What is Smishing? Definition, Prevention and Examples

Smishing is a relatively new form of cyber attack that uses the same techniques that have made phishing such a potent security threat.

The main difference between the two is that, whereas phishing occurs via email, smishing campaigns are conducted using text message (also known as SMS messages, hence the name ‘smishing’).

Despite the apparent novelty of smishing attacks, they present a major cyber security threat. According to a Proofpoint study, 84% of organisations suffered a smishing attack last year.

In this blog, we explain how people are being targeted, using real-life examples of smishing attacks.

How does smishing work?

Smishing uses the same basic principle as email phishing and other types of online fraud. Scammers craft messages that replicate correspondence from a legitimate organisation and encourage people to follow an attached link.

That link directs recipients to a webpage that’s designed to trick them into downloading malware or handing over their login credentials.

There are certain differences between the way smishing and phishing attacks are carried out. For example, you cannot impersonate a legitimate sender’s phone number in the same way that you can mimic an email address.

Smishing attack examples

There are countless ways that cyber criminals target people with smishing. This is in part because of the changing way in which we work and interact with technology. No longer limited to office environments and face-to-face meetings, many employees communicate on mobile apps and instant message clients.

It’s also become more common for organisations to contact customers by text, creating additional avenues through which criminals can target people.

They’re aided by the lack of information needed to make an SMS message look genuine – as you can see in these real-life examples.

Online bank fraud

This message appears to be from HSBC, and claims that fraudulent activity has been detected on the victim’s account.

The text is written in an authentic style but is let down by a suspicious web domain that doesn’t include ‘HSBC’.

You’ve won an iPhone

For many, the iPhone and iPad are synonymous with luxury, so it’s no surprise that fraudsters dangle it as bait.

Such messages are among the most common pretexts in smishing scams, and can be found in practically every service that offers instant messaging capabilities.

In this example, the sender claims that the recipient is one of 100 people who is in with a chance to win an Apple iPad Pro, Magic Keyboard and a 12-month subscription to Apple TV.

Prize winner

Both smishing and phishing are heavily populated by scams claiming that the recipient has won a prize. In the example below, the message states that the recipient has won second prize in a lottery.

This scam exploits two common tactics in smishing emails. First, it generates excitement at the prospect of having won something.

In this case, it claims that it was ‘second prize’, which may well temper people’s expectations and make the message feel more believable. It’s not necessarily some huge luxury item such as an iPhone – which may arouse suspicion – but instead something presumably less valuable but still impressive.

That brings us to the second tactic used in this scam – namely, it piques the recipients’ interest by not stating what the prize is.

Whereas some bogus messages will promise something specific, like an iPhone, this message creates a layer of mystery that encourages the recipient to follow the link.

Free gift vouchers

Supermarket voucher scams are particularly popular whenever there are suggestions that people are on tight budgets.

The run-up to and weeks following Christmas are prime examples, and unlike scams that promise expensive gifts, supermarket voucher scams appear to provide a way to help people afford necessities.

In this message, the scammer claims that Aldi is giving away £150 in vouchers to celebrate its anniversary.

There are scams imitating almost every UK supermarket, but this one is especially deceptive given its authentic-looking URL. If you look carefully, you’ll see the ‘D’ in Aldi has been replaced by a near-identical letter used in the Arabic alphabet; the only difference is the small dot (a diacritic).

Tax rebate from HMRC

In this scam, the victim receives a message supposedly from the government saying that they are entitled to a tax rebate.

This scam works for two reasons. First, recipients may not view the unsolicited message with suspicion, because tax rebates are somewhat common and most people won’t be sure if they are expecting a rebate.

Second, the message accurately mimics a genuine correspondence. The URL, although fake, contains the words “hmrc” and “gov”, which you’d expect to see in a legitimate correspondence.

However, eagle-eyed recipients will notice that, whereas UK government websites use “.gov” as the top-level domain, this link uses “.com” and includes “gov” in the local part of the domain.

How to prevent smishing attacks

The most decisive way to protect yourself from scams is to never provide personal details in response to an unsolicited message.

Scammers’ objective is to capture these details, so if you simply ignore their requests, you can be assured of your safety.

However, many people are hesitant to do this because it leaves the possibility that they’ve ignored a genuine message. If it’s, say, a tax rebate or an online banking fraud warning, inaction could feasibly have significant negative consequences.

Although we understand this, it’s unlikely that you would only be alerted by text message in these scenarios. You would typically also get a letter from the government or a phone call from your bank.

If you’re ever uncertain whether a message is genuine, you can find an alternative way of contacting the sender. This might be by visiting your bank in-branch, logging into an online portal or finding a phone number on their website.

Additionally, everyone should be able to spot the signs of a suspicious email to protect themselves from scams. You can find out how by enrolling in our Phishing Staff Awareness E-Learning Course.

This online training courses uses examples such as the ones listed in this blog to help you identify the signs of scams.

It covers everything from phony text messages and emails to telephone con artists to ensure that you and your team is equipped to spot fraudulent messages before it’s too late.


  • Luke Irwin

    Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology..