Smishing is a form of social engineering that uses mobile text messages rather than email to deliver fraudulent messages that trick recipients into taking a specific action. The term combines SMS and phishing, and its growing use reflects a belief among cybercriminals that people are generally more likely to trust a text message than an email. Threat actors often text targets directly over traditional SMS, but smishing also covers messages sent through WhatsApp, Viber, and other messaging apps that identify users by phone number.
Industry reports and studies continue to show smishing growing. One survey reported by Statista found that 74% of organizations and IT professionals experienced smishing attacks during 2021, up 13 percentage points from the previous year.
Compared with other forms of social engineering such as whaling, smishing needs little sophistication to succeed. A typical attack unfolds as follows:
Cyber gangs compile lists of live phone numbers with automated dialing software that calls large blocks of numbers in quick succession. Any number that answers, or even rings out rather than returning a carrier message, is recorded as genuine. These lists are then sold on dark web marketplaces to threat actors running smishing campaigns.
Phone numbers also leak through today's data-sharing economy. Because many apps and online services require a phone number at sign-up, that number can easily end up in the wrong hands after a data breach. Once again, the dark web is where stolen phone numbers end up, either freely available or for a fee.
Whether a target falls for a smishing text depends largely on how convincing its content is. Messages sent to a personal phone number enjoy more implicit trust than email, but texts with obvious red flags still get ignored. Common social engineering techniques include creating a sense of urgency that short-circuits skepticism, borrowing the authority of well-known organizations and figures, and offering the recipient some personal gain.
The vast majority of smishing messages carry a malicious link. Attackers often run the link through a legitimate URL-shortening service so that the destination domain is hidden and the link raises no suspicion. The victim opens the text, taps the link, and either enters sensitive information on a lookalike site or downloads malware. With stolen information, the attacker commits fraud for profit; with malware, they try to take control of or monitor the victim's device.
Adversaries constantly refine the bait they use to lure recipients into tapping malicious links or disclosing information, but some lures recur often enough to be worth recognizing.
One widespread lure piggybacks on the explosive growth of eCommerce. Because many people are awaiting a parcel at any given moment, large-scale campaigns notify hundreds or thousands of recipients at a time about the "progress" of a delivery. The messages purport to come from courier or postal companies and typically contain a URL pointing to a fake site where victims disclose sensitive information under the pretense of verifying their details.
Messages claiming to come from banks or credit card companies exploit the urgency most people feel about financial matters, whether that is being locked out of an account or an unpaid bill. These messages typically ask for card details or login credentials for an online banking platform.
Fake prize wins hark back to the early days of phishing, when fraudulent emails commonly announced unexpected lump sums or wins in competitions the recipient never entered. Such scams remain widespread in both phishing and smishing, but they rarely succeed except against elderly people or others especially vulnerable to them.
The onset of the COVID-19 pandemic coincided with a marked rise in smishing texts purporting to come from government services. Many COVID-themed messages exploited uncertainty and vulnerability at a time of widespread societal fear. Texts posing as government sources try to persuade recipients to reveal sensitive details or even bank account information; other impersonated "sources" include tax departments and citizen services.
These scams aim to harvest login credentials for important accounts. Spoofed senders include banks, technology companies, utility companies, crypto exchanges, and more, and the text typically asks the target to verify their password because of apparent suspicious activity on the account. A more sophisticated variation targets victims whose username and password the attacker already holds: the attacker attempts a login, which sends a one-time password to the victim's phone as part of the account's 2FA, and then texts the victim asking them to relay that code. Handing over the code lets the attacker complete the login.
Some smishing messages target an organization's employees, aiming to gain a foothold in the corporate network and steal data, or to convince the employee to wire funds to an attacker-controlled account. The pretexts usually involve impersonating a senior executive, the IT helpdesk, a third-party supplier, or a service provider that controls access to an important business account.
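As an added example, not part of the original article or of any IRONSCALES product, the following Python script turns the lure types described above into simple triage rules and runs them over a handful of constructed SMS texts: it extracts any link, flags public URL shorteners and look-alike domains that embed a brand name the brand does not own, and looks for urgency, prize, credential-verification and one-time-code solicitation wording. The shortener list, the brand-to-domain mapping, the keyword patterns and the weights are illustrative assumptions, and the script does not resolve shortened links, which would require a network request.

```python
import re
from urllib.parse import urlsplit

# Constructed sample texts for this example (not real captures).
SAMPLES = [
    "USPS: your parcel is on hold. Verify your delivery details within 24 hours "
    "at usps-tracking-verify.com/track?id=49117 or it will be returned.",
    "Chase Alert: your account has been locked due to suspicious activity. "
    "Confirm your identity: bit.ly/3xKqZ",
    "Congratulations! You've been selected as a winner of a $1000 gift card. "
    "Claim your prize at rb.gy/prz91",
    "Your one-time passcode is 482913. Reply with this code to confirm the "
    "login you just attempted.",
    "USPS: your package 9400100000000000000000 is out for delivery today. "
    "Track it at usps.com/track",
    "Reminder: your dental appointment is tomorrow at 10:30. Reply C to "
    "confirm or call 555-0100.",
]

# Public URL shorteners that hide a link's destination (assumption: illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Commonly impersonated brands and the registered domains they actually use
# (assumption: illustrative; maintain your own allowlist in production).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com"},
    "paypal": {"paypal.com"},
}

# Text lures matching the scam types discussed above. Weights are assumptions.
LURES = {
    "urgency": (1, re.compile(
        r"\b(?:immediately|within 24 hours|suspended|locked|final notice|act now|urgent)\b", re.I)),
    "prize": (2, re.compile(r"\b(?:won|winner|prize|claim your)\b", re.I)),
    "cred_request": (2, re.compile(
        r"\b(?:verify|confirm|update)\b.*\b(?:password|account|card|details|identity)\b", re.I)),
    # OTP relay: a one-time code is named AND the recipient is asked to hand it over.
    "otp_request": (4, re.compile(
        r"(?=.*\b(?:one[- ]time (?:pass)?code|verification code|otp|security code)\b)"
        r"(?=.*\b(?:reply|send|share|provide)\b)", re.I)),
}
LINK_WEIGHTS = {"shortener": 2, "lookalike_domain": 4, "brand_offdomain_link": 3}
THRESHOLD = 3

# Bare or schemed URLs as they appear in SMS text (simplified for the example).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def extract_hosts(text):
    """Return the lowercased hostname of every URL-looking token in the text."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit only parses a host when a scheme is present
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registered_domain(host):
    """Approximate the registrable domain as the last two labels
    (assumption: ignores multi-label public suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])


def analyze(text):
    """Score one SMS for smishing indicators and return score, indicators and verdict."""
    indicators, score = [], 0
    for name, (weight, pattern) in LURES.items():
        if pattern.search(text):
            indicators.append(name)
            score += weight
    mentioned = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)]
    for host in extract_hosts(text):
        reg = registered_domain(host)
        if reg in SHORTENERS:
            indicators.append(f"shortener:{host}")
            score += LINK_WEIGHTS["shortener"]
        for brand, legit in BRAND_DOMAINS.items():
            # Brand name embedded in a host the brand does not own, e.g. usps-tracking-verify.com
            if brand in host and reg not in legit:
                indicators.append(f"lookalike_domain:{host}")
                score += LINK_WEIGHTS["lookalike_domain"]
        for brand in mentioned:
            # Message names a brand but links somewhere that brand does not own
            if reg not in BRAND_DOMAINS[brand]:
                indicators.append(f"brand_offdomain_link:{brand}->{host}")
                score += LINK_WEIGHTS["brand_offdomain_link"]
    return {"score": score, "indicators": indicators,
            "verdict": "smishing" if score >= THRESHOLD else "benign"}


def triage(messages):
    """Analyze a batch of messages in order."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage(SAMPLES)):
        print(f"[{result['verdict']:8}] score={result['score']:2} {result['indicators']}  {msg[:48]}")
```

The two legitimate samples (a real USPS tracking text and an appointment reminder) score zero because the link, where there is one, resolves to a domain on the brand's allowlist and no solicitation wording appears; the OTP-relay sample is caught on wording alone, since that lure carries no link at all. In practice the keyword lists need tuning per language and the brand allowlist per organization, and a shortened link should be expanded with a HEAD request in a sandboxed environment before the destination is judged.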
Smishing affects both individuals and organizations. Here are some tips to strengthen defenses from both a business and an individual perspective: