Phishing Report: Fake SMS Texts or "Smishing"

by Jon Lober | NOC Technology

Is that a real text from your boss?

 

Smishing, vishing, quishing—at some point, the list of phishing attack vectors starts to sound like a bad joke. Unfortunately, these forms of cyberattack are very real—and their results are anything but funny.


SMS Phishing Scams: An Overview of “Smishing”

Smishing is the term that cybersecurity experts use for social engineering scams carried out through SMS texts. The word itself is a portmanteau of “sms” and “phishing.” SMS is the attack vector; phishing is the attack method.


Despite the prevalence and importance of email, SMS (or “short message service”) text is the backbone of global communication. Around the world, more than 23 billion text messages are sent every day. Links sent through SMS have the highest click-through rate of any communication method, between 8.9 %and 14.5%, roughly ten times the average rate of email clicks.


Aware of these remarkable statistics, cybercriminals have proven eager to exploit unsuspecting victims through a wide variety of smishing attacks. IBM reports on several of the most common social engineering techniques used by smishers.


  • Financial institution impersonation. Victims receive a fake text from their bank alerting them to a problem with their account. Once the victim clicks the link, they are routed to a fake website that directs them to enter sensitive information like sign-in, payment, or account details, which are then stolen and abused by the scammers behind the attack.


  • Customer support impersonation. Very similar to bank impersonation attacks, scammers impersonating customer support from trusted companies send a link to victims asking them to sign-in to their account on a fictitious website or app, where their information is summarily stolen.


  • Government impersonation. By abusing the fear of legal mis-steps that many of us quietly carry, scammers impersonate government entities like the IRS or FBI and threaten the application of fines or legal penalties if the victim fails to comply. Once the victim clicks the compromised link, they are often directed to enter personal information—including their social security numbers—that scammers can use to wreak havoc.


  • Shipper impersonation. Popular around holidays. Fake texts from Amazon, FedEx, and UPS fill the inboxes of potential victims, prompting them for delivery fees, address corrections, or account updates.


  • Wrong number scams. As your own SMS inbox might reveal, these scams are skyrocketing in popularity. “How have you been during this time?” “Hey, how are you?” “I’m Susan and you?” currently populate my own text inbox. Although these may seem amongst the simplest and least nefarious of the smishing attack vectors, in fact they can have some of the most damaging outcomes. These personalized texts can lead to a type of financial attack known as “pig-butchering,” a term derived from the fattening of the victim’s bank account before the fatal blow. The Wall Street Journal’s podcast “The Journal” profiled one such attack in their recent episode “Pig-Butchering: A Texting Scam With a Crypto Twist.”  


  • MFA / 2FA fraud. Multifactor authentication is one of our simplest, but most effective, tools against modern cybercrime. However, smishers can occasionally outwit unsuspecting victims by pretending to be a friend or family member that is locked out of their account without access to their phone. When the victim sends their “friend’s code” to their “friend” they are actually sending a hacker the MFA code needed to access one of their own accounts.


  • Boss or colleague impersonation. Smishing is not confined to a victim’s personal life—it often enters the professional realm as well. Similar to business email compromise (BEC) and gift card scams, smishers will often abuse work relationships in order to achieve their desired ends. Read on to learn about a real attack that smishers recently attempted on one of our own employees.  


Our Example: Smishing Attacks at Work

As we have shared before, not even IT support companies are spared from phishing attacks. One of our employees was recently targeted by a smisher impersonating NOC Technology’s CEO.



Although simple, this is precisely the type of attack that can easily ruin a career or even sink a small business if not treated with extreme caution.


How does this method achieve its goal?


  • Simplicity: It looks like a normal text.
  • Authority: Even if the targeted employee would not normally fall for such a scheme, when a boss is involved, they may override normal caution just to make sure that they do not ignore their supervisor.
  • Implicit trust of vector: Although many of us have become accustomed to phishing emails, we still often perceive personal-looking SMS texts as potentially legitimate.
  • Personalization: The text starts off by directly addressing the recipient by their first name and closes with the full name of the (fake) recipient.

 

Red Flags: How to recognize this text as a scam.


Although the smishers did a pretty good job, there are still several signs that this text is a scam.


  • Unsolicited communication: This is the hallmark of all phishing scams. Always ask yourself, “Was I expecting this?” If the answer is “no,” hit the brakes and calculate the possible risks before proceeding—especially if the sender is requesting something.


  • Unknown sender: Identifying a sender as “unknown” can be a bit more complicated than it is with email, since you cannot hover over the sender’s address like you can in email. However, in our specific example, the victim was already personally acquainted with the sender and knew that the unknown number was indeed unknown.


