The rise of ‘smishing’

The rise of ‘smishing’

It might not be a term you’ve heard before. In cyber security, smishing is a form of phishing attack used by cyber criminals in a text message to persuade you to click on a malicious link or send private information. The term is a combination of ‘short messaging service’ (SMS) and ‘phishing’.

Phishing attacks are on the increase, with criminals capitalising on recent events, including the coronavirus pandemic, rise in energy bills, and general cost of living crisis. Posing as well-known brands and organisations, criminals target individuals through email, social media, and SMS messaging. Text messaging scams, or ‘smishing’ scams, are becoming increasingly common, with research by Ofcom suggesting that in 2021, 7 in 10 people received a text messaging scam.

Smishing scams are favoured by attackers for a few different reasons:

  • Most people have their phones on them for most of the day.
  • Thousands of people use their smartphones to make payments every day.
  • Banks and other types of businesses often communicate through text messages.
  • It’s difficult to block scam text messages.

Examples of criminals exploiting current affairs

  1. Energy bills scam

The photographs below show two different scam campaigns both focussing on the rise in energy bills. Both text messages claim to be sent from the government, and both are attempting to get recipients to click on a malicious link.

The scammers are attempting to evoke quick reactions from recipients by offering a ‘discount’ and mimicking the language style of government communications. The numbers sending these messages are typically standard UK mobile phone numbers, starting in 07.

Image shows a text message from scammers posing as government officials to persuade reader to click on malicious link

  1. Fake delivery scam

One scam that increased during the coronavirus pandemic with the rise in online shopping were these fake delivery text messages, claiming to be from well-known delivery firms and encouraging recipients to click on a malicious link.

Image shows text message from scammers posing as trusted delivery sources to convince victim to click on malicious link


  1. COVID-19 scam

A worldwide pandemic opened up lots of opportunities for cyber-crime, and the NHS released multiple warnings about a text scam message notifying recipients they had been in close contact with a coronavirus variant. Other related scams told recipients they were due a payment from government. Both messages led to malicious links and were relying on evoking different emotional responses from readers (i.e. excitement and worry).

image shows text message from scammers posing as NHS exploiting the covid crisis to convince victim to click on malicious link


  1. Other text messaging scams

Text messaging scams don’t always claim to be from reliable sources, as some of the examples below demonstrate. They don’t always send malicious links, either. Some of the examples below ask recipients to contact a number on Whatsapp, whilst others impersonate relatives with the aim of convincing the recipient they know the sender.

Image shows examples of other scams encouraging victims to either click on a link or respond to message


What to do if you are the recipient of a smishing scam

Smishing scams are difficult to avoid and easy to fall for. Don’t ever click on links sent in text messages when you cannot be completely sure who the sender is.

According to the National Cyber Security Centre (NCSC), most phone providers are part of a scheme that allows customers to report suspicious text messages for free by forwarding them on to 7726. Your phone provider will investigate the origin of the text and arrange a block if it is malicious.

Why is this relevant to care services?

Your staff might use their own devices to deliver care. Its important that staff are briefed on the cyber security risks that can occur. If a staff member experienced a breach on their device, information they hold about clients and the business might not be secure.

As well as briefing your staff, it is your responsibility to ensure you have the correct processes and procedures in place so that if you did experience a cyber-attack, you would know what to do. Completing your Data Security & Protection Toolkit (DSPT) can help you with this. The DSPT is a self-assessment tool that all CQC registered providers need to complete once a year. There is a wide range of free support available to help you through the Better Security, Better Care programme.

People accessing your care service may also use technology to stay in touch with friends and family. These are usually vulnerable people who may be more susceptible to a text messaging scam. It’s important they understand the dangers and what to look out for. Whether it’s a member of your staff or a client who falls victim to a smishing scam, this can have a serious impact on their financial wellbeing and is ultimately a safeguarding issue.

If your clients are using technology, encourage staff to have open conversations on cyber security risks including text messaging scams. They can show clients examples and how to report a text messaging scam. Clients might not have awareness on these risks, and a simple conversation could go a long way in keeping them safe online.

Further information

Photo by Daria Nepriakhina 🇺🇦 on Unsplash

Back to News