What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 


Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.

But what’s driving this?

Of course, some of this is down to the pandemic, we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone. 

It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from Banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devasting effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.

State of SME cybersecurity