← Blog

Smishing: the scam hiding in a text message

Tenant Strike3 min read

We trust our text messages more than our inboxes, and attackers have noticed. Smishing is phishing by SMS — short, urgent, and surprisingly effective. Here is how to recognize it.

Most of us treat our text messages as a trusted space. Emails get a second look; texts get a tap. That gap in our instincts is precisely what attackers exploit with smishing — phishing delivered by SMS. It's short, it's urgent, and it lands on the device you're least suspicious of.

Why a text gets past your guard

A text message is stripped down. There's no sender address to inspect, no signature, no formatting to look wrong — just a line or two and a link. That simplicity works in the attacker's favor, because there's almost nothing to evaluate. The message looks like every other text you get.

Phones make it worse in small ways. Links are often shortened, so you can't see where they actually go. The screen is small, so a fake site looks convincing. And we read texts on the move — in line, between meetings, half-distracted — which is exactly when we're most likely to tap without thinking.

The texts to watch for

Smishing recycles a few reliable hooks:

  • The delivery. "Your package couldn't be delivered. Pay a small fee / confirm your address here." The amount is tiny on purpose; the goal is your card details or a login.
  • The bank or payment alert. "Suspicious transaction detected. Verify now or your account will be locked." Fear plus a link.
  • The account problem. A message claiming your Microsoft, Apple, or streaming account has an issue and needs you to sign in — on a page that harvests your password.
  • The boss text. "Hi, it's [owner's name], I'm in a meeting — are you free? I need a quick favor." It starts harmless and builds toward a gift-card purchase or a transfer.
  • The wrong number that turns friendly. A stray "Hi, is this Sarah?" that, if you reply, becomes a long con.

In a business, these matter because the phone in someone's pocket is often signed in to work email, work files, and work accounts. A personal-feeling scam can become a company problem fast.

How to handle a suspicious text

The rules are refreshingly simple:

  1. Don't tap links in unexpected texts. If a message claims to be from a company you use, open their official app or type their website address yourself. Never use the link provided.
  2. Treat urgency as a warning sign, not a reason to hurry. Real delivery companies and banks don't lock your account because you didn't tap a text in five minutes.
  3. Verify the "boss text" the boss didn't send. A request for gift cards, a transfer, or secrecy by text is a scam until confirmed by voice or in person.
  4. Don't reply, even to say "wrong number" or "stop." A reply tells the attacker your number is live and you'll engage.
  5. Report and delete. Most phones and carriers let you report junk or spam texts, which helps block the campaign for others too.

None of this requires technical skill. It requires the same calm pause that defeats every social-engineering attack: if a message wants you to act now, that's the reason to slow down.

When a tap does happen

People will occasionally tap a bad link — it happens to careful people on a busy day. If someone entered a work password on a fake page, the response is quick: change that password immediately, sign the account out everywhere, and make sure multi-factor authentication is on so a stolen password isn't enough by itself. Then mention it; the worst outcome is a compromised account that nobody flagged because they were embarrassed.

That last layer — the settings that decide whether a tapped link becomes a real breach — is where a quick check pays off. Tenant Strike connects to your Microsoft 365 in read-only mode and confirms the things that contain the damage: multi-factor authentication actually enforced, no quiet forwarding rules, no single click that could approve too much access. Five minutes, no changes, and a plain-English list of what to shore up.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.