background image


What is Smishing?


Phishing is one of today’s widely used social engineering attacks or tactics. It’s been around since the 1990s when internet-based communications were becoming more popular. Attackers, posing as trusted parties, entice unsuspecting people to open e-mails or online advertisements to steal their data or infect their computers.

People are becoming increasingly concerned about their online privacy and the amount of personal information they have access to others. In the cyberworld, phishing attempts using messages like smishing (the phrase incorporates SMS and phishing) and vishing are becoming more popular. We look at what vishing is in greater in this post. With smishing, the attacker creates convincing SMSs or text messages that appear to be coming from a trustworthy source or a well-known member of an organization.

The potential of smishing

According to a 2021 report, nearly 3.8 billion people own a smartphone. With the growing popularity of cellphones and SMS, smishing has evolved into a common approach for attackers and bad actors to target potential victims. Given that the opening rate of SMSs is 98 percent compared to e-mails, attackers find smishing a convenient and effective way to trap victims.

How does smishing work?

Smishing takes advantage of a wide range of social engineering and psychological manipulation to entice victims into disclosing personal or financial information. Scammers usually do a lot of research on all targets. They will then send text messages pretending to be a legitimate person or representative of a reputable organization. The message may contain a link or a reply option that would prompt the victim to unsuspectingly send money or share personal and financial details. The links within the text message may even lead to malware that infects a users’ device. The fraudsters would even go as far as carrying out SMS conversations with the victim to convince them, treating them as sales leads.

There are many ways that an attacker can use SMS conversations to target a victim. For example, an attacker can identify and target a person on holiday. The attacker will, through texting, pretend to be a well-known retailer and provide a link where the victim would have to ‘verify’ their billing information for shipping purposes. Once the victim reveals their personal information via text or a link, the attacker uses the data to commit identity theft and other cyberattacks.

Types of smishing attacks

Smishing has various forms depending on the many SMS-like communication methods widely used by people. Here are some well-known types and variants of smishing attacks that any typical internet user or employee should know.

  1. Text-based smishing: This is the most typical type of smishing attack, wherein the attackers, as discussed above, attempts to trick the victim into sharing sensitive information via text messages. Usually, these text messages would even have misleading links that steal user information or deliver malware on the user’s device.

  2. Cell-phone smishing: The scammer will pose as the users’ mobile phone service provider in these types of attacks. They will usually forward fake offers and discounts relating to recharges or updates. The message will lead the victim to a spoofed website that will look like the original provider’s website that relays login credentials and personal information to the attacker’s database. Similar smishing attempts entail “urgent” messages pertaining to the users’ credit card or bank account, fake winning notifications, misleading ads from ‘trusted’ brands, and fake survey links.

  3. IM smishing: Instant Messaging platforms like Facebook Messenger, WhatsApp, etc., serve as the perfect avenue to propagate smishing attacks, given their similarity to text message interfaces. They are initiated in the same way text-based smishing is.

How to stay protected from smishing

  • Users should not open any links inside text messages from unknown senders.

  • Upon receiving suspicious text messages, users can ignore them or cross-verify the message’s authenticity by contacting the organization—that the text message claims to represent—through their legitimate phone number or e-mail ID.

  • It is always recommended to avoid sharing personal information or financial details through SMS replies to anyone unknown.

  • It is also a good practice to block suspicious or unknown senders

  • Organizations should also consider including smishing in their security awareness training and conduct hands-on workshops to demonstrate its potential.


The best defence against smishing assaults is to remain on guard about who you’re responding to and what you are opening in each message. Furthermore, everyone should stay up to date on the best methods to avoid becoming victims of these attacks. To know more about such cyberattacks, visit Packetlabs.