  • Warning banner: Most smart phone operating systems now automatically flag unsolicited texts from unknown numbers as a potential threat. Do not ignore such warnings.


  • Mix of personal and formal conventions: This is where the smisher overcooked their scam a bit. Most people do not start their text off with “Hey _____!!!” and end it with their full name. Unless the purported sender is communicating cross-culturally, unusual combinations of social conventions should always sound an alarm.


What to do if you encounter a fake text.

Once you have identified a fake SMS text, take the following steps.


  1. Do not respond in any way. Resist the urge to take vigilante justice by messing with the sender. Your response will simply indicate to the scammer that they have hit on a legitimate phone number that they can sell to another cybercriminal or attempt to compromise in a future attack.
  2. Block the number. Most operating systems offer you the opportunity to block the sender directly from the text screen. Block the number immediately.
  3. Delete the text. Eliminate the text from your inbox to prevent a future accidental reply should you happen to forget why you did not take action originally.
Missouri Sheltered Workshops can empower human potential through AI
By Jon Lober April 24, 2025
Embracing the potential of both AI and humans
Tech upgrades that will boost employee safety in sheltered workshops
By Jon Lober April 15, 2025
At NOC Technology, we've worked with Missouri sheltered workshops for over seven years, and I've witnessed firsthand how the right technological implementations can transform sheltered workshop environments. Today, I'd like to share some insights on leveraging modern technology to create safer workspaces while maintaining the dignity and privacy of all participants. The Unique Safety Challenges of Sheltered Workshops Sheltered workshops provide valuable employment opportunities for individuals with disabilities, but they also present unique safety considerations. Workers may have varying levels of physical mobility, cognitive processing, and sensory perception—all of which can impact how they respond to traditional safety measures. Additionally, the production environments often involve machinery, tools, and materials that require careful monitoring and management. The Role of Smart Technology in Safety Advancements in smart technology provide real-time safety monitoring, immediate alerts for potential hazards, and improved emergency response times. Let’s explore some key technologies and their benefits in sheltered workshop environments. Personalized Alert Systems Traditional emergency alarms can be overwhelming for individuals with sensory sensitivities. Smart alert systems can deliver personalized notifications through: Vibrating wristbands that alert workers without auditory overload Visual notification systems with customizable colors and patterns Tablet-based communication for workers who benefit from visual cues Location-specific alerts that only notify those in affected areas We recently implemented a multi-modal alert system at a workshop in central Missouri that reduced anxiety-related incidents during emergency drills by 65% . Environmental Monitoring Maintaining optimal environmental conditions is crucial for both safety and productivity: Temperature and humidity sensors that automatically adjust HVAC systems Air quality monitors that detect potentially harmful particulates Noise level monitoring to prevent sensory overload Automated ventilation systems that activate when chemical levels exceed thresholds These systems not only protect workers but also provide documented compliance with OSHA regulations. Enhanced Supervision through Smart Cameras Security cameras have evolved beyond simple surveillance. Modern systems can: Detect unusual patterns that might indicate a worker in distress Monitor restricted areas without constant staff presence Identify when machinery is being used incorrectly Alert supervisors to potential safety hazards Important note: All camera systems should be implemented with strict privacy protocols and transparent policies. Workers and guardians should be fully informed about what is being monitored and why. In many cases, audio cannot be recorded, and the camera system must be configured to meet this requirement. Wearable Safety Technology Wearable devices offer personalized safety monitoring without stigmatization: Fall detection pendants that automatically alert staff Location tracking that helps locate workers in emergency situations Biometric monitoring for workers with health conditions Proximity sensors that prevent accidental entry into hazardous areas These wearables can be designed to look like standard ID badges or watches, preserving dignity while enhancing safety. Implementation Best Practices Successfully integrating smart technology into sheltered workshops requires careful planning: Involve all stakeholders: Workers, guardians, and staff should participate in selecting and implementing new technologies. Prioritize simplicity: Choose solutions that require minimal training and maintenance. Phase in gradually: Introduce new technologies in stages to allow everyone time to adapt. Balance automation with human oversight: Technology should supplement, not replace, trained staff. Respect privacy: Collect only essential data and maintain strong security protocols.
Could your sheltered workshop benefit from grant funding for new technology?
By Jon Lober April 7, 2025
As a sheltered workshop, you play a crucial role in providing meaningful employment opportunities for individuals with disabilities. However, like any organization, securing funding for technology upgrades can be a challenge. While investing in the right tools can improve efficiency, security, and overall productivity—that’s all only if you can afford the tools in the first place.
More Articles