Smishing: SMS Phishing Attacks and How to Prevent Them

Bart Lenaerts-Bergmans - January 13, 2023

Cybercriminals are always on the hunt for your personal information. Once they get your information, they can steal your identity, spend your money and harm your credit. While techniques such as dumpster diving are still used to gather sensitive information, cybercriminals are adopting more advanced tactics. Phishing, the practice of sending fraudulent email pretending to be a reputable company to trick individuals into revealing personal information, is becoming more prevalent.

One type of phishing attack now being used is smishing, or SMS phishing. A smishing attack takes the tactics of an email phishing attack and translates them to a text. By using social engineering, cybercriminals can convince individuals to reveal sensitive information with smishing attacks.

There are several indicators that a text you receive might be a smishing attack, and there are proper ways to prevent and respond to these attacks. With the right knowledge, you can protect yourself from smishing and other social engineering attacks.


What is smishing?

Types of phishing attacks are named and defined by the vehicle the attack uses to gain your information. The strategies for composing a phishing email, a phishing video (a tactic known as vishing) and a smishing text are similar, but each is tailored to be effective for the target message. While all use social engineering tactics such as inducing fear, cybercriminals use specific phishing attacks such as smishing to target those who may not be as susceptible to other tactics.

Smishing Defined

Smishing is the act of sending fraudulent text messages designed to trick individuals into sharing sensitive data such as passwords, usernames and credit card numbers. A smishing attack may involve cybercriminals pretending to be your bank or a shipping service you use. The goal of these attacks is to trick you into revealing your information without you knowing that information is now vulnerable. Attackers achieve this effect through social engineering.

Smishing and Social Engineering

As a social engineering attack, smishing will often target fear, love and money because each of these can elicit extreme emotional responses. By offering to fulfill a desire or by tapping into your fears, a smishing attack can get you to reveal sensitive information without thinking about the dangers.

Cybercriminals can use smishing to make many attacks at once. The rationale of this tactic is that if a hundred texts offering a million dollars to a lucky winner who follows a link are sent, one or two people might click. By using social engineering, smishing attacks work to steal your information without you knowing it happened until it’s too late.

Learn more: Curious if you could catch a phishing email? Test your knowledge by reviewing this post: How to Spot a Phishing Email

How Smishing Attacks Work

Most people know the dangers of a typical email phishing attack. An email that tells you to click a link tends to raise red flags. A sophisticated phishing attack will attempt to appear legitimate to avoid these suspicions. Smishing follows this same style, except people tend to be less critical with text messages and other messaging apps.

How Smishing Attacks Begin and Spread

Smishing attacks start when cybercriminals get access to your phone number, and because nearly every modern phone can receive texts, a number is all they need. This can be done as a broad-based smishing attack, sending a generic message out to as many people as possible. If a cybercriminal has a specific target, they will use the smishing equivalent of a spear-phishing or a whaling attack. These require knowing the text message recipient or their demographic to be effective.

Smishing attacks work by first garnering your trust. Posing as a legitimate organization or business lowers a target’s skepticism. Since smishing texts tend to be more personal in nature, the threshold of suspicion is already lower than in email where you might receive spam messages every day.

By targeting emotion or using a common context such as package delivery, cybercriminals use social engineering to lower their target’s guard. This false confidence in messaging apps is how smishing attacks spread undetected. Since people often carry their phones around with them during the day, cybercriminals can target individuals during times when they might be rushed, leaving them further vulnerable.

Why Smishing Attacks Are Effective

Once an individual has a lapse in judgment and types in a password or clicks a bad link, the smishing attack starts to work. A link might lead to a page that harvests personal information from the smartphone or even installs malware on the device. A password, once given, is compromised until the user changes it, and cybercriminals will use this access to take over accounts or steal more information.

For a smishing attack to work, only one target needs to have a lapse in judgment and click a link or supply information willingly. This, along with the fact that users tend to be more trusting of texts than email, is why cybercriminals are adopting smishing. There are some examples of successful smishing attacks that can help you know what to look out for.

Types of Smishing Attacks

Since smishing attacks use social engineering tactics, they fall under four main categories of attack. One is fake messages from trusted brands. Organizations are encouraged to send messages when new products become available or when sales occur. This means seeing a message from a brand can be common or expected. Pretending to be a brand and offering a sales link is one type of smishing attack.

Another broad type of smishing attack is the urgent message. These might appear to be from a bank or a local government office. Regardless of who the cybercriminal is pretending to be, the message will urge an individual to act quickly or else something bad will happen, or something good won’t happen. Related to this type of smishing is a fake notification of winning a prize. Some people will follow a link thinking they are a lucky winner, only to give away their personal information.

The fourth type of smishing attack is a fake survey link. This is less commonly used alone because people are less likely to fill out surveys they didn’t sign up for. With the proper incentive, such as a gift card or cash back, these smishing attacks can still be effective.

Characteristics of Smishing Messages

All four types of smishing attack share characteristics that can help you spot an attack in action. If you are wary and calm when reading a text, smishing attacks can often be spotted. Poor grammar and misspelled words are as common in smishing attacks as they are in phishing attacks.

A smishing attack will usually be short and include a malicious link. Careful examination of links that look legitimate at first can help you spot them. Smishing attacks will also work on your emotions. If you find yourself panicking or wanting to act right away in response to a text, this may be a sign it is a smishing attack.

Examples of Popular Smishing Scams

Smishing attacks can be used against employees of a business to perform cyberespionage or against individuals for identity theft. Smishing attacks fall under four basic categories and share characteristics that can help you spot them. With smishing becoming more prevalent, patterns have emerged for how cybercriminals use them and who they impersonate to gain your trust.

Some types of smishing scams are effective because the organization the cybercriminals impersonate is widely used or known. These smishing attacks are more effective because they are believable. Some common disguises used by smishing attacks include:

  • Delivery services such as UPS, FedEx and the U.S. Postal Service. A text saying your package was delayed, rerouted or needs confirmation along with a link is relevant to most people. If a target has a package in transit from the impersonated company that they want or need soon, they are more likely to click a link to ensure delivery.
  • Amazon. While also a delivery service and susceptible in the same way, a smishing attack can also target an Amazon purchase or password. If a cybercriminal gains access to your password, they can find stored credit card information, mailing address and other private information.
  • Financial services such as PayPal, Apple Pay and banks. Because loss of money or compromise of banking credentials easily induces fear, these smishing attacks are effective because people are encouraged to act right away. If PayPal or your local banking institution tells you there is a problem with your account, that rings alarm bells.
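The characteristics listed above (a link, urgency, poor spelling) and the impersonated brands in this list can be turned into a simple triage heuristic. The script below is an added example, not CrowdStrike's code or tooling: it scores a handful of constructed sample texts against those indicators and flags a message that names a brand while linking to a host outside that brand's real domain, including lookalike hosts that swap digits for letters. The brand-to-domain table and the misspelling list are assumptions made for the example; a real deployment would use a maintained brand list and a spell-checker.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Phrases that push the reader to act right away (the "urgent message" type).
URGENCY_TERMS = (
    "immediately", "within 24 hours", "urgent", "act now", "suspended",
    "limited", "on hold", "verify", "confirm", "lose access",
)

# Constructed list of misspellings that recur in scam texts (assumption for this example).
COMMON_MISSPELLINGS = ("immediatly", "acces", "recieve", "verfy", "acount")

# Legitimate domains for the brands the article names as common disguises.
# Assumed for illustration; verify against each brand before relying on them.
BRAND_DOMAINS = {
    "usps": ("usps.com",),
    "ups": ("ups.com",),
    "fedex": ("fedex.com",),
    "amazon": ("amazon.com",),
    "paypal": ("paypal.com",),
}

# Digit-for-letter swaps used to recognise lookalike hostnames such as "paypa1".
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a"})

# Constructed sample messages; the link hosts are placeholders, not real sites.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold. Confirm your address within 24 hours: http://usps-redelivery-example.top/confirm",
    "Your PayPal account has been limited! Verify immediatly or lose acces: https://paypa1-secure-example.com/login",
    "Hey, running 10 min late, see you at the cafe",
    "Your Amazon order #123-4567 has shipped. Track it at https://www.amazon.com/orders",
]


@dataclass
class Assessment:
    message: str
    score: int
    reasons: list


def host_is_legitimate(host: str, brand: str) -> bool:
    """True when the host is the brand's real domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def brands_mentioned(text: str) -> set:
    """Brands named anywhere in the text, after undoing digit-for-letter swaps."""
    lowered = text.lower().translate(LOOKALIKE_MAP)
    return {b for b in BRAND_DOMAINS if re.search(r"\b" + b + r"\b", lowered)}


def assess(message: str) -> Assessment:
    reasons, score = [], 0
    lowered = message.lower()

    urls = URL_RE.findall(message)
    hosts = [urlparse(u).hostname or "" for u in urls]
    if urls:
        score += 1
        reasons.append("contains a link")

    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        score += 1
        reasons.append("urgency language: " + ", ".join(hits))

    typos = [w for w in COMMON_MISSPELLINGS if re.search(r"\b" + w + r"\b", lowered)]
    if typos:
        score += 1
        reasons.append("misspellings: " + ", ".join(typos))

    # Brand impersonation: a brand is named (in the body or in a lookalike host)
    # but no link points at that brand's real domain. Weighted highest because it
    # is the strongest single indicator the article describes.
    for brand in sorted(brands_mentioned(message)):
        if hosts and not any(host_is_legitimate(h, brand) for h in hosts):
            score += 3
            reasons.append(f"names {brand} but links to {', '.join(hosts)}")

    return Assessment(message, score, reasons)


def verdict(assessment: Assessment) -> str:
    """Threshold chosen so a link plus urgency alone stays below the line."""
    return "likely smishing" if assessment.score >= 3 else "low risk"


def triage(messages):
    return [(verdict(a), a.score, a.reasons) for a in map(assess, messages)]


if __name__ == "__main__":
    for label, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{label:16} score={score} {reasons}")
```

A message that merely contains a link and a deadline scores 2 and stays "low risk", because legitimate delivery and banking notifications also look like that; the brand-versus-host mismatch is what separates the fraudulent samples from the real Amazon notification.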

How to Prevent Smishing

Preventing phishing scams such as smishing is the best way to avoid harm to you or your business. Since many people use personal devices such as smartphones for work, smishing presents a danger to your workplace credentials as well as personal information. If you keep calm and take the time to investigate potential smishing scams, you can prevent them.

The first step for preventing a smishing scam is to never text back or call the associated number. Replying can result in more spam messages coming to your number. The cybercriminal might sell your number as one known to reply or simply change their smishing tactic to try to deceive you again. Also, never click on any links in a suspicious text message.

You can take time to verify the sender when you receive a suspicious text message. Do this via web search or by calling the company where the text is supposed to be from directly. If your bank sends you a text saying your money is at risk, don’t reply; find and call the number for your banking institution.

How to Respond to Smishing

If you receive an SMS message that you suspect is a smishing scam, you should report it to the Federal Trade Commission (FTC). The organization wants the number and name presented in the message along with time of day and any information requested by the cybercriminal. It is important that you don’t respond to the text or click any links provided.

If you have already become a victim of smishing, you should first report the scam to the FTC, and then inform any organizations that might use the stolen information. This includes changing passwords and calling any financial institution and warning them about possible fraudulent activity with your credentials. By responding quickly, you can prevent some of the harm a cybercriminal wants to cause using your stolen information.

Protect Yourself from Social Engineering Attacks

Social engineering attacks such as smishing are designed to prey on your emotions, causing you to give away private information. By leveraging your fear or desire along with the intrinsic trust many messaging services have, cybercriminals can steal your identity.

Protecting yourself from social engineering attacks requires vigilance and care whenever you are asked for personal information or to click a link. By taking preventative measures, you can keep yourself, and potentially your business, safe from smishing attacks.

CrowdStrike provides information and services to keep you knowledgeable and safe against social engineering attacks as well as other cybercriminal activities. Learn more here.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/TippingPoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.