What is Smishing?
Smishing is phishing via SMS or WhatsApp. This article explains what smishing is, why it works so well, typical attack scenarios, and how companies protect their employees with simulations, processes and awareness training.
What is smishing? Phishing via SMS and WhatsApp that increasingly targets companies
Smishing is the fastest-growing social engineering technique of recent years. While email filters keep getting better at blocking phishing, SMS and WhatsApp have largely remained an open channel. Attackers know this and are shifting campaigns to mobile at scale. For companies this means a new threat: employees receiving a message on their personal phone that appears to come from IT, the CEO or a supplier, and deciding in seconds whether to click.
This article explains what smishing is, why it is so effective, what typical examples look like, and how companies make their people resilient.
TL;DR
Smishing is phishing via SMS or WhatsApp. It works effectively because mobile filtering is weaker than email filtering, because senders and URLs are harder to verify on a phone screen, and because people read their phone less critically than their work inbox. Companies reduce smishing risk by training employees with realistic smishing simulations, setting up processes to verify high-risk requests, and a reporting culture where doubt can be raised without shame.
What smishing actually is
Smishing is a blend of SMS and phishing. The attacker poses as a trusted party: a bank, a courier, the government, a colleague, the CEO. It is a form of social engineering. The message is short, urgent and usually contains a link or a prompt for action: click here to track your parcel, confirm your identity, process this payment, forward this MFA code.
Unlike email phishing, which has existed for decades, smishing is relatively new as a mass attack channel. The technique is simple: SMS gateways are cheap, WhatsApp enables easy international communication, and spoofing sender names is still possible on many networks.
The goal of smishing varies:
- Steal credentials via a cloned login page
- Install malware on the device via a download
- Trigger a payment or transaction
- Intercept MFA codes to take over an account
- Collect personal data for identity theft
Typical smishing scenarios
Smishing attacks follow a limited set of patterns. Below are the most common ones, which hit both individuals and business users.
Fake parcel messages
“Your parcel could not be delivered. Confirm your address and pay GBP 1.99 in redelivery fees.”
The link leads to a cloned Royal Mail, DPD or DHL page where the victim enters card details. Once entered, those go straight to the attacker.
Fake bank alerts
“Suspicious transaction detected on your account. Click here to confirm or cancel.”
The link leads to a cloned bank page that harvests credentials and MFA codes. This attack is dangerous because it exploits the natural reaction to act fast on potential fraud.
Fake government fines
“You have an outstanding traffic fine. Pay within 48 hours to avoid extra costs.”
Police or HMRC never send fines by SMS with a payment link. Yet the trick works, especially with people unsure whether they committed a recent offence.
Fake IT helpdesk
“This is IT. Your Microsoft 365 password expires today. Click here to renew.”
In companies this is a growing threat, especially when employees use a corporate SIM or BYOD device. The attacker often knows which software the company uses, making the message extra credible.
CEO fraud via WhatsApp
“Hi, I need something urgently. Can you quickly buy GBP 500 in gift cards and forward the codes? I’ll explain later.”
This variant usually targets finance or executive assistants. It works because WhatsApp feels more personal than email and the recipient has no time to verify.
MFA fatigue via SMS
The attacker already has credentials and tries to extract an MFA code.
“Send us the code you just received to secure your account.”
The victim thinks IT is helping and forwards the code. The attacker meanwhile logs in.
Why smishing works so well
Smishing has structural advantages for the attacker compared to email phishing.
Weaker filtering
SMS and WhatsApp messages pass fewer security layers than corporate email. Mail gateways, DMARC and sandboxing do not exist on SMS. Carriers filter some known spam numbers, but filtering is far from complete.
Smaller screen, less context
On a phone screen you usually only see the sender and the first line. Shortened URLs hide the real domain. Typos in a sender domain stand out less. Review capabilities comparable to a desktop mail client are absent.
Personal context
People associate SMS and WhatsApp with family, friends and colleagues. The mental mode is set to “personal”, not “business-critical”. Suspicion is lower.
Time pressure feels natural
SMS is designed for quick communication. An urgent message stands out less in that channel than an urgent email does.
Mix of personal and work
Many employees use personal phones for work or corporate phones for personal use. Context separation is unclear. A work-related smishing message arrives on the same device as family messages.
How to recognise smishing
A few checkpoints before responding to a suspicious SMS or WhatsApp:
- Unknown sender: a completely unknown number, an international number or a short code without context.
- Time pressure: “within 24 hours”, “today”, “act immediately”.
- Shortened URL: bit.ly, tinyurl, t.co or other shorteners hiding the real domain.
- Requests for sensitive data: passwords, PINs, MFA codes, card numbers. No legitimate institution ever asks for this via SMS.
- Financial action: a payment, a gift card, a transfer.
- Outside your normal workflow: a request that does not match how this person or organisation usually communicates.
When in doubt: never click the link in the message. Open the official app or website directly via your browser. Or call the known phone number of the supposed sender to verify.
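As an added example, not part of the original article, a small triage script that scores a reported SMS or WhatsApp message against the checkpoints above; the keyword patterns, shortener list, allowlisted business number and sample messages are all constructed here.

```python
import re
from urllib.parse import urlparse

# Constructed indicator lists mirroring the checklist: time pressure, shortened
# URLs, requests for sensitive data, financial action and an unknown sender.
URGENCY = [r"\bwithin \d+ hours?\b", r"\btoday\b", r"\bimmediately\b",
           r"\burgently\b", r"\bright now\b", r"\bact now\b"]
SENSITIVE = [r"\bpassword\b", r"\bpin\b", r"\bmfa code\b", r"\bverification code\b",
             r"\bcard (number|details)\b", r"\bcode you just received\b"]
FINANCIAL = [r"\bpay\b", r"\bgift cards?\b", r"\btransfer\b", r"\bfees?\b", r"\bgbp\b"]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
KNOWN_SENDERS = {"+441234567890"}  # placeholder allowlist of verified business numbers
URL_RE = re.compile(r"https?://\S+", re.I)


def has_any(patterns, text):
    return any(re.search(p, text) for p in patterns)


def uses_shortener(text):
    # Compare only the host part, so a real brand in the path does not hide a shortener.
    return any(urlparse(u).netloc.lower() in SHORTENERS for u in URL_RE.findall(text))


def triage(sender, text):
    """Return the indicators found and a verdict for the reporting channel."""
    lowered = text.lower()
    flags = []
    if sender not in KNOWN_SENDERS:
        flags.append("unknown_sender")
    if has_any(URGENCY, lowered):
        flags.append("time_pressure")
    if uses_shortener(text):
        flags.append("shortened_url")
    if has_any(SENSITIVE, lowered):
        flags.append("sensitive_data_request")
    if has_any(FINANCIAL, lowered):
        flags.append("financial_action")
    score = len(flags)
    verdict = "escalate" if score >= 2 else ("review" if score == 1 else "low")
    return {"score": score, "flags": flags, "verdict": verdict}


# Constructed sample reports, modelled on the parcel and MFA scenarios above.
PARCEL = ("+447700900123", "Your parcel could not be delivered. Confirm your address "
          "within 24 hours and pay GBP 1.99 in redelivery fees: https://bit.ly/abc123")
MFA = ("+15550001111", "This is IT. Send us the code you just received to secure your account immediately.")
BENIGN = ("+441234567890", "Hi, the team meeting moved to room 3. See you at 10.")
```

Two or more indicators in one message is the point at which a human should verify through a second channel before anyone acts on it.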
How companies protect their employees
Smishing is hard to filter technically. Defence therefore sits mostly in practice and processes.
Smishing simulations
Like phishing simulations, but via SMS or WhatsApp. A security partner sends realistic fake smishing messages to company devices or business numbers and measures response behaviour. Direct feedback after a click makes the experience stick. Smishing testing is part of a broader social engineering assessment.
Processes for high-risk actions
Payment instructions coming in via SMS or WhatsApp are never executed without verification through a second channel. Changes to supplier details, gift cards, urgent transfers: always call the known phone number to verify. A fixed process for this eliminates the majority of CEO fraud.
Training in work context
Generic awareness training rarely teaches people to recognise smishing specifically. Targeted security awareness training using mobile-first scenarios works better. The Swishing phishing game can include smishing scenarios as part of a gamified exercise.
Technical basics
Multi-factor authentication based on authenticator apps or FIDO2, not SMS. SMS-based MFA is vulnerable to SIM swapping and interception. For critical accounts, SMS MFA is unacceptable.
Reporting culture
Employees must be able to report a suspicious SMS or WhatsApp without friction. A simple channel, for example a dedicated mailbox or Teams channel, lowers the threshold. Sharing reports with the rest of the organisation ensures everyone is warned when a campaign is active.
What to do if you clicked on a smishing link
- Immediately close the page without entering any data.
- If you entered credentials: change the affected account password right away.
- Refresh MFA tokens and log out active sessions.
- Report to IT or the security department, even if you think you were in time.
- If you clicked on a work device: let IT check for malware.
- For financial action: contact your bank directly.
The speed of reaction determines how much damage occurs. Reporting is never a sign of failure; it is protection for everyone in the company.
Frequently asked questions about smishing
What is smishing exactly?
Smishing is a blend of SMS and phishing. It refers to phishing attacks sent via SMS, WhatsApp or other mobile messaging services. The attacker poses as a bank, courier, government service or colleague and tries to get the recipient to click a link, share personal data or make a payment.
What is the difference between smishing and phishing?
Phishing typically happens via email. Smishing uses SMS or WhatsApp. The underlying principle is the same: someone poses as a trusted party and tries to manipulate the recipient. However, smishing has a higher success rate because SMS messages are less filtered than email, and people read their phones more quickly and with less scrutiny than their inbox.
Why does smishing work so well?
Smishing is effective for three reasons. First, SMS filtering is weaker than email filtering, so more messages get through. Second, on a phone screen it is harder to spot sender anomalies or suspicious URLs. Third, people associate SMS with personal communication and read it with less suspicion than business email. Short messages with time pressure invite quick clicks.
What are typical smishing examples?
Common smishing scenarios include fake parcel deliveries (Royal Mail, DPD, DHL) asking for a redelivery payment, fake bank alerts about suspicious transactions, fake government or police fines, fake MFA codes asking to be forwarded, and so-called CEO messages via WhatsApp asking for urgent payments or gift card purchases. In corporate settings, fake IT helpdesk messages are a growing problem.
How do you recognise smishing?
Typical signals are an unexpected SMS from an unknown number or short code, time pressure to act quickly, shortened URLs that hide the real domain, requests for personal or financial data, and senders posing as official institutions. Real banks, couriers or government services never ask via SMS for passwords, PINs or MFA codes. When in doubt: open the official app or website directly, never click the link in the SMS.
How do you test employees on smishing?
Smishing simulations work similarly to phishing simulations, but via SMS or WhatsApp. A security partner sends realistic fake smishing messages to company devices or business numbers, measures click rates and response behaviour, and ties direct feedback to the results. Good smishing tests use scenarios from the recipient’s work context, not generic templates. After the test comes a short exercise on what went wrong.
What should you do if you clicked on a smishing link?
Report immediately to IT or the security department, even if you think nothing happened. Close the page without entering any data. If you did enter credentials: change passwords immediately, refresh MFA tokens, and monitor the affected account for suspicious activity. If you clicked on a link on a work device: inform IT so they can check for malware. The speed of reporting determines the eventual damage.
Related services and resources
Test your employees' resilience against smishing with Sectricity's smishing testing, broader social engineering assessments, phishing simulation and testing and vishing testing. Reinforce knowledge with security awareness training or the Swishing phishing game. Start with a free security scan to map your risk.