The Authentication Reference

Your go-to place for authentication information


What is a Smishing Attack? [How it works and how to protect yourself]

A smishing attack is a type of scam in which criminals send an SMS to the victim while pretending to be an institution, such as a bank or a company, in order to steal personal information. The word “smishing” is a combination of the terms SMS (short for “short message service”) and “phishing”.

While there is still some confusion between smishing and email phishing, smishing is nothing more than a type of phishing performed over mobile text messages. The term “phishing” refers to the social engineering technique in which criminals impersonate a person or corporate entity to manipulate the victim in order to obtain information. 

Phishing attacks can occur via email, social media and other digital media. In the case of smishing, as the name implies, communication is done via SMS. The difference in the term only serves to specify the channel used. Smishing is very easy for attackers to carry out, since all they need is the victim's phone number. This does not mean, however, that all smishing attacks are the same. It's important to know how they occur to protect yourself as best you can.

How Do Smishing Attacks Work

Smishing attacks typically take two forms: by asking the victim to click a link, or by asking the victim to reply to an SMS. In the latter case, the technique used is simpler -- the fraudster sends an initial message claiming to be from a certain company and asks the victim to reply to the message with personal information. 

If the SMS includes a link, there are two other ways the criminal can steal the victim's personal data. In the first, the victim is directed to a fake website -- which is usually very similar to the official page of the impersonated company -- to fill out a form with personal information. In the second, malware is automatically downloaded as soon as the victim clicks, allowing fraudsters to spy on the device's activity and silently access sensitive information.

Examples of Smishing Attacks

Since this type of scam employs social engineering techniques, criminals approach victims in different ways in order to convince them that the message is legitimate and that immediate action is needed. Most of them appeal to a sense of urgency.

Common types of smishing are:

  • Bank messages notifying that there is a problem with the victim’s account or credit card

Certainly, money and account problems could be the most sensitive topics for most people. Therefore, common types of smishing are messages on behalf of the victim’s financial institution stating that a suspicious transaction has been identified, or their account or credit card is blocked. In order for the problem to be solved, or the account or credit card to be unlocked, the victim is instructed to click on a link to confirm their identity. 

  • Alerts from a company about suspicious activity

To enhance user security, many companies now send a notification if an account is accessed from a different device or location. Smishing attacks copy this technique and send alerts containing suspicious links, asking the victim to verify where the access came from. It is also common for the SMS to be disguised as two-factor authentication, requiring the victim to click on the link for access to be granted.

  • Invitations to participate in a survey

Even in the case of authentic surveys, few people actually like to give their time to participate. Therefore, in order to convince the victim to click on the link, messages often offer some prize. These invitations may include supposed surveys to evaluate a service or product from large stores.

  • Messages notifying the victim that they have won a prize

Another very common technique is a message informing the victim that they have won the lottery or another type of prize and that they must click on a link to find out more information or claim their prize. Although in some cases it is easy to identify the scam, many criminals use real promotions that take place in large stores, such as receipt drawings, which increases the chance that the victim clicks or responds.

How to defend against smishing attacks


During the year 2020 alone, the number of smishing attacks grew by 328%, according to a survey by security firm Proofpoint. In addition, another disturbing statistic is the fact that less than 35% of the population knows when they are targeted by this type of fraud. Precisely because it is a type of cybercrime that uses social engineering, one of the ways to prevent such scams is to be aware of how they work and to know how to identify potential fraudulent messages. 

While attacks are becoming increasingly sophisticated, replicating real messages from trusted institutions, there are some details that could reveal a smishing attempt. Spelling and grammar errors are one of the indicators, as well as suspiciously formatted links (“” instead of “”, for example).
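
The indicators described in this article (urgency, prize or survey lures, requests to reply with personal data, and links that do not lead to the official domain of the company named in the message) can be checked mechanically. The following is an added example, not code from the original article; the OFFICIAL_DOMAINS allowlist, the brand name and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: brand name -> official domain (constructed values).
OFFICIAL_DOMAINS = {"examplebank": "examplebank.example"}

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|blocked|suspended|within \d+ hours?)\b", re.I)
LURE_RE = re.compile(r"\b(prize|won|winner|lottery|survey|reward)\b", re.I)
REPLY_PII_RE = re.compile(r"\breply\b.*\b(pin|password|card number|code)\b", re.I)

# Constructed sample messages, for illustration only.
SAMPLES = [
    "ExampleBank: your card is blocked. Verify immediately at "
    "http://examplebank-verify.example/login",
    "ExampleBank: your statement is ready at "
    "https://www.examplebank.example/statements",
    "Congratulations! You won a prize. Reply with your card number to claim.",
]


def host_matches(host, official):
    """True only for the official domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def triage(sms):
    """Return the list of smishing indicators found in one SMS body."""
    findings = []
    if URGENCY_RE.search(sms):
        findings.append("urgency")
    if LURE_RE.search(sms):
        findings.append("prize_or_survey_lure")
    if REPLY_PII_RE.search(sms):
        findings.append("reply_with_personal_info")
    lowered = sms.lower()
    for url in URL_RE.findall(sms):
        # urlparse takes the host after any "user@" part, so a link of the
        # form official-domain@other-host is attributed to other-host.
        host = urlparse(url).hostname or ""
        for brand, official in OFFICIAL_DOMAINS.items():
            # The message names the brand but the link leads elsewhere.
            if brand in lowered and not host_matches(host, official):
                findings.append("link_not_on_official_domain:" + host)
    return findings
```

A message with no findings is not proven safe; the check only surfaces the details the article lists, and confirmation through the company's official channels remains the stronger control.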

If you are unsure whether a text message can be trusted, it is worth searching for the number and the message on the internet to see if other people were also targeted. An even safer alternative is to contact the company through official channels to confirm that it sent the communication. It's important to make sure the sender is reliable before replying to any SMS or clicking a link.

Another tip to be on the safe side is not to store personal and banking information, such as your credit card number, on your smartphone. Thus, even if the device is targeted by malware, the criminal will not have access to this data.

If you spot a smishing attempt, it's important to report the sender so that the original company can take action and so that others aren't victims of scams.

Institutions can fight account takeover carried out through smishing attacks by using recognition signals, such as location behavior, to identify a fraudulent mobile device trying to gain access to a mobile account. Learn more by reading how Incognia prevents account takeover.