Skip Navigation

October 12, 2023 |

Smishing 101: Detecting and preventing SMS phishing attacks

Last updated: January 19, 2024

Loading table of contents...

As technology advances, so do the tactics behind cyberattacks. You may have heard of or even experienced phishing emails—a type of scam that targets recipients by sending them an email that appears to be from a trusted source, but it is typically just the start of a cyberattack.

So, while more legitimate businesses turn to text messaging as part of their outreach or marketing strategies, threat actors have added SMS to their strategies too. They've taken traditional phishing a step further by sending fraudulent texts to obtain personal or private information. This new threat is called "smishing."

It's important that you and your company are prepared to identify and defend against all types of cyber threats. In this blog, we will define smishing, explore common examples, offer tips for spotting smishing attacks, and more.

What is smishing?

In smishing, cybercriminals pretend to be legitimate businesses, government departments, or an individual you'd recognize. They'll ask you to send personal information or click on a link within that text message.

If you've received this type of scam message, you are not alone. The Truecaller Insights US Spam & Scam Report found that survey respondents received, on average, nearly 17 spam text messages per month. Although smishing is on the rise, only a small portion of the population is aware of smishing—less than 35%, in fact. 

Yet, in August of 2023, the Department of Health and Human Services (HHS) announced a formal warning for smishing and its particular threat throughout the healthcare industry. Healthcare isn't the only targeted sector, though. Smishing attacks are happening in various industries nationwide, and small-to-mid-sized businesses are also at risk. 

Types of smishing attacks 

Smishing is particularly dangerous as research shows that users are more likely to click a link or trust information in an SMS text message rather than an email. According to Constant Contact, emails have an average click rate of only 1.33%, while Klaviyo reports that SMS click-through rates are around 8.9% to 14.5%

Plus, the increasing number of employees using their personal phones for work-related tasks (or work phones for personal use) blurs the line between business and leisure, further heightening the risk of smishing attacks. 

Here are some common examples of smishing messages that you and your employees should be on the lookout for.

Pretending to be a financial institution

Hackers will sometimes pose as a bank and send texts to various numbers, alerting the recipient to a problem with their account. If the victim clicks on the link in the message, it will take them to a fake website or app where they are asked to surrender information—often their banking credentials.

Keep in mind that banks or financial institutions may sometimes send you text messages, but only if you've already opted in to that service. That said, numerous banks have released statements about this exact scam, confirming once and for all that they will never ask you for personal or account information.

Pretending to be a government agency 

Scammers are going as far as pretending to be revenue agencies, law enforcement, or other government bodies to trick victims into sharing information or clicking links. These smishing messages will falsely alert the victim that they're entitled to a government benefit and need to claim it, for example, or that they owe some sort of fine. 

Since COVID-19, the American Internal Revenue Service (IRS) has reported a significant increase in smishing attacks. People have received messages including false information about tax credits, COVID-19 relief, or help logging into an IRS account.

The IRS warned taxpayers that these messages should always raise a red flag for recipients, as the IRS does not send emails or text messages asking for personal or financial information or account numbers.

Pretending to be customer support or a shipper

Smishing criminals will also target victims with fake customer service messages from popular and trusted businesses like Netflix, Amazon, and more. These messages claim there is a problem with the customer's account or say there is an unclaimed reward or benefit, prompting the recipient to share personal account information. 

Another common trick is pretending to be customer support from well-known shipping services like Amazon, UPS, or FedEx. The hacker will sometimes say there was a problem completing your delivery, with a link to an illegitimate website where you can pay a fee to resolve the issue.

Protect yourself and your business

Thankfully, there are many simple steps you can take to protect yourself, your devices, and your business from smishing scams.

Be aware

The first step in preventing and identifying smishing attacks is simply being more aware of them. Now that you know what smishing is and have some ideas of how these attacks present themselves, it's time to work with your team to ensure they have the same knowledge. 

Banks, agencies, and businesses may send out text messages on occasion, particularly for general updates or notifications. But a good rule of thumb is that if any text message from an unknown number asks for personal information or further action on your behalf, it could potentially be smishing.

Be proactive 

Like ongoing awareness, proactivity is key to preparing your business to fight against smishing and other cybersecurity attacks. That's why stepping up your cybersecurity training for employees is key.

That said, be sure the training is up to date and includes more modern cyberattacks like smishing.

In addition to training, one of the best ways to be proactive against smishing and other cyberattacks is by taking advantage of a sophisticated threat detection and response solution. By identifying and stopping malicious or suspicious activity in real-time, you can respond to threats before they become a major problem for your business.

Be suspicious

Staying suspicious is key to identifying cyber threats like smishing. If you receive a text from an unknown number claiming to be a business, you can reach out to that business through alternate means, like their customer service email or support line, to check the validity of the text.

Or, say you receive a message with a link from a number claiming to be your bank. You can log in to your legitimate banking mobile app, if available and downloaded, to check for any notifications instead of clicking the link in the text.

It's best practice to avoid the urge to click on links altogether. Cybercriminals know how to tempt users by making their messages enticing. 

Put your defense in trusted hands

While awareness, proactivity, and employee mindfulness all play a large role in avoiding an attack, you never want to put all of your eggs in one basket. Especially when it comes to cybersecurity.

A cybersecurity solution that detects and responds to malicious and suspicious behavior creates a layered approach to security essential for a strong, resilient defense.

If you want to hear more about solutions that can be a one-stop-shop for cybersecurity attack prevention and risk reduction, click here to learn more about Covalence today.