What Is Smishing (SMS Phishing)?

How Do Smishing Attacks Work?

Like all forms of phishing, successful smishing attacks do two things: gain a victim’s trust, and then exploit it to defraud them of private information or money. So, how do scammers do it?

First, let’s look at attack vectors. Smishing, also called SMS phishing, doesn’t have to be done through a Short Message Service text message, or even necessarily on a mobile device. It can also appear in messaging apps, forums, or social media platforms, such as Facebook, X (Twitter), or Reddit.

Senders often pose as entities their victims “know” in some way—financial institutions, retailers, work superiors, and civil service agencies are all common examples. This gets victims to let their guard down, so they don’t think critically about what the attackers are asking them to do.

Effective smishing messages convince victims to take immediate action. Usually, they present the victim with a negative outcome to avoid (account closure, a fee, disciplinary action, etc.) or a positive one to claim (a reward, a delivery, etc.). In either case, the message requests something, such as privileged information or a payment. If the ruse succeeds, the attacker makes off with their prize.

Recently, prepackaged “phishing kits” and generative AI tools have made it easier for threat actors to quickly launch attacks.

Why Do Attackers Run Smishing Scams?

Most smishing, like other phishing scams, is financially motivated. Cybercriminals may go directly after financial information to steal victims’ money, or they may pursue information to sell on the black market, such as valuable personal data or corporate intellectual property. Less commonly, some smishing campaigns try to trick victims into downloading malware.

Smishing attacks also benefit from a general lack of training, education, and awareness among targets, especially relative to email-based phishing. Beyond that, far fewer security solutions are designed to detect or block smishing spam. To top it off, many voice over IP (VoIP) services make it extremely easy to abuse caller ID to display specific numbers or names.

It’s also easy to cast a wide net with smishing, which makes it a strong bet for would-be cyberthreat actors. With more than 4.6 billion smartphone users in 2023 and projections over 5 billion by 2027 (Statista), there are effectively unlimited potential victims.

Types of Smishing Attacks

One reason smishing and other types of phishing attacks are so insidious is that there are many ways to frame a smishing attack. Let’s look at some of smishers’ common approaches and frameworks.

• Prize and package scams exploit victims’ excitement about something they’re made to believe they’ve won (a gift card, lottery money, etc.) or an item waiting to be delivered. Attackers often impersonate a major retail or package delivery firm—such as Amazon, Costco, FedEx, or UPS—and request an address correction, credit card information, a shipping fee, or similar. Typically, they direct victims to a malicious link designed to help steal that information.
• Banking and financial scams prey on financial sensitivity to provoke strong, quick reactions. Attackers will pose as a banking firm—or, to amplify the element of fear, an organization such as the IRS—and inform the victim of a bank account issue, pending refund, overdue payment, investigation, or something similar as a pretense for stealing login credentials, Social Security numbers, credit card numbers, or other banking information.
• Investment scams like the popular “pig butchering” scheme manipulate victims (the “pigs”) into investing in cryptocurrency, often promising high returns. Scammers urge victims to create accounts on fake crypto or financial trading platforms, often initially delivering returns to foster a false sense of legitimacy. Once the scammer gains unauthorized access to the victim’s account, they carry out fraudulent transactions, “butchering” the account of all funds.
• Account verification and password scams bait victims into compromising their accounts—often, paradoxically, by making them think their accounts have been compromised. This can go hand in hand with URL spoofing to create convincing fake login portals. In some complex account theft attacks, hackers may request the answers to security questions or multifactor authentication (MFA) codes, enabling them to bypass additional cybersecurity measures.
• Opportunistic and topical scams take advantage of victims’ fears, hopes, or sense of social responsibility around current events or trends to defraud them of money and/or personal details. Common examples over the last several years include COVID-19 vaccine appointment fraud; fake charities related to wars and natural disasters; economic scams related to student loans, taxes, stimulus payments, and job opportunities; and more.

Examples of Smishing Scams

Now, let’s look at a few examples of real smishing attempts, as well as some of the red flags in these attacks that can help you identify them as cyberattacks.

