What You Need to Know About Text-Based Smishing Attacks

by | Jul 26, 2022 | Cybersecurity

The COVID-19 pandemic generated several changes that have irrevocably become part of our lives. Many of us have switched to working at least part-time on a remote basis. Although lower productivity is frequently associated with working from home, the opposite has come true for employees working from home during the pandemic.

Productivity has increased by double digits.

Other changes associated with the COVID-19 pandemic are not as positive and in some cases, extremely negative. One of the prime examples of how the pandemic has made things worse concerns the classic digital scam called phishing. As the illegal practice of sending emails that impersonate a reputable company, phishing has always been one of the top cybersecurity issues confronted by CIOs from all over the world.

Now, phishing has a troublesome cousin that is called smishing, which represents the act of phishing done via text messages.

In March of 2022, scammers sent more than 11.6 billion fraudulent texts over American wireless networks, which is an increase in smishing texts from February of 2022. The average amount of money stolen because of smishing scams increased from $800 to $900 over the same period. Although smishing is not considered a new illegal cyber tactic, scammers have become more brazen in their attacks, as well as have implemented more sophisticated techniques to get victims to take the proverbial bait.

The onslaught of new smishing techniques and the frequency with which scammers carry them out should grab the undivided attention of CIOs and IT executives.

What is Smishing?

Smishing combines the terms phishing and short message service (SMS). The more technical definition is that smishing represents a type of social engineering attack that exploits human trust to make money illegally. When an online criminal phishes, the criminal sends a fraudulent email to deceive someone to click a malicious link. Smishing is simply the act of phishing by sending unlawful messages through text-based systems.

As with phishing, the act of smishing can unfold by two different methods.


If you click on a malicious link that is part of a text message, the malicious link might down software that installs on your cell phone. The SMS malware can mimic a valid app, which tricks a victim into revealing confidential financial data and personal information. Installed SMS malware can share your private data and information with numerous criminals operating in cyberspace.


Instead of downloading a malicious app that masquerades as a valid link, a malicious link can take you to a fake website that appears to be legitimate. The website requests highly-sensitive financial data and personal information. Cybercriminals have significantly improved their skills when it comes to developing websites that appear valid, which makes it easier than ever to exploit the trust of unsuspecting victims.

What Are the Social Engineering Principles Behind Smishing?

Like phishing, fraud and deception represent the two driving forces behind smishing attacks. However, fraud and deception do not work unless a cybercriminal can exploit one or more social engineering principles.


By acting like a reputable individual or organization, cybercriminals decrease the level of skepticism felt by potential victims. Building trust takes patience, which a growing number of cybercriminals have developed to make the exploitation of trust work. Since text messages are viewed as a more personable form of communication as opposed to sending emails, potential victims eventually lower their guards enough to fall for smishing scams.


The most effective smishing scams rely on manipulating the emotions of potential victims. Overriding a victim’s critical thinking skills can involve using images to convey positive thoughts. Cybercriminals also are known for manipulating the emotions of potential victims by playing uplifting background music while making a scam pitch. The key is to override critical thinking quickly to prevent a potential victim from rejecting illicit online pitches.


Capitalizing on an event or situation that is meaningful to potential victims can help a cybercriminal create a personalized message that takes advantage of the event or situation. Think about the large number of television public commercials that run in the aftermath of a natural disaster. Savvy con artists take advantage of a plea for money, but instead of doing it on television, they exploit their victims via text messages.

How Can IT Executives Prevent Smishing Scams?

Educating your team is the most effective way to prevent smishing attacks. The first method for fighting back against smishing attacks is to never respond to any messages that are not recognized by the receiver of the message. Your employees should consider any urgent request for action to be indicative of a smishing attack. Explain the importance of taking your time to digest text messages. Never respond to requests for information updates via text from your financial institution. Ethical financial institutions do not request sensitive information through vulnerable SMS portals.

Finally, encourage the use of multi-factor authentication (MFA) to create additional roadblocks for cybercriminals that want to gain access to the most sensitive financial data and personal information.

Additional Cybersecurity Resources

Guide to Zero Trust Security

Top CISO Priorities: Summer 2022

Data Breach Industry Forecast


Submit a Comment

Your email address will not be published. Required fields are marked *

IT executives are invited to register to participate in this exclusive community and receive the latest news and important resources directly to your inbox: