Rachel’s Relevant Ramblings: Smishing Scams Exposed - Rachel Herren
Rachel Herren


Scammy, Sloppy, and Surprisingly Successful = Smishing

Everyone has received one, sometimes more than one a day. Your phone lights up with a notification that you’ve received a text from an unknown number matching your area code, piquing your curiosity to open it immediately only to be greeted with yet another $6 unpaid toll bill from Massachusetts. It’s your fourth one of the month, and it has more typos and poor grammar than the last.

“Pleas pay your FastTrak Lane tolls by June 8, 2025. To avoid fine and keep your license, pay at thetollroadsp.icu/C98oQHaExw. (Please reply Y, then exit the text and open it again to activate the link, or copy the link in to your Safari browser and open it)” from phone number +63 9655192314

Yikes. Remember back when phishing scams used to at least try to be clever? Attackers would take the time to purchase old passwords on the dark web and fit them into targeted messages before sending, to try and trick their victims. Now it feels like our phones are flooded with texts daily that read like they were written by a five-year-old with very basic conversation and spelling skills, still trying to learn from the environment around them, and to be fair that’s not very far off.

Thanks to the rise of free AI tools without safeguards, such as WormGPT, potential scammers no longer need to be criminal masterminds or Penelope Garcia-level hackers. Anyone with a Wi-Fi connection, access to a computer, and a questionable moral compass can now crank out hundreds of phishing texts in minutes. While this technology could be used to create very personalized and convincing smishes, instead it mostly seems to be used to target large numbers of people in very short amounts of time.

Yet despite the typos, missing context, and obviously fake links, these smishes are catching more people off guard than you’d expect. Why? Because they’re EVERYWHERE ALL THE TIME.

You wake up in the morning? “Your PAKAGE is on hold with USPS.”

You’re juggling lunch, an important Teams meeting, and eight mental tabs of open stress? “We noticed suspicious loggin on ur account. Click here 2 secure.”

Feeling lonely? “My name is Alyssa. You seem nice. Are you busy?”

Just kidding about that last one, only kind of. But you know the irony about all of these? The worse the messages seem to be, the more people seem to fall for them. It’s like the cybercrime version of clickbait – so bad it works.
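As an added example (not the post’s own code), here is a small Python scorer that checks a text for the tells described above: the off-brand link, the “reply Y, then reopen it to activate the link” instruction, a sender outside the expected country code, threat language, and the misspellings quoted in the post. The sample messages are constructed from the quotes above, and the home country code and the list of TLDs staff would expect are assumptions.

```python
import re

# Constructed samples modelled on the texts quoted in the post (the toll number
# and link are the ones quoted; the +1 senders and the lunch text are made up).
SAMPLES = [
    ("+63 9655192314",
     "Pleas pay your FastTrak Lane tolls by June 8, 2025. To avoid fine and keep your "
     "license, pay at thetollroadsp.icu/C98oQHaExw. (Please reply Y, then exit the text "
     "and open it again to activate the link, or copy the link in to your Safari browser)"),
    ("+1 555 010 0199", "We noticed suspicious loggin on ur account. Click here 2 secure."),
    ("+1 555 010 0123", "Lunch moved to 12:30, same room as last week."),
]

URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))(/\S*)?", re.I)
# The "reply, then reopen" instruction exists because some phones keep links
# from unknown senders unclickable until the recipient has replied.
ACTIVATE_RE = re.compile(r"\breply\b.{0,120}?\b(activate|open)\b", re.I | re.S)
URGENCY = {"fine", "avoid", "license", "suspend", "suspended", "hold", "secure",
           "suspicious", "police", "immediately", "urgent"}
MISSPELLINGS = {"pleas", "pakage", "loggin", "ur"}   # the ones quoted in the post
COMMON_TLDS = {"com", "org", "net", "gov", "edu"}   # assumption: what staff expect
HOME_COUNTRY_CODE = "+1"                             # assumption: US workforce


def score_message(sender: str, text: str) -> dict:
    """Return the indicators a message triggers and a simple count score."""
    hits = []
    m = URL_RE.search(text)
    if m:
        hits.append("link_present")
        if m.group(2).lower() not in COMMON_TLDS:
            hits.append("uncommon_tld:" + m.group(2).lower())
    if ACTIVATE_RE.search(text):
        hits.append("link_activation_trick")
    if sender.startswith("+") and not sender.startswith(HOME_COUNTRY_CODE):
        hits.append("foreign_sender")
    words = set(re.findall(r"[a-z]+", text.lower()))
    if words & URGENCY:
        hits.append("urgency_language")
    if words & MISSPELLINGS:
        hits.append("known_misspelling")
    return {"score": len(hits), "indicators": hits}


def triage(samples):
    """Label each sample; two or more indicators is enough to warn the user."""
    return [(r["score"], "suspicious" if r["score"] >= 2 else "ok")
            for r in (score_message(s, t) for s, t in samples)]


if __name__ == "__main__":
    for (sender, text), (score, verdict) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:10} score={score} from {sender}: {text[:50]}...")
```

The toll text trips every indicator, the “ur account” text trips two, and the lunch text none, which is the kind of short, behavioural checklist (link looks off, reply-to-activate, foreign number) that non-technical staff can actually remember.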

So what are we as cybersecurity professionals supposed to do to combat this in our companies? We are responsible for educating everyone, regardless of their job titles, as cybersecurity is no longer just a concern of IT departments. Yet we’re competing against the literal definition of ADHD in technological form: it demands your attention, interrupts everything, thrives on impulse, and you’ll regret responding (ever followed an ADHD distraction? Say goodbye to an entire afternoon). So I decided to finally put that Psychology Master’s Degree that’s been collecting dust on my wall to work and look at smishing in an entirely new light, and it’s led me to three simple words: less is more.

Those of us in the technology field tend to overexplain everything and, let’s be real, we’ve all seen the eyes glaze over before we’ve finished talking. Important messages get buried in unnecessary details and people walk away feeling more confused than when the conversation started. So let’s look at something called Cognitive Load Theory (CLT). This theory, coined in 1988 by John Sweller, basically explains how little information our working memory can hold at any given time. If you overload someone with too much unfamiliar or complex information at once, their brain is going to shut down and not remember a single thing you said. Attention spans are already short enough, especially in busy workplaces, so it’s about time we start meeting everyone where they are instead of expecting them to meet us.

So how does CLT work in practice? Keep it short, simple, and repeat! A non-tech professional doesn’t need to understand how ransomware encrypts files at a system level; they just need to know not to click on suspicious links. Don’t teach them to be “aware of DNS spoofing redirecting traffic,” teach them that if a link looks off, pause and verify before clicking it. Use real-life stories and analogies that don’t involve technical jargon they’ll never use again in their life to hold someone’s attention. Call out how stupid some of these smishes are (not the person themselves) when reminding people what to look out for. “Yes, you received a message about an unpaid toll and the police being contacted, and that’s nerve-wracking. But look! This idiot misspelled ‘please’ and said the toll is from Massachusetts. You were just telling me the other day you’ve never been to the east coast…” Make people see the funny side so the lesson will stick and they’ll remember to pay attention to these smaller details in the future. We as professionals need to switch to focusing our teaching on behavior, not technology.

With the continued rise of AI these texting scams aren’t going to stop. And even though they can feel like they were written after playing a round of Mad Libs with fifth graders, they are tricking people out of money, personal information, and peace of mind with an alarming amount of success. Threat actors don’t need to be original, educated, or even coherent anymore. They just need to keep spamming someone with messages until they catch them at just the right time: when they’re tired, distracted, or over an hour into that “could’ve been an email” meeting. That’s the moment when even the dumbest text can do real, lasting damage. So let’s start focusing on simplicity, relevance, and behavior when training employees, so we can actually change how people think and act without overwhelming them, and then maybe we can put a dent in these phishing trends and keep people from taking the bait (get it? Phish taking the bait? I’ll see myself out.)