• Why IRONSCALES
    OUR VALUE
    • Protect Better
      Protect Better

      Gain protection against advanced email attacks like BEC, ATO, social engineering, and more

    • Simplify Operations
      Simplify Operations

      Turn hours-a-day to minutes-a-month combatting phishing with customizable security automation

    • Empower Your Org
      Empower Your Org

      Triple your org's email security awareness with real-world phishing simulation testing and training

    CUSTOMERS
    • Customers
      Customers

      Check out the benefits provided to our customers and their stories

    • flag
      Case Studies

      Explore inspiring success stories from our 13,000+ global customers

    • star
      Reviews

      Uncover honest reviews with authentic insights from Gartner, G2, Capterra, and more

    NEWS
    • mic
      Press

      Read our latest press releases, news publications, and media highlights

    • award
      Awards

      Explore our awards and industry recognition achievements

    Thumbnail-google-workspace-and-ironscales-a-complete-email-security-solution
    Press: New Research

    New Osterman study reveals orgs with high confidence still lack capabilities against QR code attacks

    header-card-image-3
    Case Study: Webhelp

    Learn how Webhelp saved over 450 SecOp hours and is protecting 36,000 mailboxes

    header-card-image-1
    Awards: INC. 5000

    IRONSCALES earns 'Fastest Growing Email Security Company' for 3rd straight year

  • Platform
    Spring '24 Software Release! Check out our new deep image-based detection, GWS capabilities, and more. Explore the new additions
    CAPABILITIES
    • Inbound Email Protection
      Inbound Email Protection

      Get Adaptive AI email security against advanced attacks missed by other security controls​

    • Account Takeover Protection
      Account Takeover Protection

      Eliminate the risk of ATO with advanced prevention, detection, and response

    • Image-Based Attack Protection
      Image-Based Attack Protection

      Protect your organization from image-based attacks like malicious QR codes

    • SOC Automation
      SOC Automation

      Put SecOps workloads on auto-pilot with automated email remediation and more

    • Phishing Simulation Testing
      Phishing Simulation Testing

      Send your employees customized simulations built from real-world threats

    • Security Awareness Training
      Security Awareness Training

      Build a security-centric culture with automated personalized awareness campaigns

    • Crowdsourced Threat Intelligence
      Crowdsourced Threat Intelligence

      Leverage insights from 20,000+ security analysts in our community for email remediation

    • Collaboration Tool Protection
      Collaboration Tool Protection

      Protect your collaboration tools including Microsoft Teams® from advanced threats

    Take an Interactive Platform Tour
    TECHNOLOGY
    • Adaptive AI Engine
      Adaptive AI Engine

      Learn how we level up our AI with advanced ML models and Human Insights

    • Human Insights
      Human Insights

      See how we uniquely enhance our adaptive AI with real-time Human Insights

    • Generative AI
      Generative AI

      Discover how we use Gen-AI, large language models, and techniques for email security

    • Ecosystem Integrations
      Ecosystem Integrations

      Maximize your existing security tools with our seamlessly integrated platform

    Take an Interactive Platform Tour
  • Solutions
    USE CASE
    • BEC & Executive Impersonation
      BEC & Executive Impersonation

      Stop advanced attacks like BEC, VEC, and VIP impersonation

    • Advanced Malware/URL Attacks
      Advanced Malware/URL Attacks

      Continuously protect against malicious links and attachments

    • Credential-Theft
      Credential Harvesting

      Block attackers from stealing your sensitive business data

    • Account Takeover Attacks
      Account Takeover Attacks

      Prevent, detect, and respond to ATO attacks in real time

    • QR Code Attacks
      QR Code Attacks

      Decipher image-based attacks from weaponized QR codes

    • Generative AI Attacks
      Generative AI Attacks

      Safeguard your organization against GPT-crafted attacks

    • Phishing Simulation Testing
      Phishing Simulation Testing

      Test your employees with real-world email attacks

    • Security Awareness Training
      Security Awareness Training

      Build a security-first organization with integrated SAT campaigns

    Get A FREE Email Health Scan
  • Learn
    New Report! Osterman Research releases their 2024 findings on Image-based/QR Code Attacks. Read the report
    LEARN
    • Blog
      Blog

