
Phishing and Smishing: How they work and what to do about them (Part 1 of 2)

Paul Ducklin
04/28/2025

Phishing and its companions-in-crime

We’ve all seen and heard the word phishing, a cybercrime by means of which attackers try to trick us into giving away data that we’re not supposed to share with them.

Typically, they’re after information such as payment card details, usernames and passwords, or even those multi-factor authentication (MFA) codes that are supposed to keep us safe because they’re valid for one use only.

But if you type your password and your current MFA code into a fake website by mistake, you provide attackers with a short window of opportunity to masquerade as you.

So, adopting MFA doesn’t magically solve all your phishing problems, not least because today’s crime gangs either automate attempts to log in as soon as a stolen MFA code arrives, before it expires, or have a “call center” of human operators working shifts to abuse those codes by hand, or both.

Although having humans on call to process stolen MFA codes manually takes a bit more organization than just using automated scripts, it’s still worth it for the criminals.

Their crooked shift workers only get notified when a potential victim has already dug themselves in deep, and they can apply human levels of intelligence and insight to adapt fluidly to any changes in the login process that the target site might have implemented to throw fully automated tools off the scent.

Just to be clear: MFA does improve your cybersecurity situation, not least because it makes your password alone insufficient for attackers. They need to get your password, and then also to get hold of an MFA code that they typically only have a few minutes to abuse. That does make things harder for them, so don’t let the fact that MFA isn’t a “silver bullet” security solution put you off using it.

The psychology of phishing

Phishers typically use one or more of a number of psychological tricks to lure you into handing over information, such as:

  • Pitching a get-rich-quick scheme such as a bogus cryptocurrency.
  • Appealing to your helpful side by pretending to need assistance from you.
  • Telling you that you’ve been shortlisted to apply for what sounds like a dream job.
  • Saying they’re from your bank and are investigating a scam against you. (They’re the scammers, of course.)
  • Threatening you with trouble from bailiffs, from the police, or from the courts for unpaid debts or unspecified crimes.
  • Pretending that you need to pay an often-modest and therefore unalarming fee for a missed home delivery.
  • Warning about one of your online accounts by insisting it requires “re-confirmation” to avoid being shut down.
  • Linking to a bogus cloud-shared document that requires you to log in.
  • Inviting you to an online meeting that looks genuine but isn’t.
  • Presenting you with an online link to claim a bogus tax refund or some sort of official-sounding windfall payment.

Criminal automation

Most phishing attacks arrive by email, because that’s the online communication tool that’s easiest to abuse in bulk, allowing attackers to send millions or even tens of millions of manipulative messages all around the world in just a few minutes, at a cost that’s close to $0.

These fraudulent emails usually include a clickable web link that lands you on a bogus web page, where the crooks put you in front of a genuine-looking login page or payment screen, and then lure you into filling in personal information such as card numbers or passwords before you realize that it’s not the real deal.

Web pages are a popular destination for what’s known as the call-to-action in a phishing attack, because new websites are cheap and easy to set up, and can automatically fleece hundreds of potential victims at the same time.

Also, easy-to-use open-source tools exist that can create clones of legitimate sites in just a few seconds.

These tools automatically copy fonts, logos, graphics, stylesheets, scripts and content to produce pixel-perfect replicas of the real site, while also inserting hard-to-spot booby traps to catch out the unwary.

They are generally pitched as “for research purposes only,” or for use by corporate security teams looking to test their staff with simulated phishing attacks, but they are just as useful for greedy cybercriminals who don’t have the technical ability or the inclination to do the job themselves.


Phishing without websites

Not all phishing attempts rely on rogue websites, of course, not least because some criminals are determined to avoid asking you to click on a link at all, in a deliberate effort to seem “unphishy” simply by doing something a bit different.

Some scammers may urge you to call a phone number instead, or to reply to an instant message for further information.

They may even play a much longer game by joining an online forum to which you belong, building up a measure of trust within the group, and then pitching the “good services” of someone who is part of their scamming gang, as we reported recently in our article IC3 scam-reporting service abused by scammers.


Phishing without email

Not all phishing attacks are initiated by email, as the IC3 scam above shows: it starts with posts on an online forum.

After all, email is comparatively easy for companies to filter or to quarantine (meaning that it’s delayed to give time for it to undergo more careful checking) before it lands in the inboxes of their staff.

And we’ve become so used to email as a vehicle for spams, scams and phishing campaigns that other forms of contact somehow feel safer in comparison, even though scammers know how to abuse them, too.

In fact, phishing scams that rely on alternative forms of initial contact have led to a slew of punning names that remind you how they are conducted.

Some commentators object to these names because they think they sound corny and “made up,” though of course that’s exactly what they are, with the intent of providing a short, memorable, and self-descriptive reminder of how they work:

  • Vishing. This is phishing by voice or voicemail, where the scammers call you up and talk you into handing over data, visiting their rogue website, or letting them get remote access to your computer for unnecessary “technical support.” You’ve probably had dozens of calls like this yourself, with themes such as a “suspicious order” on your Amazon account, a “dangerous virus” on your computer that needs immediate attention, or a threat of “forthcoming arrest” from a self-styled law enforcement “agent.”
  • Quishing. This is phishing that makes use of QR codes. Rogue codes sometimes show up stuck on top of legitimate QR codes at public locations such as bus stops, train stations, or parking payment machines. Occasionally, email-based phishing messages use QR codes as a secondary lure, instead of a regular web link, thereby hoping that if you are reading email on your work laptop, you’ll switch to your phone to scan in the call-to-action. This means the scam will continue via your phone, where your level of anti-scam protection is almost certainly lower, and where suspicious web addresses are harder to see due to the narrower, smaller screen.


  • Smishing. This refers to phishing lures that arrive as phone messages, usually as plain text messages via SMS (the mobile network’s old-style short message service). SMSes are widely used for everyday real-time notifications by courier companies, visiting tradespeople, doctors’ surgeries and even by mobile phone stores letting you know that your promised technical support slot is coming up. This makes them an ideal vehicle for criminals to hijack for scamming purposes, because we’re used to seeing them used legitimately.


Less can be more

Smishing is not as prevalent as email-based phishing, primarily because sending tens of millions of unwanted text messages takes more work (and costs more money) than sending unsolicited bulk emails, but that’s cold comfort to people whose mobile numbers have found their way onto smishing lists that are readily available to cybercrime gangs.

Nevertheless, despite (or perhaps because of) its old-fashioned simplicity, smishing can be surprisingly effective.

Firstly, all mobile phone numbers can receive SMSes, whether the user has the latest messaging or social media apps installed or not.

Secondly, the routine use of SMSes for legitimate notifications has led us to accept them as expected, and even as useful, in our everyday lives.

Thirdly, SMSes are of necessity short, and therefore commonly follow an abbreviated, easy-to-copy style that criminals can imitate believably. Text messages generally don’t sweat the small stuff that non-native language speakers often struggle with, such as business greetings, pleasantries, and sign-offs.

Fourthly, again thanks to the “short” in SMS, text messages that include web links very commonly use link shorteners that we have become accustomed to accept and use, even though they obscure the true destination of the link.

Fifthly, and perhaps most significantly, smishing attacks – like the quishing tricks we mentioned above – inevitably unfold on your mobile device. Any links you tap on are opened in the cramped confines of your mobile browser, where security warning indicators are simply not as easy to see and take account of as they are in a laptop or desktop browser.
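The five points above (short, urgent wording; link shorteners that hide the destination; lookalike hostnames that are hard to read on a small screen; a “call this number now” hand-off to vishing) can be turned into a simple triage check. The script below is an added example written for this article, not code from SolCyber or from the original post; the SMS texts, the shortener list, the urgency words and the “example-bank” brand token are all constructed for illustration, and the registrable-domain logic is a deliberate simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Triage helper for text messages: extracts links and scores common smishing tells."""
import re
from urllib.parse import urlsplit

# Constructed sample messages for demonstration; none is quoted from the article.
SAMPLE_SMS = [
    "Your parcel could not be delivered. Pay the $1.99 redelivery fee within 24h: https://bit.ly/xyz123",
    "Dr Smith's surgery: your appointment is tomorrow at 10:15. Reply C to confirm.",
    "Your account has been suspended! Verify now at http://secure-login.example-bank.com.verify-acct.net/update",
    "FINAL NOTICE: court action pending. Call 555-0100 immediately to avoid arrest.",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Longer (10-digit) pattern first so it is preferred over the 7-digit one.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b|\b\d{3}[-.\s]?\d{4}\b")
# Illustrative lists (assumptions, not an authoritative feed): well-known shortener hosts,
# pressure words typical of lures, and brand tokens a lure would want to resemble.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}
URGENCY_WORDS = ("immediately", "within 24h", "suspended", "final notice", "arrest", "verify now", "urgent")
BRAND_TOKENS = ("example-bank", "amazon", "paypal", "parcel")


def registrable_domain(host):
    """Last two labels of the hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url):
    """Return the parts of a link a reader on a small screen is likely to miss."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if host in SHORTENER_HOSTS:
        findings.append("shortened link hides destination")
    if parts.scheme.lower() == "http":
        findings.append("plain http link")
    # A brand name sitting left of the registrable domain is the classic lookalike layout.
    for brand in BRAND_TOKENS:
        if brand in host and brand not in reg:
            findings.append(f"brand '{brand}' used as a subdomain of {reg}")
    if host.count(".") >= 3:
        findings.append("deeply nested hostname (hard to read on a small screen)")
    return {"url": url, "host": host, "registrable_domain": reg, "findings": findings}


def triage_sms(text):
    """Score one message: one point per link finding, per urgency word, plus one for an urgent call-back."""
    lowered = text.lower()
    urls = [analyse_url(u) for u in URL_RE.findall(text)]
    urgency = [w for w in URGENCY_WORDS if w in lowered]
    phones = PHONE_RE.findall(text)
    score = sum(len(u["findings"]) for u in urls) + len(urgency)
    if phones and urgency:
        score += 1  # pressure plus "call this number" is the vishing hand-off
    return {"text": text, "urls": urls, "urgency": urgency, "phone_numbers": phones, "score": score}


def triage_all(messages=SAMPLE_SMS):
    return [triage_sms(m) for m in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(f"score={result['score']}  {result['text'][:60]}")
        for u in result["urls"]:
            print(f"   link {u['host']} (registrable: {u['registrable_domain']}): {u['findings']}")
        if result["urgency"] or result["phone_numbers"]:
            print(f"   urgency={result['urgency']} phones={result['phone_numbers']}")
```

The score is a triage aid rather than a verdict: the genuine appointment reminder scores zero, while the “suspended account” lure scores highest because its hostname buries the brand name several labels deep and uses plain http, exactly the kind of detail a cramped mobile browser makes easy to overlook.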

Learn more

Now read 🔗Part 2, where we dive into a real-world smishing scam that we received ourselves, on a personal mobile phone.

We start with the SMS that contained the web-based lure, go under the hood to observe the machinations of the data-stealing website that the criminals set up, and see how they got hold of personal data, potentially including payment card numbers, and multi-factor authentication (MFA) codes.

You’ll learn about a range of tricks that the criminals use, including:

  • How they choose server names that don’t obviously look like rip-off sites, yet look realistic when viewed on a cramped mobile phone screen.
  • How they apparently innocently stop you visiting their “phone-friendly” scam site on your laptop, where you may be more likely to spot the subterfuge.
  • How they capture your data field-by-field, so they end up with some spoils even if you get suspicious and bail out half way.
  • How they stop you revisiting the site later on if you suspect you were scammed and want to get screenshots to help you report it.

What to do?

  • If in doubt, don’t give it out. Whether it’s a voice call, an instant message or a friendly post in an online forum, don’t let yourself be talked into handing over personal data just because someone is flattering, cajoling, threatening, or pressurising you.
  • Go beyond the advice that “if it looks phishy, it probably is.” A simpler and stronger rule is that if it LOOKS phishy, it IS phishy.
  • Build a strong, human-centric security culture. This means cybercriminality of any sort is more likely to be spotted and reported. Signing up with SolCyber will actively help you to do this.
  • Avoid using contact details provided by the sender of a message. Get together a reliable list of important web addresses and phone numbers, such as from printed account statements, original contract documents, or the back of your credit card.
  • Stop, think, and check carefully whenever you are asked for an MFA code. Better to have a failed legitimate login attempt than to let a valid one-time code leak to someone else. Never send or tell an MFA code to anyone else, no matter how convincing they sound.
  • Add an extra layer of security to your mobile devices, which are typically protected only by basic MDM (mobile device management) tools. Signing up for SolCyber Mobile Protection brings your mobile threat response to a new level, including blocking phishing attempts and messaging scams that specifically target phone users.
  • Aim for prevention, because it’s better than cure. Sign up with SolCyber for proactive threat detection and prevention so you don’t have to build a 24/7 SOC of your own.

You can find plenty more helpful advice by clicking on the images that link to the previous articles we mentioned above...

...and don’t forget to head to 🔗Part 2 to learn more about online scams and how to avoid them!


Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:



More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!


Featured image of crocodile by Shelly Collins via Unsplash.
