November 25, 2022

What Is a Smishing Attack?

Have you ever gotten a text message from an unknown number about an alleged prize you won from a contest you never entered? Or maybe the text included a link for you to track an order that you never placed? If so, you were the potential victim of a smishing attack.

What Is Smishing?

Smishing is a social engineering tactic that combines phishing with SMS text messages. Instead of exploiting technical security flaws that your phone may have, cybercriminals try to build trust with you through how you use your phone. Unlike regular phishing attacks, where cybercriminals send malicious links to your email, in smishing they send malicious links to your phone. A smishing attack can be a way to obtain personal and private details that cybercriminals can then use. They may also use smishing attacks to get money from you.

How Does Smishing Work?

Cybercriminals typically use smishing attacks to steal your personal data, such as emails, passwords, and banking information, using one of the following methods:

  • Malware. A cybercriminal might send you a smishing URL that tricks you into downloading malware on your phone. Malware is malicious software that can send information that you type to cybercriminals. An example of malware in a smishing attack might be an advertisement that looks like a real mobile app. However, when you create an account for the mobile app, a cybercriminal can see what you type and steal your personal details.
  • Fake website. The smishing URL might very well open a website on your phone’s browser. However, the website is a custom-made malicious site that cybercriminals use to steal your private information. The website may mirror a website you’re already familiar with, like a popular store, and that’s what makes it believable.

If you fall for a smishing attack, you’re not alone. Cybercriminals use trust, context, and emotion to trick you. When they pose as an actual person or well-known organization, you may feel like the text message is legitimate enough to click the link. By personalizing the message with your name or other identifying details they can find out about you, they can play on your emotions and get past your critical thinking skills.

Common Types of Smishing Attacks

Waves of smishing attacks tend to follow similar themes, gaining popularity until the ruse no longer works. Some common types of smishing attacks that have been widely used are:

COVID-19 Smishing

Cybercriminals send COVID-related URLs that mirror contact tracing websites. However, these fake contact tracing pages ask you for sensitive data, like your social security number, credit card number, and other financial details.

Financial Smishing

Cybercriminals can send you fake text messages from alleged financial institutions. These messages might include reminders about finishing a loan application or changing your banking password. In financial smishing attacks, clicking the sent URL will take you to a mirrored website of the financial institution. Once you enter your personal details, the cybercriminals can use your information to commit other forms of financial fraud.

Smishing for free products

Text messages that say you won a free gift or product from a contest, shopping reward, or other free offer may also be smishing attacks. Cybercriminals use the word “free” because it promotes excitement and fast action. You may not stop to think about whether it’s a legitimate offer, and once you fill out the form to receive your free gift, cybercriminals can access your personal information.

Smishing via fake order confirmation or tracking

Be mindful of smishing attacks if you’re an avid shopper. Cybercriminals can send you fake URLs letting you know that an order has shipped or that an order has been confirmed. Even if you haven’t placed an order, clicking the URL can grant them access to your mobile phone’s data.

Fake customer service smishing attacks

Even if you haven’t placed a recent order, cybercriminals may use the consumer angle to try to trick you. They might send text messages that link to fake login pages, advising you that there’s a security problem with your account and that you should reset your password or send a special recovery code. Once you give them the requested information, they may be able to easily access your real accounts.

How to Prevent Smishing

Now that you have an idea of what a smishing attack might consist of, you may be better equipped to protect yourself from falling for an attempt. Some tips on how to prevent smishing are:

  • Don’t respond to any unknown or unwarranted text messages.
  • Lead with caution at all times. It’s better safe than sorry.
  • If you’re unsure, research the company’s phone number and call them directly.
  • Never click on any random links sent to you.
  • Enable two-factor authentication on your personal accounts for extra security.
  • Download an anti-malware app, like Microsoft Defender, on your phone to protect yourself.

What to Do if You Become a Victim of Smishing

If you believe you’ve clicked on, interacted with, or responded to a smishing attack, there are additional steps you can take to protect yourself. Report the attack to the relevant company or organization if there is one. Sign up for a credit monitoring service so that you can make sure there aren’t any unauthorized changes to your credit report. Change the relevant passwords and PINs for any potentially affected accounts.

Cybercriminals are becoming more creative in how they gain unauthorized access to your accounts and personal information. Keep your personal data safe by always second-guessing any unknown text messages you receive so that you can lessen your risk of falling for a smishing attack.