      Stay informed with our insights and updates

    • Guides
      Guides

      Explore our multi-chapter email security guides

    • bookmark
      Glossary

      Decode cybersecurity jargon with our glossary​

    • Resource Library
      Resource Library

      Rich content hub including whitepapers, reports, and more

    • Get Started
      Get Started

      Get started today with a 14-day free trial

    • Platform Tour
      Platform Tour

      Navigate our platform directly with an interactive guided tour

    • Engineering Corner
      Engineering Corner

      Explore articles and lessons from our R&D team members​

    CONNECT
    • Events
      Events

      View our upcoming in-person and virtual events

    • LinkedIn_icon-vector
      LinkedIn

      Join the evolving email security discourse with us on LinkedIn

    • Newsletter
      Newsletter

      Join our LinkedIn newsletter for security news and best practices

    See all resources
    FEATURED
    Email Security in the Age of AI
    Email Security in the Age of AI

    Understand the role of AI in fortifying defenses against evolving threats.

    QR Code Phishing
    QR Code Phishing

    QR codes serve as a new bypass method to evade detection.

    The ABCs of MFA
    The ABCs of MFA

    MFA is your digital doorman that keeps the malicious actors at bay.

    Phishing Prevention
    Phishing Prevention

    Dive into our complete 13-chapter guide on phishing prevention best practices

    Spear Phishing Thumbnail
    Spear Phishing

    Understand the inner workings of highly specialized phishing tactics and how to stop them

    Voice Phishing
    Voice Phishing

    See how attackers leverage new methods and channels to defraud businesses

  • Partner
    BY TYPE
    • Resellers
      Resellers

      Elevate your business with exclusive reselling opportunities

    • MSPs / MSSPs
      MSPs / MSSPs

      Unlock powerful email security capabilities for your end clients

    • Technology Partners
      Technology Partners

      View our industry-leading technology partners

    ENGAGE
    • Become Partner
      Become Partner

      Apply to become an IRONSCALES partner today

    • Partner Portal
      Partner Portal

      Check out valuable tools and resources for partners

    Become a Partner

    Partner with IRONSCALES Today
  • Pricing
  • headset_icon user Get a Demo
headset_icon user Get a Demo

What is Smishing?

Smishing is a type of social engineering attack that uses text messages to trick individuals into divulging sensitive information. The text message often appears to be from a trusted source, such as a bank or another legitimate organization and may contain a link or phone number to call for more information.

Smishing Explained

Smishing is a type of social engineering scam that uses mobile texting rather than emails to deliver nefarious messages that dupe people into taking specific actions. The term is a combination of phishing and SMS, and its increasingly widespread use reflects a belief among cybercriminals that people are generally more likely to trust the contents of text messages over emails. Threat actors often text people directly using traditional SMS, but smishing also encompasses messages sent via apps like WhatsApp, Viber, or other messaging apps that require users’ phone numbers.

Industry reports and studies continue to highlight the growing prevalence of smishing attacks. One survey reported by Statista found that 74% of organizations and IT professionals experienced smishing attacks during 2021. This figure represented a 13% increase from the previous year.

How Do Smishing Attacks Work?

Smishing does not require a high degree of complexity for success when compared to other forms of social engineering such as whaling. Here is a brief run-through of how attacks typically happen:

A threat actor gets their hands on a list of genuine phone numbers

Cyber gangs try to compile lists of phone numbers using automated software by dialing many numbers in quick succession. Any number that answers or even rings out rather than going to a service provider message counts as a genuine number. These lists then get sold on dark web marketplaces to threat actors for use in smishing campaigns.

Another way that phone numbers proliferate is in today’s data-sharing economy. With many apps and online services requiring a phone number to sign up, this information can easily get into the wrong hands after a data breach. Once again, the dark web is the place where stolen phone numbers end up either freely available or for a fee.

Social engineering tactics help to craft convincing text messages

Whether a target falls for a smishing text depends largely on how convincing the content of the text message is. While there is more implicit trust in messages sent to personal phone numbers versus emails, texts containing obvious red flags will get ignored. Social engineering techniques include creating a sense of urgency that bypasses potential skepticism, leveraging trust in authoritative organizations and figures, or compelling people to act for personal gain.

Malicious links lead to desired actions

The vast majority of smishing messages contain malicious links. Often, professional URL shortening software helps to create links that look legitimate or that don’t raise any suspicions among targets. The victim opens the text, clicks the link, and then either discloses sensitive information or downloads malware. The hacker uses the disclosed information to commit fraud and profit or tries to take control of or monitor the victim’s device if malware is involved.

