Skip to content Skip to navigation Skip to footer

What is Smishing?

Smishing Definition

Smishing is a form of phishing, which uses social engineering to trick someone into revealing private information. However, the attack is executed using a text message. In many cases, the smisher poses as someone you know or authorized to ask you for sensitive information, such as tech support staff, government workers, a bank, or another financial institution.

Another common smishing definition is an attack that leverages trust to get people to divulge sensitive data. Some people are more likely to provide personal information over a text message than via email or another form of communication. Smishermen abuse this trust and are often able to get away with stealing highly valuable data.

To avoid smishing, it is important to understand not only the smishing meaning but how it works. It also helps to recognize what is in it for smishermen. Once you know how to spot the signs of a smishing attack and how it is different from vishing and regular phishing, you can better prepare yourself and those in your organization to spot and stop it.

What Is a Smishing Text and How Does it Work?

A smishing text is a text message sent to your phone worded in a way that makes you feel comfortable sharing personal information. Often, these “texts” are actually emails sent to your phone. The attacker never has your phone number in the first place. A smishing text may also contain a link to a site that looks legitimate. However, once you enter your personal information, it is captured by a smisher and either used by them or sold to someone who seeks to abuse your credentials.

Smishing attacks often work by combining two or more steps, with the end objective of stealing your information. The first step is to get you to feel obligated to take action. This can be for legal reasons, to make money, or to “save” money that you do not want stolen. The second step is to get you to a legitimate-looking site designed to look nearly identical to the kind of site you expect to see. 

For example, if it is a government site, it will have the appropriate crest or insignia that corresponds with the agency you expect the site to belong to. If it is a financial institution, the site may have fonts, logos, and color schemes you will normally see on a site run by that institution.

The final step is to get you to enter your personal information. The request can be something as straightforward as asking you to enter your account name and password. Once you provide the information and submit it, the attack succeeds.

Smishing can also be executed using fewer steps. For instance, the original text may contain a link that, once tapped, downloads malware that can be used to steal your information.

What Do Smishing Attacks Yield for Smishermen?

Smishermen are just like other cyber criminals—they want to steal your personal data. If a smisher does a good job of impersonating a website for a financial institution, for instance, they can get you to provide your login and then use it to pretend to be you. They may take a large sum of money in a one-time attack or several small amounts over a period of time. Doing this to enough people yields a sizeable income for the smisherman.

However, an attacker does not necessarily need to log in to a specific financial institution to make a profit off your personal information. Many people tend to reuse usernames and passwords on several accounts. For instance, their email address can be their username, and although their password may not be easy to guess, they may use the same one again and again. Hence, a smisher only needs to grab your password once to access several other sites and services.

How To Know if You Are Being Smished

Once you know the signs of smishing, it is not hard to spot an attack. When a text tries to get you to reveal credentials, download malware, or send someone money, you are likely being smished.

Request To Reveal Credentials

A smisher may attempt to get you to provide your username and password, which they will use to access the site they are trying to emulate or another kind of account. Often, smishers pretend to be a bank that, for one reason or another, needs you to enter your information. The reasons the attacker will provide to necessitate information input vary, but anytime someone asks you for login credentials over a text message, that should raise a flag.

This holds true even if the request seems legitimate. For instance, someone may send you a text message warning you about your account being compromised. Purportedly, this is because someone has initiated a large transaction or a payee has been added to your account. The attackers then hope you will click a link so you can “remedy” the situation. 

However, in reality, no one has infiltrated your account or added a new payee. Despite how good the website they take you to looks, it is fake. When you enter your credentials, you are not preventing money from being taken from your account, you are facilitating it.

In a slightly different type of smishing attack, the goal is not to get you to manually enter your information. Rather, the attackers present you with a phone number to call to remedy the situation. When you call, someone on the other end may sound like a legitimate customer support representative. They then ask you for your credentials to verify it is you or so that they can take a look at your account to investigate the issue. When you provide that information, the attack has succeeded.

These kinds of attacks are usually successful, not just because they use social engineering to fool people into acting out of fear but also because many institutions, financial and otherwise, do use text messaging to communicate with customers. Also, it is common for people to type in their usernames and passwords—or to provide them over the phone—so the smishing attack method may not stand out as suspicious in and of itself. Therefore, it is crucial to know what a legitimate request for information from online service providers looks like. When a text message is different in wording or format, it should be viewed with suspicion.

Requests To Download Potential Malware

Malware, once installed on your device, can accomplish several nefarious objectives. Malware is software designed to work within the operating system of specific devices. Once inside the device, the malware can control specific functions or collect critical information.

