransomware, and much more
  • The spreading of the attack to other devices, a network, or an organization 

Can a scammer get your info if you text back?

Your best bet in an SMS attack is not to engage in any way. Just report and block the number. Responding to a smishing attack will inform the criminal that your number is active. This means you will continue to get more fake SMS. In addition, by responding to a text, even asking the person not to keep sending you messages, you risk getting the real attacker on the line, and some of them can be very convincing when it comes to scams.

While it is unlikely that your data will be stolen or that malware will infect your smartphone just by replying to a text, experts still recommend against replying, as attackers constantly improve the techniques they use.

For example, in a zero-click attack, hackers do not have to convince you to tap a link, visit a site, fill out a form, or download a file. These attacks exploit a flaw in the way the phone’s messaging app processes incoming content, so that merely receiving the message can compromise the device. One technique is to send a specially crafted media file, such as an image that appears to be a GIF, which triggers the exploit when the messaging app parses it, before you have even opened the conversation. Such exploits are costly to develop and are typically reserved for high-value targets, and keeping your phone’s operating system and messaging apps fully updated is the main defense against them.

How to protect yourself from a smishing attack

Despite the global wave of attacks, there are still several things you can do to prevent smishing from happening to you or, when it does happen, to at least mitigate the damage.

1. Never respond: Report and block

It goes without saying that you should never send personal information via SMS. As mentioned above, you should not even respond to a suspicious message. In fact, that should be your first rule, followed by report and block. By not replying, your number may be treated as inactive if the attackers are using automated SMS tools. Blocking the number prevents it from re-engaging with you, while reporting helps carriers and authorities shut down that campaign: in the US and UK, for example, you can forward the message to 7726 (“SPAM”) to report it to your carrier, and both iOS and Android let you report a message as junk or spam directly from the messaging app.

2. Use two-factor authentication

You can use several technologies to limit the damage an SMS scam can do. One of them is two-factor authentication (2FA). While 2FA will not stop malicious SMS from reaching you, it will protect you if you fall for a scam and give away a password, because the password alone is no longer enough to log in to your email, bank, work, and other accounts. Make sure you activate 2FA on all your accounts, and prefer an authenticator app or a hardware security key over SMS codes where possible: one-time codes sent by SMS are themselves a favorite smishing target, and a message or caller asking you to read back a code is a red flag. Never share a 2FA code with anyone.

3. Download trusted antimalware

Just like 2FA, antimalware cannot prevent an attacker from sending you SMS, but it can do a lot for your security. If you do download malware or visit a malicious site, effective antimalware software will flag the threat and may block the page or the download before any harm is done. And if malware does find its way onto your smartphone, professional antimalware that runs scheduled scans or monitors in real time will detect and remove it.

4. Check and verify the source

It’s always a good idea to check and verify the source of an SMS. Note that this doesn’t mean you should call the attacker’s number. Rather, if you receive a message that appears to be from your bank, contact the bank through official channels to check and verify that they sent you a message.

What to do if you fall victim to smishing

If you have already experienced a smishing attack, here are some tips to guide you through the process.

1. Remain calm

It’s essential that you remain calm if you fall for a smishing trick. Having a clear head will prevent you from taking actions that can lead to further damage, like deleting files or accounts or resetting your phone. Remember that it’s best to keep calm and push on through. 

2. Change your passwords

You should change your passwords, whether or not you think the attacker got hold of your credentials. Start with the account whose details you entered on the fake page, then any other account that shared the same password, and use a password manager to give every account a unique one. To further increase your security, after you change your passwords, activate 2FA. And, as mentioned above, make sure you report and block the number.

3. Contact the official organization

Suppose the attacker posed as your financial organization, employer, government agent, or other official organization. In that case, you should contact them and let them know that someone is impersonating them illegally. If you have given away credentials, you should also let the affected organization know. If the attacker managed to get your credit or debit card numbers, cancel the cards and get new ones.

4. Download and scan your phone with trustworthy antimalware

If you don’t have antimalware installed on your mobile device, now would be the best time to get one. Antimalware can help you find and remove any malware that an attack may have left on your smartphone. Always use trusted, professional, and high-rated security apps.

5. Check for suspicious activity

You should remain vigilant for a few weeks after the attack, looking for any suspicious or out-of-the-ordinary events. This includes monitoring your bank balance, financial activity, emails (sent and received), call logs, smartphone performance, etc.

Mobile cyber attacks like smishing will continue to multiply as smartphones play an increasingly significant role in our daily lives. Hackers will always find new ways to convince you to engage with them over SMS, so stay informed and take the best steps toward a safer digital life. And to find out more about various types of phishing attacks, check out our article on whaling, the phishing that targets high-ranking individuals.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.