Smishing is a cybercrime that uses manipulative text messages to steal confidential personal and corporate information from people.

Cybercriminals send carefully worded text messages to the victim, urging the victim to respond or to take further action. The text message might ask the victim to confirm delivery of an Amazon order or ask the recipient to click a link to finish registering in a new government program.

The ultimate goal of any smishing tactic is the same – to compromise people by stealing confidential information.



Texting is fast becoming the most common way people communicate. Cybercriminals know that 98% of all text messages are read and opened. And on average 90% of all text messages are read within three minutes. Compound this with the fact that text messages have a 209% higher response rate than emails, phone calls, or Facebook messages, and cybercriminals have the perfect medium for committing cybercrimes.

Cybercriminals know that people have become more knowledgeable about phishing, so they have turned their attention to texting. To make things even easier for cybercriminals, people are less suspicious of text messages than emails. This simply comes down to the fact that very few people have heard of smishing or text messaging cyber attacks.


Smishing relies on social engineering to get victims to respond and take action

Using urgent and compelling language, the text message may threaten the victim with severe consequences if they don’t take action or convince the victim that they’re helping the sender by providing the requested information.


What is social engineering?

Social engineering is a manipulation technique used by cybercriminals to trick people into giving up confidential information. Social engineering relies on the basic human instinct of trust to steal personal and corporate information that can be used to commit further cybercrimes.

How Does Smishing Happen?

Smishing happens when the cybercriminal is able to capitalize on the human tendencies of trust and wanting to help others. The cybercriminal knows that people are motivated by compelling language such as “Act Now”, “Urgent!”, or “Don’t Miss Out!”.

People are naturally curious and want to know more about the promised reward, the unexpected Amazon delivery, or the new government subsidy program. Typically, smishing victims respond instantly without giving the text message a careful read, missing out on telltale signs that the text message is a scam.

People have a tendency to read and respond to text messages wherever they are and regardless of what they’re doing. Cybercriminals prey on this level of distraction to catch people off-guard.


1. Fake Link Tactic

The text message sender pretends to represent a valid organization or company and includes a link that looks very similar to the real URL for the organization or company. The sender asks the recipient to click the link and take some kind of action such as updating their personal information, confirming the delivery of a package, or entering a draw for a free prize.


2. Convincing Phone Call

The text message tells the victim to call the sender back. Often the text message will appear to come from a government or city organization and uses urgent language to convince the victim that they have to call immediately to protect themselves from serious consequences. When the victim calls the number, they speak to a person who sounds legitimate and is very helpful and reassuring – the victim believes they’re doing the right thing by providing the information the person needs.


3. Malware Attack

The text message includes a link to an executable that installs malware on the victim’s mobile device. Typically, the cybercriminal installs Trojan Horse software that captures and records the victim’s keystrokes, making it easy to steal passwords, contact lists, banking information, etc.


4. Spear Smishing

This type of smishing takes more work and research on the part of the cybercriminal. Using background information on the victim collected from social media sites such as Facebook and LinkedIn, the cybercriminal can send a targeted and specific smishing attack that appears to be legitimate. Due to the personal nature of the smishing message, the victim trusts the sender and doesn’t hesitate to respond.
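
The warning signs in the tactics above (urgent wording, a link that imitates a real domain, a request to call back) can be checked mechanically when triaging reported texts. This is an added example, not part of the original article; the trusted-domain list, the sample messages and the sign names are constructed assumptions, and the checks are heuristics rather than a complete filter.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("amazon.com", "example-bank.com")  # assumed: the organisation's real domains
URGENCY = ("act now", "urgent", "don't miss out")     # phrases quoted in the article
URL_RE = re.compile(r"https?://\S+", re.I)
CALLBACK_RE = re.compile(r"\bcall\b.*?\+?\d[\d\-\s().]{6,}\d", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None."""
    host = host.lower().rstrip(".")
    # Simplification: last two labels; production code needs the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in host:
            return trusted
    return None

def triage(sms):
    """Return the warning signs found in one text message."""
    text = sms.lower().replace("\u2019", "'")  # normalise the curly apostrophe
    signs = []
    if any(phrase in text for phrase in URGENCY):
        signs.append("urgent-language")
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(sms)]
    if any(lookalike_of(h) for h in hosts):
        signs.append("lookalike-link")
    if CALLBACK_RE.search(sms):
        signs.append("callback-request")
    return signs

# Constructed sample messages (not real traffic).
SAMPLES = [
    "URGENT! Your Amazon order is on hold. Confirm delivery: http://amaz0n.com/track",
    "City Tax Office: act now to avoid penalties. Call 555-010-0199 immediately.",
    "Your order has shipped. Track it at https://www.amazon.com/orders",
]
```

A message that raises no sign is not proven safe; the result is best used to prioritise which reported texts an analyst reviews first.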

What Are The Differences Between Smishing, Vishing, and Phishing?


Smishing: Uses text messages to steal information and commit further cybercrimes.

Vishing: Uses intimidating phone calls and voicemail messages to convince victims to provide personal information and to steal from the victim.

Phishing: Uses a range of attack methods including emails, fake websites, and text messages to steal from victims. Smishing and vishing are two types of phishing.

How To Prevent Smishing Attacks

1. Educate your employees on the risks that can arrive in text messages. Use security awareness training and simulations to educate employees with real-world scenarios.

2. Remind employees to never respond to or click links in text messages from senders and phone numbers they do not recognize. Employees should block the text message and delete it from their device.

3. Use security awareness campaigns to alert employees to social engineering and how cybercriminals use it to send convincing and urgent text messages.

4. Ask your security leaders and internal cyber heroes to regularly monitor employee awareness of smishing. Highlight to employees that they need to carefully read every text message and if in doubt – never respond.

5. Use security awareness training and simulations to raise awareness of the risks of clicking links and downloading attachments in text messages. Take advantage of training that uses gamification and micro- and nano-learning modules to keep training interactive and engaging.

6. Install malware protection and anti-virus software on all employee mobile devices. This is particularly important for companies that have a bring your own device (BYOD) policy.

7. Provide regular and ongoing communication and awareness campaigns about smishing, social engineering, and cyber security. Reinforce to employees that they should never click links or respond to an unknown sender.

What Not To Do With A Smishing Text

  • Do NOT Reply To A Smishing Text
  • Do NOT Call The Sender Phone Number
  • Do NOT Click Any Links
  • Do NOT Send A STOP Text Message

Phishing simulation is the best way to raise awareness of smishing and phishing risks. Remember that smishing is a type of phishing and often cybercriminals use multiple phishing and smishing attacks at once.

Phishing simulations help you identify which employees are at risk of cybercrimes that come through text messages and emails. Real-time phishing simulations are a key part of any successful security awareness training program.

Together security awareness training and phishing simulations help raise alertness levels to cyber security threats. Phishing simulations give people first-hand experiences with smishing, so they know the signs and what to look for.



How Can Phishing Simulations Help Prevent Smishing Attacks?

Phishing simulations help you show employees how cybercriminals use text messages to steal and commit cybercrimes.

1. Increases alertness levels to how cybercriminals use manipulative language in text messages.
2. Changes human behavior to eliminate the automatic trust response.
3. Creates awareness to reduce the cyber threat level.
4. Measures and monitors the level of corporate and employee vulnerability.
5. Deploys targeted anti-smishing solutions.

6. Assesses the effectiveness of cyber security awareness training.
7. Keeps employee alertness levels to smishing high.
8. Protects valuable corporate and personal information.
9. Instills a cyber security culture and creates internal cyber security heroes.
10. Meets industry security training compliance obligations.


Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.