SMiShing: Your Guide to SMS Phishing

By now, you’re well aware of phishing and the threat it presents. You probably even think twice before clicking a link sent to you by a stranger. But, just as you’ve gotten familiar with the latest cyber threat, a new threat emerges. SMiShing.

What is SMiShing?

SMiShing is the term that many in the security industry are using to describe a social engineering technique that exploits its victims using SMS, or text messaging. Where phishing uses email as the entry point of attack, SMiShing uses text messages as its point of entry.

SMiShing is a relatively new trend and one that is particularly alarming. Most of us are aware of the phishing threat around our email inboxes and therefore, tend to exercise caution. Most of us aren’t aware of the threat that’s presented in our cell phone’s text message inbox and therefore, we tend to trust text messages more than we do emails, even from unknown senders.

This elevates the probability that we will click on a malicious item sent to us via text. Hackers know this too, and that’s why they’re using SMiShing attacks at an increasing rate.

What does a SMiShing message look like?

It’s common to receive a SMiShing message that alerts you to daily charges that you will begin receiving unless you opt-out of the service.

A link will be provided and you will be instructed to follow that link in order to opt-out of the service and avoid daily charges.

When you click the link, you’re brought to a website page that asks you to fill out a form if you want to opt-out of the service. The form will ask for your personal information.

If you submit this information, the person behind the scam will either keep your information to use in other fraudulent acts or they will sell it on the dark web to other criminals in the market for stolen identities.


Is your organization safe from social engineering attacks?


Protecting yourself against SMiShing attacks:

  • Treat “you-must-act-now” messages with great suspicion. This is a warning sign of a social engineering attempt.
  • Financial institutions won’t send you texts asking to update your account or confirm your card numbers. If you get a message like this that appears to be coming from your bank. Don’t click anything. Call your bank directly and report fraud.
  • Look for suspicious numbers such as “5000” numbers. These numbers are tied to email-to-text services, which social engineers use to avoid using their personal phone numbers for the attacks.
  • Protect your community, report all suspected SMiShing to the FCC to keep others safe from fraud.