Smishing, what you need to know with advice from Iberdrola

Digital security: understanding smishing with Iberdrola

Internet Informatics Cybersecurity

Mobile phone scams are becoming more frequent and the methods used to carry them out are becoming more complex. Smishing is a type of text message scam. Find out what it involves, what types exist and how to avoid falling victim to this scam.


Smishing cybercriminals use fake stories to gain the trust of victims and obtain their private data.

Smishing can sneak into your mobile phone in a number of ways. A text message from a bank warning us that they are going to block our account. Another from a courier company asking us to pay to receive a package. A WhatsApp from a supposed relative who has lost their luggage at an airport and needs our financial support to be able to travel. 

These cyber scams are becoming increasingly common. Although the motivations are the same, they vary in form and complexity in an attempt to capture the attention and trust of the targeted users. But what does smishing involve and how do cybercriminals execute it? Can we avoid falling victim?

What is smishing?

The term smishing comes from the combination of the words "SMS" and "phishing" and involves social engineering to commit fraud via text messages. It is a type of phishing and is similar to other varieties such as vishing, where the deception is based on a phone call. It is one of the favourite strategies of online criminals to try to gain access to our confidential information or steal our money.

The criminals behind these cyber-attacks impersonate official bodies, businesses and companies. Sometimes they even impersonate family and friends to commit smishing based on a certain degree of trust on the part of the user. These scams can be carried out by SMS, although WhatsApp is increasingly being used.

Attackers ask the victim to access a link on a fake website or to provide sensitive data such as users, online passwords, phone number, email, social security number or credit card details, for example. Sometimes they urge the user to make a bank transfer with a false claim or entice them to download an attachment that infects their device with malware. 

Examples of smishing

As with other cases of social engineering, smishing attacks are based on excuses or pretexts. Cybercriminals use fake stories to play on victims' trust and emotions and trick them into taking their private data. Here are some of the most common types of smishing attacks:

 Financial institution.

Fraudsters pose as a spokesperson, representative or employee of the victim's bank and alert the victim that there is a problem with their account. In order to solve the problem, the attackers ask the victim to follow a link or access a fake application or website where they must provide sensitive financial information: passwords, bank account or credit card numbers. With this data they can make purchases or transfer money to other accounts.

 Representative of the Administration.

Criminals pose as police officers, employees of tax collection institutions or other government officials. Smishing messages inform the victim that he or she must pay a fine or take action to claim a state benefit. When users follow the links to which they are redirected, the fraudsters steal their social security number and other information that can be used to impersonate them.

 Customer support.

Attackers impersonate support or customer service agents of well-known brands or even Internet providers. They inform the victim that there is a problem with their account or that they have not claimed any compensation or refund. Again, these messages refer the victim to a fake website that steals their credit card or bank account information.


This type of smishing is one of the most common. The messages report an alleged problem with the delivery of a parcel. The victim is asked to pay an amount of money as a delivery fee or to log into their account to fix the problem. The scammers take the money or private information and disappear. Attacks under the guise of parcel delivery are common during holiday or Christmas periods, when many people are expecting parcels.

  Work context.

Hackers pose as the victim's boss or a colleague in the company and claim they need help with an urgent task. In this case, they use SMS or WhatsApp messages, although it also happens through other channels such as email. The victim may end up sending money or private information.

 Wrong number.

The cybercriminal pretends to send a text message to the wrong number. When the victim corrects the mistake, the scammer engages in a conversation to gain the victim's trust. Sometimes this situation continues over the long term, for months or even years. The attacker may even pretend to have romantic feelings for the victim. The goal is, once again, to steal money from the victim through loans or investment opportunities, among others.

 Social networks.

The offender pretends to be a friend of the victim and tells them that they cannot access their social media accounts such as Instagram or Facebook. To fix this, he pretends to need the user to receive a code on his behalf. When the victim opens it, they allow the hacker access to their own account.

  Downloading fake applications.

Some smishing scams trick victims into downloading fake applications that are actually malware or ransomware. These apps may appear to be genuine, but in reality, they allow the user's confidential data to be stolen.

What do I do if I have been a victim of smishing?

All users are at risk of falling victim to smishing. If you think you may have fallen for this type of scam, it is important that you take action as soon as possible through a series of measures:

  • Icon

    Identify what information you have put at risk in this scam.

  • Icon

    Scan your phone with an antivirus to look for any signs of hacking.

  • Icon

    Remove any content you have downloaded from links or attachments from your device.

  • Icon

    Change the passwords of all accounts that may have been affected.

  • Icon

    Enable two-step verification to prevent account access and identity theft.

  • Icon

    Block your bank card if you think it may have been threatened and cancel any unauthorised payments that have been executed.

  • Icon

    Contact the impersonated company/institution or your banking institution.

  • Icon

    Gather as much evidence as possible and report the incident to the State Security Forces and Corps.


Source: The Cyber Helpine

 SEE INFOGRAPHIC: What do I do if I have been a victim of smishing? [PDF]

Tips to avoid becoming a victim of smishing

Any person or organisation, public or private, is susceptible to this type of cyber-attack. The most important thing is not to respond to or ignore any message asking for personal or financial information. Here are some steps to avoid being scammed by text messages:

  • The best advice is never to give out personal or banking information over the phone.
  • We should be wary of unknown senders or even block phone numbers that we think may be a threat. 
  • Ideally, the identity of the person sending the message should be verified. In the case of a company with which we have contracted certain services, we can ask for information and then contact the company to verify it.
  • We should not click on attached links or access any unknown application or page to make payments.
  • It is important to keep the operating system and applications up to date to ensure that minimum security standards are in place.

  • We must store passwords and banking information through encryption.
  • Finally, it is worth remembering that entities such as banks or large companies never call to ask for confidential data such as account numbers or passwords to access online banking.