Smishing: what it is, how it works and how to prevent it

Smishing, also known as SMS phishing, is a type of phishing scam that targets victims via SMS/text messages. It attempts to dupe them into handing over sensitive information such as financial information and login credentials, which could then be used to steal money or commit identity fraud.


What’s the difference between smishing and phishing?

Whereas smishing pursues victims via SMS/text messages, phishing attacks target individuals via emails and purport to be from legitimate senders. They usually contain malicious attachments or links to sites that use drive-by downloads to install malware onto victims’ machines or harvest their credentials.


Examples of smishing attacks

The most common types of smishing attacks imitate banks, retailers, HMRC, delivery companies, and technology providers such as Apple or Google. They often use messaging that creates a sense of urgency and plays on the recipient’s emotions, typically the fear of losing something or eagerness to take advantage of an exclusive offer that features unusually high savings and is only available for a limited time. Examples include a message from your bank informing you of suspicious/unusual activity on your account or lack of funds, or a message from HMRC stating that you are due a tax rebate.

How people fall victim

In this day and age, everything is fast-paced, and people tend to be in a rush to get things done, especially in the lead-up to the festive season. They skim-read and, in their haste, inadvertently open links without stopping to think about what they are doing.

If you do fall victim, you must take immediate steps to protect your information, such as informing your IT department, changing your password(s) and contacting your bank.

How to avoid falling victim to smishing

Some basic tips to avoid falling victim:

  • Do not follow links in text messages if they look unusual.
  • If an offer sounds too good to be true, it probably is.
  • Always question whether the sender would contact you via a text message, e.g. would your bank ask you to follow a link to log in to your account?
  • If a text looks suspicious, get in touch with the organisation using contact information from their website to confirm the message is legitimate.
  • Not all smishing attacks impersonate organisations – they can impersonate people too.

If in doubt, you can check HMRC’s guidance on recognising scams, and smishing attacks can be reported to Action Fraud.

Unfortunately, you cannot prevent smishing from occurring, but you can educate your employees to be aware of the risks to prevent them from falling victim. A smishing attack on a company device could prove more problematic than one on a personal device, mainly because of the company data that could be stored on it: such an attack has the potential to compromise your entire system.

Educate your employees on the risks of phishing attacks, teach them the consequences, and help them understand how easy it is to fall victim and how to identify scams with our Phishing Staff Awareness E-learning Course.



  • Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.