What Is Smishing and How To Defend Against It?

image credit: nordvpn.com

Smishing, also known as SMS phishing, is a form of phishing, the social engineering technique, carried out over text messages. Threat actors send compelling texts to unsuspecting recipients to lead them into clicking a malicious link. Once the link is clicked, the attacker can harvest sensitive personal information or install malware on the victim’s smartphone.

There has been a significant rise in phishing scams where threat actors trick users into divulging sensitive data, downloading malware, or exposing their organizations to cyberattacks. On July 28, 2022, the Federal Communications Commission (FCC) warned Americans of the steady increase in smishing attacks attempting to steal vital personal information and cryptocurrency. As per FCC records, there has been a 168% increase in smishing attacks in the US between 2019 and 2021.

How Does Smishing Work?

Like phishing emails, smishing messages lure users with irresistible content that either compels them to click a link or demands personal information from them. Threat actors use a variety of pretexts to trick users into sharing private data, often making the message more convincing by including details they already hold, such as the recipient’s name and address. The attached link may lead to a phishing site or to malware that can be used to access the user’s private data.

What are the different types of smishing attacks?

Victims most often receive different kinds of smishing messages. Let us look at the top four variants:

  1. Financial services phishing: Posing as a bank or credit card company, threat actors send messages about, for example, a fraudulent purchase or a missed verification step. These messages use persuasive techniques that urge users to click the link immediately. Clicking such a link can lead to a compromised account and lost money. Real banks and financial institutions do send alerts, but they never include a link or pressure the recipient to act.
  2. Online shopping scams: eCommerce shoppers commonly receive notifications about order confirmation, shipping, and delivery. Hackers can replicate such messages and pose as legitimate brands to trick users.
  3. Prize scams: This is a common scam in which threat actors send messages claiming that the target has won a prize. Attractive prizes such as electronic gadgets, an automobile, or cash serve as bait to trap targets.
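The lures above (a link, urgency, and a financial, shipping or prize theme) can be turned into a simple triage rule for incoming texts. The following is an added example and not code from the article; the keyword lists and sample messages are constructed for illustration, and a real deployment would tune them to local phrasing and language.

```python
import re

# Indicator lists derived from the smishing lures described above (constructed).
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "act now", "final notice")
FINANCIAL = ("bank", "account", "card", "verify", "verification", "fraudulent", "transaction")
SHOPPING = ("order", "delivery", "delivered", "shipped", "shipment", "package", "parcel", "track")
PRIZE = ("won", "winner", "prize", "reward", "claim", "congratulations")
# Matches http(s) URLs as well as bare domains such as track-parcel.example/r
URL_RE = re.compile(r"https?://\S+|\b(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def _has(term, text):
    """Whole-word match so that 'won' does not fire on 'wonder'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def sms_signals(text):
    """Return the list of smishing indicators present in one text message."""
    t = text.lower()
    signals = []
    if URL_RE.search(text):
        signals.append("link")
    if any(_has(k, t) for k in URGENCY):
        signals.append("urgency")
    for name, words in (("financial", FINANCIAL), ("shopping", SHOPPING), ("prize", PRIZE)):
        if any(_has(k, t) for k in words):
            signals.append(name)
    return signals


def classify(text):
    """A link combined with urgency or a lure theme is treated as suspicious.
    A theme on its own (e.g. a genuine shipping notice without a link) is not."""
    signals = sms_signals(text)
    return {"suspicious": "link" in signals and len(signals) >= 2, "signals": signals}


# Constructed sample messages; domains use the reserved .example TLD.
SAMPLES = [
    "ALERT: Your bank account has been locked due to a fraudulent transaction. Verify immediately at http://secure-login.example/verify",
    "Your package could not be delivered. Reschedule now: track-parcel.example/r",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
    "Congratulations! You have won a $1,000 gift card. Claim your prize: https://prize-claim.example/win",
    "Your order #4521 has shipped and will arrive Tuesday.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), "<-", msg[:60])
```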

What is the state of smishing attacks?

There has been a recent uptick in smishing attacks distributing FluBot malware, an Android banking trojan, through malicious links posing as Adobe Flash Player. Once it has control of the device, FluBot steals all online banking credentials and can send or intercept one-time passwords sent through SMS messages and capture screenshots. The effect of the malware is profound since it then uses the victim’s device to send new smishing messages to all the people in the contacts list.

Similar smishing attacks were reported targeting customers of Indian banks such as Axis Bank, ICICI Bank, and State Bank of India (SBI), delivering reward-themed malware such as Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.

Raising awareness about smishing and the signs to look out for is crucial to mitigating the effects of such attacks. A recent analysis by SonicWall suggests a rise in maliciously crafted PDFs and Microsoft Office files, considered safe by most workers and usually sent through emails as attachments, between 2018 and 2021.

In other cases, individuals wrongly trust any Secure Sockets Layer (SSL) enabled website (signified by a padlock icon in the address bar) with an HTTPS prefix, even though a whopping 84% of phishing websites were observed using HTTPS in 2020. Organizations must therefore train their employees to be more cautious when receiving messages asking for personal information. At the same time, individuals should be more skeptical of unexpected messages prompting them to click on links or download files.

It is also recommended that individuals and organizations use Virtual Private Networks (VPNs) to obfuscate IP addresses while searching for or downloading files, effectively reducing the chances of social engineering attacks since VPNs encrypt all the data received and sent from a device.

In a nutshell, here’s how to defend against smishing:

  • Stay vigilant about unexpected messages and bring suspicious financial services-related texts to your bank’s attention.
  • Don’t rush when a message conveys urgency. Read it carefully and evaluate the consequences and next steps.
  • Avoid clicking links received from any suspicious source or received unexpectedly.
  • Use a VPN to protect your enterprise.
  • Opt for passwordless authentication, as hackers cannot hack these mechanisms.
  • Report any smishing scam to the relevant authorities.
  • If anything seems suspicious, it’s always a good idea to immediately call the relevant party, whether your employer, bank, or online retailer, on its official contact number and verify the message received.


As people are getting more comfortable around digital conveniences, crimes are also getting more sophisticated, making detecting them more challenging than ever. The FBI Internet Crime Report 2020 further elucidates the effects of phishing attacks in the US, showing a shocking 1140% increase over five years.

Passwordless authentication is one of the key ways to defend against such attacks, as it eliminates the need to enter passwords (which can be easily hacked), uses biometrics such as fingerprints that cannot be hacked, and removes the hassle of multi-factor authentication. Therefore, enterprises, government organizations, and individuals must employ the necessary cyber-security protocols. Finally, and most importantly, stay vigilant and take the matter to the designated authorities if suspicious activity is witnessed.


(The author is Mr. Shibu Paul, Vice President – International Sales at Array Networks, and the views expressed in this article are his own)