Attackers are targeting mobile devices with SMS phishing, or smishing. The tactic exploits trust in mobile messaging and often bypasses the phishing controls that catch the same lures in email. Because it uses a wide variety of sender identities and pretexts, malicious messages can be hard to tell apart from legitimate ones, but there are some characteristics to look out for.
Smishing is designed to trick recipients into divulging sensitive information or performing actions that put their security at risk. Attackers often impersonate trusted entities such as banks or delivery services to create a sense of urgency and push victims to act quickly. Messages typically contain links to credential-harvesting sites or prompt victims to call fake support lines. The sender information may also be spoofed: attackers abuse SS7 network weaknesses or over-the-top messaging APIs to inject deceptive sender IDs that slip past fraud detection and content filters.
In some cases, attacks are accompanied by voice phishing (or vishing), in which an attacker impersonates a trusted entity over the phone to extract credentials or MFA codes. In the enterprise, vishing often follows an email or SMS lure and targets help desk staff or IT admins in order to escalate privileges or initiate wire fraud. Organizations therefore need multiple layers of protection for their mobile devices. Train employees to be wary of unsolicited text messages and to never share Social Security Numbers, bank balances or other sensitive information over SMS. Encourage them to verify a company's identity through official channels before responding to any request, and not to store banking information on their mobile phones.
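As an added example (not code from the original article), the following Python triage script scores user-reported SMS messages on the characteristics described above: an impersonated brand, urgency language, an embedded link, a call-back number, and an alphanumeric sender ID the organization has not verified. The brand list, the sender-ID allowlist and the three sample messages are constructed for illustration.

```python
import re

# Signals drawn from the characteristics the article describes: impersonated
# brands, urgency language, links, and prompts to call a number.
BRANDS = ("bank", "usps", "fedex", "dhl", "ups", "irs", "paypal")
URGENCY = ("immediately", "urgent", "suspended", "within 24 hours",
           "final notice", "act now", "verify now", "locked")
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|co|io|xyz|top|link)\b\S*", re.I)
CALLBACK_RE = re.compile(r"\b(?:call|dial|phone)\b[^.\n]{0,40}?(\+?\d[\d\-\s().]{7,}\d)", re.I)
# Hypothetical allowlist of alphanumeric sender IDs the organization has verified.
KNOWN_SENDER_IDS = {"MYBANK"}
WEIGHTS = {"impersonated_brand": 2, "urgency": 2, "links": 3,
           "callback_number": 3, "unverified_sender_id": 2}

# Constructed sample reports as (sender, body); not taken from the article.
SAMPLES = [
    ("MYBANK", "Your statement is ready. Log in to the app to view it."),
    ("USPS-Alert", "USPS: Your parcel is on hold. Confirm your address within 24 hours "
                   "at usps-redelivery.top/confirm or it will be returned."),
    ("+15550002222", "Bank security alert: suspicious login detected. Your account is "
                     "suspended. Call 1-800-555-0199 immediately to verify."),
]

def score_sms(sender: str, body: str) -> dict:
    """Return the matched signals and a 0-10 risk score for one message."""
    text = body.lower()
    signals = {}
    brand = next((b for b in BRANDS if b in text), None)
    if brand:
        signals["impersonated_brand"] = brand
    urgency = [u for u in URGENCY if u in text]
    if urgency:
        signals["urgency"] = urgency
    links = URL_RE.findall(body)
    if links:
        signals["links"] = links
    callback = CALLBACK_RE.search(body)
    if callback:
        signals["callback_number"] = callback.group(1).strip()
    # Alphanumeric sender ID not on the allowlist: treat as a possible spoofed sender.
    if not re.fullmatch(r"\+?\d+", sender) and sender.upper() not in KNOWN_SENDER_IDS:
        signals["unverified_sender_id"] = sender
    score = min(10, sum(WEIGHTS[k] for k in signals))
    return {"score": score, "signals": signals}

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = score_sms(sender, body)
        print(f"{sender:>14}  score={result['score']:>2}  {sorted(result['signals'])}")
```

The weights are deliberately simple; in practice the score would feed a reporting workflow (for example, escalating anything at 7 or above for analyst review) rather than block messages on its own.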