Smishing is phishing delivered through text messages. Learn how SMS-based attacks work, why they bypass email defences, and how to train employees to recognise them.
Smishing is phishing delivered through text messages. The word combines "SMS" and "phishing," and it describes a category of social engineering attack that arrives on the device most people treat as personal: their mobile phone. The pretexts are familiar from email phishing — fake delivery alerts, urgent account warnings, impersonated authority figures — but the channel changes the behavioural dynamics entirely.
Reported smishing losses in the United States exceeded 470 million dollars in a recent year according to FBI Internet Crime Complaint Center data, and that figure understates the true scale because most smishing incidents are never reported. The reason it works so consistently is not that smishing is technically sophisticated. It works because the mobile phone is a high-trust environment that most organisations have not trained their employees to defend.
How Smishing Differs from Email Phishing
Email phishing has been a recognised threat for two decades. Most organisations operate enterprise email gateways that filter known malicious messages, scan attachments for malware, and quarantine suspicious senders. Employees have been trained — usually repeatedly — to scrutinise email more carefully than other forms of communication.
Smishing bypasses every one of those defences.
No gateway protection. Carriers run spam filtering on SMS, but it is far less mature than an enterprise email gateway, and because the message lands on a personal device it never passes through the organisation's own controls at all. Messages routinely reach the device.
No technical scanning. An SMS is short plain text with no attachments to scan, and there is no link rewriting or sandboxing on the way in. Malicious URLs are often shortened, masking the actual destination until the moment of tap.
Higher trust, faster action. Phones are personal devices. Messages on personal devices feel personal, and the mental scrutiny that protects an inbox tends not to extend to a text message glanced at between meetings.
Less reporting infrastructure. Most organisations have a "report phishing" button in their email client. Very few have an equivalent for mobile messages. Smishing attempts that are recognised by employees often go unreported simply because the reporting workflow does not exist.
Common Smishing Tactics
The pretexts are not new, but each is tuned to exploit specific mobile context.
Fake delivery alerts. "Your package is held at the depot. Confirm your address within 2 hours to avoid return." The expectation of legitimate delivery notifications, especially during peak retail periods, makes these messages effective against a wide audience.
Verification code phishing. A message claiming to be from a bank or service warns of suspicious activity and tells the recipient to expect a code. The attacker then triggers a genuine code by attempting the login themselves, and a follow-up call from a "fraud team" talks the victim into reading it back. Because the code is real, the login succeeds. This pattern accounts for a significant share of account takeover incidents.
Tax and government impersonation. Messages impersonating tax authorities — the IRS in the United States, HMRC in the United Kingdom, regional tax authorities elsewhere — exploit fear of regulatory consequences to drive clicks on credential harvesting pages.
Payroll and HR pretexts. "Your salary deposit needs reconfirmation," "Update your tax form here," "Benefits enrollment closes today." These messages target the entire workforce because every employee has payroll and HR touchpoints.
MFA fatigue prompts. A message arrives claiming to be from internal IT or a service the employee uses, asking them to approve an unexpected multi-factor authentication push. Combined with repeated push notifications on a real authenticator app, this technique has bypassed strong authentication at major organisations.
Executive impersonation. "Hi, this is the CEO — are you available? I need a quick favour." Short, personal-feeling messages aim to start a conversation that escalates into a gift card purchase, wire transfer, or sensitive data request.
Why Smishing Works So Well
The behavioural dynamics that make email phishing successful are amplified on mobile.
Glance behaviour. Mobile messages are read quickly, often while doing something else. Employees scrutinising an email at a desktop apply more cognitive attention than employees glancing at a text in a corridor.
Truncated context. A short message carries few of the signals that help a recipient judge legitimacy: there is no sender domain to inspect, no header to expand, no detailed signature to compare against a known contact, and the sender field is only a number or a name the sender chose. Attackers exploit the lack of context to make pretexts feel plausible.
Personal-device trust. The same phone receives messages from family, friends, doctors, and delivery services. The mental category for "messages on my phone" is dominated by legitimate communication, which lowers the alarm threshold for the few messages that are not.
Hidden URLs. Link shorteners hide the actual destination until the moment of tap, and there is no hover preview on a phone. By the time an employee sees the destination URL, they have already committed to following the link, and a mobile browser's truncated address bar shows little of the real domain even then.
Smishing vs. WhatsApp Phishing
Some industry sources use "smishing" to refer to any phishing attack on a mobile messaging channel, including WhatsApp. Strictly, smishing means SMS phishing — the "s" in the term comes from SMS. Phishing attacks delivered through WhatsApp, Telegram, Signal, or other messaging apps follow the same social engineering playbook but use different channels with different operational characteristics.
The distinction matters for two practical reasons. First, technical detection differs by channel. SMS is unencrypted and routed through carrier infrastructure; WhatsApp is end-to-end encrypted and routed through Meta. Second, business communication patterns differ by region. In North America and parts of Europe, SMS remains common for business notifications. In the Middle East, GCC, and much of Asia, WhatsApp has become the dominant business messaging channel and is the more frequent attack surface.
The defensive habits, however, are essentially identical. Verify any urgent or sensitive request through a known channel. Treat unexpected links with skepticism regardless of how they arrived. Recognise that mobile messages deserve the same scrutiny as email even when they feel more personal.
How to Recognise a Smishing Attempt
The red flags that work for email phishing also apply to text messages, with a few mobile-specific additions.
Unknown sender with personal claim. A message that addresses you by name from a number you do not recognise should always trigger verification.
Urgency without proportional context. "Action required within 2 hours" is a manipulation pattern, not a normal communication style. Legitimate organisations rarely communicate genuine emergencies this way.
Shortened or unusual URLs. Bit.ly, t.co, and other shorteners are common in marketing, but they are also common in attacks. When in doubt, do not tap the link. Visit the service directly through its known web address or app.
Mismatch between sender claim and number. A message claiming to be from your bank that arrives from an ordinary mobile number is not from your bank. The reverse does not hold: alphanumeric sender IDs are set by whoever sends the message and are easily spoofed, so a sender field that reads like the bank's name proves nothing on its own.
Requests that bypass normal process. Wire transfers, credential changes, gift card purchases, and tax information sharing should never be authorised based on a text message — regardless of how plausible the sender appears.
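The red flags above can be turned into a first-pass triage for messages that employees forward to a security mailbox. What follows is an added example written for this page, not PhishSkill code: the shortener list, the scoring weights and thresholds, the brand and urgency vocabularies, and the four sample messages are all constructed assumptions, and the patterns are English-only.

```python
"""Heuristic triage for forwarded SMS reports (added example, not PhishSkill code).

Scores a reported message against the red flags above: shortened or unexpected
links, artificial urgency, requests that bypass normal process, and a mismatch
between the organisation the text claims to be from and the kind of sender it
actually came from. Lists, weights and samples are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Illustrative shortener list (an assumption; extend it from your own reports).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}

# Full URLs, or bare domains such as "example.com/login" that are tappable on phones.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)
URGENCY_RE = re.compile(
    r"\b(?:within\s+\d+\s*(?:hours?|hrs?|minutes?|mins?)|today|immediately|"
    r"urgent(?:ly)?|suspended|final notice|avoid return)\b", re.I)
# Organisations a smisher typically impersonates (assumed vocabulary).
BRAND_RE = re.compile(
    r"\b(?:bank|hmrc|irs|royal mail|usps|dhl|ups|fedex|parcel|depot|payroll|hr|it support)\b",
    re.I)
# Requests that should never be actioned from a text message.
BYPASS_RE = re.compile(
    r"\b(?:gift ?cards?|wire transfer|one-time code|verification code|otp|"
    r"passwords?|tax form|bank details|card details|approve the (?:push|login|sign-in))\b",
    re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        # Thresholds are an assumption; calibrate against your own reports.
        if self.score >= 6:
            return "likely smishing"
        if self.score >= 3:
            return "suspicious"
        return "low"

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def sender_kind(sender: str) -> str:
    """Classify the raw sender field: short code, full phone number, or alphanumeric ID."""
    s = sender.strip()
    if re.fullmatch(r"\d{3,6}", s):
        return "shortcode"
    if re.fullmatch(r"\+?\d{7,15}", s):
        return "phone"
    return "alphanumeric"


def url_host(url: str) -> str:
    """Return the host part of a URL or bare domain, lower-cased."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split("?")[0].lower()


def triage(sender: str, body: str) -> Verdict:
    v = Verdict()
    for url in URL_RE.findall(body):
        host = url_host(url)
        if host in SHORTENERS:
            v.add(3, f"shortened link ({host}) hides the destination")
        else:
            v.add(1, f"link to {host}")
    if URGENCY_RE.search(body):
        v.add(2, "artificial deadline or urgency")
    if BYPASS_RE.search(body):
        v.add(3, "asks for money, a code, credentials or tax data")
    kind = sender_kind(sender)
    if BRAND_RE.search(body):
        if kind == "phone":
            v.add(3, "claims to be an organisation but was sent from an individual phone number")
        elif kind == "alphanumeric":
            # Alphanumeric sender IDs are chosen by the sender, so a matching name proves nothing.
            v.add(1, f"alphanumeric sender ID {sender!r} is unverified")
    return v


# Constructed sample reports (not real messages; numbers are reserved test ranges).
SAMPLES = [
    ("+447700900123",
     "Royal Mail: your parcel is held at the depot. Confirm your address "
     "within 2 hours to avoid return: https://bit.ly/3abc"),
    ("HR-Team",
     "HR: benefits enrollment closes today. Update your tax form here: "
     "hr-portal-update.com/login"),
    ("67890",
     "Bank: we blocked a payment. Reply with the one-time code we just sent "
     "to confirm it was you."),
    ("+15551234567",
     "Hi, it's Dana from the Tuesday meeting, can you resend the slides when "
     "you get a chance?"),
]


def triage_all() -> list[tuple[str, str, int]]:
    """Triage every sample and return (sender, label, score) for each."""
    return [(s, triage(s, b).label, triage(s, b).score) for s, b in SAMPLES]


if __name__ == "__main__":
    for sender, body in SAMPLES:
        v = triage(sender, body)
        print(f"{v.label:16} score={v.score:2}  from {sender!r}")
        for r in v.reasons:
            print("   -", r)
```

The point of the scorer is the reasons list rather than the number: a reviewer on the reporting mailbox sees which red flag fired and can confirm it in seconds, and the benign sample scores zero because a personal message from a phone number with no link, deadline or sensitive request trips nothing. Short codes deliberately add no points on their own, since they are provisioned through carriers; treat that as a decision to revisit with your own data.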
Defending Against Smishing: the Awareness Layer
Technical controls help: carrier-level spam filtering catches some attacks, and mobile device management can push DNS or web content filtering that blocks known malicious domains on managed devices, though not on the unmanaged personal phones most texts arrive on. The durable defence against smishing is employee recognition. Three layers of awareness training reliably reduce smishing success rates.
Pattern recognition training. Employees who have been shown the common smishing pretexts in advance recognise them faster when they arrive. Real example exposure beats abstract description.
Verification habit reinforcement. Training that emphasises specific verification steps — "if a message asks for money or credentials, call the sender on a number you already have, not the number in the message" — builds the behavioural reflex that defeats most smishing attempts regardless of pretext sophistication.
Reporting workflow clarity. Employees who know how to report a suspicious message report more of them. Organisations that establish a clear reporting channel — even something as simple as forwarding to a dedicated security email — see measurable improvements in detection speed.
Vishing and smishing simulation training provides a deeper treatment of how mobile-channel awareness programmes are structured.
How PhishSkill Approaches Mobile Phishing Today
PhishSkill currently runs phishing simulations across email and WhatsApp. SMS-channel simulation is on our roadmap but not yet live. Smishing recognition, vishing recognition, and other social engineering pattern training are covered through the awareness training modules so employees still learn to identify the patterns even when the live simulation surface is narrower than the full threat landscape.
This is the honest scope: live simulation on the channels we operate end-to-end today, educational training across the broader social engineering surface. If your organisation needs SMS-channel simulation as a near-term requirement, the right starting move is to deploy awareness training that covers the smishing patterns while planning to layer simulation when it becomes available.
Related Learning
- What Is Phishing?
- What Is Social Engineering?
- What Is Spear Phishing?
- What Is a Phishing Simulation?
- Vishing and Smishing Simulation Training
Related PhishSkill Capabilities
- WhatsApp Phishing Awareness Training — the WhatsApp channel implementation with admin-controlled enrolment
- AI-Powered Phishing Awareness Training — context-aware template generation for the channels we simulate today
More Learning Resources
What Is Phishing Awareness Training? A Complete Guide for Security Teams
Phishing awareness training teaches employees to recognise and report phishing attempts. Learn what makes it work, how it differs from phishing simulation, and how to build an effective programme.
Security Awareness Policy Template
Learn what a security awareness policy should include and how organizations can implement one.
How to Run a Phishing Simulation
A step-by-step guide to running phishing simulations and measuring employee security awareness.
Ready to stop phishing attacks?
Run realistic phishing simulations and high-impact security awareness training with PhishSkill's automated platform.