Smishing: The Invisible Cyberthreat and How Small Business Can Stay Protected


That familiar buzz of an incoming text message is one many of us are used to receiving. But what may seem like a simple enough request from what looks like a legitimate source, perhaps a request to update your password quickly or verify information, can turn into a cyber nightmare.

These types of cyber attacks that use traditional phishing methods sent via SMS text message are known as smishing.

In fact, in 2023 the service RoboKiller tracked 12.4 billion spam texts sent in the month of September alone. The top three texting scams were fraudulent delivery, banking and travel notifications. The smartphone scammers behind this type of phone phishing are only increasing their frequency. Unfortunately, smishing is just one of the many types of cyberthreats that use sophisticated forms of social engineering to trick users into giving information to criminals.

No small business owner is immune, but it is important to educate yourself, your employees and clients on what to look out for and how to safeguard against these cyberthreats.

Common red flags and what to watch out for

The Federal Trade Commission has logged over 125,000 text fraud (or smishing) complaints resulting in an estimated $180 million in losses so far in 2023. As the volume of smishing attempts increases, cybercriminals are getting more clever and also use spoofing, a method that tricks your phone's Caller ID into believing that a text or call is coming from a trusted contact you know. Spoofing is a way for bad actors to disguise their intentions, and it heightens the risk of compromised security.

  • Requests for Information: If you receive an unexpected SMS asking for personal or business information, be wary. Legitimate organizations usually do not ask for sensitive information via text message.
  • Urgency: If the message creates a sense of urgency, suggesting dire consequences if you don't respond immediately, beware. Scammers use this tactic to rush you into making a mistake.
  • Unknown or Suspicious Senders: If the sender's number isn't familiar or if it doesn't match the official contact number of the organization it claims to represent, it's cause for concern.
  • Spelling and Grammar Mistakes: Professional organizations typically proofread their messages. If a message is full of errors, it's likely not legitimate.
  • Links: Be cautious of any text messages that include links, especially if they are shortened URLs. These can lead to fraudulent websites designed to steal your information.
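The five red flags above can be turned into a simple screening rule. The following is an added example, not code from the original article or from NerdsToGo: a rule-based scorer that checks constructed sample texts for information requests, urgency language, unknown senders and shortened links (the spelling-and-grammar flag is left out because it needs a dictionary). The term lists, the two-flag threshold and the 555-01xx sender numbers are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristics mirror the red flags listed above; the term lists are illustrative, not exhaustive.
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended",
                 "act now", "final notice", "locked")
INFO_REQUEST_TERMS = ("verify your", "confirm your", "update your password",
                      "account number", "social security", "password")
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
URL_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)


@dataclass
class Assessment:
    flags: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two or more independent red flags warrants reporting.
        return self.score >= 2


def assess_sms(text: str, sender: str, known_senders: set[str]) -> Assessment:
    """Return the red flags an incoming SMS triggers, in the order listed above."""
    lower = text.lower()
    flags = []
    if any(term in lower for term in INFO_REQUEST_TERMS):
        flags.append("requests-information")
    if any(term in lower for term in URGENCY_TERMS):
        flags.append("urgency")
    if sender not in known_senders:          # number does not match a known contact
        flags.append("unknown-sender")
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        flags.append("contains-link")
        if any(h in SHORTENER_HOSTS for h in hosts):
            flags.append("shortened-url")   # shortened URL hides the real destination
    return Assessment(flags)


# Constructed sample messages; 555-01xx numbers are reserved fictional numbers.
KNOWN_SENDERS = {"+15550199"}
SMISH = ("URGENT: Your bank account has been suspended. Verify your password "
         "within 24 hours at http://bit.ly/a1b2c3")
LEGIT = "Your appointment with Main St Dental is Tue 10am. Reply C to cancel."

if __name__ == "__main__":
    for sender, msg in (("+15550100", SMISH), ("+15550199", LEGIT)):
        result = assess_sms(msg, sender, KNOWN_SENDERS)
        print(sender, result.suspicious, result.flags)
```

A scorer like this is a training aid and a first-pass filter, not a replacement for employee reporting; legitimate messages that mention a password reset will also trip it.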

Safeguarding your small business against attacks

Small business owners are advised to take two important steps to protect their business and mitigate risks: step up training of employees, and find an experienced Managed Service Provider familiar with software tools that test security awareness among employees. A business's employees are the first, and best, line of cyber defense.

  • Simulated Phishing Campaigns: A managed IT provider can send automated phishing emails to routinely test both the strength of your systems and your employees' readiness to report suspect emails, so that a security breach is prevented before it occurs.
  • Targeted Training: Routine employee training is important as more phishing attempts – including smishing and spearphishing targeting
  • DNS Filtering: Domain Name System filtering checks the website you or your employee are being directed to and can block you from reaching a known-malicious site.
  • Mobile Device Management: If you or your employees use a company phone for business, an MSP can provide MDM to restrict applications that could be potential entry points for scammers and to provide ongoing monitoring of a device meant solely for business.

An expert IT support provider like NerdsToGo offers essential cybersecurity solutions for the ongoing threats that exist anywhere you or your business operate digitally. The experts at NerdsToGo can help protect your business, educate and train your employees on the risks, and provide the local, 24-hour IT support small businesses increasingly need.

Smishing - Smishing is a type of fraudulent activity where a scammer tries to trick you into giving them your private information. The term is a combination of "SMS" (short message service, a common format for text messaging) and "phishing." In smishing, the scammer typically sends a text message that appears to be from a reputable source, like a bank or credit card company. The message often contains a link to a fake website or a phone number to call, where you'll be asked to provide personal information like your account numbers, passwords, or Social Security number. This information can then be used for identity theft or other fraudulent activities.

Social Engineering - Social engineering is a strategy used by cybercriminals that involves manipulating individuals into revealing confidential information, which can be used for fraudulent purposes. It's a method of tricking people into giving up sensitive information or breaking normal security procedures, often by exploiting human psychology and curiosity. This can take many forms, such as phishing emails, scam phone calls, or even in-person impersonation.

Spoofing - Spoofing is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. This is usually done by hiding or falsifying information such as a phone number, IP address, or email address. The main purpose of spoofing is to trick the recipient into trusting and engaging with the communication, which can lead to the theft of data, money, or sensitive information, or the spread of malware. Spoofing can occur in various forms, including email spoofing, caller ID spoofing, and IP spoofing.

Managed Service Provider (MSP) - A Managed Service Provider is a company that remotely manages a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model. This can include services such as network management, cybersecurity, data backup, and system updates.

Domain Name System - DNS stands for Domain Name System. It is a system used to translate domain names, which are easy for humans to read and remember, into numerical IP addresses, which are used by computers to identify each other on the network. Essentially, DNS serves as the phone book for the internet, making it easier for us to access websites without having to remember complex numbers.