Have you been getting a lot of texts about unpaid tolls, expiring offers, or freelance job opportunities lately? You're not alone. Those messages are part of a massive wave of smishing attacks—phishing via text message—and they're working better than anyone wants to admit.
Here's the uncomfortable truth: we treat our phones differently from how we treat our computers. On your laptop, you'd never click a suspicious link from an email. But on your phone? That same skepticism vanishes. We check texts while distracted, while walking, while half-asleep. We store passwords in our Notes app. We click first and think later.
Hackers have figured this out.
According to Verizon's 2025 Mobile Security Index, 80% of organizations report that smishing attacks have targeted their employees. But here's where it gets worse: while employees fail email phishing tests about 10% of the time, smishing test failures are dramatically higher. In two out of five companies, between 25% and 50% of employees fell for fake text messages. In some companies, more than half failed.
Why does smishing work so well? Text messages lack context. When you get an email, you can see the sender's address, look for formatting issues, and check for red flags. A text message? It's just a number and a brief message. Even poorly written smishing attempts look believable because we're not trained to scrutinize texts the way we scrutinize emails.
The problem compounds when we use personal phones for work. Seventy percent of mobile cyberattacks reported in the survey affected personal devices, not work phones. But the consequences don't stay personal. One compromised phone can serve as a gateway into company systems, client data, or sensitive transactions.
And even work phones aren't safe. You carry them everywhere—on vacation, during happy hour, while running errands. Attackers can reach you at any time, often when your judgment is impaired by distraction or exhaustion.
Takeaways
- Treat text messages like suspicious emails: Before clicking any link in a text, ask yourself: Was I expecting this? Does the sender make sense? When in doubt, don't click—go directly to the company's website or call them
- Never store passwords on your phone: Not in Notes, not in photos, not anywhere. Use a dedicated password manager with strong encryption and multi-factor authentication
- Verify unexpected requests: If you get a text about an unpaid toll, a package delivery, or a job offer, verify it through official channels before responding. Scammers count on urgency to override your judgment
- Be especially careful when distracted: If you're off hours, on vacation, or dealing with other stressors, you're more vulnerable. Pause before acting on any message that asks for action or information
- If your company offers mobile device management, use it: Yes, it means your employer can manage certain aspects of your phone. But it also means you're protected by enterprise-level security that blocks many attacks before they reach you
Your phone isn't just for personal use anymore. It's a gateway to your work, your clients, and your company's systems. The criminals know this. It's time we all treated mobile security with the same seriousness we give to everything else.
#ALTACyber
-------------------------------------------
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------