As mobile phone use has risen, so too has cybercrime that targets mobiles. It is increasingly common for people to use their personal phones for work, which means that cellular cybercrime has become a threat to businesses as well as individuals.
Smishing is a type of cybercrime that sends phishing messages to mobile phones. The victims are tricked into sharing sensitive information or making payments to cyber attackers, who often conceal their identity behind a well-known and trusted organisation or brand.
So how does smishing work? What kind of smishing attacks should you be aware of? And what can you do to ensure you are well protected against them?
Read on as we explore answers to these questions and more.
Smishing is a portmanteau of SMS (short message service) and phishing. It is a type of cyberattack in which the attacker sends messages to the victim's phone that attempt to deceive them into sharing sensitive information or following malicious links.
Cybercriminals use smishing to steal your personal data, which can then be used to commit other crimes, or to get you to make payments to fraudulent accounts.
So let's jump in and find out how smishing works.
Cybercriminals use smishing to steal data and money. They can do this in one of the following three ways:
- Trick you into downloading malicious software (malware) that infects your phone and steals confidential data. The SMS may encourage you to download an app that asks you to type in private information and data (such as passwords, bank account numbers, etc.) that will then be sent to the cybercriminals.
- Link to a malicious website. The smishing message may contain a link to a dangerous website that asks you to share private information and data. The website might be clearly fake, but it might also be well designed to mimic a legitimate site so that you are more likely to trust it.
- Ask you to share details via message. Some smishing messages pretend to be from your bank, HMRC, or a delivery company and request you to send personal or financial information or demand that you make a payment.
In every instance, the criminals behind the smishing attacks use a false identity that you are more likely to trust and share information with. The attacker may use number spoofing to hide their real number behind a more formal and legitimate-looking alternative.
The attacker may also use a situation that feels specific to you to make the message appear more personal and legitimate. For example, they might send hundreds of smishing messages to different numbers asking for payment for the delivery of a package. While the majority of recipients will not be expecting such a delivery, there may be a few who are and then feel that the message has been personally written for them.
The final method a cybercriminal may use when smishing is to encourage an urgent response to scare you into action. They may say that if you don't make payment within 48 hours, you will be taken to court or something similar.
Phishing is a cybercrime in which the criminal sends a fraudulent email to trick the recipient into clicking on dangerous links that will infect their computer system. Smishing is the same, but it is done via text message rather than email.
Smishing is particularly effective because phone users have more confidence in text message security than email. Most people are aware of the risks of email fraud and phishing but are far less wary when using their phones.
People often use their smartphones on the move and when they are distracted. This makes a lapse in judgement more likely, and attackers count on catching people at such moments.
Smishing targets are chosen in many different ways, and the process is often random. However, some targets are selected based on their affiliation with an organisation or network that the cybercriminals have hacked, their regional location, or their demographic.
Elderly and vulnerable people are often the targets of scams as they are less likely to be attuned to the dangers and threats posed by cybercriminals.
Although most smishing attacks work in a similar way, the way in which they are presented can vary widely. There is no definitive list of the identities smishers may adopt, as new ones emerge all the time, chosen for whatever currently looks legitimate and has not yet become familiar as a scam.
Common smishing attacks include:
- COVID-19 smishing. COVID-19 smishing scams have been particularly effective as they take advantage of the general sense of uncertainty created by the pandemic. They are often based on legitimate financial support schemes set up by the government. For example, victims may receive a message from a number claiming to be HMRC, saying their financial details are needed to process a rebate they are owed.
- Banking and financial services smishing. These are smishing attacks from criminals posing as a bank or other financial institution that says they need your account details to process a payment or to unlock your account.
- Gift smishing. Gift smishing offers free products from a well-known retailer as a shopping reward or competition prize. The message will either direct you to a malicious site or require you to download an e-gift card that asks for your personal details.
- Customer support smishing. In this style of attack, the smisher pretends to be a customer support worker from an established company. They will then claim there is an error with your account and ask for your login details to recover it.
The best way to protect yourself against smishing attacks is to do nothing. The message is harmless as long as you don't take its bait. The problem is, this is easier said than done because, as we have seen, some smishing messages can be very convincing.
So, to ensure your best chance of being protected against smishing, stick to the following advice:
- Do not respond. If you receive a promotional message or contact from an institution such as your bank, don't reply to their message via text. If you feel any suspicion or doubt regarding a message, communicate with the sender through other means, such as a phone call or email. That way, you can both check if the message is legit and protect your number from being identified as active.
- Take a moment to check the authenticity of a message if it is urgent. If a message demands you make a quick payment or asks for your details urgently, then approach it cautiously and inspect it for any red flags. There can be a temptation to respond quickly to such messages, given their urgency, but the best thing to do is to act with care and caution.
- Don't follow links. If you receive a message that asks you to follow a link, go to the official contact channels rather than follow the link.
- Look at the number. Although smishers may use number spoofing, if they have not concealed their number you may be able to tell it is suspicious. For example, if you receive a message from HMRC and it is sent from a personal mobile phone number, then that is a major red flag!
- Install anti-malware. There are plenty of anti-malware apps you can download from Google Play or the Apple App Store. These will protect your phone from malware and should alert you to anything suspicious.
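The three delivery methods described earlier (malware download, malicious link, request for details or payment) and the red flags in the advice above (urgency, links, requests for details, an organisation name arriving from a personal mobile number) can be turned into a simple triage check. The script below is an added illustration and is not part of the original article; it runs over a handful of constructed sample messages. The sender numbers use the 07700 900xxx range that Ofcom reserves for fictional use, and the link domains use the reserved `.example` TLD, so none of them refer to real services. The UK mobile-number pattern and the keyword lists are assumptions chosen to match the article's examples, not a definitive detection rule.

```python
"""Heuristic SMS red-flag triage (added example; not the article's code).

Scores a message on the warning signs the article lists and returns a verdict.
Sample messages and numbers below are constructed for this illustration.
"""
from __future__ import annotations
import re

# Pressure to act fast ("within 48 hours", "immediately", "account suspended")
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|within \d+ hours?|final notice|last chance"
    r"|account (will be )?(suspended|locked|closed))\b", re.I)
# Any URL, or a bare domain followed by a path
LINK = re.compile(r"(https?://\S+|\b[\w-]+\.[a-z]{2,}/\S*)", re.I)
# Requests for credentials, account details, or payment
REQUEST = re.compile(
    r"\b(password|pin|card (number|details)|bank details|account (number|details)"
    r"|sort code|log ?in|verify your|confirm your|payment|fee)\b", re.I)
# Organisations and themes the article names as common smishing disguises
ORG = re.compile(
    r"\b(hmrc|bank|royal mail|delivery|parcel|customer support|rebate|refund)\b", re.I)
# Assumption: UK personal mobile number, 07xxxxxxxxx or +447xxxxxxxxx
PERSONAL_MOBILE = re.compile(r"^(\+?44|0)7\d{9}$")


def red_flags(sender: str, text: str) -> list[str]:
    """Return the list of red flags raised by one message, in a fixed order."""
    flags = []
    if URGENCY.search(text):
        flags.append("urgency")
    if LINK.search(text):
        flags.append("link")
    if REQUEST.search(text):
        flags.append("asks_for_details_or_payment")
    # An organisation's message arriving from a personal mobile is the article's
    # "major red flag": a real HMRC or bank message would not come from 07xxx.
    if ORG.search(text) and PERSONAL_MOBILE.match(sender):
        flags.append("org_name_from_personal_mobile")
    return flags


def classify(sender: str, text: str) -> str:
    """Two or more flags: treat as suspicious. One: review. None: low risk."""
    n = len(red_flags(sender, text))
    return "suspicious" if n >= 2 else "review" if n == 1 else "low"


# Constructed samples (sender, text). Numbers are in Ofcom's reserved drama range.
SAMPLES = [
    ("07700900123",
     "HMRC: You are owed a tax rebate of £248.50. Confirm your bank details "
     "within 48 hours at http://hmrc-rebate.example/claim"),
    ("ParcelCo",
     "Your parcel could not be delivered. Pay the £1.99 redelivery fee now: "
     "parcel-redeliver.example/pay"),
    ("07700900456",
     "Hi, it's Sam, running 10 mins late for lunch, see you there!"),
    ("+447700900789",
     "Your bank: a login from a new device was blocked. Reply with your PIN "
     "to unlock your account immediately."),
]


def triage_all(samples=SAMPLES) -> list[tuple[str, str, list[str]]]:
    """Run every sample through the checks; returns (sender, verdict, flags)."""
    return [(s, classify(s, t), red_flags(s, t)) for s, t in samples]


if __name__ == "__main__":
    for sender, verdict, flags in triage_all():
        print(f"{sender:>14}  {verdict:<10}  {', '.join(flags) or '-'}")
```

The verdict is deliberately coarse: the point is that the first, second and fourth samples each trip several independent signs at once, while an ordinary personal text trips none. A real filter would also be fed the "forward to 7726" reports the article mentions, which is how providers learn new sender patterns.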
If you are the victim of a smishing attack, take the following steps to ensure the damage is limited and that other people are protected from similar attacks in the future:
- Freeze any account or card details you shared.
- Change all your passwords and PINs where possible.
- Monitor your accounts and finances.
- Forward any malicious messages free to 7726. This reports the message to your phone provider.
- Contact Action Fraud. You can either do this online or by calling 0300 123 2040.
Smishing text messages are phishing attacks that target mobile phone users via SMS. A smishing text message will typically attempt to get you to download malicious software, link to a dangerous website, get you to share your personal details, or demand that you make an immediate payment to a fraudulent account.
The best way to protect yourself against smishing attacks is to not respond or engage with any messages that look suspicious. If you receive a message you are unsure about, do not reply or follow any links or demands. Instead, follow up by engaging with a different communication channel from the same organisation. If you continue to be suspicious of the message, forward it to 7726. Remember, it is best to exercise caution, so even if a message appears legitimate, think twice before taking it at face value.