Smishing (SMS Phishing)
Phishing attacks via text message or messaging apps. Smishing messages contain fake links to phishing sites or directly ask recipients to disclose sensitive information—often under the guise of package notifications, bank alerts, or official government communications.
Smishing (SMS + phishing) is one of the fastest-growing forms of social engineering, alongside vishing. While email phishing is increasingly intercepted by spam filters, SMS messages reach the recipient largely unfiltered, and text messages are opened at rates commonly reported above 95%.
Why Smishing Is So Effective
Email phishing has an average click-through rate of 3–5%. Spam filters intercept many attacks, users have become more skeptical due to years of awareness campaigns, and the desktop context allows more time to think.
Smishing, on the other hand, achieves click-through rates of 8–10%. There are hardly any SMS spam filters (except for a few carrier filters), users are significantly less aware of SMS scams, and the mobile context—on the go, under time pressure—encourages impulsive behavior. Short URLs are difficult to verify on a mobile device.
> The real danger: Mobile banking combined with smishing enables direct account access in a single step.
Common Smishing Scenarios
1. Package Notification (Most Popular Method)
A typical message reads: "Your DHL package (No. 4823847) could not be delivered. Please confirm address: [Link]"
This method works because almost everyone is waiting for a package, DHL, Amazon, and UPS are impersonated constantly, and urgency is built in ("Pickup expires tomorrow"). On the phishing site, victims are asked to pay a "confirmation fee" of €1.95 (the card data they enter is the real target), presented with an address form for PII harvesting, or offered a malware APK disguised as a "DHL app" (Android only).
2. Bank Alert
Template: "Sparkasse: Unusual transaction detected! Account locked. Unlock: [Link]"
These attacks leverage urgency ("Account locked"), well-known brands (Sparkasse, ING, Commerzbank), and a professional layout for the phishing page. An OTP relay is often used: the attacker logs into the real bank with the captured credentials at the same time, the bank sends a genuine SMS TAN to the victim, the phishing page asks for that TAN, and the attacker uses it immediately.
3. Government Agency / Tax Office
Example: "Your tax refund of €847 is waiting! Enter your IBAN now: [Link]"
> Warning: German tax offices never contact you via SMS and never request IBAN details via a link.
4. Two-Factor Authentication Manipulation
Example: "Apple: Your account has been locked. Verify your identity: [Link]"
The goal is access to the Apple ID and iCloud account, for theft of photos and data or for locking the device remotely and demanding a ransom.
5. CEO Fraud via SMS
Example: "[Boss's Name]: Hi, can you make an urgent transfer right now? I’m in a meeting and my PC is locked."
This variant is particularly dangerous in finance teams; it is CEO fraud (business email compromise) moved from the inbox to the phone, where the fake sender is even harder to verify.
Technical Aspects: How Smishing Campaigns Are Structured
Sending Infrastructure and Sender Spoofing
Attackers need two things: a way to send at scale and control over what the recipient sees as the sender. Common methods: SMS gateway APIs (e.g., abused Twilio accounts), prepaid SIM cards purchased anonymously in bulk, spoofing at the signalling layer via SS7 access (rare, expensive), or simply setting a fake alphanumeric sender ID such as "DHL" at a bulk SMS provider that does not verify it. The target numbers themselves come from leaked or purchased lists (see Distribution below).
> Important: Alphanumeric sender IDs can be faked. "DHL" in the SMS does not mean the message is from DHL.
Link Obfuscation
Smishing links are obfuscated using URL shorteners (bit.ly, t.co), typosquatting (dh1.de instead of dhl.de), the brand as a subdomain of an unrelated domain (dhl.fake-domain.de), or a valid HTTPS certificate, which gives the page a padlock icon.
> Important: HTTPS does not mean secure. Anyone can obtain a free Let’s Encrypt certificate.
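The obfuscation tricks above can be turned into a triage routine that extracts the part of the host the attacker actually controls (the registrable domain) and checks it against a brand list. The following is an added example written for this article, not code from the page or from any vendor product; the brand list, shortener list, two-entry suffix table and all sample URLs are constructed for the demo, and it makes no use of the certificate, since HTTPS tells you nothing here.

```python
"""Heuristic triage of links found in SMS messages.

Added example for this article, not code from the page or from any vendor.
The brand list, shortener list, two-entry suffix table and all sample URLs
are constructed for the demo; real code would use the public suffix list
(e.g. the tldextract package) and a maintained shortener list.
"""
import ipaddress
from urllib.parse import urlsplit

BRANDS = {"dhl", "sparkasse", "amazon", "ups", "ing", "commerzbank", "apple"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}    # stand-in for the public suffix list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single substitution/insertion/deletion is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str):
    """Return (registrable domain, subdomain labels), e.g. dhl.fake-domain.de
    -> ("fake-domain.de", ["dhl"]). The registrable domain is what the attacker owns."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(url: str) -> list:
    """Return the heuristics that fire for a URL. An empty list is not a clean
    bill of health, only 'none of these tricks was detected'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if "@" in parts.netloc:                       # https://dhl.de@evil.example/
        reasons.append("credentials in url")
    if not host:
        return reasons + ["no host"]
    if is_ip(host):
        return reasons + ["ip address host"]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")           # possible Unicode look-alike
    domain, subdomains = registrable_domain(host)
    if domain in SHORTENERS:
        reasons.append("url shortener")            # real destination is hidden
    label = domain.split(".")[0]
    for brand in sorted(BRANDS):
        if label == brand:
            continue                               # registrable label is the brand itself
        # dh1.de -> dhl via the homoglyph map; dhll.de via edit distance. The length
        # guard keeps three-letter brands like ING/UPS from matching random words.
        if label.translate(HOMOGLYPHS) == brand or (len(brand) >= 4 and levenshtein(label, brand) == 1):
            reasons.append(f"lookalike of {brand}")
        elif len(brand) >= 4 and brand in label:
            reasons.append(f"brand {brand} embedded in {domain}")
        if brand in subdomains:
            reasons.append(f"brand {brand} in subdomain")   # dhl.fake-domain.de
    return reasons


# Constructed sample links; only www.dhl.de is a real domain, used as the benign control.
SAMPLE_LINKS = [
    "https://www.dhl.de/",
    "https://dh1.de/track",
    "https://dhl.fake-domain.de/confirm",
    "https://bit.ly/3xYz",
    "https://dhl.de@evil.example/login",
    "https://sparkasse-sicherheit.com/unlock",
    "http://192.0.2.10/dhl",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:45} {triage(link) or 'no heuristic fired'}")
```

In a messaging gateway or MTD pipeline this runs on every URL extracted from the message body. "credentials in url", "ip address host" and "punycode label" are rare enough in legitimate SMS traffic to treat as hard blocks; the brand heuristics are signals for a reviewer, since legitimate partners and regional sites do sometimes embed a brand name.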
Phishing kits
Pre-configured packages are available on the dark web: a "DHL Kit" or "Sparkasse Kit" with an exact replica of the real site, reverse-proxy frameworks that relay sessions and MFA codes in real time (Evilginx, Modlishka), and fully automated handling of the harvested data. A ready-made kit costs between €100 and €500.
Distribution
Mass campaigns go out to lists of stolen or leaked phone numbers. Targeted attacks use OSINT (social media, leaked databases) to select specific individuals and tailor the pretext to them.
Real-Time OTP Relay (Advanced Technique)
The fully automated smishing attack with MFA bypass proceeds in nine steps:
- Victim receives SMS: "Sparkasse: Login attempt detected. Confirm: [Link]"
- Victim clicks the link and opens the phishing page with the identical Sparkasse design
- Victim enters username and password
- Attacker's server immediately submits the credentials to the real Sparkasse login
- Sparkasse sends a genuine SMS TAN to the victim
- The phishing page prompts the victim to enter the TAN
- Victim enters the TAN
- Attacker uses the TAN within 30 seconds
- Transaction completed – account emptied
The time window for the relay is the TAN's validity, typically 30–60 seconds; the proxy handles the whole exchange without a human in the loop, so the attacker is never too slow.
Protective Measures
For Employees (Security Awareness)
Three questions to ask yourself before responding to any SMS:
- Was I expecting this SMS?
- Would I normally click a link in an SMS? The safe answer is no: open the provider's app or type the address yourself.
- Am I being asked for a password, TAN, or card details? If so, it’s a scam.
Verify through an independent channel:
- DHL tracking: Enter the package number directly on dhl.de; never follow the link
- Bank: Call the number on the back of the card
- Tax office: check directly with your tax office or via the official ELSTER portal; a genuine refund is paid to the bank account already on file
> Basic rule: Genuine banks, DHL, and government agencies never ask for passwords, PINs, TANs, credit card details, or IBANs via text message for a "refund."
For businesses
- Use FIDO2/Passkeys instead of SMS-TAN for banking—SMS-TAN is inherently vulnerable to phishing
- MDM: block sideloading (APK installation from unknown sources on Android, unmanaged configuration and enterprise-app profiles on iOS)
- Include smishing in phishing simulations, tracked with its own metrics rather than folded into the email phishing results, and cover it in mobile security awareness training
- Mobile Threat Defense (MTD): solutions like Lookout or Microsoft Defender for Endpoint on mobile flag or block suspicious URLs when they are opened from an SMS
For Banks and Service Providers
- Sender ID protection: register your alphanumeric sender IDs with carriers and SMS aggregators so that unregistered use of your brand name can be blocked in the network, and tell customers which IDs and numbers you actually use
- Phase out SMS TANs in favor of FIDO2 authenticators
- Introduce out-of-band verification for large transactions
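Why the FIDO2 recommendation above (and the "Use FIDO2/Passkeys instead of SMS-TAN" point for businesses) actually defeats the nine-step relay described under Real-Time OTP Relay: a TAN is a bare number, so the bank cannot tell whether it was typed on its own site or on the attacker's, whereas a WebAuthn assertion is signed over the origin the victim's browser is really talking to. The simulation below is an added example written for this article, not code from the page or from any bank; the origins, the single user record and the HMAC stand-in for an authenticator signature are assumptions for illustration (real WebAuthn uses an asymmetric key pair and also covers authenticator data), but the origin check is the same one a relying party performs.

```python
"""Simulation of the real-time relay from the "Real-Time OTP Relay" section,
run once against SMS TAN and once against a passkey (WebAuthn-style) login.

Added example, not code from the page or from any bank. The origins, the user
record and the HMAC-based stand-in for an authenticator signature are assumptions
for illustration; real WebAuthn uses an asymmetric key pair and also signs
authenticator data, but the origin check shown here is the part that matters.
"""
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"         # assumed legitimate origin
PHISH_ORIGIN = "https://bank-login.example"  # assumed attacker origin


class Bank:
    """The relying party: checks passwords, issues TANs, verifies assertions."""

    def __init__(self):
        self.passwords = {"alice": "correct horse"}
        self.tans = {}          # user -> outstanding TAN
        self.challenges = {}    # user -> outstanding WebAuthn challenge
        self.credentials = {}   # user -> authenticator secret (stand-in for a public key)

    def check_password(self, user, password):
        return self.passwords.get(user) == password

    def send_sms_tan(self, user, phone_inbox):
        tan = f"{secrets.randbelow(10**6):06d}"
        self.tans[user] = tan
        phone_inbox.append(tan)             # "delivered" to the victim's real phone

    def confirm_tan(self, user, tan):
        # A TAN says nothing about *where* it was typed, so a relayed TAN
        # is indistinguishable from one entered on the real site.
        return hmac.compare_digest(self.tans.pop(user, ""), tan)

    def register_passkey(self, user, secret):
        self.credentials[user] = secret

    def issue_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_assertion(self, user, client_data_json, signature):
        data = json.loads(client_data_json)
        expected = hmac.new(self.credentials[user], client_data_json, hashlib.sha256).digest()
        challenge_ok = data.get("challenge") == self.challenges.pop(user, None)
        origin_ok = data.get("origin") == BANK_ORIGIN     # the origin binding
        return origin_ok and challenge_ok and hmac.compare_digest(expected, signature)


class Authenticator:
    """The victim's passkey. The browser, not the user, fills in the origin."""

    def __init__(self, secret):
        self.secret = secret

    def get_assertion(self, challenge, browser_origin):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


def run_sms_tan_relay():
    """Steps 1-9 of the text: the attacker proxies credentials and TAN live."""
    bank, inbox = Bank(), []
    phished = ("alice", "correct horse")        # typed into the phishing page
    if not bank.check_password(*phished):       # attacker forwards them to the bank
        return False
    bank.send_sms_tan("alice", inbox)           # genuine TAN reaches the victim
    tan_typed_into_phish = inbox[-1]            # victim types it into the fake page
    return bank.confirm_tan("alice", tan_typed_into_phish)  # attacker replays it


def _passkey_login(browser_origin):
    bank, secret = Bank(), secrets.token_bytes(32)
    bank.register_passkey("alice", secret)
    challenge = bank.issue_challenge("alice")   # attacker can fetch a real challenge
    client_data, sig = Authenticator(secret).get_assertion(challenge, browser_origin)
    return bank.verify_assertion("alice", client_data, sig)


def run_passkey_relay():
    """Same relay, but the victim's browser signs for the phishing origin."""
    return _passkey_login(PHISH_ORIGIN)


def run_passkey_legit():
    """Control: the same passkey used directly on the bank's own origin."""
    return _passkey_login(BANK_ORIGIN)


if __name__ == "__main__":
    print("SMS TAN relay succeeds:   ", run_sms_tan_relay())   # True
    print("Passkey relay succeeds:   ", run_passkey_relay())   # False
    print("Passkey legitimate login: ", run_passkey_legit())   # True
```

The attacker in the passkey case gets everything: a genuine challenge, a genuine signature, and a cooperating victim. The assertion still fails because the browser on the victim's phone wrote the phishing origin into the signed client data, and nothing the attacker or the victim types can change that. This is what "phishing-resistant" means in practice, and why the same relay that empties an SMS-TAN account is a no-op against a passkey.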
Legal Situation in Germany
Criminal Liability for Attackers
- § 263 StGB: Fraud (up to 5 years’ imprisonment)
- § 263a StGB: Computer fraud
- § 202a StGB: Data espionage
- § 303a StGB: Data tampering
- For organized criminal groups: § 263(5) – up to 10 years
As a victim
- Immediately: Block your card (116 116), notify your bank
- File a criminal complaint: With the police (can be done online)
- Consumer protection agency: smishing-check.de for current campaigns
- Chargeback: often possible for credit card payments; much harder for debit card payments and bank transfers, so notify the bank immediately
Smishing by the Numbers (2025)
According to BSI figures and current industry reports:
- Smishing attacks in Germany: +340% since 2022
- Average loss per victim: €1,200–4,500
- Click-through rate for mobile phishing links: reported at up to 4× that of desktop (the 8–10% vs. 3–5% figures cited above correspond to roughly 2–3×)
- 67% of victims were unaware that sender IDs can be forged
Most Common Smishing Scenarios in 2025
- Package notifications (DHL, Amazon, UPS)
- Banking alerts (Sparkasse, ING, Commerzbank)
- Apple ID / Google account locked
- Tax refunds (fake tax office)
- COVID-19 aftermath (fake refunds)