Smishing - SMS Phishing Attacks
About 2 min read
Smishing is a general term for phishing attacks that use SMS (Short Message Service). A portmanteau of "SMS" and "Phishing," it sends fraudulent SMS messages to lure recipients to malicious websites and steal their personal information and credentials. Compared with email phishing, its open rate is overwhelmingly higher (the open rate of SMS is said to be around 98%), and it cleverly exploits the characteristics of mobile environments, where it is hard to verify whether a URL is genuine.
Differences from Email Phishing
| Aspect | Email phishing | Smishing (SMS) |
|---|---|---|
| Open rate | Approx. 20-30% | Approx. 98% |
| URL verification | Verifiable by hovering | Hard to verify before tapping |
| Filtering | Spam filters are mature | Carrier filters are still developing |
| Sender spoofing | Verifiable with DMARC, etc. | Sender ID is easy to spoof |
| Psychological trust | Awareness of "suspicious emails" is widespread | SMS tends to be trusted more readily |
Unlike email, SMS has an immature sender authentication mechanism. While domain authentication such as DMARC exists for email, there is no equivalent standard for SMS. Attackers can send large volumes of SMS at low cost using SIM farms and VoIP services, and it is also technically possible to disguise the sender name as a legitimate company name.
Delivery Failure Notice Scams - A Rampant Tactic in Japan
The smishing tactic that causes the most damage in Japan is SMS disguised as delivery failure notices for parcels. A shortened URL is sent along with a message such as "We came to deliver your parcel but took it back because you were absent. Click here for redelivery," and tapping it lures the recipient to a fake site that closely resembles a legitimate courier company. Android users are prompted to install malicious apps, and once infected with malware, their device begins automatically sending large volumes of smishing SMS, turning the victim into a "perpetrator." For iOS users, there are many reported cases of Apple ID or carrier-billing credentials being stolen.
Legitimate courier companies do not send redelivery URLs via SMS. If you receive a delivery failure notice, do not tap the link in the SMS; instead, check directly through the official app or official website.
The Flow of a Smishing Attack
The Spread of RCS Messaging and New Risks
The spread of RCS (Rich Communication Services), the next-generation messaging standard that replaces conventional SMS, has brought a new dimension to smishing. RCS supports rich media (images, videos, carousels), read receipts, and typing indicators, making it possible to craft sophisticated fake messages that are hard to distinguish from official corporate messages. If the brand logo display feature is abused, it becomes even harder to visually distinguish messages from legitimate companies.mobile security guides on Amazon are helpful for keeping up with the latest threats in mobile environments.
Carrier Filtering Technology and Its Limits
Japan's major carriers (NTT Docomo, KDDI, and SoftBank) provide spam SMS filtering features, but their effectiveness has limits. Because filtering is based on known patterns and blocklists, it responds slowly to new wording and senders. In addition, smishing SMS sent from infected devices originates from legitimate phone numbers, so it cannot be detected by sender-based filtering. In attacks combined with SIM swapping, the victim's own phone number is hijacked, so even an SMS from an acquaintance is not necessarily safe.
Smishing can be called the mobile version of social engineering. Be sure to also review countermeasures against spam messages, the phishing protection guide, and the traps of free Wi-Fi to comprehensively strengthen the security of your mobile environment.
Was this article helpful?