Smishing: How It Works, Red Flags, and How to Detect It
Smishing is a social engineering fraud technique in which criminals send fraudulent SMS messages to trick recipients into disclosing financial credentials, authorizing payments, or installing malware. It falls under the fraud category of financial crime and is a primary delivery vector for account takeover, authorized push payment fraud, and credential harvesting at scale across banking and fintech.
What is Smishing?
Smishing is a social engineering fraud technique in which attackers send fraudulent SMS messages to trick recipients into disclosing financial credentials, authorizing payments, or installing malware on their devices. The name combines "SMS" and "phishing." It belongs to the fraud category of financial crime and is one of the most common delivery vectors for account takeover and authorized push payment fraud.
The scale matters. UK Finance's Annual Fraud Report 2023 shows impersonation fraud, with smishing as the dominant delivery mechanism, cost UK consumers £177.6 million in that year alone. Europol's Internet Organised Crime Threat Assessment (IOCTA) 2023 names SMS-based social engineering among the most widespread fraud delivery mechanisms across EU member states. The Anti-Phishing Working Group (APWG) documented a 400% rise in smishing incidents between 2019 and 2022.
Banks and fintechs are primary targets because they legitimately use SMS for authentication: one-time passcodes, fraud alerts, and transaction confirmations. Criminals exploit that conditioned trust. A text appearing to come from a victim's own bank carries instant credibility, and that credibility is the only tool the attack needs.
The pattern also feeds downstream laundering. Stolen funds move through money mule networks within hours of the initial fraud, following layering patterns across multiple accounts before reaching criminal beneficiaries.
How does Smishing work?
The attack sequence is predictable. That predictability is both its strength for criminals and its weakness for detection teams.
Criminals first acquire target lists from data breaches, dark-web marketplaces, or phone number scraping services. Lists targeting customers of a specific bank are common; criminals match leaked data (phone number, partial account number, name) to make the message more convincing. Bulk SMS is cheap. A campaign hitting 100,000 numbers costs a few hundred dollars using commercial SMS platforms or SIM farms.
Step 1: Lure delivery. The victim receives a text impersonating their bank, a payment platform, a courier service, or a government agency. The mechanism is urgency. "Your account has been suspended." "We've detected unusual activity. Verify now or your account will be locked." "A parcel is held at customs. Pay £1.49 to release." The goal is to get the victim to act before they think.
Step 2: Credential harvesting. The message contains a link to a spoofed site, visually identical to the real institution's login page. The victim enters their username, password, and OTP. The attacker receives those credentials in real time and uses them live to log into the genuine banking portal. The real portal triggers a second OTP, which the victim has already been conditioned to enter on the fake site.
Step 3: Fraudulent transaction. With live access, the attacker adds a new payee and initiates a transfer to a mule account. The victim may receive a second SMS asking them to "confirm" a security check. That confirmation is the OTP authorizing the fraudulent payment.
Step 4: Proceeds dispersal. Funds arrive in a mule account and move rapidly to secondary accounts, cryptocurrency exchanges, or overseas remittance services. The full chain often completes within 24 hours of the initial SMS.
Illustrative scenario: A retail banking customer receives a text from what appears to be their bank's shortcode, warning of a suspicious login from a new device. The link resolves to a domain registered 48 hours earlier, visually identical to the real banking site. The customer enters credentials and is prompted for an OTP to "cancel" the suspicious activity. The attacker uses those credentials live, adds a new payee, and initiates a £9,800 transfer. The entire session takes under eight minutes. The customer doesn't contact the bank until the following morning, after checking their balance.
Red flags and indicators
No single indicator is conclusive. The detection power comes from correlating signals across session, account, and network dimensions simultaneously.
Transaction-level signals
- Outbound transfer initiated within minutes of a password reset or contact-detail change in the same session
- New payee added and used in the same session, with no prior transaction history to that beneficiary
- Transfer amount is a round number and a significant outlier relative to the customer's 90-day history
- Recall or dispute filed within 24 hours of an outbound transfer the customer says they didn't authorize
Account-level signals
- Phone number or email changed, and a payment initiated, within the same authenticated session
- PIN reset followed immediately by a high-value transfer to a first-use payee
- Login from an unrecognized device or IP immediately before a transaction that exceeds the customer's normal range
- Account dormant for 90 or more days, then suddenly active with a large outbound transfer
Network-level signals
- Beneficiary account receiving inbound transfers from multiple unrelated senders within 48 hours
- Beneficiary account opened within 30 days of receiving the transfer, with no prior transaction history
- Transaction chain from victim to mule account to cryptocurrency exchange completed within hours
Behavioral signals
- Customer contacts fraud line within hours reporting they acted on a text from the "bank"
- Session navigation goes directly to transfer screens with no browsing consistent with legitimate use
- Login time inconsistent with the customer's historical pattern by several hours
- Customer uses specific phrases verbatim from known smishing scripts during the fraud report call
Notable real-world cases
FCA Consumer Advisory (ongoing). The UK Financial Conduct Authority maintains a dedicated warning page on smishing and vishing, documenting the impersonation of FCA-regulated firms via SMS as a persistent threat pattern. The FCA's ScamSmart campaign has logged thousands of reports of bank-impersonation SMS fraud. Reference: FCA, Smishing and Vishing.
UK Finance Annual Fraud Report 2023. UK Finance reported that impersonation scams, where smishing is the primary delivery channel, caused £177.6 million in losses to UK consumers in 2023. The report specifically calls out SMS-based bank impersonation as the most reported fraud contact method. Reference: UK Finance Fraud Report.
FATF: Detecting and Disrupting Financial Flows from Fraud (2023). FATF's typologies report on fraud identifies smishing as a key enabler of authorized push payment fraud and documents how proceeds consistently follow layering patterns through mule account chains before reaching criminal beneficiaries. The report includes specific red flags and calls on member states to strengthen real-time transaction monitoring obligations. Reference: FATF Fraud Typologies 2023.
Europol IOCTA 2023. Europol's Internet Organised Crime Threat Assessment identifies SMS-based social engineering as one of the most widespread fraud delivery mechanisms across EU member states, and documents organized criminal groups operating smishing campaigns as a service, with dedicated call center support to increase victim conversion rates. Reference: Europol IOCTA 2023.
How to detect Smishing
Detection requires coverage at both the originating institution (where the victim banks) and the receiving institution (where the mule account sits). Most smishing proceeds don't stay at the victim's bank for long.
Session-level behavioral monitoring is the fastest signal. A session that involves a password reset, a new payee addition, and an outbound transfer in under 10 minutes is statistically rare in legitimate customer activity. Threshold-based rules on that specific sequence catch a significant proportion of attacks. Adding a device fingerprint check (unrecognized device on the same session as a high-value transfer) tightens detection further without generating excessive false positives.
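The sequence rule described above, together with the transaction-level and account-level red flags listed earlier (transfer within minutes of a credential or contact change, new payee used in the same session, unrecognised device on a high-value transfer), as an added worked example that is not part of the original page and not FluxForce's code. The event schema, the £5,000 high-value threshold, the point weights and the alert score of 5 are assumptions chosen for illustration; a real deployment would tune them against its own false-positive rate.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event record shape is an assumption for this example, not a real platform schema.
@dataclass
class Event:
    ts: datetime
    customer: str
    session: str
    kind: str            # login | password_reset | pin_reset | contact_change | new_payee | transfer
    device: str = ""     # device fingerprint, set on login events
    payee: str = ""      # set on new_payee and transfer events
    amount: float = 0.0  # set on transfer events

SEQUENCE_WINDOW = timedelta(minutes=10)   # the page's "under 10 minutes" sequence rule
HIGH_VALUE = 5000.0                       # assumed per-institution threshold
ALERT_THRESHOLD = 5                       # assumed score at which a session is flagged

def score_session(events, known_devices):
    """Score one session's events in time order; returns (score, reasons)."""
    events = sorted(events, key=lambda e: e.ts)
    score, reasons = 0, []
    unknown_device = any(e.kind == "login" and e.device not in known_devices for e in events)
    last_change = None          # time of the most recent credential/contact change
    payees_added = set()        # payees created during this session
    for e in events:
        if e.kind in ("password_reset", "pin_reset", "contact_change"):
            last_change = e.ts
        elif e.kind == "new_payee":
            payees_added.add(e.payee)
        elif e.kind == "transfer":
            if last_change is not None and e.ts - last_change <= SEQUENCE_WINDOW:
                score += 3
                reasons.append("transfer within 10 min of credential/contact change")
            if e.payee in payees_added:
                score += 2
                reasons.append("transfer to a payee added in the same session")
            if unknown_device and e.amount >= HIGH_VALUE:
                score += 2
                reasons.append("high-value transfer from an unrecognised device")
    return score, reasons

def scan_sessions(events, known_devices):
    """Group events by (customer, session); return {session: (score, reasons)} for flagged sessions."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.customer, e.session)].append(e)
    alerts = {}
    for (customer, session), evs in by_session.items():
        score, reasons = score_session(evs, known_devices.get(customer, set()))
        if score >= ALERT_THRESHOLD:
            alerts[session] = (score, reasons)
    return alerts

# Constructed sample data: one takeover-style session and two ordinary ones.
T = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T, "cust-1", "s-attack", "login", device="dev-unseen"),
    Event(T + timedelta(seconds=90), "cust-1", "s-attack", "password_reset"),
    Event(T + timedelta(minutes=3), "cust-1", "s-attack", "new_payee", payee="acct-mule-01"),
    Event(T + timedelta(minutes=5), "cust-1", "s-attack", "transfer", payee="acct-mule-01", amount=9800.0),
    Event(T, "cust-2", "s-rent", "login", device="dev-b"),
    Event(T + timedelta(minutes=4), "cust-2", "s-rent", "transfer", payee="acct-landlord", amount=950.0),
    Event(T, "cust-3", "s-newpayee", "login", device="dev-c"),
    Event(T + timedelta(minutes=2), "cust-3", "s-newpayee", "new_payee", payee="acct-plumber"),
    Event(T + timedelta(minutes=6), "cust-3", "s-newpayee", "transfer", payee="acct-plumber", amount=180.0),
]
KNOWN_DEVICES = {"cust-1": {"dev-a"}, "cust-2": {"dev-b"}, "cust-3": {"dev-c"}}

if __name__ == "__main__":
    for session, (score, reasons) in scan_sessions(SAMPLE_EVENTS, KNOWN_DEVICES).items():
        print(session, score, reasons)
```

The third session adds a new payee and pays it, which on its own scores 2 and stays below the alert line; it is the combination with a credential change and an unknown device that separates the takeover pattern from ordinary use, which is the correlation point the section makes.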
Real-time OTP correlation identifies credential harvesting in progress. An OTP consumed in under two seconds, or used from a different IP than the session that requested it, is consistent with a live attack. Some institutions implement out-of-band voice confirmation for high-value transfers as a secondary friction control. This adds latency to legitimate transactions, but the accuracy improvement justifies it at certain risk thresholds.
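The OTP correlation check, as an added example that is not part of the original page and not FluxForce's code. It pairs an issuance log with a consumption log and applies the two tests the paragraph names: consumed in under two seconds, or submitted from a different IP than the session that requested it. The record shapes are assumptions, and the IP addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Record shapes are assumptions for this example, not a real OTP service's API.
@dataclass
class OtpIssued:
    otp_id: str
    ts: datetime
    session: str
    ip: str          # client IP of the session that requested the code

@dataclass
class OtpUsed:
    otp_id: str
    ts: datetime
    ip: str          # client IP that submitted the code

MIN_HUMAN_SECONDS = 2.0   # the page's "under two seconds" rule

def correlate_otp(issued, used):
    """Pair each OTP submission with its issuance; return {otp_id: [reasons]} for suspicious ones."""
    by_id = {i.otp_id: i for i in issued}
    flags = {}
    for u in used:
        iss = by_id.get(u.otp_id)
        if iss is None:
            flags[u.otp_id] = ["submitted code was never issued"]
            continue
        reasons = []
        delta = (u.ts - iss.ts).total_seconds()
        if delta < MIN_HUMAN_SECONDS:
            reasons.append(f"consumed {delta:.1f}s after issue: faster than a person reads and types")
        if u.ip != iss.ip:
            reasons.append(f"requested from {iss.ip} but submitted from {u.ip}")
        if reasons:
            flags[u.otp_id] = reasons
    return flags

# Constructed sample logs: one automated relay, one normal use, one cross-IP submission.
T = datetime(2024, 3, 1, 12, 0, 0)
SAMPLE_ISSUED = [
    OtpIssued("otp-1", T, "s-attack", "203.0.113.10"),
    OtpIssued("otp-2", T + timedelta(minutes=5), "s-legit", "192.0.2.5"),
    OtpIssued("otp-3", T + timedelta(minutes=10), "s-relay", "203.0.113.10"),
]
SAMPLE_USED = [
    OtpUsed("otp-1", T + timedelta(milliseconds=800), "198.51.100.7"),
    OtpUsed("otp-2", T + timedelta(minutes=5, seconds=25), "192.0.2.5"),
    OtpUsed("otp-3", T + timedelta(minutes=10, seconds=40), "198.51.100.7"),
]

if __name__ == "__main__":
    for otp_id, reasons in correlate_otp(SAMPLE_ISSUED, SAMPLE_USED).items():
        print(otp_id, reasons)
```

A code that is submitted but never appears in the issuance log is also returned, since that indicates either a logging gap or a replayed value, and either deserves analyst attention.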
Beneficiary-side network analysis is where graph-based detection earns its return. Mule accounts receiving smishing proceeds show distinct patterns: rapid inbound from multiple unrelated victims, immediate outbound in smaller amounts to secondary accounts or crypto exchanges, and a receiving account with no transaction history prior to the fraud date. A beneficiary account appearing in three unrelated fraud reports within 72 hours is a clear signal. Industry-level data sharing, as implemented under the UK Payment Systems Regulator's fraud data initiatives, accelerates this detection across institutions.
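The beneficiary-side indicators above and the network-level red flags listed earlier (multiple unrelated senders within 48 hours, account opened within 30 days of the transfer, rapid onward movement, three fraud reports within 72 hours), as an added example that is not part of the original page and not FluxForce's code. It builds a simple inbound/outbound graph from a transfer list and scores each beneficiary. The six-hour window used to model "immediate outbound" is an assumption; the other windows are the page's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Transfer record shape is an assumption for this example.
@dataclass
class Transfer:
    ts: datetime
    sender: str
    beneficiary: str
    amount: float

INBOUND_WINDOW = timedelta(hours=48)   # page: multiple unrelated senders within 48 hours
NEW_ACCOUNT_AGE = timedelta(days=30)   # page: opened within 30 days of receiving the transfer
FAST_OUT_WINDOW = timedelta(hours=6)   # assumed: "immediate outbound" modelled as within 6 hours
REPORT_WINDOW = timedelta(hours=72)    # page: three unrelated fraud reports within 72 hours

def mule_indicators(transfers, opened_on, fraud_reports):
    """Return {account: [reasons]} for beneficiary accounts that match mule patterns."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in transfers:
        inbound[t.beneficiary].append(t)
        outbound[t.sender].append(t)
    findings = {}
    for acct, ins in inbound.items():
        ins.sort(key=lambda t: t.ts)
        reasons = []
        # 1. Distinct senders inside any 48h window that starts at an inbound transfer.
        peak = max(len({x.sender for x in ins if t.ts <= x.ts <= t.ts + INBOUND_WINDOW}) for t in ins)
        if peak >= 3:
            reasons.append(f"{peak} unrelated senders within 48h")
        # 2. Account age at the time of the first inbound transfer.
        if acct in opened_on and ins[0].ts - opened_on[acct] <= NEW_ACCOUNT_AGE:
            reasons.append("account opened within 30 days of first inbound")
        # 3. Fast-out: outbound shortly after an inbound, in amounts smaller than the largest inbound.
        outs = outbound.get(acct, [])
        fast = [o for o in outs if any(timedelta(0) <= o.ts - i.ts <= FAST_OUT_WINDOW for i in ins)]
        if fast and max(o.amount for o in fast) < max(i.amount for i in ins):
            reasons.append(f"{len(fast)} smaller outbound transfers within 6h of inbound")
        # 4. Three fraud reports naming this beneficiary inside 72 hours.
        reps = sorted(fraud_reports.get(acct, []))
        if any(reps[i + 2] - reps[i] <= REPORT_WINDOW for i in range(len(reps) - 2)):
            reasons.append("named in 3 fraud reports within 72h")
        if reasons:
            findings[acct] = reasons
    return findings

# Constructed sample data: one mule-like account, an exchange account it pays into, and a shop.
D = datetime(2024, 3, 1)
SAMPLE_TRANSFERS = [
    Transfer(D + timedelta(hours=10), "victim-a", "acct-mule-01", 9800.0),
    Transfer(D + timedelta(hours=15), "victim-b", "acct-mule-01", 4200.0),
    Transfer(D + timedelta(days=1, hours=9), "victim-c", "acct-mule-01", 7500.0),
    Transfer(D + timedelta(hours=12), "acct-mule-01", "acct-exchange-01", 6000.0),
    Transfer(D + timedelta(hours=13), "acct-mule-01", "acct-second-01", 3500.0),
    Transfer(D + timedelta(days=1, hours=11), "acct-mule-01", "acct-exchange-01", 7000.0),
    Transfer(D + timedelta(hours=9), "cust-x", "acct-shop-01", 45.0),
    Transfer(D + timedelta(hours=11), "cust-y", "acct-shop-01", 60.0),
]
OPENED_ON = {"acct-mule-01": D - timedelta(days=12), "acct-shop-01": D - timedelta(days=900)}
FRAUD_REPORTS = {"acct-mule-01": [D + timedelta(days=1), D + timedelta(days=2), D + timedelta(days=3, hours=12)]}

if __name__ == "__main__":
    for acct, reasons in mule_indicators(SAMPLE_TRANSFERS, OPENED_ON, FRAUD_REPORTS).items():
        print(acct, reasons)
```

The exchange account receives two transfers from the same sender, so it never reaches the three-sender threshold and is not flagged; the signal attaches to the account one hop upstream, which is where a receiving institution can still intervene.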
Peer-group comparison catches high-value outliers. A customer whose average monthly transfer is £400 suddenly initiating a £14,000 payment to a first-use payee is a strong statistical signal relative to their demographic cohort.
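The peer-group comparison, as an added example that is not part of the original page and not FluxForce's code. It scores a proposed transfer against the customer's own 90-day history and against a cohort distribution using a median/MAD robust z-score (an assumed estimator, chosen because transfer amounts are heavy-tailed and a plain mean/standard deviation is pulled by a single large payment), and adds the first-use payee and round-number signals from the red-flag list. The sample history and cohort amounts are constructed, and the weights and cutoff are assumptions.

```python
import statistics

def robust_z(value, sample):
    """Median/MAD z-score; 1.4826 scales MAD to a standard deviation under normality."""
    med = statistics.median(sample)
    mad = statistics.median(abs(x - med) for x in sample)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)

def assess_transfer(amount, payee, own_history, cohort_amounts, known_payees, z_cutoff=5.0):
    """Return (score, reasons) for a proposed outbound transfer."""
    score, reasons = 0, []
    z_own = robust_z(amount, own_history)
    z_cohort = robust_z(amount, cohort_amounts)
    if z_own > z_cutoff:
        score += 3
        reasons.append(f"{z_own:.0f} robust SDs above the customer's own median")
    if z_cohort > z_cutoff:
        score += 2
        reasons.append(f"{z_cohort:.0f} robust SDs above the cohort median")
    if payee not in known_payees:
        score += 2
        reasons.append("first-use payee")
    if amount >= 1000 and amount % 100 == 0:
        score += 1
        reasons.append("round amount")
    return score, reasons

# Constructed sample data: a customer who averages about £400 a month, and a small demographic cohort.
OWN_HISTORY = [380.0, 410.0, 395.0, 400.0, 425.0, 390.0, 405.0]
COHORT_AMOUNTS = [120.0, 250.0, 400.0, 550.0, 800.0, 1200.0, 300.0, 650.0, 900.0, 2000.0]
KNOWN_PAYEES = {"acct-landlord", "acct-utility"}

if __name__ == "__main__":
    print(assess_transfer(14000.0, "acct-new-01", OWN_HISTORY, COHORT_AMOUNTS, KNOWN_PAYEES))
    print(assess_transfer(450.0, "acct-landlord", OWN_HISTORY, COHORT_AMOUNTS, KNOWN_PAYEES))
```

The two comparisons are deliberately separate: a £2,000 payment from this customer is far outside their own history but unremarkable for the cohort, so it scores lower than the £14,000 first-use payment that is an outlier on both axes.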
The most effective detection architectures combine session-level behavioral scoring, real-time transaction monitoring, and beneficiary network analysis, running in parallel rather than sequentially, to minimize the window between fraud initiation and intervention.
Which regulations cover Smishing
Smishing sits at the intersection of fraud prevention obligations and AML reporting requirements.
UK and EU:
The Payment Services Regulations 2017 and the UK Payment Systems Regulator's mandatory reimbursement regime (effective October 2023) create direct financial liability for payment institutions that fail to detect APP fraud enabled by smishing. The UK's Money Laundering Regulations 2017 require institutions to identify and report fraud proceeds passing through their systems. Under AMLD6, fraud is explicitly listed as a predicate offence for money laundering, meaning smishing-facilitated theft followed by laundering falls squarely within scope.
US:
The Bank Secrecy Act and 31 CFR Part 103 require SAR filing on smishing-related fraud when suspected proceeds meet the reporting threshold. FinCEN's 2022 advisory on elder financial exploitation specifically flags text-message-based bank impersonation as a primary method and documents the associated SAR red flags in detail.
FATF: FATF Recommendation 20 (suspicious transaction reporting) and the 2023 fraud typologies report directly address smishing as a SAR trigger. Member states are expected to apply these standards in their national frameworks.
Institutions building detection controls should also be aware of typologies that frequently co-occur with smishing, including synthetic identity fraud used to open mule accounts and bust-out fraud patterns seen in accounts recruited as mule hosts.
How FluxForce detects Smishing
FluxForce's Nova Sentinel agent monitors session-level behavior in real time and flags anomalous sequences (credential reset, new payee, transfer) against each customer's historical baseline. Aiden Flux applies network graph analysis to beneficiary accounts and identifies mule clusters receiving proceeds from multiple unrelated victims within short time windows. When behavioral, transactional, and network signals converge above threshold, the platform drafts a SAR automatically for analyst review. Both agents share signals in real time, so a flagged mule account informs risk decisions across institutions. Want to see it on live data? Book a demo.