Threat Intelligence April 12, 2023 · 5 min read

Text Messaging Scams: How Smishing Attacks Target Your Employees and Clients

Email phishing receives the majority of attention in security awareness training programs — and for good reason. But SMS-based phishing, known as smishing, is receiving significantly less organizational attention despite growing in both volume and sophistication. The threat landscape has shifted, and most organizations' defenses haven't kept pace with where attackers are increasingly active.

The attack surface is fundamentally different from email: employees' personal phones, personal carriers, and a communication channel that carries an implicit trust signal that corporate email doesn't. Most corporate security controls don't touch it at all.

What Smishing Attacks Look Like

Smishing messages are designed to trigger an immediate action before the recipient applies critical scrutiny. Common scenarios include:

  • Package delivery notifications with fraudulent tracking links — UPS, FedEx, and USPS impersonation is among the highest-volume smishing categories, exploiting the ubiquity of e-commerce deliveries
  • Bank fraud alerts asking the recipient to verify a transaction or confirm account access — often paired with a spoofed phone number that appears legitimate
  • Payroll or HR notifications about direct deposit changes or W-2 issues — particularly effective because employees don't expect these communications to be fraudulent
  • IT help desk messages requesting credential verification, MFA reset, or device enrollment — exploiting the fact that employees are conditioned to respond to IT requests
  • Executive impersonation requesting gift card purchases, wire transfer authorization, or confidential information — the SMS variant of business email compromise

Why SMS Works Better Than Email for Social Engineering

Attackers have shifted attention to SMS because the channel offers several advantages over email:

  • No spam filter. Text messages arrive in the primary inbox without any filtering layer. There's no equivalent of an enterprise email security gateway for SMS.
  • The personal device channel carries more trust. Employees are conditioned to treat SMS as a more direct, personal communication than email. That trust transfer is exploited by smishing attackers.
  • Short messages don't contain phishing indicators. Email phishing is often identifiable by poor formatting, suspicious sender domains, and other tells. A text message with a short sentence and a link provides far less signal to scrutinize.
  • Mobile users are less likely to inspect URLs carefully. On a mobile device, URLs are truncated and harder to evaluate. Hovering to preview a destination — a common email phishing defense — doesn't apply.
  • Urgency framing is more effective via text. "Your account will be suspended in 24 hours" reads differently in SMS than in email. The channel creates a sense of immediacy that reduces deliberate decision-making.

Smishing exploits the gap between where employees' security training focuses — corporate email — and where attackers are increasingly active — personal phones used for work. BYOD policies and the blending of personal and work device usage make this gap particularly dangerous for organizations that haven't extended security awareness training to cover SMS explicitly.
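The scenarios listed under "What Smishing Attacks Look Like" and the channel characteristics above translate into a handful of indicators a help desk can score when employees forward suspicious texts. The following triage script is an added illustration, not part of the original post or any DOYB tooling; the sample messages, indicator phrases and score thresholds are constructed for the example and would need tuning against real reports.

```python
import re

# Constructed sample of employee-reported text messages; not real campaign data.
REPORTED_SMS = [
    "USPS: your package could not be delivered. Confirm your address within 24 hours: http://usps-redeliver.example/ct",
    "IT Helpdesk: your MFA enrollment expired. Reply with the 6-digit code you just received to keep access.",
    "Hi it's Mark (CEO). In meetings all day, need gift cards for a client urgently. Call me on 555-0142.",
    "Reminder: team lunch moved to 12:30 in the main conference room.",
]

URL_RE = re.compile(r"https?://\S+", re.I)
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{4}\b")  # a callback number supplied by the sender

def _terms(*terms):
    """Case-insensitive whole-word matcher for a list of indicator phrases."""
    return re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.I)

# Indicator lists assembled from the attack patterns the post describes (constructed).
INDICATORS = {
    "impersonation": _terms("usps", "ups", "fedex", "bank", "payroll", "hr", "it helpdesk", "ceo", "cfo"),
    "urgency": _terms("urgent", "urgently", "immediately", "within 24 hours", "suspended",
                      "expired", "could not be delivered"),
    "credential request": _terms("password", "mfa", "6-digit code", "verification code", "one-time code"),
    "payment request": _terms("gift card", "gift cards", "wire transfer", "direct deposit",
                              "vendor payment", "invoice"),
}

def triage(text):
    """Score one reported SMS: each matched indicator adds one point and a reason."""
    reasons = []
    if URL_RE.search(text):
        reasons.append("link present")
    if PHONE_RE.search(text):
        reasons.append("callback number supplied in message")  # verify out-of-band, never via this number
    for label, pattern in INDICATORS.items():
        if pattern.search(text):
            reasons.append(label)
    score = len(reasons)
    # A credential or payment ask paired with impersonation or urgency is the BEC-style
    # pattern the post singles out; weight it so it always reaches "escalate".
    if ({"credential request", "payment request"} & set(reasons)) and \
       ({"impersonation", "urgency"} & set(reasons)):
        score += 2
    verdict = "escalate" if score >= 4 else "review" if score >= 2 else "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}

def triage_all(messages):
    return [triage(m) for m in messages]
```

Running `triage_all(REPORTED_SMS)` sends the MFA-code and gift-card texts to "escalate", the delivery lure to "review", and the lunch reminder to "benign".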

The Business Wire Transfer and Payroll Redirect Variant

The most financially damaging smishing variant targets financial transactions directly. An attacker impersonating a CEO, CFO, or HR system contacts an employee via text, requesting wire transfer authorization, a payroll direct deposit change, or vendor payment redirection.

The FBI Internet Crime Complaint Center (IC3) reported $2.9 billion in Business Email Compromise losses in 2023 [1]. SMS is increasingly the initial contact channel for these schemes — attackers use text to establish contact before escalating to other channels, or to bypass email security controls that would flag the same message as suspicious.

The defining characteristic of these attacks is that they exploit process gaps, not technical ones. When an organization doesn't have a documented out-of-band verification procedure for financial transactions, a convincing text message from an apparent executive is sometimes all it takes.

What Organizations Should Have in Place

  • Security awareness training that specifically covers SMS phishing. General phishing training that focuses on email is not sufficient. Employees need to see smishing scenarios, recognize the patterns, and understand what the appropriate response is.
  • Out-of-band verification procedures for financial transactions. Any request to transfer funds, change banking information, or authorize a payment that arrives via text or email should require a verification call to the requester at a known, previously verified phone number — not a number provided in the message itself.
  • Clear policy on what IT and HR will and will not request via text. Employees should know that IT will not ask for passwords, MFA codes, or device access via SMS. HR will not request direct deposit changes through an unsolicited text. Make the policy explicit and reinforce it in training.
  • MDM policies that separate personal and work data on BYOD devices. Mobile Device Management solutions can create a separation between personal and work environments, limiting the blast radius if a personal device is compromised through a smishing attack.

Geographic Targeting: Why Georgia Businesses Are Seeing More Smishing

Atlanta's position as a major financial services, logistics, and technology hub makes Georgia organizations disproportionately attractive targets for business-oriented smishing campaigns. Metro Atlanta hosts the headquarters or significant regional operations of major financial institutions, logistics companies, and healthcare organizations — exactly the profile that generates high-value business transactions and makes executive impersonation financially rewarding for attackers.

Organizations in metro Atlanta, Macon, and surrounding areas should treat smishing awareness as a specific and recurring training requirement — not a footnote in a general phishing module. The threat is real, it's targeted, and the financial consequences of a single successful attack can be severe.

An Ascend Cyber assessment evaluates social engineering exposure — including whether your organization has documented verification procedures for financial requests initiated via text or email, and whether security awareness training covers the specific attack patterns your employees are most likely to encounter.

[1] FBI Internet Crime Complaint Center (IC3), 2023 Internet Crime Report: Business Email Compromise losses reported as $2.9 billion for 2023.
