What is Smishing

Smishing is phishing delivered by text message. Learn how attackers run SMS lures past the defenses that protect email, the kits that industrialized the attack, and the controls that build a verify-before-you-tap reflex.

Smishing is the fastest-growing branch of phishing

Smishing is phishing carried over text messages. The word blends SMS and phishing, and it describes any fraudulent text that pressures a target into tapping a link, calling a number, sharing a one-time code, or installing an app. It works because a phone has no secure email gateway in front of it, link shorteners hide the real destination, and people read texts within minutes, often while distracted and away from a keyboard.

The scale is now industrial. The US Federal Trade Commission reported $470 million lost to text-message scams in 2024, up from $373 million the year before, with fake package-delivery notices impersonating the US Postal Service the single most reported text scam. The FBI 2024 Internet Crime Report ranked phishing and spoofing as the most reported crime type at 193,407 complaints, and unpaid-toll smishing alone generated 59,271 complaints in a single year.

Most of that volume traces to organized operations rather than lone scammers. Resecurity attributes a large share to the China-based Smishing Triad, which rents ready-made smishing kits over Telegram and rotates lures through USPS, toll services, and banks. The same tradecraft reaches the enterprise: the 2022 campaign tracked as 0ktapus used Okta password-reset texts to breach more than 130 companies, including Twilio and Cloudflare.

How smishing attacks unfold

1. Number sourcing and targeting

Attackers buy phone numbers from breach dumps, data brokers, and lead lists, or generate them in sequence against a known area code. Enterprise-targeted campaigns pair a name and role from LinkedIn with a number from a breach, so the text can reference the right employer, manager, or tool. Consumer campaigns go wide and cheap, blasting millions of numbers with a lure that works on anyone who recently ordered a package or drove a toll road.

2. Lure crafting with a trusted brand

The message impersonates a courier, a bank fraud line, a toll authority, an employer help desk, or a mobile carrier. It compresses the ask into one or two sentences with a deadline, because a small screen rewards brevity and urgency. Smishing kits ship with pre-built templates and localized copy, so the same operator can run a USPS lure in the morning and an E-ZPass lure in the afternoon without writing a word.

3. Link masking and gateway evasion

SMS has no equivalent of a secure email gateway, so the link does most of the work. Attackers use URL shorteners, freshly registered lookalike domains, and open redirectors to hide the destination, and they often gate the page behind a CAPTCHA so automated scanners cannot reach the payload. Some campaigns skip the link entirely and ask the target to reply or to call a number, moving the attack to a channel with even less inspection.

4. Credential and code capture

The link opens a mobile-optimized page that mimics a bank, carrier, or single sign-on login. On a phone the address bar is short and easy to overlook, which makes the lookalike domain hard to catch. When the target enters a username and password, the page asks for the one-time code as well, then relays both to the attacker in real time. This adversary-in-the-middle pattern is why an SMS or app-push code does not stop a determined smishing operator.

5. Escalation and monetization

A captured consumer login becomes drained funds, opened credit lines, or resold identity data. A captured employee login becomes the first step of a breach: the attacker logs into the corporate identity provider, adds their own device, and pivots to email, code repositories, or customer systems. Many enterprise smishing campaigns hand off to a voice call within hours, using the text as the opener and the call to close, as the 2023 Retool breach showed.
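The link masking described in step 3 (shorteners, lookalike domains, open redirectors) is what a security team sees when employees forward suspicious texts. The triage check below is an added example, not RansomLeak's code or tooling; the brand inventory, shortener list, and sample message are constructed for illustration and a real deployment would use its own maintained lists.

```python
import re
from urllib.parse import urlparse

# Constructed inventory for the example: official domains the organization
# expects links to land on, brand words attackers borrow, and common shorteners.
OFFICIAL_DOMAINS = {"usps.com", "okta.com"}
BRAND_TOKENS = ("usps", "okta")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample of a reported delivery lure (not a real campaign message).
SAMPLE_TEXT = ("USPS: your package is held at the depot. Confirm your address "
               "within 12 hours at http://usps.com-redelivery.top/track")


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_link(url):
    """Return the reasons a link from a text deserves scrutiny (empty list = none found)."""
    reasons = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    base = registrable(host)
    if base in SHORTENERS:
        reasons.append("shortener hides destination")
    if base not in OFFICIAL_DOMAINS:
        # A brand word inside a host that is not the brand's own domain is the
        # classic lookalike (usps.com-redelivery.top, okta-sso-reset.net).
        if any(t in host for t in BRAND_TOKENS):
            reasons.append(f"brand name in lookalike host {host}")
        elif any(t in p.path.lower() for t in BRAND_TOKENS):
            reasons.append(f"brand name only in path on {base}")
    # A second URL inside the query string is the open-redirector pattern.
    if "http" in (p.query or "").lower():
        reasons.append("embedded URL in query (possible open redirector)")
    if p.scheme == "http":
        reasons.append("plain http")
    return reasons


def triage_text(message):
    """Map every URL found in a forwarded text to its triage reasons."""
    return {u: triage_link(u) for u in URL_RE.findall(message)}
```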

Real-world smishing case studies

2022 0ktapus / Scatter Swine SMS-to-breach campaign

The group tracked as 0ktapus and Scatter Swine ran a coordinated SMS phishing campaign against more than 130 organizations, including Twilio, Cloudflare, MailChimp, and DoorDash. Texts impersonated Okta password resets and routed employees to lookalike single sign-on portals that captured live credentials and one-time codes. Cloudflare avoided a breach because it had mandated hardware security keys for every employee, while Twilio confirmed attacker access to internal tools and customer data. The campaign proved that one well-timed text can be the entire initial-access stage of an enterprise compromise.

2023 Smishing Triad USPS data-theft campaign

Resecurity attributed a wave of USPS-impersonation texts to the China-based Smishing Triad, a network of operators who build and rent smishing kits over Telegram. The texts claimed a package could not be delivered and pushed recipients to a fake USPS page that harvested names, addresses, and payment-card details. Resecurity recovered more than 108,000 victim records from the operators' infrastructure. The case showed how a fraud-as-a-service model lets many low-skill actors run professional-grade campaigns at national scale.

2024-2025 toll-road smishing expansion

From late 2024 the Smishing Triad pivoted to unpaid-toll lures impersonating E-ZPass and other toll services, targeting drivers across at least eight US states before spreading to the UK. The texts warned of a small overdue toll and a late fee, a figure low enough that many people paid without checking. The FBI Internet Crime Complaint Center logged 59,271 toll-smishing complaints in 2024, and reporting from 2025 showed the same operators shifting their kits toward direct bank-card theft.

How to defend against smishing

Never act on a link or number inside a text

Treat every unexpected text as unverified. Do not tap links, and do not call numbers the message provides. Open the courier, bank, or toll account through the official app or a typed web address instead, and check whether the claim is real there. This single habit defeats the majority of smishing, because the attack depends on the target staying inside the channel the attacker controls.

Deploy phishing-resistant MFA for the workforce

SMS and app-push codes can be relayed in real time by adversary-in-the-middle smishing kits, so they do not stop a credential-capture attack. Move employees, starting with IT, finance, and engineering, to FIDO2 hardware keys or platform passkeys, which bind the login to the legitimate domain and cannot be completed against a lookalike page. Cloudflare credited mandatory hardware keys with stopping the 2022 0ktapus texts at its perimeter.

Report smishing to 7726 and delete

In the US, UK, and Canada, forwarding a scam text to 7726 (SPAM) feeds carrier and GSMA threat intelligence that blocks the sending numbers for everyone. Teach staff to report-then-delete, and give the workforce an internal channel to flag work-related smishing so the security team can warn others. Reporting rate is the leading indicator that tracks with resilience, on mobile as much as on email.

Enable on-device and network mobile threat defense

Mobile threat defense agents (from vendors such as Lookout, Zimperium, or the mobile tier of an existing EDR) flag malicious links and sideloaded apps on managed devices. Pair them with DNS filtering that blocks resolution to known phishing infrastructure, and enable the built-in spam and scam-text filtering in iOS and Android. These controls catch the link even when the lure copy is new.

Verify any payment or access change out of band

Require a callback to a published internal number before any wire change, banking-detail update, MFA reset, or new-device approval, no matter which channel the request arrived on. Adopt a code word for high-value finance and help-desk requests so a text plus a follow-up call cannot complete the chain alone. The combined SMS-then-voice pattern behind the Retool breach is exactly what this control is built to stop.

Run recurring role-based smishing exercises

Generic annual training does not transfer to the phone. Role-based exercises that mirror live tradecraft (toll and delivery lures for everyone, help-desk MFA-reset texts for IT, vendor-payment texts for finance) keep the verify-before-you-tap reflex current. Measure reporting rate and time-to-report, not click rate alone, and refresh the scenarios monthly to track the kits as their lures rotate.

How RansomLeak trains employees to spot smishing

RansomLeak runs immersive, scenario-based exercises rather than recorded videos and static quizzes. The smishing exercise drops the learner into a realistic text thread, such as a delivery lure, a fake fraud alert, or a toll notice, and forces a decision on a phone-shaped screen where the address bar is short and the pressure is real. Each scenario ends with immediate feedback that names the cues the learner missed and the verification step that would have caught the real attack.

Coverage extends across the mobile and messaging surface. The vishing exercise moves the same reflex to voice calls, the callback phishing exercise drills the text-then-call pattern attackers use to bypass link scanning, the QR code phishing exercise covers image-based lures, the MFA fatigue exercise covers the push-bombing that follows a captured password, and the WhatsApp social engineering exercise extends the muscle to chat apps. Every exercise ships as SCORM 1.2 and SCORM 2004, so it drops into Cornerstone, Workday Learning, Docebo, or any standards-compliant LMS without integration work.

Programs are scoped by role rather than blasted to all staff. Frontline and field teams get delivery and toll lures, IT and help-desk staff get MFA-reset and account-recovery texts, finance gets vendor-payment and banking-change pretexts, and executives get targeted spear-smishing. The result is a verification reflex that transfers across SMS, voice, QR, and chat, measured by reporting rate and time-to-report and refreshed monthly to track attacker tradecraft as the kits rotate their lures.

Frequently Asked Questions

What security leaders ask about this threat.

What is the difference between smishing and phishing?

Phishing is the umbrella term for fraudulent-message attacks that impersonate a trusted source. Smishing is the branch of phishing delivered by SMS or text message, rather than by email.

The psychology is identical: both exploit urgency, authority, and trust to move a target into an action they would not take if they paused. The channel is what differs, and it matters. Texts have no secure email gateway in front of them, links are masked by shorteners, and a small screen hides the lookalike domain, which is why smishing often slips past people who would spot the same trick in their inbox.

What is the difference between smishing and vishing?

Smishing is phishing over text messages. Vishing is phishing over voice calls. Both move the attack off email and onto the phone, where corporate defenses are thinnest and people respond fastest.

The two are frequently chained. A smishing text sets up a pretext, then a vishing call arrives to close it, as in the 2023 Retool breach where a text lure was followed by a call using a deepfaked voice. Defending the phone means training for both channels, not just one.

Why are smishing attacks so effective?

Texts reach a channel with almost no filtering. There is no secure email gateway for SMS, link shorteners hide the real destination, and the short mobile address bar makes a lookalike domain hard to spot. People also read texts within minutes and often act while distracted.

Smishing kits have lowered the barrier too. Operators like the Smishing Triad rent ready-made templates over Telegram, so professional-grade USPS, toll, and bank lures run at national scale. The FTC recorded $470 million in text-scam losses in 2024.

Does MFA stop smishing?

SMS codes and app-push prompts do not stop modern smishing. Adversary-in-the-middle kits relay the one-time code to the attacker in real time the moment the target enters it on a lookalike page, so the second factor is captured along with the password.

Phishing-resistant MFA does stop these attacks. FIDO2 hardware keys and platform passkeys bind the login to the legitimate domain, so a fake page cannot complete the handshake. Cloudflare credited mandatory hardware keys with blocking the 2022 0ktapus smishing campaign.
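Both the "Deploy phishing-resistant MFA" section above and this answer say a FIDO2 key or passkey "binds the login to the legitimate domain". The added example below, which is not code from the page or from RansomLeak, shows the relying-party side of that binding in simplified WebAuthn terms: the browser writes the page's origin into clientDataJSON, the authenticator writes the SHA-256 of the RP ID into authenticatorData, and the server rejects any assertion where either does not match its own domain. The RP ID, allowed origin, and challenge values are constructed for the example; signature verification is a separate step that a real implementation performs with a WebAuthn library after these checks pass.

```python
import hashlib
import json

# Constructed relying-party configuration (assumption for the example):
# the legitimate single sign-on portal lives at sso.example.com.
RP_ID = "sso.example.com"
ALLOWED_ORIGINS = {"https://sso.example.com"}


def rp_id_hash(rp_id):
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID the authenticator scoped to."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def build_client_data(challenge, origin):
    """What the browser produces. The origin field is filled in by the browser,
    not by the page, so a lookalike site cannot claim the legitimate origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def build_authenticator_data(rp_id, sign_count=1):
    """rpIdHash (32 bytes) || flags (1 byte, user-presence bit set) || signCount (4 bytes)."""
    return rp_id_hash(rp_id) + b"\x01" + sign_count.to_bytes(4, "big")


def verify_assertion(client_data, auth_data, expected_challenge):
    """Domain-binding checks a relying party runs before checking the signature.
    Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # A relayed assertion from a lookalike page fails here even if the
        # attacker forwarded our challenge in real time.
        return False, f"origin {cd.get('origin')} is not the legitimate portal"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch: credential was scoped to another domain"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "domain binding ok; next verify signature over authData || sha256(clientData)"
```

The same relayed one-time code that an adversary-in-the-middle kit captures at step 4 has no equivalent here: the attacker can forward the challenge, but cannot make the victim's browser or authenticator produce an origin or rpIdHash for a domain it is not on.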

How do I report a smishing text?

In the US, UK, and Canada, forward the message to 7726, which spells SPAM on a keypad. This feeds carrier and GSMA threat intelligence that helps block the sending number for other people. After forwarding, delete the text and do not tap any link or reply.

If the text targeted you at work, also report it through your internal security channel so the team can warn colleagues and check whether others received it. Fast reporting is the single most useful thing an employee can do.

What should I do if I tapped a smishing link?

Stop immediately and do not enter any credentials, codes, or payment details, even if the page looks genuine. Close the page and, if it is a work account, report it to your security team or help desk through the published channel right away.

If you already entered details, the security team will rotate the password, revoke active sessions, check for new devices added to the account, and watch for unusual logins. Speed matters, because the gap between the tap and the report is the window an attacker uses to take over the session.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.