
Smishing

Smishing is phishing conducted via SMS or mobile messaging apps. Attackers send text messages that appear to come from trusted services to trick victims into revealing personal data or downloading malicious applications.

What is smishing?

Smishing attacks exploit the immediacy and trust people often place in text messages. Victims are pressured to click on links or respond quickly because the messages claim to involve deliveries, banking issues, or urgent account alerts.

How it typically works


  1. Message creation: the attacker crafts a short, urgent SMS, often using shortened URLs.
  2. Delivery: the SMS is broadcast to many numbers or to a targeted list.
  3. Engagement: the victim clicks the link, calls a fraudulent number, or installs a malicious app.
  4. Exploitation: attackers harvest credentials, spread malware, or carry out fraud.

Common techniques and variants


  • Delivery scams: fake messages claiming parcels need to be confirmed
  • Banking smishing: fraudulent alerts asking users to verify accounts
  • Tech support or security smishing: impersonating providers to fix issues
  • Mobile malware links: URLs leading to APKs or malicious downloads
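
The indicators named in the two lists above (urgency, shortened URLs, delivery, banking and tech-support themes, APK links) can be turned into a simple triage score for reported messages. The following is an added example, not part of the original page; the keyword lists, shortener hosts, weights and the review threshold of 3 are assumptions to tune, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed, non-exhaustive indicator lists (not from the page); tune to your traffic.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
THEMES = {
    "delivery": r"\b(parcel|package|delivery|courier)\b",
    "banking": r"\b(bank|account|card|verify)\b",
    "tech_support": r"\b(support|security alert|virus|technician)\b",
}
URGENCY = r"\b(urgent|immediately|suspended|final notice|act now)\b"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
WEIGHTS = {"url": 1, "shortened_url": 2, "apk_download": 3, "urgency": 1, "theme": 1}


def triage_sms(text):
    """Score one SMS body; returns (score, sorted list of indicator names)."""
    hits = set()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = re.sub(r"^www\.", "", parsed.hostname or "")
        hits.add("url")
        if host in SHORTENERS:
            hits.add("shortened_url")  # destination is hidden from the reader
        if parsed.path.lower().endswith(".apk"):
            hits.add("apk_download")  # link points at an Android package
    if re.search(URGENCY, text, re.I):
        hits.add("urgency")
    for name, pattern in THEMES.items():
        if re.search(pattern, text, re.I):
            hits.add("theme:" + name)
    score = sum(WEIGHTS[h.split(":")[0]] for h in hits)
    return score, sorted(hits)


# Constructed sample messages; example.test is a reserved name, the short link is a placeholder.
SAMPLES = [
    "Your parcel is on hold. Confirm delivery immediately: https://bit.ly/placeholder",
    "Bank alert: account suspended. Verify now at http://example.test/login",
    "Security update required, install: http://example.test/files/update.apk",
    "Running 10 minutes late, see you at the cafe.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, hits = triage_sms(msg)
        print(f"{score:2d}  {'REVIEW' if score >= 3 else 'ok':6s}  {hits}  {msg!r}")
```

Keyword scoring like this only prioritizes messages for human review; it does not replace resolving the shortened link in a sandbox or checking the sender.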

Impact


Smishing can lead to stolen login credentials, financial fraud, and malware infection of mobile devices. Because messages are short and arrive over SMS or messaging apps rather than email, they often bypass email security filters, which makes detection difficult. For organizations, smishing is a growing threat as employees increasingly use mobile devices for work-related communication and authentication.

Further reading