Overview
Smishing (SMS Phishing) is a social engineering technique in which attackers send SMS or messenger messages
to trick recipients into disclosing confidential information or visiting malicious websites.
The messages often reference alleged delivery problems, outstanding fees, or urgent account security issues
to create a sense of urgency.
Typical Scenario
An attacker sends a text message appearing to come from a delivery service, bank, or online platform.
The message typically contains a shortened link (e.g., bit.ly/...) or an unfamiliar domain
that leads to a fake login or payment page.
Example:
"Your package cannot be delivered. Please pay the outstanding €3.99 customs fee via the following link: bit.ly/xyz"
Once payment or login details are entered, they are sent directly to the attacker.
Risks and Impacts
A successful smishing attack can lead to:
- Theft of bank or credit card information
- Compromise of online accounts
- Installation of malware on mobile devices
- Financial loss and identity theft
- Exposure of personal information to third parties
Preventive Measures
- Verify links – Do not open unknown or shortened URLs, especially from unsolicited messages.
- Check authenticity – Use official service apps or known hotlines to confirm messages.
- Technical controls – Implement mobile security solutions with SMS filtering and link analysis.
- Awareness training – Regularly inform staff and users about current smishing tactics.
- Do not share sensitive data – Never enter personal or financial details via SMS or messenger links.
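As an added example (not part of the original page), the following Python script sketches the kind of SMS filtering and link analysis that the "Technical controls" item refers to, run over constructed sample messages modelled on the delivery-fee text above. The shortener host list and the urgency phrase list are assumptions for illustration, not any vendor's rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not taken from a real campaign): the first mirrors
# the delivery-fee smishing text quoted earlier; the other two are benign.
SAMPLE_MESSAGES = [
    "Your package cannot be delivered. Please pay the outstanding €3.99 customs fee via the following link: bit.ly/xyz",
    "Hi, running 10 min late, see you at the cafe",
    "Your parcel is on its way. Track it at https://www.example.com/track/12345",
]

# Assumed indicator lists. A production filter would use maintained feeds
# (shortener hosts, known phishing domains) rather than a static set like this.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_TERMS = ("cannot be delivered", "outstanding", "fee", "suspended",
                 "verify your account", "immediately", "pay")

# Matches bare or scheme-prefixed hostnames with an optional path (e.g. bit.ly/xyz).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostnames of every URL-like token in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw  # let urlparse see a scheme for bare links
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(text):
    """Return (score, reasons): one point per smishing indicator present."""
    reasons = []
    hosts = extract_hosts(text)
    lowered = text.lower()
    if hosts:
        reasons.append("contains link")
    if any(h in SHORTENER_HOSTS for h in hosts):
        reasons.append("shortened URL")
    if any(term in lowered for term in URGENCY_TERMS):
        reasons.append("urgency/payment language")
    if hosts and re.search(r"(€|eur)\s?\d", lowered):
        reasons.append("money amount plus link")
    return len(reasons), reasons


def is_suspicious(text, threshold=3):
    """Flag a message when it accumulates at least `threshold` indicators."""
    return score_message(text)[0] >= threshold
```

The threshold keeps a plain tracking message with one legitimate link below the flag line while the delivery-fee text trips all four indicators.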
Standards and Best Practices
- ISO/IEC 27001 – Annex A.12 & A.13: Communications Security
- NIST SP 800-53 – Awareness and Training (AT), System and Communications Protection (SC)
- BSI IT-Grundschutz – Module CON.1 “Email and Messaging Usage”
Conclusion
Smishing exploits the high credibility and immediacy of SMS and messenger platforms
to pressure recipients into taking hasty, ill-considered actions.
Effective protection requires a combination of technical safeguards,
clear verification processes, and ongoing awareness initiatives.