What is Smishing? Definition, Detection & Prevention

What is smishing?

Smishing is one of the fastest-growing cyber threats, with as many as 84% of organizations encountering an attack last year, according to a Proofpoint study.

The attacks – a specific type of phishing conducted over text message – have spiraled as businesses embrace more fluid ways of operating.

No longer limited to office environments and face-to-face communication, many employees interact on mobile apps and IM clients.

When combined with the uptick in BYOD (bring your own device) policies and the freedom to perform non-work-related activities on those devices, the borders between our personal lives and work environments are blurred and the threats escalate.

Unfortunately, Proofpoint’s study found that half of respondents didn’t know what smishing was, and only 25% of organizations ran simulated attacks to test employees’ ability to spot scams.

If organizations are to prevent data breaches, these figures must improve. We explain how to get started in this blog, outlining how smishing works and five ways to protect yourself.


How does smishing work?

Smishing works in much the same way as phishing. Scammers send messages posing as a legitimate organization with the aim of getting recipients to follow a link.

The messages are usually delivered via text message, but they can also occur on instant messaging clients such as WhatsApp, or on social media.

Smishing attacks are most likely to replicate:

  • Alerts from your bank, such as a notification of a new payment, or a warning that you have entered an overdraft.
  • Account suspensions. These messages can imitate any number of organizations, with PayPal and Amazon among the most commonly impersonated. They generally claim to have detected suspicious activity and frozen your account.
  • The government, with tax offices being a particularly likely candidate.
  • Competitions and giveaways. Scammers will often claim that the recipient has won – or has the chance to win – a prize.

In all these scams, the objective is to get the recipient to follow a link, which directs them to a mock-up of a genuine organization’s website.

From there, you are asked to provide your login credentials and, in some circumstances, additional information, such as your bank details and social security number.

But how can you avoid falling for scammers’ tricks? In the next section, we provide our top five tips to protect yourself from smishing.


How to prevent smishing

1. Don’t assume it’s genuine just because it’s written professionally

There is a misconception that scams are characterized by poor spelling and grammar. Although that's sometimes the case, many messages are carefully crafted to imitate the real thing perfectly.

That’s much easier to do with smishing, because text messages are shorter than emails and don’t need specific formatting.

So just because the message reads as though it has come from a legitimate person, don’t presume that’s the case.


Find out how to prevent scams by downloading Cybersecurity 101 – A guide for SMBs.

This free green paper outlines common cybersecurity myths and offers advice on how you can protect yourself and your staff.

It also provides guidance on implementing effective and affordable cybersecurity measures to improve your security posture.


2. Check the attached link

As we’ve previously mentioned, the objective of smishing is to get recipients to follow a link. You may be familiar from advice regarding phishing to look out for domains that differ slightly from their genuine counterparts – such as those that use a capital ‘I’ in place of a lowercase ‘l’.

This is particularly difficult with smishing, for two related reasons. First, because texts are designed to be short, you'll rarely be shown the full address in a readable form: the URL is abbreviated, cut off by the width of the screen, or replaced by a link-preview card carrying the brand's name and logo. (A plain SMS cannot hide a URL behind wording such as 'Follow this link' the way an email can, but the effect is much the same.)

Fortunately, there is a way to see where a link goes without visiting the website. Press and hold the link instead of tapping it, and a pop-up will show you the full destination address; most messaging apps also offer to copy it from the same menu.

From there, review the domain. Read it from the right: the registered domain is the part immediately before the first '/', and a genuine brand name appearing further left, as a subdomain of some other domain, proves nothing.

The second problem is that many services – legitimate and phony – use link-shortening platforms, such as bit.ly.

These convert domains into a shorter string of letters, and are frequently found whenever there are character limits on messages, such as texts and on Twitter.

But again, there is a way to review these links without visiting the website. If you hold down the link as before, you will have the option to copy it.

For bit.ly links, paste the copied address into your browser's address bar and add a '+' to the end before pressing enter. Bitly then shows an information page with the real destination instead of redirecting you, so you can review the domain and decide whether it looks phony. Other shortening services have their own preview mechanisms; if in doubt, paste the link into a URL-expander service rather than opening it.
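As an added example that is not part of the original post, the following Python script applies the checks in this tip to the links in a text message automatically: it pulls out the URLs, flags shortener hosts that must be expanded before they can be judged, spots a real brand name parked in the subdomain of an unrelated domain, and compares the registered domain against your own list of trusted domains after swapping out confusable characters (a capital 'I' arrives as 'i', because hostnames are case-insensitive). The trusted-domain list, the shortener list, the confusable table and the sample messages are all constructed for illustration, and the registered-domain logic is a two-label approximation.

```python
"""Triage the links in a text message the way tip 2 describes.

Added example, not code from the original post. The lists below are
constructed for illustration and are not exhaustive.
"""
import re
from urllib.parse import urlsplit

# Domains the recipient genuinely does business with (constructed list).
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "irs.gov"}

# Link-shortening hosts; a shortened link must be expanded before it can be
# judged (constructed, non-exhaustive list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Visually similar substitutions seen in look-alike hostnames. Hostnames are
# case-insensitive, so a capital 'I' used in place of 'l' reaches us as 'i'.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]

# Anything a messaging app would turn into a tap target.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def extract_urls(message: str) -> list[str]:
    """Return every link in the message, normalised to start with a scheme."""
    urls = []
    for match in URL_RE.findall(message):
        url = match.rstrip(".,;:!?)")            # drop trailing punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url                # bare 'www.' links
        urls.append(url)
    return urls


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Adequate for .com/.net/.gov; a production check would use the public
    suffix list so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_confusables(host: str) -> str:
    """Collapse look-alike characters so 'paypai.com' compares as 'paypal.com'."""
    for fake, real in CONFUSABLE_PAIRS:
        host = host.replace(fake, real)
    return host


def classify_url(url: str) -> str:
    """Return one of: trusted, shortener, idn-homograph, brand-in-subdomain,
    lookalike, unknown."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)

    if reg in TRUSTED_DOMAINS:
        return "trusted"
    if reg in SHORTENERS:
        return "shortener"
    # Punycode label: an internationalised name that may render like a brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "idn-homograph"
    # Real brand name to the left, but the registered domain is someone else's.
    if any(trusted in host for trusted in TRUSTED_DOMAINS):
        return "brand-in-subdomain"
    normalized_trusted = {normalize_confusables(t) for t in TRUSTED_DOMAINS}
    if normalize_confusables(reg) in normalized_trusted:
        return "lookalike"
    return "unknown"


def triage_message(message: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for each link found in a text message."""
    return [(url, classify_url(url)) for url in extract_urls(message)]


if __name__ == "__main__":
    # Constructed sample messages, not real smishing texts.
    samples = [
        "PayPal: unusual activity detected. Verify now at http://paypaI.com/verify.",
        "Your package is held at the depot. Pay the fee at www.tinyurl.com/abc123.",
        "Amazon: sign in at https://www.amazon.com/gp/your-account to review.",
        "Account locked: https://www.paypal.com.account-verify.net/login",
    ]
    for text in samples:
        for url, verdict in triage_message(text):
            print(f"{verdict:20} {url}")
```

The verdicts are deliberately coarse: 'trusted' only means the registered domain is one you already use, and 'shortener' means you have not yet seen the real destination, so the link still needs expanding (the '+' trick above) before you can say anything about it.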


3. Never give out personal information via text

The most decisive way to protect yourself from scams is to never provide personal details in response to an unsolicited text message (or any other unsolicited message).

Scammers' objective is to capture these details, so if you simply ignore their requests, they walk away with nothing.

That does of course leave you open to the possibility of ignoring a genuine message. However, if it’s urgent enough, you can assume that the organization will contact you again – particularly via an alternative method (such as email or by calling you).

But if you want an immediate guarantee that you’re not missing out on an important, genuine message, you can follow our next tip.


4. Visit the organization’s website directly

If you have an account with the organization that appears to have contacted you, we recommend logging in manually by typing the company's address into your web browser yourself, or opening its official app, rather than following anything in the message.

Usually if the message is real, you’ll see a notification that contains the same message, in which case you know that the message is genuine. If you don’t see a notification, it’s probably a scam.

But if you’re still not convinced, there is one more thing that you can do.


5. Phone the company using a trusted telephone number

The most conclusive way to determine whether a message is genuine is to phone the organization and ask.

Assuming the claim in the text is genuine, someone on the other end of the line will be able to verify that fact – and they will also be able to help you address the issue that the message relates to.

If you decide to do this, though, you must make sure that you use a trusted telephone number. Don't simply call the number that you received the text from, and don't call a number given in the body of the message either. That will only direct you to whoever sent the original message, which may well be a scammer.

You can find an appropriate phone number easily enough. For example, if the message relates to your bank account, there should be a phone number on your bank card.

Likewise, for messages from the government, look for a phone number on previous correspondence, such as a letter or email you already know to be genuine.


Looking for more tips?

You can find out more about smishing and how to keep your organization secure with IT Governance USA’s Phishing Staff Awareness E-Learning Course.

This online course explains everything you need to know about scams, from phony text messages and emails to telephone con artists.

Your staff will learn about specific cons, the consequences of a successful attack, and how to identify a bogus message before it’s too late.