IronSights

Threats & attacks

Smishing

A phishing attack delivered via SMS text message, typically impersonating parcel delivery services, banks, or government agencies to lure recipients into clicking malicious links.

Also known asSMS phishingtext phishing

In plain English

Smishing works just like email phishing but arrives as a text message. Common Australian lures include fake Australia Post delivery notifications, myGov account alerts, and bank fraud warnings — all containing links to credential-harvesting sites designed to look like the real thing.

Full definition

Why SMS bypasses your defences

SMS sits outside most corporate security filters. Emails get scanned, attachments get sandboxed, but a text message lands straight in your pocket with no inspection layer between sender and recipient. Attackers know this. A well-crafted smishing message impersonating Australia Post, CommBank, or the ATO can achieve a higher click rate than any email campaign because people are conditioned to act on texts quickly.

The mechanics are straightforward. The message arrives with a link, often shortened to hide the destination. Clicking it opens a page that looks like a legitimate bank login or myGov sign-in. Credentials entered there go directly to the attacker. Some campaigns skip the credential harvest entirely and push that installs quietly in the background, particularly on Android devices.

For Australian businesses, the risk extends beyond the personal. Staff using personal phones for work receive these messages too, and if they enter credentials on a harvesting page, that access becomes the attacker's foothold into your environment. Defending against smishing means training staff to treat unsolicited links in SMS with the same suspicion they apply to email. Where possible, configure so a harvested password alone is not enough to get in.

Keep learning

More terms in the IronSights Glossary.