Smishing
What is Smishing?
Smishing: Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
Smishing (SMS phishing) is a social-engineering attack that uses text messages — and increasingly RCS or messaging apps like WhatsApp and iMessage — to lure recipients into harmful actions. Common pretexts include parcel-delivery notifications, bank fraud alerts, tax-refund messages, two-factor-code interception requests, and toll-payment scams. Mobile context favours the attacker: links are truncated, sender IDs can be spoofed, and users are often distracted. Defences include carrier-level filtering, anti-phishing mobile clients, FIDO2 or app-based MFA instead of SMS codes, and user awareness focused on out-of-band verification of any urgent text.
● Examples
- 01. A text claiming "USPS delivery failed — pay $1.99 redelivery fee at hxxps://usps-redeliver[.]link".
- 02. A fake bank alert urging the recipient to call a fraud line that asks for full card details and one-time codes.
● Frequently asked questions
What is Smishing?
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data. It belongs to the Attacks & Threats category of cybersecurity.
What does Smishing mean?
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
How do you defend against Smishing?
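Defences against Smishing combine technical controls and operational practices: carrier-level filtering, anti-phishing mobile clients, FIDO2 or app-based MFA instead of SMS codes, and user awareness focused on out-of-band verification of any urgent text.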
What are other names for Smishing?
Common alternative names include: SMS phishing, Text-message phishing.