What is Smishing?
A Complete Guide

Malicious actors are using Smishing techniques to disguise themselves as reputable companies.

Smishing is a type of phishing cybercrime where mobile text messages are used as bait. Also called SMS phishing, hackers use mobile SMS to disguise themselves as reputable companies, then trick the user into sharing personal information like passwords and credit card numbers.

By Cian Fitzpatrick | May 29, 2023

Smishing is similar to phishing, with the only difference being that smishing uses mobile phone SMS and phishing uses email attachments. Cybercriminals deceive the targeted victim by sending an attractive text. The compelling message tempts the victim to click the link sent by the scammer. That link either exposes private information from the target’s smartphone or installs malicious software on the victim’s phone.

How does Smishing Work?

Cybercriminals send a mobile text message in the name of someone credible about a lucrative offer. The compelling message realistically impersonates a reputable organisation and lures the victim to comply and follow the hacker’s instructions.

The hackers send you a malicious link as part of the process. Once the content behind the link is downloaded to the user’s phone, it collects the user’s personal information, like passwords and credit card numbers.

Sometimes, the link is also used for ransomware attempts. Once the hackers get access to your phone, they might hold the confidential information inside that phone as ransom.

Types of Smishing Attacks

Smishing attacks come in different, misleading forms. These targeted attacks aim to trick users into believing that the SMS text is sent from a reliable source. The decoy sounds realistic and tempting for normal users, luring them into the trap. Below are a few examples of the most recurring smishing attacks:

COVID-19 Smishing

Hackers use smishing techniques to catch users off guard and in their most vulnerable situations. COVID-19 smishing occurred during the desperate coronavirus outbreak of 2019. The pandemic created a chaotic environment for everyone, and the concerned health or government authorities were desperate to pass and receive communications. The environment was so distressing that people followed any instructions that seemed logical and valid.

Hackers used the vulnerable situation and sent SMS messages in the names of government health officials, asking to download links for surveys or breaking news.

Gift Smishing

Gift smishing is yet another prominent smishing trick. It comes in the form of free offers of services or products from popular stores or trusted companies. These offers could be in the form of contest prizes, shopping rewards, or other attractive giveaways. Hackers take advantage of the idea of getting something for free to make you act quickly without thinking. They might create a sense of urgency by giving you a limited response time or claiming that you’ve been specially chosen for a free gift card.

Financial Services Smishing

Smishing scams also involve sending fake messages resembling notifications from banks or financial institutions. These messages deceive people using banking and credit card services, whether generic or targeted to a specific institution. These smishing attacks frequently include scams related to loans and investments. The attackers pose as a bank or financial institution to gain trust but aim to commit financial fraud. Warning signs of a smishing scam in the financial services category include urgent requests to unlock your account or verify suspicious account activity.

Customer Support Smishing

A support-based smishing scam includes receiving messages about billing problems, difficulties accessing your account, unusual activity on your account, or promises to address a recent customer complaint. The scammers impersonate helpful representatives from reputable companies like Apple, Google, or Amazon and claim an issue with your account. They provide instructions to resolve it, which are as simple as clicking on a fake login page or as complex as providing a genuine account recovery code to reset your password.

Invoice and Order Confirmation Smishing

Confirmation smishing scams users with fake confirmations for a recent purchase or bill related to a service. The scammers might send a link to make you curious or anxious about potential charges, pushing you to act quickly.

Statistics on the Number of People Affected by Smishing Attacks

  • Consumer Reports states that the FTC logged 378,119 complaints in 2021 related to fraudulent activities through unwanted text messages, including smishing attempts. This represents a higher number than the 332,000 complaints received in 2020, indicating increased unwanted texts and smishing incidents.


  • According to a CNET report in 2020, Smishing made up a significant portion of reported fraud cases, representing 21% of all instances.


  • According to KCRA, in 2021, out of the total 87.8 billion scam texts sent, more than 5.6 billion were spam texts that falsely claimed to offer free COVID-19 tests.


  • According to Robokiller’s 2022 Insights & Analysis, cybercriminals who engaged in smishing successfully stole an alarming $20.6 billion (USD) from Americans in 2022. This amount reflects a substantial 105% increase compared to the $10 billion reported in the previous year, underscoring the growing magnitude of the issue.


  • OpSec Security reports that in 2020, smishing scams led to Americans losing more than $50 million (USD), as stated by the FBI. Moreover, there was a remarkable 700% surge in the number of scam text messages reported to authorities during the first half of 2021.


  • According to the Office for National Statistics (ONS), adults between the ages of 25 and 44 are the most susceptible to receiving Smishing.


  • AARP highlights that smishing fraud plays a significant role in its impact on mental health. Individuals targeted by any type of fraud often face various mental health difficulties. Specifically, victims of smishing schemes commonly encounter negative emotions, sleep disorders, post-traumatic stress disorder (PTSD), and depression, underscoring the expected consequences of such incidents.


  • A study conducted in 2022 and reported on arXiv found that women between the ages of 18 and 25 are particularly susceptible to smishing attempts. The research highlights that susceptibility to spam texts is more influenced by age than gender, with the highest vulnerability observed in the 18–25 age group. Specifically, among females, the susceptibility rate is 11.38% higher, while within the 18–24 age group, the figure is 4.17%.

Some Popular Examples of Smishing Attacks

  • Twilio, a major communications tool provider catering to over 250,000 corporate clients such as Facebook and the American Red Cross, faced a significant system breach. The breach occurred when unidentified individuals inundated Twilio employees with fraudulent password reset requests via text messages. This security incident compromised the integrity of Twilio’s systems and raised concerns regarding the company’s capacity to safeguard its customers’ data.


  • In 2020, the Australian Cyber Security Centre was confronted with a major task as it grappled with a sudden influx of smishing text messages. These messages specifically targeted individuals by offering misleading instructions related to COVID-19 testing. The senders cleverly disguised themselves as “GOV” to appear trustworthy. The recipients found a link inside the messages that supposedly led to a website containing relevant information. Unfortunately, the website contained malicious software that infected the recipients’ devices instead of genuine details. The Cyber Security Centre had to respond swiftly to combat this wave of smishing attacks, working diligently to minimise the potential risks to people’s cybersecurity and privacy.


  • In the United States, an alarming number of almost 60 million Americans were targeted by text and phone scams in 2020, leading to a staggering collective loss of around $30 billion. These scams involved fraudsters using deceitful strategies, such as pretending to be providers of free COVID-19 testing kits, offering help with paperwork for stimulus packages and unemployment benefits, and even masquerading as charitable organisations seeking donations to assist those affected by the pandemic. Exploiting people’s vulnerability during a difficult period, these fraudulent activities resulted in significant financial hardships for numerous individuals.


  • Teige Gallagher, a 21-year-old individual, faced legal consequences in May 2021 for his participation in an opportunistic scheme aimed at generating quick wealth. Gallagher’s activities included posing as an NHS employee and exploiting unsuspecting individuals by enticing them to register for a fake vaccination programme. Once lured into the scheme, victims fell prey to Gallagher’s manipulation as he syphoned funds from their bank accounts. Gallagher’s devious tactics extended to creating web pages that closely resembled the authentic GOV.UK website. Through these deceptive platforms, he coerced victims into divulging sensitive personal details, such as their full names, addresses, bank account information, and credit card numbers. To heighten the ruse, the fraudulent website falsely claimed that this information was required to confirm eligibility for receiving the COVID-19 vaccine. As a result of his actions, Gallagher received a prison sentence lasting four years and three months.


  • In March 2019, the CEO of a UK energy provider had an unnerving experience when he received a phone call that eerily replicated the voice of his boss. Despite thorough investigations, the police were unable to pinpoint any suspects and eventually closed the case. The caller successfully posed as the chief executive of the company’s parent company in Germany, persuading the CEO to transfer a substantial amount of €220,000 ($243,000) to a purported “Hungarian supplier.” The imposter’s deception was remarkably convincing, as they even adopted a slight German accent that mirrored the CEO’s actual boss. Trusting the call’s authenticity, the CEO complied and transferred the funds to the scammer’s account, unknowingly becoming a victim of the ruse. Later, the fraudster attempted another call, this time impersonating the parent company’s CEO and claiming that a reimbursement had been sent to the UK company. They requested a second transfer. However, the CEO grew suspicious when no one at the company knew about any reimbursement, coupled with the call originating from an Austrian phone number. Recognising the warning signs, the CEO promptly reported the call to the relevant authorities.

How does Smishing Spread?

Smishing messages are usually spread in two ways: traditional SMS and web-based messaging apps. Users often place a high level of trust in text messages, which gives them a false sense of security. This makes it considerably easier for attackers to execute smishing attacks. Android devices hold most of the market share, making them a prime target for such attacks. However, although iOS devices enjoy a strong reputation for security, iOS users are not immune to phishing-style attacks, so they cannot be assumed safe from smishing. Since smartphones enable multitasking, users frequently fall prey to smishing attacks when they carelessly click on links.

Smishing Vs Phishing: What's the difference?

Phishing and smishing are identical in almost all areas, with the major difference being that phishing is a fraudulent attempt via emails, while smishing is done through mobile phone messages. Phishing is a common form of fraud where scammers trick people by using a fake email address that looks real. They include a link that asks for personal information like your full name, social security number, and credit card number. Smishing is similar, but scammers use text messages or popular messaging apps like Slack to target unsuspecting individuals instead of email.

How to Protect Yourself Against Smishing Attacks?

Ignoring a mobile text you are not fully sure of is one simple technique that can prevent smishing. But in the era of mobile phones, verifying the sender every time is not always practical. On top of that, cybercriminals constantly try newer tricks to catch your attention and get you to click.

Keeping in mind the following important factors can help you protect yourself from smishing attacks:

  • Only respond to mobile texts if you are confident they are legitimate.
  • Stay alert for new tricks employed by cybercriminals to catch your attention and prompt you to click.
  • Be cautious when asked to reply to messages, such as by texting “STOP” to unsubscribe, as it might be a tactic to confirm active phone numbers.
  • Take your time when dealing with urgent messages and treat them as potential signs of smishing. Approach them sceptically and proceed with caution.
  • If you have any doubts about a message, directly contact your bank or merchant. Legitimate institutions do not request updates or login information through text messages.
  • Verify any urgent notices by accessing your online accounts or contacting the official helpline.
  • Exercise caution when using links or contact information provided in suspicious messages. Whenever possible, use official contact channels.
  • Pay attention to unusual phone numbers, like those with only four digits, as they may indicate scammers using email-to-text services.
  • Avoid storing credit card numbers on your phone to minimise the risk of digital wallet theft.
  • Enhance your security by implementing multi-factor authentication (MFA), such as two-factor authentication (2FA), using text message verification codes. Consider more robust options like dedicated authentication apps such as Google Authenticator.
  • Never share passwords or account recovery codes via text, as they can compromise your account if obtained by unauthorized individuals. Only use them on official websites.
  • Report all instances of SMS phishing to the relevant authorities assigned to handle such incidents.
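
The warning signs in the list above can be turned into a simple triage check for reported texts. The following is an added example, not part of the original article or any Topsec product: the score_sms function, its word lists, its weights and the sample messages are all constructed for illustration.

```python
import re

# Patterns for the warning signs listed above. The word lists and weights are
# constructed for illustration; they are not exhaustive or tuned.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
URGENCY_RE = re.compile(
    r"\b(?:urgent|immediately|act now|final notice|suspended|locked|"
    r"within \d+ (?:hours?|minutes?))\b", re.I)
CREDENTIAL_RE = re.compile(
    r"\b(?:password|pin|login|recovery code|verification code|card number)\b", re.I)
REPLY_RE = re.compile(r"\b(?:reply|text)\s+(?:stop|yes)\b", re.I)


def score_sms(sender: str, body: str) -> dict:
    """Score one message against the indicators; higher means more suspicious."""
    score, reasons = 0, []
    sender = sender.strip()
    if sender.isdigit() and len(sender) == 4:
        score += 1
        reasons.append("four-digit sender")
    elif "@" in sender:  # assumption: email-to-text gateways show an address
        score += 1
        reasons.append("email address as sender")
    if URL_RE.search(body):
        score += 2
        reasons.append("contains a link")
    if URGENCY_RE.search(body):
        score += 2
        reasons.append("urgent or account-lock language")
    if CREDENTIAL_RE.search(body):
        score += 3
        reasons.append("asks about passwords, codes or card details")
    if REPLY_RE.search(body):
        score += 1
        reasons.append("asks for a reply keyword")
    if score >= 4:
        verdict = "likely smishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (senders, domains and text are made up).
SAMPLES = [
    ("4821", "URGENT: your account is locked. Verify your password within "
             "24 hours at http://bank-example.test/unlock"),
    ("promo@mail-example.test", "You have been chosen for a free gift card! "
                                "Reply YES to claim."),
    ("+1 202 555 0143", "Running 10 minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = score_sms(sender, body)
        print(f"{sender:>24}  {result['score']}  {result['verdict']}  {result['reasons']}")
```

A score like this is only a first-pass filter for reported messages; a low score does not make a text legitimate, and verifying through official channels still applies.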

What to do If You Become a Victim of Smishing Attacks?

Smishing attacks can be frightening and harmful. Most people store personal information on their phones in various ways, and discovering that someone has access to it can cause significant stress. When someone breaches your personal phone, it not only raises concerns about the misuse of important security credentials but also puts your personal files, photos, social media accounts, and contacts at serious risk. Having your personal and sensitive information in someone else’s hands is scary. However, remaining calm and taking careful steps can help you recover from the compromise. If you become a victim of a smishing attack, promptly report the suspected attack to institutions that can provide assistance and support.

Take immediate action to freeze your credit, preventing potential identity fraud from happening now or in the future. Additionally, change all passwords and account PINs whenever possible to enhance security. To minimise the damage, proactively monitor your finances, credit, and various online accounts for any unusual login locations or suspicious activities. Remember, prevention is better than cure. With the increasing number of cybercrimes, staying informed and prepared is crucial to avoiding falling victim to malware attacks.

How to Report Smishing Attacks to the Proper Authorities

Smishing attacks can cause panic attacks in their aftermath. However, it is important to understand that law enforcement authorities in every country are committed to eradicating cybercrime. You should be aware that most smishing cases do get solved by the authorities. The reporting process is simple: get in touch with your local police and lodge a complaint about the cyberattack. The authorities will guide you through the next steps. However, time is of the essence in these circumstances, so it’s best to contact your local law enforcement immediately.


With smishing on the rise, it is important to know how to avoid it and what to do if you are attacked. Smishing relies on links in mobile SMS texts that hackers send deceptively, often by impersonating a credible source. These scams are growing in number, and it is important to be aware of them. Topsec is a reputable name in the field of email security. In our decades of experience, we have seen most of these cybercrimes first-hand, and we can always provide assistance.

Smishing FAQs

Warning signs of smishing include receiving messages from unusual phone numbers and claims of account issues, such as with your bank or credit card. These texts often provide a phone number to call, a website link, or an app download link. It’s crucial to remember that trustworthy companies, like government agencies, banks, or familiar retailers, will never ask for personal information via text messages.

Yes, Smishing can be controlled and stopped even before reaching your phone through sound preventive measures.

Smishing always comes in deceptive forms and tricks users into believing the message has come from a reliable source. If you accidentally click on a link in a suspicious text message, try detaching all the crucial information from your phone. If the situation becomes very severe, it is best to report it to the nearest police station immediately.

Apart from identity theft and financial loss, the experience of falling victim to a smishing attack is actually traumatising and long-lasting. Highly sensitive and useful credentials can be compromised, which might make you anxious. Meanwhile, the mental burden of such a horrific event might affect you in the long term.

A smishing text will likely ask you to fill out a form or provide information. The sender will disguise themselves as an authentic source, like a government agency or private entity. Cybercriminals usually play on users’ emotions and try to persuade or overwhelm them, so that victims promptly comply with the instructions provided.

Take screenshots of messages, emails, or other correspondence if you think you are a victim of a cybercrime and get in touch with your neighbourhood Garda station. Some of the most popular scams include phoney emails, calls, or texts that appear to be from legitimate businesses.
