Smishing: How Text Message Phishing Is Hitting Small Businesses in 2026

Ulises Paiz

Ulises Paiz, Founder of Ghosxt, has 10+ years in IT infrastructure and cybersecurity, an Active Top Secret Clearance, and 9 certifications including CySA+, Security+, and AZ-104. Before founding Ghosxt, he served as a Senior Solutions Consultant for the DoD and built security programs for 40+ Central Coast businesses. More about Ulises →

Every small business has spent years training employees to squint at a suspicious email: check the sender address, hover over the link, don't trust urgent requests. That training was worth the effort, and it's working well enough that attackers have shifted a growing share of their volume to a channel with none of that scrutiny built in: the text message. A smishing text doesn't pass through a spam filter, doesn't get flagged by an email security gateway, and shows up on the exact same phone screen as a text from a spouse or a coworker.

Why a text message beats an email at getting clicked

Email security has genuinely improved. Spam filters, sender authentication, and security awareness training have made a fake login email a harder sell than it was five years ago. None of that infrastructure exists for SMS. Mobile carriers do limited, inconsistent filtering, and there's no equivalent of a "this sender failed authentication" banner on a text message. On top of that, texts read as more urgent and more personal than email, and most people have never been told a text can be faked at all. The result is a channel that's newer to attackers, cheaper to run at scale with disposable numbers, and far more likely to get a click.

What these messages actually look like

The most common versions right now impersonate a package delivery ("your shipment is on hold"), a toll road account like FasTrak ("pay your unpaid toll to avoid a penalty"), or a bank ("we've locked your card, verify your identity"). A newer and more targeted version impersonates HR or payroll, asking an employee to "confirm" direct deposit details through a link that leads to a convincing fake login page. Every version follows the same shape: manufactured urgency, a legitimate-looking link, and a page built to capture a password, a card number, or a one-time passcode the moment it's entered.

The blind spot: personal phones and SMS-based MFA

Most small businesses never issue company phones, so employees check work email, approve MFA prompts, and receive one-time SMS codes on the same personal device that's also the primary target for smishing. That overlap matters: if someone's used to tapping links on their phone all day, a fake delivery text and a fake "your Microsoft 365 account needs verification" text look identical in format and urgency. And if MFA for a business account is still set to send codes by text, a well-timed smishing message aimed at that exact moment can trick someone into forwarding the code straight to an attacker.

Closing the gap without banning personal phones

  • Name it directly in training. Most phishing awareness training still focuses entirely on email. Add smishing by name, with real examples of delivery and toll-bill texts, so employees recognize the pattern instead of just the word "phishing."
  • Move MFA to an authenticator app. Wherever a service supports it, switch from SMS codes to an authenticator app or a hardware key, closing off the one-time-code interception path entirely.
  • Set a verification habit, not a rule to memorize. For any text asking to "verify" a delivery, toll, or account, go to the company's app or website directly instead of the link in the message.
  • Report and block. Forwarding a smishing text to 7726 helps carriers flag the sending number, and blocking it takes ten seconds.

None of this needs a mobile device management platform or a locked-down company phone fleet. It needs the same shift in habit that email phishing training already built, pointed at a channel most small businesses haven't thought to cover yet.

Where this fits

  • The MFA fatigue post, for another way attackers route around multi-factor authentication instead of through it.
  • The SIM swapping post, for how the personal details gathered through smishing can be used to hijack a phone number outright.
  • The QR code phishing post, for the closest cousin of this attack on a different low-scrutiny channel.
  • The OAuth app phishing post, for how attackers get into an account without ever touching a password or MFA code.
  • The BYOD policy post, for securing the personal devices that smishing is built to target.
  • The cybersecurity page, for the underlying identity and awareness training that reduce this exposure overall.

FAQs about smishing

Why do smishing texts get through when our email spam filter catches most phishing?

Because there isn't an equivalent filter. Your email provider scans every message against spam and phishing signatures before it reaches an inbox. Carriers do very little of that for SMS, and phones don't run anything like it locally, so a smishing text reaches an employee exactly as easily as a message from a coworker.

Is SMS-based MFA still worth using if it can be targeted by smishing?

SMS-based MFA is still meaningfully better than no MFA at all, but it's the weakest form available, since a well-timed smishing text can trick someone into forwarding a one-time code. Where an account supports it, an authenticator app or a hardware security key removes that risk entirely and should be the default for anyone with access to email, banking, or financial systems.

Should we block personal phones from being used for work if we can't fully control what's on them?

For most small businesses, an outright ban isn't realistic and just pushes work onto unmanaged personal accounts anyway. A more workable approach is requiring an authenticator app for MFA instead of SMS, keeping business email and file access inside managed apps rather than the native mail app, and covering smishing explicitly in security awareness training, which is the same approach our BYOD policy post walks through in more detail.

Not sure if your team could spot a smishing text?

30 minutes with a DoD-cleared engineer. We'll review your MFA setup, flag any accounts still relying on SMS codes, and build a security awareness plan that actually covers text-based phishing.

Book your free security assessment
Call (831) 204-0501 Book free assessment