smishingSMS phishingsocial engineering

    July 7, 2026 · 5 min read · By Fensivo Team

    Smishing: the phishing that now arrives by SMS

    Leer en español

    The bottom line: SMS reaches the personal device, outside the email perimeter

    When we think of phishing, we almost always picture an email. That is where the security team placed its filters, its rules and its alerts. But a growing share of deception no longer passes through the inbox: it arrives as a text message on the employee's phone. That is smishing, and its advantage for the attacker is simple. The SMS lands on a device the company rarely controls, on a channel with no gateway to inspect it, and at a moment when the person's guard is down.

    Cisco's 90-5-5 framework, which estimates that around 90 percent of breaches involve a human factor, helps explain why this matters. The problem was never only email: it was the person under pressure. If we move the same deception to a more personal and less monitored channel, the human factor is left even more exposed. That is why smishing is not a technical curiosity, it is a shift of risk toward where we are least watching.

    What smishing is and why it is growing at work

    Smishing is phishing over text message (SMS). The name blends SMS and phishing, and it describes the same goal as always: to get a person to click a link, hand over a credential or approve an action they should not. The only thing that changes is the channel. Instead of an email with a bank's logo, a short and urgent text arrives on the phone, often with no recognizable sender, just a number.

    Human risk is managed automatically.

    Turn human risk into your first line of defense.

    Book a demo

    Free demo · 30 minutes · No commitment

    It is growing for several reasons that feed one another. The first is work from the phone: today employees read notifications, approve access and reply to messages from their device, so the attacker goes where the person is. The second is the economics of the attack. Sending text messages at scale is cheap and the tools to do it circulate freely. The third is the most uncomfortable: corporate email has years of accumulated defenses, while SMS has almost none. CISA's canonical figure, that more than 90 percent of successful cyberattacks begin with a phishing email, describes the historical starting point. Smishing is, in large part, the attacker's answer to that starting point becoming harder: if email defends itself better, they look for another door.

    Why the phone lowers a person's guard

    The phone is a territory of trust, and that is exactly the vulnerability. We associate it with family, friends and personal messages. When a text arrives, the reflex is not the same as facing a work email: we read it quickly, in the middle of other things, sometimes while walking or in a meeting. Divided attention is deception's best ally.

    On top of that, the small screen hides the signals that jump out on a computer. A web address shows up truncated, the sender is only a number, and there is no comfortable way to hover over a link to check it before opening it. The device's design, built for immediacy, works against verification. And the tone of these messages is calculated to close that window of doubt: they are short, urgent and pose an immediate consequence. A package that will not be delivered, an account that will be blocked, a code that expires in minutes. The rush is not a detail, it is the mechanism. When the person acts by reflex, not by judgment, the attack has already won. It is not a personal failing, it is a predictable human reaction the attacker designed to provoke.

    Typical cases: parcels, banks, IT support and access codes

    Smishing pretexts repeat because they work, and teams should learn to recognize them by their shape, not only by their content. The most common is the parcel pretext: a supposed delivery notice with a link to "confirm the address" or "pay a fee", which actually leads to a fake page that captures data. The bank pretext imitates a security alert or a suspicious charge and pushes the person to "validate" their account on a cloned site.

    In the corporate environment, two more dangerous variants appear. One is impersonating IT support: a message claiming to come from the technical team asking to install something, change a password or confirm access, sometimes as a follow-up to an earlier call. The other is hunting for access codes: the attacker already has the person's password, tries to log in, the second factor fires, and then they send an SMS posing as the platform to request that one-time code. The person hands it over believing they are protecting themselves, and in reality they complete the intrusion. This last case connects smishing with the world of leaked credentials and approval attacks, and it shows that it is rarely an isolated incident: it is usually a link in a longer chain. It is worth remembering that other emerging vectors, such as QR code phishing, follow the same logic of leaving email to reach the person through a less monitored channel.

    Defenses: realistic simulation on the right channel and later validation

    Defense against smishing cannot live only in the email filter, because the attack is precisely built to avoid it. It starts with a verification principle people can apply under pressure: no text message, however urgent it seems, is a reason to hand over a password, a one-time code or a payment. When in doubt, the person cuts the channel and verifies through a known route, not through the link or the number that arrived. That habit, put that simply, prevents most cases.

    But a habit is not installed with an annual talk. It is installed by practicing it on the channel where the attack happens. Training against emails is of little use if the deception arrives by SMS: realistic and personalized simulation, like the kind covered in AI phishing and deepfakes, has to arrive on the right channel and with the right pretext for each person's role, because the risk of a cashier is not the same as someone in finance. And here is the point most often neglected: training someone after they fall does not prove they learned. What proves the change is exposing them again, weeks later, to an attempt of the same kind on the same channel, with a different pretext, to see whether this time they resist. That idea, validating behavior by testing it again rather than assuming the lesson stuck, is the difference between supposing the team is ready and knowing it.

    Midsize companies in the region face this at a concrete disadvantage: much of the awareness content is built for email and in English, while smishing arrives in Spanish and on the phone. Closing that gap is not optional, it is where the real risk sits today.

    At Fensivo we approach this use case by treating the phone as one more testing channel, not as an exception. We send realistic simulations through the channel where the attack actually happens, deliver short training at the moment of failure and, weeks later, validate with a new simulation whether the person changed their behavior. You can see how it works in our use cases. The question we leave open is uncomfortable on purpose: if tomorrow one of your employees gets an SMS that sounds like their bank while crossing the street, what do they lean on to not click?

    Human risk is managed automatically.

    Turn human risk into your first line of defense.

    Book a demo

    Free demo · 30 minutes · No commitment