
smishing

2 posts with the tag “smishing”

Smishing Attacks: How Text Message Phishing Works and How to Stop It

Smishing attacks - smartphone with malicious SMS message

Your phone buzzes. A text from your “bank” says suspicious activity was detected on your account. Click here to verify. The link looks legitimate. The message is urgent.

You’re already reaching for the link before you’ve finished reading.

That reaction is exactly why smishing works. SMS phishing succeeds where email fails because we’ve spent years training ourselves to distrust our inboxes. Nobody taught us to be suspicious of texts.

I’ve watched security-conscious people who would never click an email link tap a suspicious SMS without hesitation. The psychology is different:

Texts feel personal. Email comes from companies. Texts come from people you know. When a text arrives, your brain defaults to trust.

There’s no time to think. Email sits in your inbox until you’re ready. A text notification demands immediate attention. You’re responding on instinct, not analysis.

You can’t see where links go. On a phone screen, URLs get truncated. That suspicious domain? Hidden behind “…” in a tiny font.

Your phone has no defenses. Your email has spam filters, phishing detection, attachment scanning. Your SMS app? Nothing.

“Chase Alert: Unusual activity detected on your account. Verify immediately: chase-verify-security.com”

These messages exploit:

  • Trust in bank security alerts
  • Fear of financial loss
  • Urgency of fraud prevention

“USPS: Your package cannot be delivered. Update delivery preferences: usps-redelivery.net”

Effective because:

  • Everyone receives packages
  • Delivery issues feel plausible
  • Small “redelivery fees” seem reasonable

“Google: Someone is trying to sign into your account. Reply YES if this was you, or click here to secure your account.”

This attack intercepts legitimate login attempts by tricking users into revealing authentication codes.

“Apple Support: Your iCloud is full and backups are failing. Upgrade now to prevent data loss: icloud-upgrade-storage.com”

Targets users’ fear of losing photos and data.

“IRS: You have an outstanding tax obligation. Avoid legal action by paying immediately: irs-payment-portal.com”

Uses authority and fear of government penalties.

Unexpected contact: Legitimate organizations rarely initiate sensitive communications via SMS.

Urgency language: “Immediately,” “urgent,” “within 24 hours” pressure quick action over careful evaluation.

Generic greetings: Your bank knows your name. “Dear Customer” suggests fraud.

Shortened or suspicious URLs: Bit.ly links or domains that don’t match the claimed sender.

Requests for sensitive info: Legitimate organizations don’t ask for passwords, PINs, or full account numbers via text.

Poor grammar or formatting: Professional organizations have professional communications.
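As an added illustration of the red flags above (this is example code, not part of the original post), the following Python heuristic scores an SMS body for the cues the post lists: a link whose domain does not match the brand the message claims to be from, shortened URLs, urgency language, and requests for sensitive data. The brand-to-domain allowlist, the shortener list and the sample messages are constructed assumptions for the demo, not a vetted dataset.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lures quoted in the post.
SAMPLE_TEXTS = [
    "Chase Alert: Unusual activity detected on your account. "
    "Verify immediately: chase-verify-security.com",
    "USPS: Your package cannot be delivered. "
    "Update delivery preferences: usps-redelivery.net",
    "IRS: You have an outstanding tax obligation. "
    "Avoid legal action by paying immediately: irs-payment-portal.com",
    "Your Chase statement is ready. View it in the app or at chase.com",
]

# Hypothetical allowlist: brand keyword -> registrable domains the brand uses.
BRAND_DOMAINS = {"chase": {"chase.com"}, "usps": {"usps.com"}, "irs": {"irs.gov"}}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed, illustrative
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "avoid legal action")
SENSITIVE_PHRASES = ("password", "pin", "account number", "ssn")

# Matches bare or schemed hostnames such as "usps-redelivery.net" or "https://bit.ly/x".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def _has_any(phrases, lowered: str) -> bool:
    """True if any phrase occurs as whole words in the lower-cased text."""
    return any(re.search(rf"\b{re.escape(p)}\b", lowered) for p in phrases)


def registrable_domain(url: str) -> str:
    """Reduce a URL to its last two labels, e.g. alerts.chase.com -> chase.com."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_sms(text: str) -> dict:
    """Return a heuristic score and the red flags found in one SMS body."""
    lowered = text.lower()
    findings, score = [], 0
    claimed = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lowered)]
    for url in URL_RE.findall(text):
        domain = registrable_domain(url)
        if domain in URL_SHORTENERS:
            findings.append(f"shortened URL {domain}")
            score += 2
        for brand in claimed:  # brand named in the text but link goes elsewhere
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(f"claims {brand} but links to {domain}")
                score += 3
    if _has_any(URGENCY_PHRASES, lowered):
        findings.append("urgency language")
        score += 1
    if _has_any(SENSITIVE_PHRASES, lowered):
        findings.append("asks for sensitive information")
        score += 2
    return {"score": score, "suspicious": score >= 2, "findings": findings}


if __name__ == "__main__":
    for sms in SAMPLE_TEXTS:
        print(analyze_sms(sms))
```

The thresholds are arbitrary; the point is that a brand/domain mismatch alone is a strong signal, while urgency wording only raises the score when combined with something else.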

Attackers rarely use just one channel. A smishing text might tell you to call a number (leading to vishing). A vishing call might reference a “confirmation text” they’re about to send. The channels reinforce each other.

The difference between them comes down to what makes each channel vulnerable:

  • Email phishing gives attackers more space to craft convincing messages, but we’ve learned to be suspicious
  • Smishing exploits the trust and urgency built into text messaging
  • Vishing adds real-time social pressure that’s almost impossible to resist

If you get suspicious communication on one channel, expect attempts on others.

Never click links in unexpected texts. Navigate directly to services by typing URLs or using apps.

Verify independently. If a text claims to be from your bank, call the number on your card, not any number in the message.

Enable spam filtering. Both iOS and Android offer SMS spam detection. Enable it.

Report smishing. Forward suspicious texts to 7726 (SPAM) to report to carriers.

Don’t respond. Responding (even to say “stop”) confirms your number is active.

Mobile device management (MDM): Implement security policies on company devices including SMS threat detection.

Employee training: Include smishing scenarios in security awareness programs. Mobile threats are undertrained relative to email.

Clear policies: Establish that your organization will never request credentials or sensitive data via SMS.

Reporting mechanisms: Make it easy for employees to report suspicious texts to security teams.

Simulation testing: Include SMS-based simulations in phishing awareness programs where possible.

  1. Delete the message
  2. Block the sender
  3. Report to 7726 (SPAM)

If You Clicked But Didn’t Enter Information

  1. Close the page immediately
  2. Clear browser data
  3. Monitor for unusual activity

  1. Change password immediately on the real site
  2. Enable 2FA if not already active
  3. Contact the real organization’s fraud department
  4. Monitor accounts for unauthorized activity
  5. Consider identity theft protection if personal information was shared

Smishing attacks increased 700% during 2021-2022 as attackers recognized the opportunity. Contributing factors:

  • Mobile-first communication: People increasingly handle sensitive transactions on phones
  • Trust gap: Security training focuses on email while mobile threats are undertrained
  • Technical limitations: SMS lacks the authentication and filtering infrastructure email has developed
  • Pandemic acceleration: Increased reliance on delivery services and mobile banking created new attack surfaces

Case Study: Package Delivery Smishing Campaign

A 2023 smishing campaign impersonated USPS, UPS, and FedEx simultaneously:

Attack pattern:

  1. Text claiming delivery issue
  2. Link to credential harvesting page mimicking carrier site
  3. Request for “small redelivery fee” ($1.99)
  4. Payment form capturing full credit card details

Scale: Millions of texts sent during holiday shipping season

Effectiveness: Higher success rate than equivalent email phishing due to timing (everyone expected packages) and mobile trust dynamics

Lesson: Seasonal context dramatically increases smishing effectiveness. Training should address current attack patterns.

We’ve spent two decades building email security. Spam filters, phishing detection, user training. And it worked. Click rates on phishing emails have dropped.

So attackers moved to SMS, where none of those defenses exist.

The same skepticism you’ve learned to apply to email needs to extend to every channel. That “bank alert” text? Call your bank using the number on your card. That “delivery notification”? Check the tracking on the carrier’s actual website.

It feels paranoid. It’s not. It’s just how we have to operate now.


Build the instincts that catch smishing before you click. Try our interactive security exercises with realistic SMS attack scenarios.

Mobile Security Training: Protecting the Remote and Mobile Workforce

Mobile security training - smartphone with protective shield against mobile cyber threats

Your employees no longer work exclusively from secure office networks. They access company data from smartphones on public WiFi, tablets at coffee shops, and laptops in home offices. This shift to mobile and remote work has expanded your attack surface.

Attackers have noticed. Mobile-specific attacks like smishing (SMS phishing) have increased over 300% in recent years. Employees who carefully evaluate emails on their work computers often tap malicious links on their phones without thinking. Mobile security training addresses this gap.

Mobile devices present unique security challenges that traditional training often ignores:

On desktop, employees can hover over links, examine sender details, and evaluate content carefully. On mobile:

  • URLs are often hidden or truncated
  • Email headers are collapsed
  • Sender verification requires extra steps
  • Quick taps replace careful clicks

This design encourages fast action over careful consideration, exactly what attackers exploit.

Many employees use the same phone for work and personal activities. This creates risks:

  • Personal apps may access work data
  • Work credentials exist alongside personal accounts
  • Security policies compete with personal convenience
  • The line between work and personal security blurs

Mobile devices are always within reach, meaning employees encounter threats constantly:

  • Text messages arrive anytime
  • Push notifications demand immediate attention
  • Work communications mix with personal messages
  • Security fatigue accumulates faster

Mobile devices face threats from multiple directions:

  • SMS/text messages (smishing)
  • Messaging apps (WhatsApp, Telegram, etc.)
  • Voice calls (vishing)
  • Malicious apps
  • Compromised WiFi networks
  • QR codes leading to malicious sites

Traditional email-focused training misses most of these channels.

Text message attacks have become increasingly sophisticated:

Common smishing lures:

  • “Your package couldn’t be delivered. Confirm address: [link]”
  • “Unusual activity on your account. Verify: [link]”
  • “Your payment failed. Update information: [link]”
  • “IT: Your VPN access expires today. Renew: [link]”

Why smishing works:

  • People trust text messages more than email
  • No spam filters on SMS
  • Urgency feels more pressing on mobile
  • Short URLs hide true destinations
  • Quick tap response is instinctive

Phishing emails viewed on mobile are more dangerous:

  • Links harder to verify before tapping
  • Fake login pages look identical to real ones
  • Screen size hides suspicious elements
  • Mobile email apps provide less context

Studies show mobile users are 18x more likely to click phishing links than desktop users.

Phone calls targeting mobile workers:

  • IT support impersonation requesting credentials
  • Executive impersonation demanding urgent action
  • Vendor calls requesting payment information
  • Technical support scams gaining device access

Caller ID spoofing makes these attacks appear legitimate.

Dangerous apps that employees might install:

  • Fake versions of legitimate apps
  • Apps requesting excessive permissions
  • Malware disguised as utilities
  • Compromised apps from legitimate stores

Even official app stores occasionally host malicious applications.

Threats from compromised or malicious networks:

  • Evil twin WiFi networks mimicking legitimate ones
  • Man-in-the-middle attacks on public WiFi
  • Network sniffing capturing unencrypted data
  • Rogue access points in public locations

Remote workers frequently connect to untrusted networks.

QR codes have become attack vectors:

  • Codes directing to phishing sites
  • Malicious codes placed over legitimate ones
  • Payment fraud through fake QR codes
  • Automatic downloads triggered by scanning

The convenience of QR codes bypasses normal URL scrutiny.

Train employees to identify text message threats:

Red flags:

  • Unexpected messages about accounts or deliveries
  • Urgency demanding immediate action
  • Links in text messages (especially shortened URLs)
  • Requests for personal or financial information
  • Messages from unknown numbers claiming familiarity

Safe practices:

  • Never tap links in unexpected text messages
  • Verify through official apps or websites directly
  • Call companies using numbers from their official sites
  • Report suspicious messages before deleting
  • Question any text requesting credentials or payment

Adapt email security for mobile context:

Challenges:

  • Sender addresses often hidden by default
  • Links difficult to preview before tapping
  • Smaller screens encourage quick scanning
  • Mobile email clients vary in security features

Training focus:

  • Expand sender details before taking action
  • Long-press links to preview destinations
  • Access sensitive accounts through apps, not email links
  • Be extra cautious on mobile compared to desktop
  • When uncertain, wait and verify on desktop

Establish mobile app security guidelines:

Installation:

  • Only download apps from official stores
  • Verify developer identity and reviews
  • Check permissions requested before installing
  • Be suspicious of apps with few reviews or recent uploads

Permissions:

  • Question apps requesting unnecessary access
  • Deny permissions not essential to app function
  • Review permissions periodically
  • Remove apps no longer used

Updates:

  • Keep apps and operating systems current
  • Enable automatic updates where possible
  • Update promptly when notified
  • Remove apps that no longer receive updates

Train employees on safe network practices:

Public WiFi risks:

  • Avoid accessing sensitive data on public networks
  • Use VPN when connecting to untrusted networks
  • Verify network names before connecting
  • Disable auto-connect to open networks

Home network security:

  • Change default router passwords
  • Use strong WiFi encryption (WPA3 where available)
  • Keep router firmware updated
  • Separate work and personal networks if possible

Address physical security of mobile devices:

Basic practices:

  • Use strong passcodes or biometric locks
  • Enable device encryption
  • Configure auto-lock with short timeout
  • Enable remote wipe capability

Loss prevention:

  • Enable find-my-device features
  • Report lost devices immediately
  • Know how to remotely wipe if needed
  • Maintain device backups

For organizations allowing personal devices:

Employee responsibilities:

  • Keep devices updated and secured
  • Use approved security apps if required
  • Separate work and personal data where possible
  • Report security incidents affecting personal devices

Organization responsibilities:

  • Clear BYOD policies
  • Technical controls that respect privacy
  • Support for security on personal devices
  • Incident response procedures

Training about mobile security should work on mobile:

  • Short modules (5-10 minutes)
  • Touch-friendly interfaces
  • Content viewable on small screens
  • Offline access capability

Test smishing recognition through:

  • Simulated smishing messages (where legal and disclosed)
  • Recognition exercises using example messages
  • Reporting practice for suspicious texts
  • Feedback on detection accuracy

Create realistic mobile scenarios:

  • Receiving suspicious text while traveling
  • Connecting to WiFi at a conference
  • Installing an app for work purposes
  • Receiving urgent call from “IT support”

Mobile learners benefit from brief, focused content:

  • Single-topic modules
  • Quick reference materials
  • Just-in-time reminders
  • Easy-to-access resources

Employees working primarily outside office:

  • Home network security setup
  • VPN usage and importance
  • Secure video conferencing
  • Physical workspace security

Staff frequently on the move:

  • Airport and hotel WiFi risks
  • International travel considerations
  • Device theft prevention
  • Secure communication while traveling

Employees working in various locations:

  • Mobile device physical security
  • Public location awareness
  • Communication security in shared spaces
  • Incident reporting while remote

Leadership facing mobile-specific threats:

  • High-value target awareness
  • Sophisticated vishing recognition
  • Secure communication for sensitive discussions
  • Device security during travel

Evaluate current mobile security posture:

  • Device inventory (corporate and BYOD)
  • Current security policies
  • Past mobile-related incidents
  • Employee mobile security awareness baseline

Establish clear mobile security policies:

  • Acceptable use guidelines
  • BYOD requirements
  • Incident reporting procedures
  • Security tool requirements

Implement supporting technology:

  • Mobile device management (MDM) where appropriate
  • VPN for remote access
  • Multi-factor authentication
  • Remote wipe capability

Launch mobile security training:

  • Baseline training for all employees
  • Role-specific advanced modules
  • Regular reinforcement and updates
  • Simulation exercises

Maintain and improve the program:

  • Regular policy reviews
  • Training content updates
  • Metric tracking and analysis
  • Adaptation to new threats

Measuring Mobile Security Training Success


Metric                          Poor        Acceptable   Strong
Smishing click rate             Over 30%    10-15%       Under 5%
Suspicious message reporting    Under 20%   40-60%       Over 70%
VPN usage compliance            Under 50%   70-80%       Over 90%
Device security compliance      Under 60%   80-90%       Over 95%

  • Mobile-related security incidents
  • Time to report mobile threats
  • Device loss/theft incidents
  • Malicious app installations
  • Training completion rates
  • Mobile training access patterns
  • Resource utilization
  • Employee feedback scores

Problem: Training designed for desktop doesn’t address mobile-specific threats or work well on mobile devices.

Solution: Create mobile-first training that covers mobile threats and works on small screens.

Problem: Organizations focus on email phishing while ignoring text message threats that employees face daily.

Solution: Include smishing in simulation programs and dedicate training to text-based attacks.

Problem: Employees use personal devices for work without clear security expectations or support.

Solution: Establish clear BYOD policies with appropriate security requirements and employee support.

Mistake 4: Assuming Technical Controls Suffice

Problem: Organizations rely on MDM and technical controls without training employees on mobile security.

Solution: Technical controls and training work together. Neither alone provides adequate protection.

Problem: Mobile security covered once during onboarding and never revisited.

Solution: Provide ongoing mobile security training with regular updates as threats evolve.

Prepare for evolving mobile risks:

  • AI-generated voice calls (deepfake vishing)
  • More sophisticated smishing campaigns
  • Attacks through messaging apps
  • IoT device vulnerabilities
  • 5G-enabled attack capabilities

Mobile training will continue developing:

  • More immersive mobile simulations
  • Better integration with daily workflows
  • AI-powered personalized training
  • Real-time threat awareness updates

Mobile devices have become essential work tools, but they also represent significant security risks. Traditional security training developed for desktop environments doesn’t adequately prepare employees for mobile-specific threats.

Effective mobile security training addresses the unique challenges of mobile work: smaller screens that hide suspicious elements, smishing attacks that bypass email filters, network risks from working anywhere, and the blurred line between personal and professional device use.

Your employees carry potential entry points for attackers in their pockets every day. Mobile security training ensures they also carry the knowledge to protect themselves and your organization from mobile-specific threats.


Build mobile security awareness through hands-on practice. Try our free security exercises including smishing and vishing scenarios that prepare employees for real-world mobile threats.