Types of Smishing Scams

Adversaries constantly innovate and refine the bait they use in smishing messages to lure unsuspecting individuals into clicking malicious links or disclosing information. However, there are common trends among scams that are worth watching out for.

False delivery notifications

A widespread type of smishing scam piggybacks off the explosive growth of eCommerce. Exploiting the fact that many individuals at any given time are awaiting the delivery of a parcel, large-scale smishing campaigns notify hundreds or thousands of users at a time about the progress of their deliveries. These messages purportedly come from courier or postal companies, but they typically contain malicious URLs pointing to false websites where victims disclose sensitive information under the pretense of verifying their details.

Messages from financial institutions

Messages claiming to be from financial institutions like credit card companies or banks demonstrate the malevolence of threat actors who run smishing scams. Most people feel a sense of urgency when notified about pressing matters of a financial nature, whether that means being locked out of a bank account, or a bill not being paid. Typically, these messages request victims’ card details or login information for online banking platforms.

Fake prize wins

Fake prize wins hark back to the early days of phishing when fraudulent email messages commonly informed users about unexpected lump sums or prize wins for competitions they didn’t enter. While such scams remain widespread in both phishing and smishing, they remain unlikely to bear fruit except perhaps when targeting elderly people or anyone else with heightened vulnerability to these scams.

Government messages

The onset of the COVID-19 pandemic coincided with a marked increase in smishing texts ostensibly from government services. Many such messages related to COVID attempted to leverage uncertainty and vulnerability among individuals during a time of widespread societal fear. Texts from government sources can try to persuade people into revealing sensitive details or even their bank account information. Other “sources” of such messages include tax departments or citizen services.

Account compromise scams

These scams are usually an attempt to get victims to disclose login credentials for important accounts. Spoofed sources could include banks, technology companies, utility companies, crypto exchanges, and more. The text message might ask the target to verify their password due to apparent suspicious activity on their account. A more sophisticated variation on this scam sees threat actors, who already have the victim’s username and password, trying to get them to disclose a one-time password sent to their phone as part of 2FA security protecting an account.

Employee focused

Some smishing messages target an organization’s employees with the aim of infiltrating a corporate network and stealing data or perhaps convincing the employee to wire funds to an account under their control. The social engineering tactics involved in these scams usually involve masquerading as a high-ranking official inside the organization, an IT helpdesk, a third-party supplier, or a service provider that controls access to an important business account.

Defending Against Smishing

Smishing impacts both individuals and organizations. Here are some tips to strengthen defenses from both a business and individual perspective:

Business defenses

  • Gauge smishing awareness among employees using surveys and incorporate smishing material in future training materials to compensate for any knowledge gaps and reduce the susceptibility to these fraudulent text messages.
  • Use the principle of least privilege access to ensure that even if an employee’s account gets compromised, your attack surface is minimized by restricting access levels to only what’s necessary for job functions and duties.
  • Use phishing simulation and training exercises to give employees practical opportunities at improving their ability to detect social engineering techniques common across various types of attacks.
  • If you have a BYOD policy that allows employees to connect their smartphones to your corporate network and apps, update the policy to include specific tips and guidance for employees in ensuring they don’t fall victim to text-based scams.

Individual defenses

  • A useful rule of thumb is to avoid clicking any links embedded in text messages.
  • Enable any two-factor or multi-factor authentication options available for your most important accounts, including banking, email, money exchanges, and eCommerce platforms.
  • Call your bank, retailer, or relevant government service directly to verify the authenticity of any text messages about suspicious activity, account lockouts, transactions, and appointments.
  • Avoid storing sensitive information on your phone, such as your credit card number or passwords for accounts because malware can enable device takeover, giving hackers free rein to easily find and use this information.

 

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.

Platform-tour-glossary-side-panel-square
Explore Our Platform Tour

Immediately jump into an interactive journey through our AI email security platform.
Begin Tour

Featured Content

AI in Email Security

This comprehensive Osterman Research study explores the evolving landscape of AI-driven threats and innovative solutions implemented to stay ahead.

Download Report

Gartner® Email Security Market Guide

This guide gives email security experts an exclusive access to Gartner® research to ensure their existing solution remains appropriate for the evolving landscape.

Get The Gartner Guide

Defending the Enterprise from BEC

Data shows organizations deploy defense-in-depth approaches ineffective at addressing BEC attacks. Discover truly effective strategies in this report.

Download Report
Schedule a Demo

Request a demo to see what IRONSCALES AI-powered email security can do for you.
Get a Demo