Get a Quote

What the Heck Is Smishing?

Wooden Dice

Text-Based Scheme Tries to Sneak Malicious Links Onto Mobile Devices

Cybersecurity experts are raising alarms about “smishing,” a unique form of phishing that attempts to deliver malicious links or infected applications to cell phones via text or SMS messages.

The challenge with these types of cyberattacks is that a text or SMS message cannot be authenticated beyond the phone number it’s sent from. Hackers have started using illicit tools that allow them to send legitimate-looking SMS messages from spoofed or stolen telephone numbers.

A recent text-based scheme targeting Android devices purports to be from a delivery company like UPS or FedEx. When unsuspecting users click the supposed package tracking link included in the message, it automatically installs a malicious application that can steal banking credentials and other personal information.

Adding to the challenge is the fact that text messages aren’t nearly as easy to track and prevent as, say, malicious emails. URL (Uniform Resource Locator) links sent via text or SMS message are more difficult to inspect for security issues without completely loading the web page the link points to.

Often, these links will be shortened to an innocuous-looking address that is hard to discern—think, which in this case redirects to But hackers can easily change one character in those shortened URLs to point somewhere illicit. In addition, mobile users can’t hover over a message-based web link to see where it actually points, which means smishing attempts delivered via text or SMS message require extra attention.

Cybersecurity experts at CMIT Solutions echo the following recommendations from the federal Cybersecurity and Infrastructure Security Agency (CISA) to combat smishing schemes:

1. Only download applications from official stores, such as the Android Play Store or Apple App Store.

Take this security check a step further by scanning the name and description of any app before downloading it—look for misspellings, grammatical mistakes, and other telltale signs of any problems. Also, read app reviews carefully to see if they seem like real people wrote them. If you see multiple five-star reviews composed with misspellings, poor grammar, and improper syntax—or worse, no reviews at all—use caution.

2. Beware of unsolicited texts that use high-pressure tactics.

These can include urgent prompts like “Don’t let your account lapse!” or “Are your funds safe?” along with more benign push notifications like the aforementioned package tracking link. When in doubt, visit a company’s website by typing in the URL address yourself and then check your messages and notifications there.

3. Be even warier of text messages that ask you to enter information.

It should go without saying that any request for financial information, login credentials, or private details should be ignored and deleted. Don’t be tempted by “something for nothing” messages or other too-good-to-be-true offers.

4. Think you’ve accidentally clicked a malicious link?

Quit all applications immediately and power your device off. If your phone seems to be working fine when you restart it, log out of any accounts that were open when you clicked the malicious link, and DO NOT log back in on your mobile device. Instead, log in to the account on a desktop or laptop computer to review recent activity and look for any suspicious behavior.

5. Consult with a trusted IT provider to discuss cybersecurity and security awareness training for mobile devices.

Comprehensive managed IT services automatically deploy security patches and software updates for mobile and desktop machines, maintaining a constant watch on day-to-day operations and Internet traffic. These kinds of solutions help keep devices running and employees working while strengthening cybersecurity protection for all types of apps and devices.

Smishing, phishing, spearfishing, and countless other cybersecurity issues can create serious problems for business owners and employees concerned about the integrity of their systems and critical data. At CMIT Solutions, we go the extra mile to keep your laptops, mobile devices, and desktop computers safe from scammers, spammers, and digital criminals of all types.

If you want to prevent smishing and other IT issues, contact CMIT Solutions today. We keep track of digital threats and proactively protect your business, your employees, your data, and your devices.


We can help. Whatever your technology problem is, chances are, we've seen it before.