
Smishing

Smishing is a phishing fraud technique using SMS (Short Message Service). A portmanteau of "SMS" and "Phishing," it directs recipients to fake websites via links in fraudulent messages to steal personal and credit card information. According to the Anti-Phishing Council, SMS-based phishing reports increase annually, now accounting for approximately 20% of all phishing reports.

Typical techniques fall into 4 patterns. First, fake delivery notifications impersonating courier services ("We attempted delivery but you were out"). Second, security alerts impersonating banks ("Unauthorized access to your account detected"). Third, unpaid bill notices impersonating telecom carriers ("Your usage fees are overdue. Please pay today"). Fourth, refund notices impersonating government agencies ("You have a tax refund"). All use urgent language to override calm judgment, directing victims to convincing fake websites to enter IDs, passwords, and credit card numbers.

Smishing is more troublesome than email phishing because SMS is highly trusted by recipients. While spam filters catch most email, SMS has a nearly 100% delivery rate and an open rate of over 90%. Furthermore, caller ID spoofing technology can display a legitimate company's name or number as the sender, making it difficult for recipients to detect fakes. On Android devices, a "botification" technique has also been confirmed: a malware-laden app is installed from the fake site and then automatically sends similar SMS messages to all of the victim's contacts.

The basic defense is to never tap links in SMS messages. For delivery notifications, check directly via the official app or website. For bank notifications, log in from your bookmarks. Ignoring and deleting unfamiliar SMS is the best approach. Enabling iPhone's "Filter Unknown Senders" or Android's "Spam protection" features can automatically sort suspicious SMS. For how to identify spoofed SMS, see the article on caller ID spoofing risks.
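As an added example (not code from this article or from any product it mentions), the sketch below triages SMS text using the signals described above: the four lure patterns, urgency wording, and an embedded link. The keyword lists, the `triage_sms` function and the sample messages are assumptions made for illustration; the sender name is deliberately ignored because it can be spoofed.

```python
import re
from urllib.parse import urlsplit

# Keyword sets for the four lure patterns in the text. Illustrative assumptions,
# not a vetted rule set; a real filter needs tuning against its own traffic.
LURES = {
    "delivery": ("attempted delivery", "parcel", "package", "redelivery"),
    "bank": ("unauthorized access", "account detected", "bank"),
    "carrier_bill": ("usage fees", "overdue", "unpaid"),
    "gov_refund": ("tax refund",),
}
URGENCY = ("today", "immediately", "urgent", "within 24 hours", "suspended")
# Matches links with a scheme or a www. prefix; bare domains are not covered.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def triage_sms(text):
    """Return lure themes, urgency flag, linked hosts and a verdict for one SMS."""
    lower = text.lower()
    urls = [u.rstrip(".,)!") for u in URL_RE.findall(text)]
    hosts = [urlsplit(u if "://" in u else "//" + u).hostname for u in urls]
    lures = [name for name, words in LURES.items() if any(w in lower for w in words)]
    urgent = any(w in lower for w in URGENCY)
    if hosts and (lures or urgent):
        verdict = "suspicious"  # lure or pressure wording plus a link to follow
    elif hosts or (lures and urgent):
        verdict = "review"      # a bare link, or lure plus urgency without a link
    else:
        verdict = "ok"
    return {"lures": lures, "urgent": urgent, "hosts": hosts, "verdict": verdict}


# Constructed sample messages; wording follows the examples quoted in the text,
# and every URL uses the reserved .example TLD.
SAMPLES = [
    "We attempted delivery but you were out. Reschedule: http://courier-redelivery.example/r/1",
    "Unauthorized access to your account detected. Verify immediately: https://secure-login.example/verify",
    "Your usage fees are overdue. Please pay today",
    "You have a tax refund. Claim at www.tax-office.example/refund",
    "Running late, see you at 7",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage_sms(sms)
        print(result["verdict"], result["lures"], result["hosts"], "|", sms)
```

The extracted hosts are what a reviewer would compare against the organization's official domain before trusting a message.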
