What is smishing? Attacks via fake SMS messages

Anton P. | July 22, 2021

Smishing is a copycat of phishing. However, instead of sending deceptive emails, fraudsters send misleading text messages. Sadly, smishing is not as well-known, and unfortunate victims’ stories rarely end up in the public eye. The lack of publicity and recognition hampers targets’ chances of noticing certain red flags. Thus, although users tend to be careful with incoming emails, they scrutinize text messages far less. Let’s discuss how dangerous smishing attacks can be and their common warning signs.


Smishing definition and common goals

Smishing attempts to defraud victims of their money, personal information, or other assets. It mirrors phishing in the sense that fraudsters manipulate victims with false promises, threats, and information. The purpose here is to mislead and defraud. Depending on the ploy, the end goal might differ. Typically, smishing attacks will go after:

  • Personal information. Fraudulent messages might urge targets to reveal their social security numbers or other details.
  • Financial credentials. Criminals might try to coerce their prey into sharing passwords or even temporary authentication tokens. After gaining access to victims’ bank accounts, these vile people will try to wipe them clean.
  • Infecting targets with malware. Some smishing texts might be brief and urge users to follow links for more information. In many cases, their destination will be a malicious site controlled by criminals. They might attempt to infect users’ devices with viruses or other malware.

How does smishing work?

Smishing exploits users and their instincts to take immediate action when faced with a problem or opportunity. Thus, this attack heavily relies on social engineering. As a result, pressure and psychological manipulation compel people to perform questionable, possibly even harmful, actions. The main tactical components include the following:

  • Pretending to be a reliable source. The message will make claims about who sent it. It might claim to originate from a bank, immigration services, tax accountants, or even family members.
  • Creating an urgent situation. Smishing attacks typically send messages that demand immediate attention. Fake bank representatives might claim they have detected suspicious activity on your account. In some common real-life situations, people receive notifications that appear to come from delivery companies. These might falsely report issues with their parcels or notify them of a changed delivery time. In all cases, the urgency pushes targets to perform specific actions as soon as possible.
  • Playing with targets’ emotions. Besides urgency, psychological manipulation is prominent in smishing attacks. The strongest driving force is fear of losing assets, money, data, or a golden opportunity. In other instances, fraudsters can work on a more personal level. They could pretend to be family members stuck in an emergency. Then, they might beg victims to send them money or help in other ways.

Besides a misleading but convincing message, fraudsters need two more components to initiate smishing attacks.

  • Potential victims’ phone numbers. Criminals can retrieve targets’ phone numbers in many ways. Web scraping, data breaches, and willingly revealed information are all possible sources.
  • Disposable or spoofed phone numbers. Fraudsters themselves will need a phone number that authorities won’t be able to trace. Thus, they typically spoof their numbers or use disposable “burner” devices. Email-to-text services are another channel they may use to send smishing messages.

Recent smishing attacks

Here are some examples of smishing incidents and notable statistics:

  • According to a Proofpoint study, smishing messages increased by 328% in North America. Typically, the fraudsters would imitate financial institutions, content providers, and technology companies.
  • Many companies now address the threat of smishing and include helpful guidelines for their clients. For instance, Netflix has a dedicated page on suspicious emails or texts. The company’s clients were previously targeted with the “Account Locked” scam. This particular message claimed that Netflix would terminate accounts due to declined payments.
  • In January 2021, PayPal users received fake text messages reporting suspicious activity on their accounts. The goal was to get victims to click on the link and provide their credentials on a fake website.
  • In May 2021, the Bank of Ireland reported a spike in fake text messages sent to its clients. The institution reassured clients that it never requires personal details via a text message. Thus, the bank encourages clients to be careful and report all suspicious activity.
  • In July 2021, the Maine Secretary of State warned users about a possible smishing scam. The fraudulent messages claimed to originate from the Secretary of State Drivers Licence Facility. Their goal was to get users to click on a link, allegedly for verification. The Maine Bureau of Motor Vehicles quickly explained that they do not contact people about their driver’s licenses via texts.

Common red flags of smishing

Certain warning signs might help you determine that a text message you have received is fake:

  1. The text message contains errors, wrong capitalization, or inaccurate information. Your bank is unlikely to send messages with faulty content.
  2. The message is not relevant to you. For instance, a package delivery company contacts you about a delayed parcel. However, you have not ordered anything but might click the malicious link out of curiosity.
  3. Claims in the message contradict how a specific service runs its procedures. As an example, consider your bank. Banks constantly remind their clients that they will never ask for confidential information via phone call or message.
  4. The message seems bizarre and out of place. A random text message might congratulate you on winning the lottery or a valuable prize. Typically, such claims are nothing but fraudulent.
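
The red flags above, together with the impersonation and urgency tactics described earlier, can be encoded as a simple triage check for incoming texts. This is an added example, not part of the original article; the brand allow-list, keyword rules, capitalization threshold and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of official domains per brand (illustrative, not exhaustive).
OFFICIAL_DOMAINS = {"netflix": {"netflix.com"}, "paypal": {"paypal.com"}}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
RULES = {  # keyword heuristics; the wording is an assumption, tune for your traffic
    "urgency": re.compile(r"\b(urgent|immediately|suspended|locked|final notice|act now)\b", re.I),
    "asks_for_secret": re.compile(r"\b(password|pin|ssn|social security|card number|verification code)\b", re.I),
    "prize_claim": re.compile(r"\b(you(?:'ve| have)? won|winner|lottery|prize|free gift)\b", re.I),
}

def link_hosts(text):
    """Return the lower-cased host of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if "://" in raw else "http://" + raw
        host = urlparse(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_official(host, domains):
    """True only for an exact match or a genuine subdomain of an official domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(text):
    """Return the sorted names of the red flags that the message triggers."""
    flags = {name for name, rx in RULES.items() if rx.search(text)}
    hosts = link_hosts(text)
    if hosts:
        flags.add("contains_link")  # unexpected links are never followed
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in text.lower() and any(not is_official(h, domains) for h in hosts):
            flags.add("brand_link_mismatch")  # names a brand, links elsewhere
    words = re.findall(r"[A-Za-z]{4,}", URL_RE.sub(" ", text))
    if words and sum(w.isupper() for w in words) / len(words) > 0.25:
        flags.add("odd_capitalization")
    return sorted(flags)

# Constructed sample messages (not taken from real incidents).
SAMPLES = [
    "NETFLIX: Your ACCOUNT is LOCKED due to declined payment. Update card number "
    "immediately: http://netflix.com.billing-update.example/login",
    "Your Netflix sign-in code request was received. Manage devices at https://www.netflix.com/account",
    "Congratulations! You won the lottery. Claim your prize at www.claim-reward.example",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(red_flags(sms), "<-", sms[:50])
```

The first sample shows why the host comparison matters: the link begins with the brand's real domain name, but the actual host is a different domain, so a substring check would pass it while the exact-or-subdomain test flags it.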

How to prevent and defend against smishing?

You might receive smishing messages for various reasons. For one, your phone number might leak together with other compromised personal information. In other cases, you might voluntarily keep your phone number visible on social media platforms. However, in some scenarios, the situation may be out of your control.

Luckily, you are in the driver’s seat when it comes to reacting to these smishing scams.

  • Never follow links or call phone numbers provided in unexpected SMS messages. Your immediate course of action should be to contact the institution that the text allegedly originated from. For instance, if fraudsters claim to be from Netflix, contact the company representatives via reliable contact information.
  • If you have clicked on the link, do not enter any personal information on the page it opens. The site likely belongs to the criminals, and they will receive these credentials. After that, they might drain your bank account or make unauthorized transactions.

Atlas VPN can also help in your journey to defend against smishing. Our app has a feature for blocking potentially dangerous websites. Thus, even if you click on the link provided, the tool may block access automatically. It is not a foolproof solution, since it only works if the website has already been flagged as suspicious. Nevertheless, it is additional protection that might halt some attempts to trick you.

Anton P.


Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.