Example 1: USPS Package Smishing

This message is full of red flags that make it easy to identify as smishing. Note the lack of specific details, such as a name or a “warehouse” location, the odd spacing, and the strange “7cng.vip” string in the URL provided. 

Furthermore, according to the United States Postal Inspection Service: “USPS will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and it will NOT contain a link.”

Example 2: Costco Survey Smishing

This smishing text is a little more difficult to identify, but still has plenty of telltale signs. First, Costco Wholesale Corporation doesn’t refer to itself as “CostcoUSA.” Like the fake USPS message, the wording is a little stilted and artificial. The most telling sign of smishing is the URL, as legitimate Costco communications always come from a Costco domain.

Smishers can be extremely clever, but if you know what to look for, there are often subtle and not-so-subtle ways to spot their attempts.

How to Defend Against Smishing Attacks

Smishing is difficult to avoid altogether, but fortunately, there are a lot of effective ways to defend yourself against it before it can do any harm:

• Just ignore it: If you receive a smishing message, all you really have to do is nothing. Once you’ve determined a message you’ve received is not legitimate, you can simply delete it with no further consequences. Smishing doesn’t work if the victim doesn’t take the bait.
• Think critically: One of the best ways to identify a smishing attempt is to stop and think—exactly what attackers are counting on victims not to do. If you receive a suspicious text message, step back and consider the circumstances. Were you expecting to hear from the supposed sender? Did the sender clearly identify themselves? Is the request reasonable?
• Look for red flags: Scrutinize the details. Did the message come from a phone number suspiciously similar to yours? If so, that could indicate “neighbor spoofing.” Does it contain email addresses or links? Make sure they match up with the real contact info or official channels you expect from the sender. Are there vague details or mistakes? Most legitimate business messages are checked carefully for errors.
• Verify first: If you still aren’t sure a message is legitimate or not, you can verify with the sender separately by going through an official channel. For example, you can look up a customer service number or chat with a representative on your bank’s website.
• Block and/or report it: You can reduce your own risk as well as lower the likelihood of others being smished by blocking and reporting smishing attempts. Most private messaging apps as well as the Apple iOS and Android operating systems have built-in blocking and reporting functions that will also help flag suspicious messages when other users receive them.

What to Do If You’re the Victim of Smishing

If you realize, or even strongly suspect, that you’ve become the victim of smishing, you can still act to limit the damage from a successful attack.

1. Report the attack to applicable authorities. Most banks have robust fraud management frameworks in place, and they may even be able to help you recover lost funds. In the case of more serious fraud or identity theft, you may consider filing a police report or contacting a government agency such as the Federal Bureau of Investigation (FBI) or Federal Trade Commission (FTC).
2. Update compromised credentials. If an attacker has your account details, there’s no telling when they’ll use them. Change affected passwords, PINs, and the like immediately. If you receive a legitimate email confirming a password change you didn’t request, reach out to the sender right away.
3. Keep an eye out for malicious activity. Once you’ve done the above, watch for indications of further compromises in the affected areas. You can request fraud alerts to be placed on many accounts to help identify suspicious activity.

Zscaler Smishing Attack Protection

Because it relies on exploiting human nature to succeed, user compromise is one of the most difficult security challenges to overcome. To detect active breaches and minimize the damage successful breaches can cause, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.

The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data loss, protects against smishing attacks and other cyberthreats by:

• Preventing compromise: Features like full TLS/SSL inspection, browser isolation, URL filtering and phishing site detection (including links in SMS and on mobile devices), policy-driven access control, and real-time threat intelligence protect users from malicious websites.
• Eliminating lateral movement: Once in your network, attackers can spread, causing even more damage. With the Zero Trust Exchange, users connect directly to apps, not your network, limiting the blast radius of an attack. Deception decoys help mislead attackers and detect lateral movement. 
• Stopping insider threats: Our cloud proxy architecture stops private app exploit attempts with full inline inspection and detects even the most sophisticated attack techniques with advanced deception tactics.
• Stopping data loss: The Zero Trust Exchange inspects data in motion and at rest to prevent potential data theft from an active attacker.