ELI5: What is Smishing?

It’s a scam text message on your phone that pretends to be from your bank or a delivery company, trying to get you to click a bad link. “Smishing” is just “phishing” but through text messages instead of email.

Definition

Smishing (SMS phishing) is a social engineering attack that uses text messages (SMS or messaging apps) to deceive recipients into clicking malicious links, calling fraudulent phone numbers, or revealing sensitive information. Like email phishing, smishing messages typically impersonate trusted entities—banks, delivery companies, government agencies—and create urgency to prompt immediate action.

Key Details

  • High read rates: SMS messages have an open rate of ~98% vs. ~20% for email—attackers exploit this for higher click-through rates.
  • Common pretexts: package delivery notifications (fake UPS/FedEx), bank fraud alerts, prize notifications, government benefit claims.
  • Malicious links in SMS lead to phishing sites or drive-by download sites that exploit mobile browser vulnerabilities.
  • Harder to identify as fraudulent on mobile screens—phone numbers and short URLs are less transparent than email headers.
  • Mitigation: do not click links in unsolicited SMS messages; verify by contacting the sender through official channels; use call-blocking apps.

Connections