From MarketsWiki


Smishing is a social engineering attack, a form of phishing, that uses text messages (SMS) to deceive recipients into revealing sensitive information or downloading malware. The term "smishing" is a portmanteau of "SMS" and "phishing".[1][2][3][4]


Smishing attacks typically involve sending fraudulent text messages that appear to be from legitimate organizations such as banks, government agencies, or well-known companies. The messages often create a sense of urgency and prompt the recipient to take immediate action, such as clicking a link, calling a phone number, or replying with personal information.


Common smishing techniques include:[5]

  1. Fake order confirmations: Messages claim a package delivery issue and request action.
  2. Customer support impersonation: Attackers pose as representatives from trusted companies like Apple or Amazon.
  3. Financial institution spoofing: Messages appear to be from banks requesting account information.
  4. Government impersonation: Scammers pretend to be government agencies, often exploiting current events like the COVID-19 pandemic.
  5. Malware distribution: Messages contain links to seemingly legitimate apps that are actually malware.
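As an added illustration (not part of the MarketsWiki article), the following Python heuristic triages constructed sample texts against the technique categories above: a message is flagged when an impersonation theme (delivery, support, bank, government, app download) is combined with an action cue such as urgency wording, a link, a callback number or a request to reply "STOP". The keyword lists and sample messages are constructed for the example, not taken from real campaigns.

```python
import re

# Constructed sample messages for illustration; none are real smishing texts.
SAMPLES = [
    "USPS: your package could not be delivered. Update your address "
    "within 24 hours: http://usps-redelivery.example/track",
    "Your Apple ID has been locked. Call +1-800-555-0199 immediately to restore access.",
    "You have been selected for a COVID relief payment. Claim at bit.ly/relief "
    "or reply STOP to opt out.",
    "Hi, this is Dr. Lee's office. Your appointment is tomorrow at 10:30. Reply C to confirm.",
]

# Pressure and action cues that smishing relies on (keyword heuristics, not exhaustive).
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended|final notice|act now)\b", re.I)
LINK = re.compile(r"(https?://\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S*)", re.I)
PHONE = re.compile(r"\+?\d[\d\- ]{8,}\d")
STOP_LURE = re.compile(r"\b(reply|text)\s+stop\b", re.I)

# Impersonation themes matching the technique categories listed above.
THEMES = {
    "delivery": re.compile(r"\b(package|parcel|delivery|shipment|delivered)\b", re.I),
    "support": re.compile(r"\b(apple|amazon|icloud)\b", re.I),
    "bank": re.compile(r"\b(bank|card|verify your (?:account|identity))\b", re.I),
    "government": re.compile(r"\b(irs|hmrc|social security|covid(?:-19)?|relief payment)\b", re.I),
    "malware": re.compile(r"\b(install|download)\b.*\b(app|apk)\b", re.I),
}


def triage(msg: str) -> dict:
    """Return matched impersonation themes, action cues and a verdict for one SMS."""
    cues = [name for name, rx in (("urgency", URGENCY), ("link", LINK),
                                  ("callback number", PHONE), ("stop-reply lure", STOP_LURE))
            if rx.search(msg)]
    themes = [name for name, rx in THEMES.items() if rx.search(msg)]
    if themes and cues:          # brand/agency pretext combined with a pressured action
        verdict = "suspicious"
    elif themes or cues:         # a single signal alone is held for human review
        verdict = "review"
    else:
        verdict = "benign"
    return {"themes": themes, "cues": cues, "verdict": verdict}


def triage_all(messages=SAMPLES) -> list:
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage_all()):
        print(f"{result['verdict']:10} {result['themes']} {result['cues']}  <- {msg[:50]}")
```

Keyword heuristics like these catch the obvious pretexts but miss novel wording, so in practice they are one input to a mobile security product or SMS gateway filter rather than a complete detector.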

Prevalence and Impact

Smishing attacks have become increasingly common. According to Proofpoint's 2024 State of the Phish report, 75% of organizations experienced smishing attacks in 2023. The rise in smishing can be attributed to several factors:

  1. Higher click-through rates for text messages compared to emails.
  2. Increased use of personal mobile devices for work (BYOD policies).
  3. Advancements in email spam filters, pushing attackers to explore other channels.

Prevention and Defense

To protect against smishing attacks, experts recommend:[6]

  1. Never click links in, reply to, or call numbers from text messages you don't recognize.
  2. Be cautious of unsolicited text messages, especially those that create a sense of urgency.
  3. Avoid clicking links or calling phone numbers provided in suspicious texts.
  4. Do not respond, even if the message asks you to "text STOP" to end messages.
  5. Delete all suspicious texts.
  6. Verify the sender's identity through official channels before taking any action.
  7. Make sure your smart device's OS and security apps are updated to the latest version.
  8. Use mobile security software to detect and block malicious links and messages.
  9. Educate employees about smishing risks, particularly in organizations with BYOD policies.
  10. Protect sensitive personal information (bank accounts, health records, social media accounts, etc.) by using multi-factor authentication to access it.