Smishing (SMS Phishing)

Smishing is a form of phishing carried out via SMS or mobile messaging, designed to trick users into revealing information or clicking malicious links.

What is smishing?

Smishing (a combination of SMS and phishing) is a social engineering attack where attackers send fraudulent text messages pretending to come from trusted entities such as banks, delivery services, government agencies, or employers. The goal is to manipulate recipients into clicking links, calling fake support numbers, or providing sensitive information.

Why smishing matters

Smishing is particularly effective because:

  • SMS messages feel more personal and urgent
  • Mobile users are less likely to inspect links carefully
  • Messages often bypass traditional email security filters
  • Mobile devices store authentication tokens and sensitive apps

Smishing is a growing threat as mobile usage increases.

Common smishing scenarios

Typical smishing attacks include:

  • Fake delivery notifications with malicious links
  • Bank or payment alerts requesting urgent verification
  • Account suspension or security warning messages
  • Prize or refund scams
  • Corporate impersonation targeting employees

These messages often use urgency and fear to prompt quick action.

How smishing attacks work

A smishing campaign usually involves:

  1. Sending bulk SMS messages with spoofed sender IDs
  2. Luring victims to malicious websites or phone numbers
  3. Stealing credentials, payment data, or personal information
  4. Delivering malware or enabling account takeover

Smishing is frequently combined with phishing and spoofing techniques.

Smishing vs phishing

  • Phishing: email-based attacks
  • Smishing: SMS or mobile message-based attacks

Both rely on social engineering but target different communication channels.

Indicators of smishing

Warning signs include:

  • Unexpected or unsolicited text messages
  • Urgent language or threats
  • Shortened or suspicious links
  • Requests for credentials, codes, or payments
  • Messages from unknown or unusual senders
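
The warning signs above can be turned into a simple triage check that a security team or mobile filter could run over reported messages. The following is an added example, not code from the original page; the sender IDs, domains, keyword lists and the two-indicator threshold are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Illustrative lists; an organization would tune these to its own senders and telemetry.
TRUSTED_SENDERS = {"MYBANK"}                      # assumed sender ID of the real bank
TRUSTED_HOSTS = {"www.mybank.example"}            # assumed legitimate domain
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|locked|final notice|act now)\b", re.I)
REQUEST_RE = re.compile(r"\b(verification code|one[- ]?time code|otp|password|pin|card number|pay now)\b", re.I)


def smishing_indicators(sender: str, body: str) -> list[str]:
    """Return the warning signs from the list above that a message triggers."""
    reasons = []
    if sender not in TRUSTED_SENDERS:
        reasons.append("unknown or unusual sender")
    if URGENCY_RE.search(body):
        reasons.append("urgent language or threats")
    if REQUEST_RE.search(body):
        reasons.append("request for credentials, codes, or payment")
    for url in URL_RE.findall(body):
        # Bare domains such as bit.ly/abc carry no scheme, so add one before parsing.
        host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened link ({host})")
        elif host not in TRUSTED_HOSTS:
            reasons.append(f"link to unrecognized domain ({host})")
    return reasons


def is_likely_smishing(sender: str, body: str) -> bool:
    # Threshold is an assumption: two or more independent indicators.
    return len(smishing_indicators(sender, body)) >= 2


# Constructed sample messages (not real campaign texts); .example is a reserved TLD.
SAMPLE_MESSAGES = [
    ("+15551234567", "URGENT: Your package could not be delivered. Confirm your address at bit.ly/pkg123 within 24 hours."),
    ("MYBANK", "Your monthly statement is ready in the MyBank app."),
    ("+15559876543", "Your account has been locked. Reply with the one-time code we just sent to restore access."),
    ("MYBANK", "Your statement is ready at https://www.mybank.example/statements"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        verdict = "LIKELY SMISHING" if is_likely_smishing(sender, body) else "ok"
        print(f"{verdict:16} {sender:14} {smishing_indicators(sender, body)}")
```

Keyword matching like this is a triage aid, not a classifier: a message that trips none of the checks can still be malicious, and a legitimate sender can use urgent wording, so reported messages should still be reviewed.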

Preventing smishing

Effective defenses include:

  • User awareness and mobile security training
  • Avoiding clicking links in unsolicited SMS messages
  • Using mobile device security features and filtering
  • Enforcing MFA and strong account security
  • Reporting smishing messages to carriers or security teams

User vigilance remains a critical defense.

Smishing and enterprise security

In organizations, smishing can:

  • Lead to credential theft for SaaS and cloud services
  • Bypass email security controls
  • Enable account takeover and data breaches
  • Target executives and remote workers

Mobile channels must be included in security strategies.

Common misconceptions

  • "SMS is safer than email"
  • "Smishing only targets consumers"
  • "Mobile devices can't be infected via SMS"
  • "Spam filters stop smishing"