What Is Smishing? SMS Phishing Explained
Smishing is a form of social engineering in which an attacker sends a fraudulent text message designed to trick a person into revealing sensitive information, handing over credentials, installing a malicious app, or sending money.
The text says your package could not be delivered. It has a tracking link. You tap it on your phone while walking to a meeting, the page looks like the courier's site, and it asks for a card number to cover a small redelivery fee. You are not at your desk, you are not looking at a full browser address bar, and the message arrived on the same channel your bank and your dentist use. That is the entire attack. No malware on the gateway, no exploit, just a short message and a moment of inattention on a device that was built to be trusted.
That is smishing: phishing delivered over SMS and mobile messaging. It targets the phone because the phone is where people are least defended. Corporate email runs through gateways that scan links and detonate attachments. A text message lands raw, on a small screen, with the real URL hidden behind a tap. This guide covers what smishing is, how an attack moves from the first text to a drained account, the lures that show up over and over, why the mobile channel works so well for attackers, and how to defend against it as a user and as a SOC.
What is smishing?
Smishing is a form of social engineering in which an attacker sends a fraudulent text message designed to trick a person into revealing sensitive information, handing over credentials, installing a malicious app, or sending money. The name is a contraction of "SMS" and "phishing." It is the same con as email phishing, moved to the text channel, where the message impersonates someone the target trusts: a bank, a delivery company, a government tax office, an employer, or a colleague.
The defining feature is the channel, not the goal. The goal is the same as any phishing attack: get the target to act against their own interest. The channel changes the math. A text is short by design, so an attacker does not have to fake a convincing letterhead or a long corporate email. A link in a text shows no hover preview and is usually shortened, so the real destination is invisible. And the message arrives on a personal device that often sits outside corporate filtering, even when it holds corporate email, MFA apps, and saved passwords.
Smishing is distinct from its siblings only by medium. Vishing is the same attack by voice call. Email phishing and email spoofing run over email. Smishing runs over SMS, RCS, and messaging apps such as WhatsApp, iMessage, and Signal. The investigation artifacts differ, but the manipulation is identical.
How a smishing attack works
Most smishing follows the same short path, whether the payoff is a stolen password or a fraudulent payment.
- Targeting. The attacker gets phone numbers. These come from data breaches, scraped websites, sequential dialing, or lists bought on criminal markets. Some campaigns spray millions of numbers blindly; targeted ones pair a number with a name and employer pulled from the same breach data.
- The lure. A text arrives impersonating a trusted source and carrying a hook: a failed delivery, a locked bank account, a tax refund, a suspicious login, a too-good job offer, or a message that looks like it came from the recipient's own boss.
- The action. The text pushes one of three things: tap a link, call a number, or reply. The link leads to a credential-harvesting page or a malicious app download. The number routes to a fake call center that runs a vishing script. The reply opens a direct conversation the attacker steers.
- The capture. The target enters credentials or card details into a cloned page, installs an app that reads their texts and steals one-time codes, or is talked into a payment or a multi-factor approval.
- The cash-out. The attacker uses what they took: draining the account, taking over the login, reselling the credentials, or pivoting into a corporate environment if the target reused a work password or approved a work MFA prompt.
Break the chain at any stage and the attack fails. The hardest stage to defend technically is the lure, because a raw text is difficult to filter, which pushes most of the defensive weight onto recognition and onto what happens after the tap.
Common smishing lures
The pretexts rotate with the seasons and the headlines, but a small set recurs because they work.
| Lure | The hook | What it asks for |
|---|---|---|
| Package delivery | "Your parcel is held, confirm details" | Card data, a small fake fee |
| Bank or payment alert | "Suspicious transaction, verify now" | Login credentials, one-time codes |
| Government or tax | "You are owed a refund" or "unpaid fine" | Personal and payment details |
| Account suspended | "Your Apple or streaming account is locked" | Account login on a cloned page |
| Boss or executive text | "Are you free? I need you to handle something" | Gift cards, wire transfer, contact pivot |
| Job offer or task scam | "Easy remote work, paid daily" | Upfront fee, banking details, money mule role |
| Wrong-number opener | A friendly "Hi, is this Sarah?" | A long con leading to crypto investment fraud |
Two of these deserve a closer look.
The delivery and bank lures are the bulk volume. They exploit the fact that almost everyone is expecting a package or worried about their account, so the message lands in a context that already feels plausible.
The executive text, often called CEO fraud over SMS, is the high-value targeted version. The attacker pulls a manager's name from a company website, spoofs or claims their identity in a text to a subordinate, and opens with a low-commitment question to start a conversation before making the real request. It is the SMS cousin of business email compromise, and it skips malware entirely.
Why smishing works
Smishing is effective for reasons that are structural, not just human.
- Trust in the channel. People treat texts as personal and urgent in a way they no longer treat email. A text from an unknown number still gets read, and read fast.
- No link preview. On a phone there is no hover-to-preview. Shortened and lookalike URLs hide the real destination, and the mobile browser shows only a sliver of the address bar.
- Thin filtering. Carrier SMS filtering is improving but remains far weaker than enterprise email security. Many texts arrive completely unscreened, and personal devices that carry corporate access often sit outside any corporate control.
- Small screen, divided attention. Phones are used on the move, in seconds, between other tasks. The conditions that make a person slow down and scrutinize a message are mostly absent.
- Cheap and scalable. Bulk SMS gateways, spoofing services, and ready-made phishing kits make a campaign cheap to launch. A response rate of a fraction of a percent across millions of texts still pays.
The result is a channel where the attacker's message reaches the target with fewer controls in the way than almost any other, and where the target is primed to act quickly. That combination is why phone and text-based attacks have grown into a primary attack surface rather than an afterthought.
How smishing fits the wider attack chain
Smishing is rarely the end goal. It is a delivery mechanism, the way an attacker gets a first credential, a first device foothold, or a first fraudulent payment, after which the real objective begins.
A harvested password becomes an account takeover. A stolen one-time code, captured by a malicious app that reads incoming SMS, lets an attacker walk past multi-factor authentication. An installed app becomes spyware that tracks location, messages, and banking sessions. And when the target reused a work credential or approved a work login prompt, a personal smishing text becomes the entry point for a corporate intrusion that ends in lateral movement, malware, or extortion.
This is why smishing is not only a consumer fraud problem. It is the first link in chains that end in a full cyberattack, account takeover, or wire fraud, and breaking it early is far cheaper than cleaning up what follows.
How to defend against smishing
No single control stops smishing, because it spans the carrier, the device, the user, and the organization. Effective defense layers them.
For users.
- Never tap links in unexpected texts. Go to the company directly through its app or a typed address instead of the link in the message.
- Treat urgency as a warning, not a reason to hurry. Account lockouts, fines, and one-hour deadlines are the manipulation, not the emergency.
- Verify out of band. A text from your bank, your boss, or a courier gets confirmed through a known number or the official app, never by replying to the text.
- Never share one-time codes. No legitimate organization asks you to read back an MFA code sent to your phone.
- Report and delete. Forward spam texts to your carrier's reporting short code and block the sender. Do not reply, even to opt out, because a reply confirms a live number.
For organizations and the SOC.
- Phishing-resistant MFA. FIDO2 security keys and passkeys defeat code-relay and credential-replay attacks, because the credential is bound to the legitimate site and cannot be entered into a cloned page or read out of a text.
- Mobile device management. Managed devices can restrict sideloaded apps, the main vector for SMS-stealing malware, and enforce a baseline on the phones that hold corporate access.
- User reporting and awareness. Make it easy to report a suspicious work-related text. A reported smishing campaign aimed at staff is early warning of a targeted operation.
- Out-of-band verification for money and access. Any payment change, gift-card request, or credential reset prompted by a message gets confirmed through a separate known channel. A callback to a known number stops executive-text fraud.
- Monitor for the follow-on. When a smishing text targets employees, watch for the next step: logins from unusual locations, MFA enrollment changes, and password reuse against corporate accounts.
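The last bullet is the one a SOC can turn into a query. As an added example, not code from the original article, the script below hunts for the follow-on signals it names (logins from an unusual country, MFA enrollment changes, password changes) in the hours after a smishing text reached a set of employees. It assumes a constructed, simplified identity-provider log format ("<time> <event> user=<name> src_country=<CC> [detail=<text>]"); the recipient list, campaign start time and per-user baseline countries are constructed sample data standing in for what the SOC would pull from its own IdP and from triage of the reported text.

```python
"""Hunt for follow-on activity after a smishing text reaches employees.

Added example, not code from the article. It assumes a constructed,
simplified identity-provider log format, one event per line:
"<ISO-8601 UTC time> <event> user=<name> src_country=<CC> [detail=<text>]".
The recipient list, campaign start time and per-user baseline countries are
constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: when the first text landed, who received it, and how long to watch.
CAMPAIGN_STARTED_AT = datetime(2024, 5, 14, 9, 30, tzinfo=timezone.utc)
RECIPIENTS = {"alice", "bob", "carol"}
HUNT_WINDOW = timedelta(hours=48)

# Constructed baseline: countries each recipient normally signs in from.
BASELINE_COUNTRY = {"alice": {"GB"}, "bob": {"GB", "IE"}, "carol": {"GB"}}

# Constructed IdP events in the hypothetical format above.
SAMPLE_LOG = """\
2024-05-14T09:12:00Z login_success user=alice src_country=GB
2024-05-14T10:05:00Z login_success user=alice src_country=NG
2024-05-14T10:06:30Z mfa_device_added user=alice src_country=NG detail=authenticator-app
2024-05-14T11:00:00Z login_success user=bob src_country=IE
2024-05-14T12:00:00Z login_success user=dave src_country=RU
2024-05-14T13:20:00Z login_failed user=carol src_country=GB
2024-05-15T02:45:00Z password_changed user=carol src_country=BR
2024-05-17T08:00:00Z login_success user=bob src_country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src_country=(?P<cc>[A-Z]{2})"
    r"(?: detail=(?P<detail>\S+))?$"
)

# Events that, right after a smishing text, suggest an attacker is settling in.
ACCOUNT_CHANGE_EVENTS = {"mfa_device_added", "password_changed"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    user: str
    country: str
    detail: str | None


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    reason: str


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than crash on noisy logs
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["event"], m["user"], m["cc"], m["detail"]))
    return events


def hunt(events, recipients, started_at, window, baseline) -> list[Alert]:
    """Flag unusual-country logins and account changes for recipients inside the window."""
    alerts = []
    end = started_at + window
    for ev in events:
        if ev.user not in recipients or not (started_at <= ev.ts <= end):
            continue  # only people who got the text, only the hours that follow it
        unusual = ev.country not in baseline.get(ev.user, set())
        if ev.event == "login_success" and unusual:
            alerts.append(Alert(ev.user, ev.ts, f"login from unusual country {ev.country}"))
        elif ev.event in ACCOUNT_CHANGE_EVENTS:
            note = " (unusual country)" if unusual else ""
            alerts.append(Alert(ev.user, ev.ts, f"{ev.event} from {ev.country}{note}"))
    return sorted(alerts, key=lambda a: a.ts)


def hunt_sample() -> list[Alert]:
    return hunt(parse_events(SAMPLE_LOG), RECIPIENTS, CAMPAIGN_STARTED_AT,
                HUNT_WINDOW, BASELINE_COUNTRY)


if __name__ == "__main__":
    for a in hunt_sample():
        print(f"{a.ts.isoformat()} {a.user}: {a.reason}")
```

On the sample data this raises three alerts: alice's login from a country outside her baseline, the new MFA device she "enrolled" a minute later from the same place, and carol's overnight password change from an unusual country. bob's baseline logins, his later login outside the window, and dave (not a recipient) produce nothing. The window and baseline are the two knobs to tune; a 48-hour window after the first text is a starting point, not a rule.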
How a SOC handles a reported smishing attempt
When an employee reports a suspicious text, the response follows a repeatable loop, adapted from the email phishing workflow to the constraints of the mobile channel.
- Triage. Confirm whether the message is malicious. Capture the sender number or short code, the full message text, and any link, without tapping it on a live device.
- Extract indicators. Pull the URL, the destination domain, the sender number, and any app or file the link serves. These become the indicators of compromise for the rest of the response.
- Detonate safely. Open the link in an isolated sandbox or analysis device to see where a credential page posts to and what an app download actually does.
- Scope it. Determine who else received the text. Targeted campaigns hit many employees at once, so identify everyone messaged and, critically, anyone who tapped or entered credentials.
- Contain and remediate. Block the domain and any payload at the gateway and on managed devices, reset credentials for anyone who fell for it, and revoke active sessions to kill stolen tokens.
- Hunt and improve. Check for follow-on activity, then feed the indicators into detections so the next instance is caught, and treat a confirmed compromise as the start of full incident response.
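The triage and extraction steps above are mechanical enough to script. The following is an added example, not code from the original article: it takes a reported text (sender plus body), pulls every link, records the host, defangs the indicator so it is safe to paste into a ticket, classifies the sender, and assesses each host against a watched-brand allowlist and a shortener list. The report, the brand domains (all under the reserved "example" names) and the shortener hosts are constructed sample data, and the registrable-domain helper is a deliberate simplification that a production tool would replace with the Public Suffix List.

```python
"""Triage a reported smishing text: extract, defang and assess indicators.

Added example, not code from the article. The report, the brand allowlist
and the shortener list are constructed sample data.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAIL = ".,;:!?)]}'\""  # sentence punctuation that is not part of the URL

# Constructed: brands the organisation watches and their genuine domains.
BRAND_DOMAINS = {
    "example-courier": {"example-courier.com"},
    "example-bank": {"example-bank.com", "online.example-bank.com"},
}
# Constructed: link-shortener hosts whose destination is unknown until expanded.
SHORTENERS = {"sho.rt", "lnk.example"}

# Constructed report as an employee might forward it.
SAMPLE_REPORT = {
    "sender": "+15550100123",
    "received": "2024-05-14T09:02:00Z",
    "body": (
        "Example-Courier: your parcel is on hold. Confirm your address and pay "
        "the 1.99 redelivery fee within 24h at "
        "https://example-courier.com.parcel-hold.net/t?id=4821. "
        "Tracking: https://sho.rt/Qx7bE"
    ),
}


def extract_urls(text: str) -> list[str]:
    found: list[str] = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(TRAIL)
        if url not in found:
            found.append(url)
    return found


def defang(url: str) -> str:
    """Make the indicator non-clickable for tickets and chat: hxxp and [.]"""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List in real tooling.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str) -> str:
    host = host.lower()
    if not host:
        return "unknown host"
    if host in SHORTENERS:
        return "shortener: destination unknown until expanded in a sandbox"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode: possible homograph"
    for brand, genuine in BRAND_DOMAINS.items():
        if host in genuine or registrable_domain(host) in genuine:
            return "genuine brand domain"
    squashed = host.replace("-", "").replace(".", "")
    for brand in BRAND_DOMAINS:
        if brand.replace("-", "") in squashed:
            return f"lookalike of {brand}"  # brand name inside a domain the brand does not own
    return "unknown host"


def classify_sender(sender: str) -> str:
    s = sender.strip()
    if s.isdigit() and 5 <= len(s) <= 6:
        return "short code"
    if s.startswith("+") and s[1:].isdigit():
        return "full phone number"
    if any(c.isalpha() for c in s):
        return "alphanumeric sender ID (display name only, easily spoofed)"
    return "unknown sender format"


def triage(report: dict) -> dict:
    indicators = []
    for url in extract_urls(report["body"]):
        host = urlsplit(url).hostname or ""
        indicators.append({"defanged": defang(url), "host": host,
                           "assessment": classify_host(host)})
    suspicious = any(not i["assessment"].startswith(("genuine", "unknown"))
                     for i in indicators)
    verdict = ("likely smishing: detonate links in a sandbox and scope recipients"
               if suspicious else
               "no link-based indicator: review wording and sender manually")
    return {"sender": report["sender"], "sender_type": classify_sender(report["sender"]),
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["verdict"])
    for ind in result["indicators"]:
        print(f"  {ind['defanged']}  [{ind['assessment']}]")
```

The output for the sample is two indicators: the first host carries the courier's name in front of a domain the courier does not own, the classic "brand.com.something.net" pattern, and the second is a shortener, which is a reason to expand it in a sandbox rather than a verdict on its own. Only the defanged form leaves the script, so nothing an analyst copies from the ticket is a live link.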
The skill that matters here is the same one that matters for email phishing: reading an indicator and telling a real attack from noise. The channel is smaller, but the analysis is the same.
Frequently Asked Questions
What is smishing in simple terms?
Smishing is a scam sent by text message. An attacker pretends to be someone you trust, such as your bank, a delivery company, or your boss, and tries to trick you into tapping a malicious link, sharing a password or code, installing a bad app, or sending money. It is phishing moved from email to SMS and messaging apps.
What is the difference between phishing, smishing, and vishing?
They are the same kind of social engineering attack on different channels. Phishing usually means email, smishing means SMS and text messaging, and vishing means voice phone calls. The manipulation is identical; only the delivery medium and the artifacts a defender investigates change.
Can smishing get past multi-factor authentication?
Yes. Some smishing apps read incoming SMS and steal one-time codes, and some lures simply ask the target to read a code back or approve a push prompt. This defeats SMS and push-based MFA. Phishing-resistant MFA, such as FIDO2 security keys and passkeys, stops it because the credential is tied to the legitimate site and cannot be relayed.
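Why a code can be relayed but a FIDO2 credential cannot is easier to see in code than in prose. The block below is an added example, not code from the original article or from any FIDO2 library, and it models the WebAuthn ceremony with three simplifications: the authenticator's asymmetric signature is stood in for by HMAC-SHA256 with a per-credential secret, the browser and relying party (RP) are plain functions, and the RP ID, origins and credential are constructed sample values. What it does show faithfully is the binding the article relies on: the browser only produces an assertion when the requested RP ID matches the page's own domain, the assertion embeds that origin, and the RP checks origin, RP ID hash and challenge before it trusts the signature. A short contrast function shows the SMS code case, which has none of those properties.

```python
"""Origin binding in a FIDO2/WebAuthn-style login versus a relayable SMS code.

Added example, not code from the article. HMAC stands in for the
authenticator's asymmetric signature; RP_ID, origins and the credential are
constructed values. The binding checks are the point being demonstrated.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

RP_ID = "example-bank.com"
ALLOWED_ORIGINS = {"https://example-bank.com", "https://online.example-bank.com"}

# Constructed: one credential on the user's authenticator, scoped to RP_ID,
# and the matching key the RP stored at enrolment.
CRED_ID = b"cred-0001"
CRED_SECRET = os.urandom(32)
AUTHENTICATOR = {RP_ID: {CRED_ID: CRED_SECRET}}   # rpId -> credId -> key
RP_REGISTERED = {CRED_ID: CRED_SECRET}


class SecurityError(Exception):
    pass


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Mimics navigator.credentials.get(): refuse unless rpId is the page's
    domain or a suffix of it, so a lookalike page cannot ask for the bank's key."""
    if not origin_matches_rp_id(origin, rp_id):
        raise SecurityError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    creds = AUTHENTICATOR.get(rp_id)
    if not creds:
        raise SecurityError(f"no credential scoped to {rp_id!r}")
    cred_id, key = next(iter(creds.items()))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """The relying party's checks, in the order WebAuthn specifies them."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except ValueError:
        return False, "clientDataJSON unparseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    key = RP_REGISTERED.get(assertion["id"])
    if key is None:
        return False, "unknown credential"
    expected = hmac.new(key, auth + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def scenario_legitimate() -> tuple:
    challenge = os.urandom(16).hex()
    return rp_verify(browser_get_assertion("https://online.example-bank.com", RP_ID, challenge),
                     challenge)


def scenario_cloned_page() -> str:
    """A cloned login page on a lookalike domain asks for the bank's credential."""
    try:
        browser_get_assertion("https://example-bank.com.login-verify.net", RP_ID, "c1")
        return "assertion produced"
    except SecurityError as e:
        return str(e)


def scenario_replay() -> tuple:
    """An assertion captured earlier is presented against a fresh RP challenge."""
    old = browser_get_assertion("https://example-bank.com", RP_ID, "old-challenge")
    return rp_verify(old, "new-challenge")


def sms_code_relay() -> bool:
    """Contrast: a six-digit SMS code carries no origin, so one typed into a cloned
    page and passed on by the attacker verifies exactly like one typed into the real site."""
    code_sent = "482913"                 # constructed
    typed_on_clone = code_sent           # victim reads the code into the phishing page
    relayed_to_real_site = typed_on_clone
    return relayed_to_real_site == code_sent


if __name__ == "__main__":
    print("legitimate:", scenario_legitimate())
    print("cloned page:", scenario_cloned_page())
    print("replay:", scenario_replay())
    print("SMS code relayed through a clone still verifies:", sms_code_relay())
```

The three scenarios map onto the FAQ answer: the legitimate login verifies; the cloned page never gets an assertion at all, because the browser rejects an RP ID that does not belong to the page's domain; and an assertion captured once is useless later, because the RP's challenge has changed. The last function is the SMS case the article describes, where nothing ties the code to where it was typed, so a relay is indistinguishable from the real thing.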
What should I do if I tapped a smishing link?
Do not enter anything on the page. If you already entered credentials, change that password immediately and reset MFA. If you installed an app, remove it and run a mobile security scan. Report it to your security team or your carrier, watch the affected accounts for unusual activity, and revoke active sessions where you can.
Why is smishing increasing?
Texts are cheap to send in bulk, carrier filtering is weaker than enterprise email security, and people trust and act on texts quickly. Phones also hold banking apps, MFA codes, and corporate access while often sitting outside corporate controls. That combination of a lightly defended, highly trusted channel is why attackers have shifted volume toward SMS.
Is replying STOP to a spam text safe?
Usually not for unknown spam. Replying anything, including STOP, confirms to the sender that your number is live and monitored, which can increase the volume you receive. For texts from senders you never signed up with, block and report the number instead of replying.
The bottom line
Smishing is phishing aimed at the phone, and it works because the phone is the channel people trust most and defend least. A short text, a hidden link, and a moment of divided attention are enough to harvest a credential, steal a one-time code, or open the door to a corporate account.
Defending against it means recognizing the lures, refusing to act on a text under pressure, verifying through a known channel, and deploying phishing-resistant MFA so a stolen code is worth nothing. For a SOC, a reported smishing text is early warning, and the analysis that follows is the same triage discipline as email phishing, run on a smaller screen.