What Is Smishing?

A combination of SMS (short message service, or texting) and phishing, smishing refers to text messages sent by attackers to obtain personal and sensitive information. Like spear phishing, smishing relies on tricking users into clicking a link and providing sensitive information, such as login credentials that can then be used to access target systems, or even to deposit malware.

This attack method has recently become more popular because phone numbers are easy to gather, smartphones are everywhere, and people tend to trust a text message more than a traditional email. While an email address can contain any number of letters or special characters, phone numbers around the globe follow fixed patterns, such as the three-four-three 10-digit pattern in the U.S., so attackers can try different combinations or send blasts to a specific number range. Additionally, phone numbers are often associated with social media accounts, which makes them easier to find and also gives attackers a repository of information for making smishing attempts more personalized.

Scammers are also succeeding due to the relationship between a user and their phone. Whether they’re on the go or distracted with something else, users are more likely to trust their smartphones or skim a message rather than reading it carefully. To best protect against smishing – and phishing scams in general – it’s important for users to scrutinize phone numbers, read messages carefully, and never click on an unfamiliar link.


How to Spot a Smishing Attempt

Unfortunately, there is no shortage of phishing attacks on any device. Whether cybercriminals are hunting for credit cards, login credentials, or any other bits of sensitive information, SMS phishing attempts are threats that mobile users need to be prepared for.

A common smishing attack involves banking services. Posing as a legitimate financial institution, these text messages can appear to be time sensitive to encourage victims to log in without thinking critically.

Figure 1: Sample text message alerting the victim of an account compromise and encouraging them to sign in with the link provided

The best way to react to these messages is to bypass the link and go directly to the bank itself: visit the bank’s website, log in to its app, or even call a local branch to verify whether there is any issue with the account.

Another type of smishing attack takes advantage of multifactor authentication (MFA). Attackers send text messages that imitate a credential or identity-verification prompt, encouraging users to sign in. They build malicious domains to look like the authentic sign-in sites that users are familiar with.

Figure 2: Sample text message encouraging a victim to sign in at the provided link to verify their identity

With attacks like these, users have to think carefully. Have they signed in to something recently? Is this the normal way for them to verify their identity? As with banking institutions, it’s best to go directly to the source and verify. It’s important to note that while some attackers are taking advantage of MFA, the added security of MFA is still an incredibly important defense against cybercrime.

Figure 3 is a realistic example based on a smishing message that one of our employees received.

Figure 3: Screenshot of a smishing attempt with the strange number and incorrect link highlighted


How to Avoid Being Smished

As mentioned earlier, one of the best techniques to avoid being smished is being critical with the text messages you receive. Never click on a link you’re unfamiliar with and don’t feel obligated to respond to a strange text from a number you don’t recognize. If you receive a smishing text in the U.S., you can report it to reportfraud.ftc.gov.

For security professionals, user education is essential. Training and testing your company on how to identify phishing and smishing will greatly reduce the likelihood of a successful phishing attempt.

Taking it a step further, another important piece of this puzzle is the organization-wide adoption of a Zero Trust stance. It’s important to monitor your environment with the understanding that nothing should be implicitly trusted – anything in your network can be used against you. Products like endpoint detection and response (EDR) provide broad visibility and machine learning (ML)-based detection for real-time threat analysis. An EDR product can be paired with a security orchestration, automation, and response (SOAR) platform for automation-based threat response.


Smishing FAQs

SMS phishing, or smishing, is a form of social engineering where attackers send deceptive text messages to trick recipients into revealing sensitive information. Messages often contain links to credential-harvesting sites or prompt the user to call a fake support line. The technique exploits trust in mobile messaging and often bypasses traditional email security controls.

A spoofed sender occurs when an attacker manipulates the “From” field of an SMS or email to appear as a trusted entity. This tactic enables impersonation of banks, cloud providers, or internal systems. Spoofing can bypass basic sender validation, making it difficult for recipients and filters to detect a fraudulent origin.

Two-factor interception involves intercepting one-time passcodes or second-factor authentication tokens sent via SMS or app notifications. Attackers may use SIM swapping, phishing proxies, or mobile malware to capture the codes in real time, allowing unauthorized access even when MFA is enabled.

Credential theft refers to the unauthorized acquisition of authentication data such as usernames, passwords, tokens, or API keys. Attackers use phishing, keylogging, credential stuffing, or memory scraping to harvest these secrets, enabling lateral movement, privilege escalation, or full account compromise across cloud and enterprise environments.

A malicious short code is a five- or six-digit number used to distribute fraudulent SMS content. Attackers may lease or compromise legitimate short code services to send mass smishing campaigns. Short codes are trusted by default in many mobile networks, which makes malicious use difficult to distinguish at scale.

Voice phishing, or vishing, is a tactic where attackers impersonate trusted entities over the phone to extract credentials, MFA codes, or other sensitive data. In cloud environments, vishing often follows email or SMS lures and targets help desks, IT admins, or finance staff to escalate privileges or initiate wire fraud.

A smishing kit is a pre-packaged set of tools that automates the delivery of SMS phishing campaigns. Kits often include templates, sender spoofing tools, credential harvesting pages, and delivery infrastructure. Many support targeting by region or mobile carrier and are sold as subscription services on cybercrime forums.

MFA bypass techniques allow attackers to authenticate without access to the second factor. Methods include phishing proxies, token theft, session hijacking, or exploiting misconfigured fallback mechanisms. In cloud environments, MFA bypass often leverages OAuth abuse, conditional access weaknesses, or authentication token reuse across federated services.

Carrier spoofing involves falsifying the source of a message or call to appear as though it originated from a legitimate mobile network operator. Attackers use this to exploit SMS trust, deliver smishing payloads, or impersonate support agents. It can also assist in defeating fraud detection and content filtering systems.

A spoofed number is a falsified caller ID or SMS source used to impersonate a trusted contact or institution. Attackers exploit SS7 network weaknesses or over-the-top messaging APIs to inject deceptive sender identities, enabling social engineering, account manipulation, or delivery of phishing payloads that evade scrutiny.

An SMS payload is the embedded malicious element within a smishing message, such as a shortened URL, embedded command, or trigger for mobile malware. Payloads often link to credential harvesting pages or exploit kits and may initiate app downloads or autofill fraud on mobile browsers without user awareness.

Android malware is malicious code designed to compromise Android devices. It ranges from spyware and banking trojans to rootkits and credential harvesters. Attackers often disguise malware as legitimate apps, using APK sideloading or rogue app stores. Once installed, the malware may exfiltrate data, intercept SMS, or abuse accessibility services.

iOS phishing targets Apple device users through mobile-optimized credential traps, fake system prompts, or malicious Safari redirects. Attackers exploit user trust in native UI components to mimic iCloud logins, app updates, or MFA challenges. Because iOS limits background code execution, phishing often replaces malware as the preferred attack vector.

URL obfuscation disguises a malicious destination by manipulating the structure or appearance of a link. Techniques include use of punycode, homoglyphs, excessive subdomains, URL shortening, or hexadecimal encoding. Obfuscation enables phishing pages to bypass filters and fool users into trusting visually deceptive or contextually misleading URLs.
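The link checks a defender can apply to the "incorrect link" in a bank-alert text (Figures 1 and 3) and to the URL obfuscation tricks listed above, as an added example that is not part of the original article: it pulls URLs out of a message, decodes punycode, maps Cyrillic look-alikes back to Latin, and flags shorteners, brand-in-subdomain hosts, and percent-encoded paths. The trusted-domain allowlist, the confusables map, and the sample message are constructed for the example.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Assumed allowlist of the organization's own domains (constructed for this example).
TRUSTED_DOMAINS = {"examplebank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # a few well-known shorteners
# Small constructed map of Cyrillic letters that look like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def to_unicode(host):
    """Decode punycode (xn--) labels so look-alike characters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host

def skeleton(host):
    """Replace confusable characters with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", host))

def analyze_url(url):
    """Return the obfuscation indicators found in one URL (empty list = none)."""
    flags = []
    host = (urlparse(url).hostname or "").lower()
    if "xn--" in host:
        flags.append("punycode")
    uhost = to_unicode(host)
    if any(ord(c) > 127 for c in uhost):
        flags.append("non-ascii-host")
    if not is_trusted(host) and is_trusted(skeleton(uhost)):
        flags.append("homoglyph-of-trusted-domain")      # e.g. Cyrillic 'а' in the brand name
    if not is_trusted(host) and any(host.startswith(t + ".") for t in TRUSTED_DOMAINS):
        flags.append("trusted-name-in-subdomain")        # brand.com.attacker-site.net
    if host.count(".") >= 3:
        flags.append("excessive-subdomains")
    if host in SHORTENERS:
        flags.append("url-shortener")
    if re.search(r"%[0-9a-f]{2}", url, re.IGNORECASE):
        flags.append("percent-encoded")
    if host and not is_trusted(host):
        flags.append("untrusted-domain")
    return flags

def analyze_sms(text):
    """Map every URL found in a text message to its indicators."""
    return {u: analyze_url(u) for u in URL_RE.findall(text)}

# Constructed sample message, modelled on the bank-alert lure described above.
SAMPLE_SMS = ("ALERT: ExampleBank locked your account. Verify now at "
              "http://examplebank.com.secure-verify.net/login?id=%6a%6f%68%6e "
              "or https://" + "ex\u0430mplebank.com".encode("idna").decode("ascii") + "/")
```

Run `analyze_sms(SAMPLE_SMS)` to see both lure URLs flagged; a legitimate `https://login.examplebank.com/...` link returns no indicators.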
A phishing lure is the pretext or hook that compels a target to engage with malicious content. Common lures include fake invoices, delivery failures, credential alerts, or urgent policy updates. In cloud-targeted phishing, attackers often tailor lures around federated logins, access tokens, or expired session prompts.

A zero-click exploit compromises a device or application without any user interaction. Attackers deliver payloads through messaging apps, push notifications, or malformed files that trigger execution upon receipt or rendering. In mobile and cloud environments, zero-clicks often target flaws in media parsing, WebView rendering, or proprietary APIs.

A fake security alert mimics a system notification or provider warning, claiming suspicious activity, login anomalies, or policy violations. The alert usually directs the user to verify or reset credentials via a phishing site. Such lures are crafted to exploit urgency and typically impersonate known cloud or SaaS brands.

A QR code scam uses malicious QR codes to redirect users to phishing sites, initiate unauthorized payments, or trigger malware downloads. Attackers embed these codes in emails, posters, or digital interfaces, exploiting user trust and the opacity of encoded URLs to bypass traditional link inspection and content filtering.

SMS interception involves capturing text messages in transit to extract one-time passcodes, session tokens, or personal data. Techniques include SIM swapping, rogue base stations, and mobile malware with SMS permissions. Interception compromises two-factor authentication and enables adversaries to hijack cloud accounts secured by SMS-based verification.

An SMS trojan is a type of mobile malware that abuses SMS functionality to exfiltrate data, subscribe users to premium services, or deliver payloads. Trojans often hide inside fake apps and can forward MFA codes, alter SMS routing, or trigger secondary infections via malicious command-and-control instructions.

Telecom fraud exploits mobile or carrier infrastructure for financial gain or unauthorized access. Common schemes include SIM swapping, international revenue share fraud, and abuse of premium-rate numbers. Attackers often combine telecom fraud with account compromise techniques to intercept credentials, reroute traffic, or monetize unauthorized service consumption.

Message spoofing forges the sender address of a message to impersonate a trusted contact, typically within SMS or email. The attacker manipulates sender metadata to inject credibility into phishing attempts. In cloud scenarios, spoofed messages may mimic service alerts, credential requests, or identity verification notices.