SMS Phishing (Smishing) Attacks: How to Recognize and Prevent Them?

Your phone buzzes. "URGENT: Bank Account Suspended. Verify Account Info." Your heart rate increases, your thumb hovers over the link, and, bam, the attacker has you exactly where they want you.

This is an SMS phishing attack, also called smishing, and it's devastatingly effective. Less than 35% of the population even knows what smishing is. That knowledge gap is exactly what attackers exploit.

Smishing incidents rose by 22% in Q3 2024, with the US experiencing approximately 484,500 malicious attempts in 2023—more than any other country. If you want to know the difference between smishing and phishing, we've got you covered in our full guide, but in this article, we’ll explain what smishing attacks look like and how to prevent them.


What smishing looks like: Real SMS phishing examples

Smishing attacks can spoof just about anyone. Banks, package deliveries, government offices... the list goes on. In 2024, tax-related smishing scams cost victims an average of $8,199 per person, with messages like "IRS ALERT: You are owed a $969 refund."

One of the most common smishing lures is fake package tracking messages. “Package delivery delayed, confirm address here,” or “Delivery attempted. Reschedule here.” The link either downloads malware or is a credential harvester.

Banking or payment confirmations leverage the threat of money loss: “Suspicious activity detected on your account. Verify here to avoid suspension.” The fear factor causes immediate stress reactions, and people enter their credentials before thinking.

Password reset texts create a false sense of urgency. The text message says someone is actively attacking your account, and you need to “secure it” by clicking their link and resetting it.

HR/IT/management impersonation targets employees directly. These texts exploit workplace trust and authority:

  • “Hey, this is David from IT. Your email password expires today. Reset it here: [link]”

  • “This is Sarah from leadership. I need your help with something urgent. Can you handle a task for me really quickly?” 

These workplace smishing attacks are dangerous because they steal credentials that can lead to full corporate breaches.




Technical tricks behind smishing

Smishing uses both technological weaknesses and human psychology. For starters, threat actors take advantage of SMS spoofing to fake sender IDs. Suddenly, smishing texts appear to come from your bank's number, your UPS tracking number, or, in some cases, your CEO's actual phone number. Since SMS was not architected with sender validation in mind, these fraudulent messages arrive directly in your trusted notifications inbox, indistinguishable from every other message.

Mobile screens hide another weakness. Shortened links (bit.ly, tinyurl) obscure destinations, and unlike on a desktop, you can't hover to preview where a link goes. Combined with one-handed scrolling while multitasking, critical thinking drops. Urgency bias ("Account suspended NOW") and authority bias ("This is your bank") trigger snap decisions.

Sophisticated attacks target SMS-based two-factor authentication. Attackers with your password trigger a login, then pose as "security" requesting your MFA code. Authenticator apps or hardware keys resist this social engineering.



How to spot a smishing attack

Attackers constantly refine their tactics, but they always leave tells behind. The challenge is that most people struggle to distinguish legitimate texts from fakes, and with the FTC reporting $330 million in losses to text scams in 2022, the consequences are real. Watch out for these:

  • Suspicious links shortened with bit.ly, tinyurl, or unusual domains. Real companies use their branded domain names. 

  • Requests for login credentials, payment information, or MFA codes almost never come from real companies. Don't use the link in the text.

  • Urgent language like "immediate action required" or "account will be suspended" tries to short-circuit your rational thinking. 

  • Grammar errors or odd phrasing appear even in sophisticated attacks. Sometimes it's subtle, like "We has detected" instead of "We have detected." 

  • "Reply STOP to unsubscribe" is extremely clever social engineering. Replying to a smishing message doesn't unsubscribe you, but flags your number as active and reachable. 
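A small heuristic check that applies the tells listed above to a few constructed sample texts. This is an added example, not code from the original post; the indicator lists, the sample messages and the two-tell threshold are assumptions for the demo, not a vetted ruleset.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the demo; they are not real attacker texts.
SAMPLE_SMS = [
    "URGENT: Bank Account Suspended. Verify Account Info here https://bit.ly/3xYzAb",
    "Delivery attempted. Reschedule here: http://tinyurl.com/pkg7781 Reply STOP to unsubscribe",
    "Hey, this is David from IT. Your email password expires today. Reset it here: http://it-helpdesk-reset.example/login",
    "Your table for 2 at 7pm is confirmed. See you tonight!",
]

# Indicators taken from the tells listed above. The domains and phrases are
# assumptions chosen for the demo, not a maintained blocklist.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_PHRASES = ("urgent", "immediate action", "suspended", "expires today", "verify now")
CREDENTIAL_PHRASES = ("password", "mfa code", "verify account", "payment info", "login")
GRAMMAR_SLIPS = ("we has", "your account have", "kindly do the needful")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def smishing_indicators(text):
    """Return the list of tells found in one SMS body, in a fixed order."""
    lowered = text.lower()
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            found.append(f"shortened link ({host})")
        elif any(p in lowered for p in CREDENTIAL_PHRASES):
            # A link paired with a credential or payment request is the core lure.
            found.append(f"credential request with link ({host})")
    if any(p in lowered for p in URGENCY_PHRASES):
        found.append("urgency language")
    if any(p in lowered for p in GRAMMAR_SLIPS):
        found.append("grammar slip")
    if "reply stop" in lowered:
        found.append("reply-STOP bait")
    return found


def is_suspicious(text, threshold=2):
    """Two or more independent tells is the demo's threshold for flagging a text."""
    return len(smishing_indicators(text)) >= threshold


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(is_suspicious(sms), smishing_indicators(sms), "|", sms[:50])
```

A single tell (one shortened link in an otherwise normal text) is deliberately not enough on its own, which keeps false positives down on legitimate marketing texts.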


Strategies on how to stop smishing


Recognizing smishing attacks is step one. Here are six more:

  1. Pause and check before clicking. Make sure no one clicks on a link from an unexpected SMS message. Instead, open the relevant app or company website in a browser. Received a “bank alert?” Don’t click the link! Open your banking app first.

  2. Verify via a different channel. If your manager or executive asks you to wire money via text, call them back using a number you already have to verify it was really them.

  3. Switch to a stronger factor. SMS codes are better than nothing, but an authenticator app or hardware security key is much more secure. SMS-based multi-factor authentication (MFA) can be socially engineered, while hardware keys can’t.

  4. Report to security immediately. Smishing attempts should be forwarded to your IT or security team without delay. Reporting suspicious messages allows them to detect attack campaigns, develop protections, and warn others before more people are compromised.

  5. Invest in ongoing training. Huntress Managed Security Awareness Training keeps security top of mind through regular security awareness training with smishing simulations that reduce the number of employees who click on malicious messages.

  6. Apply identity threat detection. Huntress Managed Identity Threat Detection and Response (ITDR) detects misused credentials and abnormal authentication attempts after someone falls for a phishing text.



Stay ahead of smishing

Your phone will buzz again. You’ll get another package delivery notification, another urgent bank alert, and another "Click here now." The difference is what happens next.

Humans make mistakes. Someone will eventually be distracted while checking their phone, or an attacker will simply be convincing enough. Even with perfect prevention strategies, an SMS phishing attack will eventually succeed, and that's when your second line of defense matters most.

Your credentials are worth the 30 seconds it takes. Book a Huntress demo and see how to stop attackers even after someone clicks.
