Smishing Explained: How SMS Based Attacks Scam Victims

Hard To Prevent

SMS messages are delivered automatically and not blocked by network security.

Aim is Credentials and Personal Information

Online account credentials, especially banking. Personal information to use for identity theft and credit fraud.

Lack of Awareness of Risk

Can compromise device or network – a link is a link.

What is Smishing?

Smishing or SMS phishing is a form of social engineering that uses a text message to contact the victim, often with an embedded hyperlink to move the attack out of the limited text message environment. While some people may think that an old-fashioned SMS text message is intrinsically less dangerous than an email, an openable link is a link wherever it is.

Mobile usage has exploded in the last decade, with 5 billion mobile users, 35 billion app downloads a year and, in the UK, four-fifths of online time being spent on a mobile phone. If you launch an electronic social engineering attack, there is a good chance that attack is going to land on a mobile device. So in this article we are going to look at mobile phishing, including SMS-based smishing, and beyond that at the specific risks and defences relating to social engineering attacks on mobile devices.


How Popular are Smishing Attacks?

Fraudulent SMS messages are very common, with millions being sent every year. In a recent study, 84% of companies reported smishing attacks against their company. While not as common as email-based phishing attacks, the ease with which SMS can be sent, and the difficulty of blocking SMS messages from arriving, make this a popular and effective method.

Smishing is a popular vector for scammers, who usually send bulk SMS messages to individuals. This SMS spam is relatively unsophisticated because of the large number of messages sent out.


What do they want?

SMS attacks are predominantly looking for two types of information:

- Online account credentials, especially banking.

- Personal information to use for identity theft and credit fraud.


How Does Smishing Work?

Like all forms of social engineering, including vishing and phishing attacks, smishing leverages psychology and the principles of persuasion to get the victim to act. Commonly used principles include URGENCY – “Act now to stop your account being taken over” and AUTHORITY – “I am the government – click this link to get a support grant”. Here are some commonly used themes in SMS smishing attacks:

Common Smishing Themes to Look Out For

Here are some examples of commonly impersonated organisations, along with the type of message commonly being used.

Tax authorities – HMRC and IRS (“You are due a tax refund”)

Banks and Building Societies (“there is a problem with your account”)

Utilities (“Update your details or lose access to the service”)

Technology providers like Apple or Google (“confirm your account details”)

Parcel company (“Your package has been lost. Please click here for more information”)

Large retailer (“free gift vouchers available”)

You’re a winner! (“The prize needs to be claimed ASAP. Please reply with bank details so we can deposit the money”)

6 Ways to Spot a Smish or SMS Scam Text

Most organisations don’t communicate important or urgent things by SMS. If it’s urgent, like a fraudulent transaction, they will phone you. If it’s important, they usually send an email or letter.

Bearing that in mind, here are a few ways to spot a smish or scam text message.

1. The message is out of character

Your bank won’t send you links by text to update your details and Amazon isn’t in the business of sending out free vouchers.

2. The website link is different / overly complex

If the link has a different name or extra punctuation, it might not be from the claimed sender.

3. Urgency/Emergency!

The message will often say that something disastrous has happened that needs dealing with immediately. Your bank account is locked! Your identity has been stolen! It will need dealing with before you have a chance to think about it.

4. Too good to be true

You’ve won something! Have you really?

5. The message is impersonal

Because attackers need to send out so many of these messages, and because they don’t know much about the victim, they need to keep the messages as general as possible.

6. Short-codes

Many organisations send SMS messages from specific short-codes, which are 6 or 10 digits long, as opposed to our ordinary 11-digit numbers. If a large organisation is apparently texting you from an ordinary phone number, this could be a red flag.
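The signs above that can be checked mechanically (2, 3, 4 and 6) can be turned into a simple triage heuristic for reported messages. This is an added example, not part of the original article; the brand allow-list, keyword lists, UK mobile number pattern and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand keyword -> domains it really uses.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.co.uk"},
    "hmrc": {"gov.uk"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}
URL_RE = re.compile(r"https?://\S+", re.I)  # only explicit http(s) links
URGENCY_RE = re.compile(r"\b(immediately|asap|urgent|locked|suspended|compromised)\b", re.I)
TOO_GOOD_RE = re.compile(r"\b(winner|prize|free|vouchers?|refund)\b", re.I)
UK_MOBILE_RE = re.compile(r"^(?:\+44|0)7\d{9}$")  # ordinary 11-digit UK mobile


def _on_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_sms(sender, body):
    """Return the sorted indicator names that fire for one message."""
    hits = set()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", body, re.I)]
    for raw in URL_RE.findall(body):
        host = (urlsplit(raw.rstrip(".,!?)")).hostname or "").lower()
        # Sign 2: link name differs from the organisation named in the text.
        if any(not _on_domain(host, BRAND_DOMAINS[b]) for b in brands):
            hits.add("link-mismatch")
        # Sign 2: extra punctuation, deep subdomains or punycode labels.
        if host.count("-") >= 2 or host.count(".") >= 4 or "xn--" in host:
            hits.add("complex-link")
    if URGENCY_RE.search(body):      # Sign 3
        hits.add("urgency")
    if TOO_GOOD_RE.search(body):     # Sign 4
        hits.add("too-good")
    # Sign 6: a named organisation texting from an ordinary mobile number.
    if brands and UK_MOBILE_RE.match(sender.replace(" ", "")):
        hits.add("ordinary-number")
    return sorted(hits)


# Constructed sample messages; sender numbers are made up for illustration.
SAMPLES = [
    ("07700900123", "DHL: Your parcel is arriving, track here https://dhl-parcel-track.example/t"),
    ("600123", "Your DHL parcel is out for delivery. Track at https://www.dhl.com/track"),
    ("+447700900456", "You're a winner! The prize needs to be claimed ASAP."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, score_sms(sender, body))
```

Signs 1 and 5 (out of character, impersonal) need human judgement and are not scored; a message that fires no indicator is not thereby proven genuine.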

Smishing is a Growing Attack Vector – Source: Verizon 2020 Mobile Security Index Report

39% of companies suffered a mobile-related security compromise
85% of attacks seen on mobile devices now take place via mediums other than email
54% of companies were less confident about the security of their mobile devices than that of their other systems

7 Defences to Mobile Phishing

Remember that SMS messages are easily spoofed and difficult to filter, and that mobile devices are vulnerable to malware in the same way as other computers.

1. Don’t click hyperlinks in text messages.

2. Treat SMS messages as notifications, use a different channel to verify the information.

3. Never click a reply link in a text message if you don’t recognise the number.

4. If you are suspicious that you may have received a message from a spoofed number, call or message them back from the number in your address book, not the one they give you.

5. Most organisations have a policy of not asking for personal details by SMS.

6. If in doubt, call on a recognised number.

7. Don’t respond to the text. If you do, you risk being added to a list of “victims” which will be circulated on the dark web and lead to more scammers contacting you.


While many organisations and executives are targeted with highly personalised and specific phishing emails, the evidence of SMS messages being used in this manner is limited, although targeted messages have been received by journalists leading to tracking malware being found on their devices.


Smishing and Number Spoofing

Number spoofing means altering the sender’s number so that when the message is received, the recipient thinks it is from someone else. SMS is an old and insecure technology. It is easy with technology to make it appear as if the text (or the call) is coming from someone else. If an attacker knows your mobile number and that of your boss (perhaps listed in your email signature), they can send you a text which will show up with the sender as being however you have them listed in your phone book.


Signs of SMS Spoofing

In a spear-smishing attack utilising SMS spoofing, the same defences apply as to a regular smish. However, unlike a regular smish, it is vital to the attacker that you don’t question the request or respond to the text, because if you reply, it will go to the actual number, not to the attacker. So, if they spoof “Dave” asking for a bank transfer to a new account, and you reply going “Hey Dave, are you sure?”, real Dave is going to get the text and wonder what’s going on. Hence attackers will often put something like “can’t talk now – going into a meeting / on a plane / out the office” to stop you querying the request.


Case study: Bank of Ireland Smishing Scam

In 2020 Bank of Ireland customers were targeted in a smishing attack which led to 800,000 euros ($970,000 USD/£700,000) being stolen from 300 account holders. The message they received told them their account had been compromised and to click the link in the SMS to update their personal information. Those who followed the link to the cloned bank website and submitted their PIN and account details had money taken from their account. This is not the first time BOI customers had been targeted in this way, with a similar scam being perpetrated in 2017. This is not a particularly sophisticated attack, relying on high volumes of SMS messages with a few hundred unsuspecting victims.

Case study: DHL “FluBot” Malware

UK mobile networks are warning users about an SMS-based attack that can result in malware being installed on their mobile phone. The attack begins with the user receiving an SMS text message with the words “DHL: Your parcel is arriving, track here”. Should the user click the link, they are prompted to download an app which claims to let the user “track your parcel”. According to the National Cyber Security Centre (NCSC): “The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages – further spreading the spyware.”

The NCSC advises that if you have installed the malware, you should not enter passwords on your device and should complete a factory reset as soon as possible.


Case Study: Covid Pass

The PSNI warn of a phishing text message scam in circulation that tells people they must apply for their Covid-19 pass. The scam message reads: “We noticed you haven’t applied for your Covid pass” and links to a convincing, but fake, NHS page which then asks for bank details.


How to Report Smishing

In the UK and USA you can forward the text to 7726. This free-of-charge short code enables your provider to investigate and block potentially malicious SMS messages.

You can also report to Action Fraud in the UK and the FTC in the US.

4 Things to Do if You are a Victim of a Smishing Attack

1. Disconnect your phone from the Wi-Fi and mobile connection.

It is possible that you have installed malware as a result of the smishing attack. Some signs of malware include high data usage, battery drain, overheating and unexpected crashes.

2. Change passwords

If you gave out a password by logging in to a fake page or over the phone, log in and change that password immediately. If you can set up 2FA for the service and for any other accounts on your device, you should do this too.

3. Contact the organisation that was being impersonated

Let the impersonated organisation know so that they can try and get the number blocked and alert their customer service staff.

Report the attack to the numbers above.

4. Reset your device to factory settings.

If you think you have installed malware, reset your device to factory settings.
