Smishing

What is Smishing? 

Smishing is a deceptive technique used by malicious actors to trick individuals into revealing sensitive information such as passwords, credit card numbers, or personal data by posing as a trustworthy entity via text messages. It exploits cognitive biases like authority and urgency to bypass rational decision-making and prompt quick, often risky, actions. In the digital landscape, phishing also undermines user trust and can significantly impact website credibility and SEO performance.

The Basic Idea

The other day, I got a text that said: “Your package is arriving! Track it here,” along with a very suspicious link. The thing was, I had actually ordered something. Though I feel like I do a good job of not over-ordering things online, in retrospect, the odds that I’m waiting for a package at any given time—whether it’s a postcard, a prescription, or my monthly delivery of vegan protein powder—are higher than not. At that moment, I felt like it must be about the package I was waiting on; I had just been wondering when it would arrive, so it was probably a sign! I nearly clicked, but something stopped me. That second of hesitation is exactly what scammers count on. In a world where our phones buzz constantly with updates, alerts, and appointments, a well-timed text message can slip through our mental defenses and lead us somewhere dangerous before we’ve even had breakfast.

Welcome to the world of smishing, a word which mashes together “SMS” and “phishing,” and describes a form of cybercrime that uses text messages to deceive recipients into revealing personal information, clicking malicious links, or downloading harmful software. Smishing is a social engineering tactic, meaning it exploits human psychology rather than technical vulnerabilities. Much like phishing emails, smishing messages are designed to appear urgent, trustworthy, or enticing, often mimicking banks, delivery services, tech companies, or government agencies to manipulate the recipient into taking immediate action.

Smishing attacks have grown rapidly in recent years, driven by the ubiquity of smartphones and the increasing reliance on SMS for tasks like two-factor authentication, appointment reminders, and customer service interactions.1,2 These scams often exploit the intimacy and immediacy of text messaging—most of us check and respond to texts far faster than emails, and we tend to trust them more. Scammers take advantage of this speed and trust, crafting texts that blend seamlessly into the flood of legitimate messages we receive every day.

Unlike spam emails, smishing often escapes detection by traditional filters and firewalls, and because it targets individuals directly, it can be harder to identify and block in advance. What makes smishing especially dangerous is how it blends the personal with the technical. A convincing smish can trick even tech-savvy users if it appears at the right time, like during a service outage or a busy holiday season, and asks just enough to trigger concern, curiosity, or compliance. Understanding smishing isn't just a matter of cybersecurity; it's a matter of digital literacy, public policy, and consumer protection.2 As attackers continue to evolve their tactics with AI-generated texts, spoofed phone numbers, and fake apps, the need to educate and empower users is more urgent than ever.
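The cues described above (a link, urgent wording, a request to act, and a trusted sender name that does not match where the link goes) can be checked mechanically when triaging reported texts. The sketch below is an added example, not part of the original article; the sender names, the `.example`/`.test` domains, the word lists and the sample messages are all constructed assumptions, and the rules are illustrative heuristics rather than a complete filter.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: sender name -> domains it legitimately links to.
# Names and .example domains are placeholders, not real organisations.
KNOWN_SENDERS = {
    "parcelco": {"parcelco.example"},
    "first bank": {"firstbank.example"},
}
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|final notice|expires?|"
    r"within \d+ (?:hours?|minutes?))\b", re.I)
ASK = re.compile(
    r"\b(verify|confirm|update|log ?in|password|pin|track it)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)  # only scheme-prefixed links are parsed

def link_hosts(text):
    """Hostnames of every http(s) link in the message body."""
    return [(urlparse(u).hostname or "").lower() for u in URL.findall(text)]

def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(text):
    """Return the list of smishing cues found in one SMS body."""
    cues, hosts, lower = [], link_hosts(text), text.lower()
    if hosts:
        cues.append("link")
    if URGENCY.search(text):
        cues.append("urgency")
    if ASK.search(text):
        cues.append("action-request")
    for name, domains in KNOWN_SENDERS.items():
        # Impersonation cue: message names a sender but links off its domains.
        if name in lower and any(not host_in(h, domains) for h in hosts):
            cues.append("sender-link-mismatch")
    return cues

def is_suspicious(text):
    """Flag on an impersonation mismatch, or on three or more cues."""
    cues = triage(text)
    return "sender-link-mismatch" in cues or len(cues) >= 3

# Constructed sample messages (not real traffic).
SMISH = "ParcelCo: Your package is arriving! Track it here: http://parcelco.example.track-pkg.test/x"
LEGIT = "ParcelCo: your parcel is out for delivery. Details: https://track.parcelco.example/p/123"
if __name__ == "__main__":
    for msg in (SMISH, LEGIT):
        print(is_suspicious(msg), triage(msg))
```

The first sample shows why the hostname has to be compared from the right: the trusted name appears at the start of the link's host, but the registered domain is a different one.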

“Phishing remains unsolvable—there’s no patch for human gullibility.”


― Mike Danseglio, Security Program Manager, Microsoft

About the Author

Annika Steele

Annika completed her Masters at the London School of Economics in an interdisciplinary program combining behavioral science, behavioral economics, social psychology, and sustainability. Professionally, she’s applied data-driven insights in project management, consulting, data analytics, and policy proposal. Passionate about the power of psychology to influence an array of social systems, her research has looked at reproductive health, animal welfare, and perfectionism in female distance runners.
