SmishingNot Even Your Phone Is Safe from Fraudsters!

July 5, 2023 | 11 min read

This image was created by artificial intelligence using the following prompts:

Someone getting a fraudulent text on their cell phone, pops of red and teal. (added text bubble)


In a Nutshell

Smartphones have become an integral part of people's lives, and fraudsters see that as an opportunity. A relatively new technique on the scene is smishing: using fake SMS text messages to steal personal data from individuals and businesses. This post examines what smishing is, as well as some ways to prevent it, and tricks to identify it before you become a victim.

How You Can Identify & Prevent “Smishing,” or SMS Text Scams

Picture this: an email appears in your inbox at work. It’s from your boss; apparently, a vendor — one you know the company uses — is saying you must pay for a shipment now, or a crucial order will be canceled. Your “boss” instructs you to forward him the details for one of your company’s accounts to make the payment.

You don’t panic, though, because you’ve already learned to recognize the red flags of phishing.

This is a common trick that fraudsters use to get you to download malicious software, send money, or disclose sensitive information. Luckily, you’re smart enough to know not to take the bait.

However, what if you received the message as a text sent to your phone, rather than an email? Would you respond the same way?

So-called “smishing” attacks can be just as dangerous as email phishing. From the fraudster’s perspective, though, it can be a much more effective technique, as most targets don’t know how to respond.

What is Smishing?


[noun]/s • miSH • əng/

Smishing is the fraudulent practice of using fake text messages in an attempt to steal confidential information, such as passwords or credit card numbers.

Smishing is a portmanteau of “SMS” and “phishing.” As the name implies, it’s a kind of phishing attack, but instead of targeting victims through emails or websites, smishing relies on mobile (SMS) text messaging. It’s just one more way for fraudsters to turn technology against both consumers and businesses. 

Some smishing messages are obviously scams. For example, imagine that a person you’ve never met, and who has no connection to you, sends you a text asking for a “favor.” The favor involves restricted personal or company information such as credit card numbers. It’s an obvious scam, and few people would fall for that.

Other fraudsters are sneakier. The sender is realistic; for instance, they’re posing as a coworker, a manager from another department, or a friend of a friend. The request feels legitimate, as well; the sender’s message is in the voice of the person they’re impersonating. If it’s worded carefully, the message may convince you that it’s authentic.


Vishing is another, similar scam to watch for. It has the same end goal as smishing (to trick the victim into giving over sensitive data). However, vishing uses phone calls and voice messaging instead of SMS texts.

In most cases, smishers are after confidential information. For example:

  • Credit card or online account credentials
  • Banking or other financial info
  • Work login passwords and usernames
  • Internal business directories
  • Social Security numbers
  • ZIP codes
  • Customer or vendor lists

Yes; even something like a vendor list would allow them to target specific individuals in the company, like the CEO or CFO.

How Do Smishing Attacks Work?

Smishing attempts can come from standard messaging apps, non-SMS messaging like WhatsApp, or even through social media messaging. Attacks targeting businesses can, in some cases, use a company directory to make the messages seem more legitimate.

There are myriad scams that smishers can use to manipulate victims into taking a desired action. The most popular tricks we’re seeing currently include:

  • Free Covid testing (or stimulus money)
  • Overdrawn accounts or past-due payment warnings
  • Getting paid for answering surveys
  • Receiving gifts or rewards
  • Compromised account warnings
  • Order or delivery confirmations
  • Phony apps update
  • Notice of attempted delivery
  • Friend, family, or colleague's emergency

As for the action in question, smishers tend to follow one of three strategies when they attack:

The message has a link that leads to a bogus website; this dummy site will often be designed to mimic the site of a well-known brand. The sender makes an innocuous-sounding request that requires following the link and providing sensitive personal information.

Malware Installation

This tactic also requires the recipient to click a URL link. In this case, though, it downloads and installs malware to the user’s phone. Again, the goal is to trick the victim into entering confidential information.

Personal Messages

The first two tactics are commonly used for both phishing and smishing. The personal message scam works best on mobile devices, though, for the simple reason that we expect personal messages on our phones. If it appears to have come from someone we know (like a friend or colleague), or an institution we trust (like a bank), it seems logical to follow the message’s instructions.

This may be a link to a site or malware, as we saw above. It could also be a request for account information to “confirm” a transaction. When businesses are targeted, it may seem like a simple request that reveals company data.


While they’re certainly a threat to individuals, the majority of smishing attacks currently seem to be targeted at businesses. That makes complete sense: corporate credit cards or bank accounts are typically going to be more profitable than a single person’s.

How Smishing Impacts Businesses

Smishing can be a real nightmare for businesses.

Instead of targeting random individuals, hackers target employees of a specific business, then try to trick those employees into giving away sensitive information. The scams are simple: a cybercriminal may pose as a company executive asking for an account number, or telling an employee to pay an invoice from their own account. If this sort of attack is successful, it can have a major, long-lasting impact on the business’ reputation and financial future. You could see:

  • Business disruption
  • Loss of customer confidence (especially in cases of data breach)
  • Loss of company value/investors
  • Reputational damage with vendors, banks, etc
  • Potential fines and fees (in cases that involve theft of customer data)
  • Loss of intellectual property, research findings, trade secrets, or proprietary designs.
Smishing, vishing, and phishing are all real and growing threats, but even combined, they barely scratch the surface of fraud risks. To survive, you need a strong strategy and a solid partner.REQUEST A DEMO

How Big of a Problem is Smishing?

