What is Smishing? SMS Phishing Explained

6 minute read
Beginner

Smishing is phishing delivered through SMS text messages. Learn how smishing attacks work, why mobile screens make them harder to detect, and what awareness and controls defend against them.

How Smishing Works

Smishing messages impersonate trusted organizations: banks alerting customers to suspicious activity; delivery services notifying of package issues; government agencies demanding urgent action; employers sending urgent communications; and two-factor authentication messages requesting code verification. The messages include links to phishing pages that steal credentials or install malware, or phone numbers connecting to fraudulent call centers that extract information through social engineering.

Package delivery smishing is among the most effective because it aligns with a realistic expectation — most people are expecting deliveries at any given time. A text claiming a package requires address confirmation, from a familiar shipping carrier brand, with a link to a convincing carrier login page, captures credentials from a meaningful percentage of recipients who happen to be expecting a delivery.

Corporate Smishing Risks

Enterprise smishing attacks target employees with messages impersonating IT support, HR, and executive leadership. A text appearing to be from IT requesting MFA code confirmation, or an HR notification about urgent payroll issues, creates urgency that bypasses normal skepticism. Corporate smishing is particularly effective because employees' personal phones typically lack the mobile device management and security controls that protect corporate endpoints.

Defending Against Smishing

Technical defenses against smishing are less mature than email security controls. Mobile network operators offer spam filtering that catches known malicious numbers. Mobile security products for managed devices provide link reputation checking. The primary defense remains user awareness: understanding that legitimate organizations do not request credentials or codes through text links; using verified app or website access rather than links in unexpected messages; and reporting suspicious messages rather than engaging with them.
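As an added illustration of the awareness rules above (example code, not part of the original article), the following Python triage function checks a message for the three indicators the text names: a link whose domain does not belong to the brand the message claims to come from, a request for credentials or codes, and urgency language. The brand allowlist, the domains and the sample messages are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate domains per impersonated brand. The brand
# names and domains are hypothetical; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "examplecarrier": {"examplecarrier.com"},
    "it support": {"example-corp.com", "sso.example-corp.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CREDENTIAL_RE = re.compile(
    r"\b(password|passcode|verification code|mfa code|one[- ]time code|sign in|log in)\b",
    re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|expired|suspended|final notice)\b",
    re.IGNORECASE)

# Constructed sample messages (not real smishing texts).
SAMPLE_DELIVERY = ("ExampleCarrier: your package could not be delivered. Confirm "
                   "your address within 24 hours at https://examplecarrier-redelivery.net/confirm.")
SAMPLE_IT = ("IT Support: your password has expired. Sign in at "
             "https://example-corp.sso-reset.com to keep access.")
SAMPLE_BENIGN = "ExampleCarrier: your package arrives today. Track at https://examplecarrier.com/track"


def registered_domain(url: str) -> str:
    """Return the last two labels of the URL host, ignoring trailing punctuation."""
    host = urlparse(url.rstrip(".,;:!?)")).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def triage_sms(text: str, claimed_brand: str) -> list[str]:
    """Return the smishing indicators present in one message (empty list = none).

    Rules: link domain not owned by the claimed brand, request for credentials
    or a code, and manufactured urgency.
    """
    indicators = []
    legit = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    for url in URL_RE.findall(text):
        domain = registered_domain(url)
        if legit and domain not in legit:
            indicators.append(f"link domain {domain} is not a known {claimed_brand} domain")
    if CREDENTIAL_RE.search(text):
        indicators.append("asks for credentials or a code through a text link")
    if URGENCY_RE.search(text):
        indicators.append("applies urgency pressure")
    return indicators
```

Keyword lists like these are a starting point for user reporting workflows, not a substitute for the operator spam filtering and link reputation services mentioned above.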

Real-World Example: Twilio Smishing Attack 2022

In August 2022, Twilio suffered a breach after attackers sent smishing messages to employees impersonating IT, claiming their passwords had expired and directing them to a convincing Twilio SSO phishing page. Multiple employees clicked the link and provided credentials, giving attackers access to Twilio's internal tools. The attackers used that access to reach customer accounts, ultimately affecting Signal, Okta, and other Twilio customers. The attack demonstrated that even employees of sophisticated technology companies are vulnerable to well-crafted smishing attacks targeting their personal phones.

98% SMS open rate, compared to 20% for email. Smishing attacks exploit the behavioral norm of reading every text message, combined with limited mobile screen context that makes phishing links harder to evaluate.

How Cloudskope Can Help

Cloudskope's security awareness programs include smishing-specific training and mobile security policy guidance that addresses the specific risks of SMS-based social engineering in enterprise environments.