Expanding channels: alongside traditional SMS come RCS, WhatsApp, Telegram and iMessage. Attackers rotate channels to dodge filters: when carriers block fraudulent SMS senders, the campaign migrates to end-to-end encrypted messaging, where no network filter can inspect it.
What is smishing
Smishing is phishing delivered over SMS and messaging apps such as RCS or WhatsApp. The attacker sends a short message impersonating a trusted entity — the courier, the bank, the tax office, even a family member — and pushes the victim to tap a link, call a number back or send money. The name blends "SMS" and "phishing", but the channel is no longer limited to classic text messages: any messaging app will do. Because the phone is simultaneously a personal device, the second authentication factor and, increasingly, a work tool, a message that succeeds there can open the door to the employee's bank account and to the company network alike through social engineering.
Why it matters
Users have spent years learning to distrust email, but text messages retain an aura of legitimacy: they are the channel through which genuine bank codes and delivery notifications arrive. The lures are well rehearsed: a parcel held pending a small customs fee, an "unrecognised charge" from the bank asking you to verify your account, an outstanding traffic fine, a payment received "by mistake" that must be returned, or the classic "Mum, I broke my phone, message me on this number". On a small screen, the signals that would give the fraud away disappear: the URL shows shortened or truncated, there is no mouse to preview the destination, and the context of use — walking, in a hurry, between notifications — works in the attacker's favour. For a business the risk goes beyond employee fraud: corporate smishing hunts for access credentials and OTP codes to defeat multi-factor authentication, and the personal phone on which that text is read usually sits outside the reach of corporate security tooling.
Key points
Finely tuned lures: courier messages (customs fees pending on a parcel), banks flagging suspicious charges, traffic authorities chasing fines, instant payments received "by mistake", and the new-phone family scam. They work because they replicate legitimate messages the victim genuinely receives all the time.
Mobile strips away visual defences: shortened or truncated URLs, no hover to reveal the real destination, browsers that hide the address bar, and cloned pages that on a small screen are indistinguishable from the original.
Corporate smishing: messages impersonating the IT team or the company's identity platform to steal credentials and the OTP code in real time, or bombarding the user with fake prompts until they approve an access request. It is the mobile counterpart of spear phishing and often pairs with vishing: first the text, then the call that "confirms" the story.
OTP theft is the star objective: the cloned page asks for username, password and the one-time code, and the attacker replays them against the legitimate site within seconds. SMS-based or typeable-code MFA does not survive this scheme; passkeys and FIDO2 do.
Defences for businesses: phishing-resistant MFA, mobile device management policies, a single official channel for IT communications (never SMS), training with smishing simulations and a clear, blame-free procedure for reporting suspicious messages.
Example: the courier text that reached the business bank account
Friday afternoon. The managing director of a small accountancy firm receives a text: "DPD: your parcel is on hold. Pay a £1.99 handling fee to schedule delivery". She is genuinely expecting a parcel — office supplies ordered on Tuesday — so she taps the link on her phone. The page, identical to the courier's, asks for card details to settle the "fee". Once entered, a second screen requests the code "your bank will send to confirm the operation". The code arrives as a genuine text from the bank, because at that very moment the attackers are enrolling the victim's card in a digital wallet on their own device; the confirmation code she types is exactly what they need to complete the enrolment.
Over the weekend, in-person payments with that card follow in another city. On Monday, reviewing the statement, she discovers a second problem: the compromised card was the company card, linked to the business account. The bank refunds part of the charges, but the claim gets complicated because the payments were "correctly" authenticated with the code. A policy as simple as paying supposed fees only on the courier's official website — typing the address, never following the link in a text — would have cut the chain at step one.
Common mistakes
- Treating smishing as a personal problem rather than a corporate one. The same phone that receives the fraudulent text holds company email, the authenticator app and client conversations; compromising the employee compromises the organisation.
- Trusting SMS-based MFA to protect the account. It is precisely the factor smishing knows how to steal: the cloned page asks for the code and the attacker replays it in real time. If the MFA can be typed, it can be phished.
- Tapping the link 'just to have a look'. Modern smishing pages do not need the victim to type anything to be useful: they confirm the number is live, fingerprint the device and in some cases exploit outdated browsers.
- Giving employees no clear reporting channel. If reporting a suspicious text is cumbersome or feels like admitting a mistake, nobody flags it, and the same lure one employee dodged hooks the next.
- Messaging staff by SMS from ever-changing numbers. If IT or HR send legitimate notices by text with no fixed sender or consistent format, employees have no way to tell the real message from the fraudulent one. The official channel must be single and predictable.
Related services
This concept may be related to services such as:
Frequently asked questions
Why does smishing work better than email phishing?
Channel and context. Text messages retain credibility because genuine bank codes and delivery notices arrive through them; there is hardly any filtering comparable to email; and the phone screen hides the fraud signals: URLs appear shortened, destinations cannot be previewed and the cloned page fills the whole screen. On top of that, phones are checked in a hurry, between notifications, with one's guard down.
What should I do if an employee has already tapped the link?
Act fast and without blame. If they entered corporate credentials, change them immediately and revoke active sessions; if they typed an OTP code, assume the account or card is compromised and block it. Review recent access on the affected platforms, notify the bank if payment details were involved, and log the incident. The sooner it is reported, the more room there is to stop fraud in progress.
Do WhatsApp or RCS messages also count as smishing?
Yes. The term was coined around SMS, but today it covers any mobile messaging: WhatsApp, RCS, Telegram or iMessage. Attackers actively migrate to those apps because end-to-end encryption prevents carriers or network filters from inspecting content, and because they allow sustained conversations — useful for long-running scams such as the new-phone family fraud or investment schemes.
How do I protect my business from smishing aimed at employees?
Combine technology and habit. Phishing-resistant MFA (passkeys or FIDO2) so a stolen code is worthless; mobile device management on phones with corporate access; a single, predictable official channel for IT communications; and periodic smishing simulations that train the right reflex: never tap the link, and verify through the official channel by typing the address yourself.