June 2026

Smishing Explained: The Threat Vector CISOs Can No Longer Ignore


Everyone can spot an email phishing scam: spelling mistakes, "Dear Sir/Madam," "Please deposit $100,000 today to (offshore bank account)." We've all gotten savvy to the telltale signs. But when it comes to spotting a smishing attack, how smart are we?

Lack of awareness surrounding SMS phishing scams makes companies more vulnerable to attacks. Hackers are smart to this gap in knowledge, and they're using it to their advantage in increasingly clever ways.

In this article, we'll explain exactly what smishing is, how it works, and what security managers, CFOs, and CEOs can do to stop it from happening.

What is a smishing attack?

Smishing combines SMS with phishing. Attackers send fraudulent text messages to trick recipients into clicking malicious links, handing over credentials, downloading malware, or authorizing fake financial transfers.

The key distinction from email phishing is that there is no spam filter and no secure email gateway to get past: the message lands directly in the recipient's messaging app, the same app they use to text family, friends and colleagues.

The increase in mobile-first work habits means employees are approving invoices, accessing HR portals, and resetting passwords from their phones. Attackers exploit this, knowing that people act faster on a text than they ever would on an email: SMS open rates are commonly cited at around 98%, compared to roughly 20% for cold emails.

Smishing is not new, but it is becoming more common, especially now that AI tools help scammers craft convincing lures. Smishing rates have tripled in recent years, and smishing now accounts for 35% of all phishing attacks. This misplaced trust in the SMS channel is exactly what smishing exploits, and companies need to invest in security awareness to avoid an attack on their financial systems.

What it feels like to fall for a smishing attack

Imagine: It's 7:45 on a Monday morning. Max, a new starter at a growing tech start-up, rolls out of bed to check his phone. The first text he reads says, "Hi, it's Sarah from IT. Due to a serious data breach, we're forcing a password reset today before 9am. Please click here to verify your account. Thanks so much!"

Max hasn’t even had his first coffee yet, so his judgment is impaired. But it sounds urgent, and the page even looks exactly like the company portal. So, he clicks the link and enters his credentials…

Unfortunately, by the time the real IT team arrives in the office, an attacker has full access to the company's systems – including sensitive customer data, financial records, and more.

This is the element managers need to understand: smishing preys on human vulnerabilities. SMS phishing targets employees at vulnerable times, on their personal devices, with extreme urgency: exploiting trust and a lack of awareness of the threat an SMS can pose.


How smishing attacks work: The anatomy of a modern lure

Let’s dig deeper on how smishing works, starting with the basics.

The four psychological triggers smishing exploits

Effective smishing relies on four triggers that bypass rational thinking:

Urgency: "Your account will be suspended in 2 hours." Time pressure short-circuits deliberate decision-making.

Authority: Messages impersonating IT helpdesks, HR, or executives carry implicit trust. Employees are conditioned to respond to requests from people with greater seniority.

Fear: "Unusual login detected on your account." Fear of consequences overrides caution.

Personal gain: "Your expense reimbursement is ready to process." The promise of something positive lowers defenses just as effectively as a threat.

Link obfuscation on mobile: why you can't vet a URL before you click

On a desktop, hovering over a link reveals the destination URL. On mobile there is no hover, and a long-press preview only shows the link as written, which for a shortened link is no help at all. Shortened URLs (bit.ly, t.co and similar) and company-branded redirect domains give employees no way to vet a link before tapping it. By the time they realize something is wrong, the damage may already be done.
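As an added example (not code from the original article or from Riot), here is how an analyst who receives a forwarded smishing text can expand a shortened link safely from a workstation: each redirect hop is fetched with a HEAD request that is never auto-followed, the hop count is capped, and the landing host is checked for a public shortener in the chain, punycode, and digit-for-letter lookalikes of a trusted domain. The shortener list, the trusted domains, the sample SMS and the canned redirect chain are all constructed for the demo; `head_location` is the real network fetcher and `fake_fetch` stands in for it so the block runs offline.

```python
"""Added example (not from the original article or from Riot): expand a
shortened link from a reported SMS safely, one redirect hop at a time.
Shortener list, trusted domains, sample text and redirect chain are constructed."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: public shorteners an analyst would flag when they appear in a chain.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to auto-follow 3xx responses so every hop is visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5.0):
    """Real fetcher: one HEAD request, returns the raw Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "sms-link-triage/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # an unfollowed 3xx is raised here
        return err.headers.get("Location")
    except urllib.error.URLError:
        return None


def expand_chain(url, fetch=head_location, max_hops=MAX_HOPS):
    """Walk redirects manually; stop at the hop cap or when the chain loops."""
    chain = [url]
    for _ in range(max_hops):
        loc = fetch(chain[-1])
        if not loc:
            break
        nxt = urljoin(chain[-1], loc)          # Location may be relative
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_chain(chain, trusted_domains):
    """Landing host plus the flags a triage analyst would want to see."""
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    final = hosts[-1]
    flags = []
    if any(h in SHORTENERS for h in hosts[:-1]):
        flags.append("shortener")
    if "xn--" in final:
        flags.append("punycode")
    if not _under(final, trusted_domains):
        flags.append("untrusted-host")
        # Digit-for-letter swaps (examp1e, g00gle) are a cheap lookalike trick.
        if _under(final.translate(str.maketrans("10", "lo")), trusted_domains):
            flags.append("lookalike")
    return {"final_url": chain[-1], "final_host": final,
            "hops": len(chain) - 1, "flags": flags}


def triage_sms(body, trusted_domains, fetch=head_location):
    """Pull every URL out of a forwarded SMS and assess where each one lands."""
    return [assess_chain(expand_chain(u, fetch), trusted_domains)
            for u in URL_RE.findall(body)]


# --- constructed demo data (no network) ---
TRUSTED = {"example-co.com"}
SAMPLE_SMS = ("Hi, it's Sarah from IT. Due to a data breach we need a password "
              "reset before 9am: https://bit.ly/3xyz Thanks so much!")
FAKE_HOPS = {   # stands in for live HEAD responses
    "https://bit.ly/3xyz": "https://example-co.link/r?to=reset",
    "https://example-co.link/r?to=reset": "https://login.examp1e-co.com/reset",
    "https://login.examp1e-co.com/reset": "/reset?step=2",   # relative Location
}


def fake_fetch(url):
    return FAKE_HOPS.get(url)


if __name__ == "__main__":
    for result in triage_sms(SAMPLE_SMS, TRUSTED, fake_fetch):
        print(result)
```

Because the hops are HEAD requests that are never auto-followed, the analyst's machine never renders the landing page. Some servers refuse HEAD; the fallback is a GET through the same no-redirect opener with the body discarded.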

Smishing-to-vishing escalation and callback scams

Some attacks use SMS only as the first touch. After an initial text establishes rapport or creates urgency, a follow-up phone call extracts more sensitive information. In "callback scams," victims are prompted to call a number listed in the text, which connects them to the attackers themselves, usually posing as a fake helpdesk. The combination of text and voice makes the deception far more convincing, as targets are duped into feeling like they’re in control.

The BYOD blind spot: why personal devices bypass your security stack

When an attack arrives on a personal device, your security stack is effectively blind. There's no mobile device management (MDM) alert, no endpoint agent, no corporate visibility. The employee's personal phone sits entirely outside your detection perimeter, and that's exactly where the message just landed.

Why finance and executive teams are prime smishing targets

Modern finance functions increasingly happen over SMS: payment approvals, wire confirmations, and vendor communications. Attackers know this. A well-crafted text targeting a CFO or AP clerk doesn't need to be sophisticated. It just needs to look like a routine message arriving through a channel where the recipient's guard is already down.

Business Email Compromise (BEC) has long targeted finance teams via email — now, smishing is applying the same playbook in a channel with fewer defenses and higher trust. As more companies have hardened their email controls, scammers have followed the path of least resistance to the least guarded place they can find: SMS.


Common real-world smishing lures targeting organizations

Smishing attacks can take many forms – here are some of the most common ones to look out for.

CEO fraud and executive impersonation via SMS

"Hey, I'm in an urgent board meeting for the next 2 hours! Can you handle an urgent wire transfer? We’ll check in later." This form of smishing requires no malware, no technical sophistication, just the name of a senior executive and a sense of urgency.

IT helpdesk spoofs and fake MFA reset messages

Attackers send fake MFA reset messages during high-traffic login windows, typically Monday mornings or right after an announced system update, when employees are more likely to comply without questioning.

HR and payroll smishing: redirecting direct deposits

Attackers impersonate HR to redirect direct deposit information. No malware is involved, and no credentials are technically "stolen"; the employee volunteers the information, believing they're updating their own payroll details. They comply without question, just like Max did before his morning coffee.

Supply chain and vendor impersonation attacks

A text impersonating a known supplier with a payment link is particularly effective because recipients aren't expecting threats to come via SMS, especially when the message matches the supplier's usual format. Supplier communications feel routine. That's the point.

Real-world smishing breaches: Coinbase & Twilio

These aren't theoretical scenarios. In 2023, a social engineering campaign targeting Coinbase employees used texts impersonating company IT; an employee entered their credentials on the fake page, and when MFA blocked the login the attacker escalated to a phone call, again posing as IT, and obtained limited internal directory data before Coinbase's security team intervened. In 2022, the Twilio breach began with SMS messages to employees that impersonated the IT department; the harvested credentials gave attackers access to internal systems and to some customers' data. In both cases, the initial foothold was a text message.

Why do so many smishing attacks slip through security defenses?

Email security tools don't touch SMS: secure email gateways (SEGs), DMARC, and attachment sandboxing are email-layer controls. A text message doesn't pass through any of them. Your security stack can be best-in-class and still have zero visibility into what's being sent to your employees' phones.

Security awareness training has an SMS blind spot: Most phishing simulation programs train employees to spot malicious emails. They're rarely trained to apply the same skepticism to a text message because, until recently, most programs didn't simulate smishing attacks.

Mobile devices are under-monitored: Many organizations have robust EDR on laptops and workstations. Mobile visibility, especially on personal devices used for work, is far more limited and far less mature.

The trust asymmetry of SMS: People have been conditioned over the years to treat email with suspicion. SMS still feels personal and immediate. The skepticism and savviness that employees have built for recognizing email phishing simply hasn't transferred to mobile.

MFA doesn't fully save you: Some smishing campaigns harvest one-time passcodes in real time using adversary-in-the-middle (AitM) reverse-proxy kits that sit between the victim and the real login page and relay the code before it expires. MFA raises the bar significantly, but SMS OTP and TOTP codes are not a complete defense against a determined attacker operating at the speed of a live social engineering attempt; only factors bound to the genuine site's origin, such as passkeys and FIDO2 hardware keys, close that gap.


How to prevent smishing attacks: 5 steps for security leaders

  1. Extend security awareness training to include smishing simulation: Employees need to develop the same skepticism on mobile that they've built up for email. That requires practice, specifically realistic simulations that train the reflex before an attacker triggers it for real.
  2. Establish and communicate clear SMS policies: Define explicitly what your IT team, HR department, and executives will and won't ask employees to do via text message. If employees know "IT will never ask for your password or an MFA code by SMS," they have a baseline to measure suspicious messages against.
  3. Enforce phishing-resistant MFA where possible: Passkeys and FIDO2 hardware security keys are significantly harder to defeat than SMS OTP or TOTP codes, because the credential is bound to the genuine site's origin and cannot be replayed from a lookalike domain. Where you can eliminate SMS-based authentication entirely, do so.
  4. Address the BYOD risk: Whether through MDM policy, acceptable-use agreements, or workforce education, you need a deliberate strategy for personal devices that sit outside your visibility. Ignoring the problem doesn't eliminate the risk; it just means you won't see it coming.
  5. Build a reporting reflex, not just a detection reflex: Employees who receive a suspicious text should know exactly who to forward it to (a security mailbox or a dedicated number; for carrier-level reporting, forwarding the text to 7726, which spells SPAM, works on most US and UK carriers), and they should feel safe doing so without fear of embarrassment. A culture where people report near-misses is more valuable than one where they stay quiet.
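To make the point about real-time OTP harvesting and step 3 above concrete, here is an added example, not code from the original article or from Riot, that models an adversary-in-the-middle reverse proxy against both kinds of second factor. The TOTP side is a real RFC 6238 implementation (HMAC-SHA1, 30-second step), so a relayed code verifies as long as it reaches the identity provider inside the accepted clock-skew window. The passkey side is a deliberately reduced WebAuthn-style assertion: an HMAC stands in for the authenticator's signature (and the relying party holds the same key, a simplification), but what gets signed includes the origin the browser is actually on, and the relying party rejects any assertion whose origin is not its own. The secrets, origins, challenge and timestamps are constructed values; the TOTP seed is the RFC 6238 test-vector seed.

```python
"""Added example (not from the article or from Riot): an AitM reverse proxy
relays a TOTP code successfully but cannot relay an origin-bound assertion.
All secrets, origins, challenges and timestamps are constructed values."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example-co.com"        # assumed real IdP
PHISH_ORIGIN = "https://login.examp1e-co.com"       # attacker's lookalike proxy

DEMO_TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test-vector seed
DEMO_PASSKEY = b"demo-passkey-private-key"          # stand-in for a private key
DEMO_CHALLENGE = "5f3c9a1e-challenge"               # assumed RP challenge


# ---- Factor 1: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret, now, step=30, digits=6):
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(secret, code, now, step=30):
    """Accept the current step and one either side, a common clock-skew policy."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in (-1, 0, 1))


def aitm_relay_totp(secret, victim_now, proxy_delay=2):
    """Victim types the live code on the proxy page; the proxy forwards it at once."""
    typed = totp(secret, victim_now)
    return idp_verify_totp(secret, typed, victim_now + proxy_delay)


# ---- Factor 2: origin-bound assertion (reduced WebAuthn model) ----
def sign_assertion(private_key, challenge, origin):
    """The browser reports the page origin; the authenticator signs it with the challenge.
    HMAC stands in for the real signature (model simplification)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(private_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify_assertion(private_key, challenge, assertion, expected_origin=REAL_ORIGIN):
    """Relying party: reject a foreign origin before even checking the signature."""
    data = json.loads(assertion["client_data"])
    if data.get("challenge") != challenge or data.get("origin") != expected_origin:
        return False
    expected_sig = hmac.new(private_key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def aitm_relay_passkey(private_key, challenge):
    """Proxy forwards the RP's genuine challenge, but the victim's browser is on PHISH_ORIGIN."""
    assertion = sign_assertion(private_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(private_key, challenge, assertion)


def legit_passkey_login(private_key, challenge):
    return rp_verify_assertion(private_key, challenge,
                               sign_assertion(private_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 vector time: 6-digit code is 081804
    print("TOTP code:", totp(DEMO_TOTP_SECRET, now))
    print("AitM relay of TOTP accepted:", aitm_relay_totp(DEMO_TOTP_SECRET, now))
    print("AitM relay of passkey accepted:", aitm_relay_passkey(DEMO_PASSKEY, DEMO_CHALLENGE))
    print("Legitimate passkey login accepted:", legit_passkey_login(DEMO_PASSKEY, DEMO_CHALLENGE))
```

Note that the relayed TOTP is accepted even though the two-second proxy delay crosses a step boundary, because the verifier tolerates one step of skew; shrinking that window buys nothing against a proxy that forwards within milliseconds. Real WebAuthn binds more than the origin (the RP ID hash inside authenticatorData, and the browser refuses to produce an assertion for an RP ID that does not match the page's domain), so in practice the relay fails even earlier than the check modelled here.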

Key takeaway: You can't afford to ignore smishing attacks

Smishing attacks have grown from a niche scam technique to an everyday threat. For CISOs and security leaders, this is a growing blind spot: employees are working more on mobile, but most security programs still treat it as an afterthought, not a priority.

The truth is, awareness programs haven't caught up. The organizations that close that gap are the ones that stop treating security awareness training as an email-only problem and start treating mobile as the high-value target it's become.

Smishing simulations with Riot help build those defenses systematically across your whole team. Keen to start protecting your business? Book a free demo with one of our experts today.