Smishing already poses a huge threat, but that threat is growing as people spend more time communicating on their devices. In some cases, it may even work better than conventional phishing. This is true for a variety of reasons:

Smishing Opportunity: With an estimated 280 million active cell phones in the US alone, anyone could be a potential victim.
Smishing Texts are Shorter: Texts are generally quick and easy to read. This works to the sender’s advantage, since a lack of information can drive curiosity, or lead a victim to act without thinking fully.
Smishing It’s Easy: in the US, Phone numbers all follow the same pattern: (123) 456-7890. A simple calculator can easily produce every possible combination to use with an automated texting
Smishing Texts Get Read: Check your email. How many messages are waiting on a response? Or worse, haven’t even been read? Compare that to your texts, and you can start to see the benefit.
Smishing We’re Distracted: If we’re otherwise engaged when we receive a text – and we usually are – we may respond without thinking.
Smishing Social Media: Social media accounts are often connected to phone numbers, corporate accounts, and more. This can make it easier to make a message sound convincing.

Red Flags of Smishing

One of the most important steps in smishing protection is to recognize some of the warning signs. For businesses, this means making sure your staff is aware of some of the triggers.

Obviously, none of these conclusively prove that a message is fraudulent. But, when taken together, they might be cause for closer examination:

Suspicious Sources

Legitimate companies and established businesses typically text using a shortcode; a five or six-digit number that doesn’t designate where the call is from. Regular numbers or unknown caller IDs point to a smishing attempt.

The goal of most smishing is to get the victim to click a link to a facsimile website. So, as a rule, it’s best to never follow unsolicited text links. Even if a text seems legitimate, you’re better off contacting the alleged company via phone or email.

Extreme Urgency

Smishers want you to believe that immediate action is required. They’ll often claim that, without an immediate response, your account will be closed or legal action will be taken against you. Stop for a moment and consider if the immediacy makes sense.

Spelling/Grammatical Errors

Multiple spelling errors could indicate a non-professional source. Awkward sentence structure may mean English is a second language for the sender; since a good share of fraud originates from outside the US, this should be a red flag.

Asking for Private Information

No legitimate, professional institution will require usernames, passwords, financial details, transaction amounts, or internal company information being sent via text or SMS.

Emotional Messages

Smishing masters will often try to play on people’s emotions with bogus stories of a family member’s plight. They may claim to be calling from prison or a hospital with a realistic-sounding story to make a request for money.

Unexpected Prize or Gift Offers

“Random giveaways” are clear warning signs of possible smishing activity. Fraudsters often offer some benefit or reward; gift cards, for example. They only need a credit card number for shipping or handling.

How to Defend Against Smishing Attacks

So, what should you do if you receive a strange text message, and suspect it may be a smishing attempt? Here are a few recommendations:

  • Respond Visa Official Channels: If you have any doubts at all about a text’s legitimacy, contact the alleged sender directly using official channels.
  • Don’t Engage: Any prompt to reply, even something as simple as texting “STOP” to unsubscribe, can be a trick to identify active phone numbers.
  • Check the Phone Number: Does the sender’s number seem legitimate? Scammers have an entire range of tactics to mask their phone numbers.
  • Slow down: Stop and consider urgent account updates and limited-time offers. Is it really important to act in that moment? Does the threat make sense?

The threat from smishing continues to grow, and that probably won’t change. But, there is no better tool to use against smishing than education. You need to teaching yourself, as well as your employees, to identify, report, and negate smishing threats.

Of course, there’s a lot more to fraud prevention than identifying smishing attacks. True fraud prevention and risk mitigation require a more comprehensive approach. If you’d like to know more, contact Chargebacks911® today.


What is smishing vs. phishing?

While both are electronic attacks that aim to steal personal (or company) information, phishing often does so through emails and links. Smishing uses text messages or popular messaging apps, specifically.

What is an example of smishing?

In one common type of smishing, the victim will receive a vague text claiming a package could not be delivered, along with a link to respond. Clicking the link downloads malware on the victim’s phone, or may lead to a bogus site requesting personal information in order to “confirm” delivery information.

What happens if you click on a smishing text?

Clicking on a smisher’s link may take the victim to a fake website and attempt to gain their personal details. It could also infect the victim’s mobile device with malware designed to steal personal or financial information stored on the device. This type of software can continue to send messages back to the fraudster until it is discovered.

What are the red flags for smishing?

A few of the warning signs of smishing include: claiming to be from a legitimate source but requesting personal information; the presence of suspicious URLs; demands for an immediate response; emotional requests for money or information; offers for unexpected prizes or rewards.

Can hackers get into your phone by text messages?

Yes. Hackers can exploit vulnerabilities in both iOS and Android operating systems to gain unauthorized access to stored personal information on your phone. That said, current techniques require the victim to actively click a link or call-through number.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form