Malware can also be abused in an attempt to use your device’s resources to help the attacker. For example, phones have been hijacked to leverage their processing power to mine cryptocurrencies. Once the malware has been installed, the phone’s computational resources are repurposed to mine digital assets. Some hackers use a smaller portion of your device’s power so you do not notice it has been hijacked. 

In some cases, however, your device is run past its limit, resulting in it malfunctioning or even melting. One of the easiest ways to get this and other kinds of malware on a device in the first place is to initiate a smishing request.

Requests For Money

You should view any request for money via a text message with utmost suspicion. Perhaps a flag goes up when you see a request from a “prince” who needs to access a foreign bank account. But not all scams are as obvious. For example, it is possible for a smisher to gather a list of your friends and family members’ names from social media sites like Facebook. Then, if they are able to get a message to you, they can pretend to be one or more of your close associates. 

Gaining trust in this way is a crucial component of many smishing attacks. Even if the attacker convinces you to send just a small amount of money, they may be doing the same with dozens—or hundreds—of other people, which can add up to a significant payday.

Another method of getting money from people is for a smisher to act like a legitimate charity. Playing on the goodness of people’s hearts, the attacker may pretend to be someone from a local or national church or another charitable organization. Using convincing graphics and marketing copy, it is easy to make the request look believable. However, when you send the money, it does not help the less fortunate but goes straight into the attacker’s pocket.

How To Protect Yourself from Smishing Attacks

One of the most effective tools to help people in an organization avoid smishing attacks is education. Attackers may use several methods to trick their targets, but many of the attacks have similar signatures. Making sure all employees and executives know what the different kinds of smishing attacks look like can equip them to spot and stop them. 

Here are some things you can do to prevent smishing attacks:

  1. Anything that demands you act quickly or with a sense of urgency should be questioned.
  2. Never click on links embedded inside text messages.
  3. Check the number that sends a message asking for information or to click a link inside it. If it looks suspicious, it is possibly a smishing attack.
  4. Never keep your banking or credit card information on your phone. Malware can be used to access it.
  5. If you do not know who is texting you, do not reply to the message or click anything inside it
  6. Report smishing attempts to the Federal Communications Commission (FCC) to help other potential victims.
  7. Do not respond to requests to change or update account information via text message.

Pharming vs. Phishing vs. Vishing vs. Smishing

Phishing is different from pharming in that it uses email messages to get people to divulge private information or download malware. In a phishing email, the attacker makes it seem imperative that the target enter personal data to solve a pressing problem or obtain money. After the victim clicks on a link or types in information, the phisher uses or sells their credentials. Pharming, on the other hand, uses fake websites to get targets to enter their credentials, which attackers then "farm" and collect to use for illicit activities.

Vishing attempts to accomplish the same objective through voice calls. If you get a call from a suspicious number, you can do a quick internet search to gain more information about it. Often, legitimate numbers associated with known or respected businesses usually come up easily in searches. Suspicious numbers may appear in a search as well, but in a directory-style list or even in a list of numbers used by cyber criminals.

Smishing, like its rhyming counterparts, intends to accomplish the same kinds of theft—but using text messages instead. Therefore, pharming, phishing, vishing, and smishing are all different methods used to scam unsuspecting individuals and organizations.

Differences between Pharming vs. Phishing vs. Vishing vs. Smishing

How Fortinet Can Help?

With the Fortinet FortiProxy, you get a proactive web address filtering (WAF) solution that can protect your organization from smishing attacks. Using a WAF, only approved websites are accessed within your network. Even if a team member falls for a smishing bait, they will not be allowed to proceed to the banned site.

With FortiProxy, you can protect your entire organization from malicious websites, traffic, and malware. Because it has Uniform Resource Locator (URL)-filtering capabilities, FortiProxy also helps enforce internet policies—not just for smishing sites but any site you do not want employees to visit.


What is a smishing attack?

A smishing attack is a cyber threat that uses a text message to try to get someone to enter or provide sensitive information.

What is a smishing text?

A smishing text is a text message designed to lure a target into going to a site to enter personal information, call a number and then provide private information, or click on a link that leads to malware.

What is an example of smishing?

One example of smishing is a text message that appears to come from a friend asking for money. The smisher is a complete stranger but is using your connection to a friend—whose name they likely obtained through Facebook—to compel you to send them money.

Can you get hacked by responding to a text?

Yes, you can get hacked if you respond with personal information or click on a link.