

      Smishing attack themes and psychological hooks

      Smishing Attack Themes and Psychology: Why People Still Fall for SMS Scams


      Key takeaways 

      • There are clear trends in smishing themes
      • COVID, family emergency and bank impersonation all appear in scam texts
      • Technology alone won’t address the problem

      How smishing tactics evolved from generic scams to psychological manipulation

      The psychology behind smishing evolved considerably between 2020 and 2025. Early campaigns leaned heavily on generic “you missed a package” messages, a tactic that flourished during COVID lockdowns and the online shopping surge. The FluBot malware campaign epitomized this phase by prompting users to install a “tracking app.” Attackers hijacked Android devices, stole credentials, and spread the malware via infected phones. 

      By 2022, attackers shifted to more emotionally manipulative scams like the “Hi Mom” or “family emergency” texts. These messages impersonated children in distress and requested urgent bank transfers, preying on empathy and fear. Swedish police and media reported waves of such attacks in 2022 and 2023. 

      In parallel, bank impersonation scams became more convincing. Smishing messages displayed spoofed sender names like “Swedbank” or “Nordea” and warned recipients of suspicious account activity. Often, the SMS was followed by a vishing call from someone impersonating fraud prevention staff. Victims were coaxed into revealing BankID or MitID credentials. 

      Crucially, the tone of smishing shifted from poor grammar and vague threats to flawless native-language texts referencing real institutions and regional current events. These attacks made it difficult for people to tell the difference between scams and legitimate communication. 

      Human behavior

      Why human behavior remains the primary target of smishing attacks

      Despite increased investment in cybersecurity tools, human error remains the most exploited vulnerability in smishing campaigns. Attackers understand that the weakest link in any security chain is often the individual recipient. Employees under time pressure, distracted by mobile multitasking, or unfamiliar with smishing tactics are more likely to click suspicious links or enter sensitive data on spoofed websites. 

      Security awareness training provides a critical defense. According to aggregated data from Nimblr, employees exposed to ongoing training and simulated phishing scenarios showed markedly improved detection rates over time. The majority of Nimblr customers see an 80 percent reduction in clicked simulations within three months. 

      Among the most common user errors are: 

      • Trusting familiar brand names without verifying links or message content

      • Misinterpreting shortened URLs (e.g., bit.ly or t.co) as legitimate 

      • Responding to urgent messages without verification 

      • Using the same credentials across multiple services, increasing compromise  

      Training programs

      Training programs that integrate smishing awareness into daily activities, such as inbox warnings, mobile app alerts, and embedded micro-training, are more effective than static e-learning modules. Employees benefit most from interactive, scenario-based learning that mimics real-world attack methods. 

      Equally important is the ability to report suspicious SMS messages easily. Organizations with clear protocols for reporting potential threats, through IT helpdesks, security apps, or even SMS forwarding, see faster response times and lower risk exposure. 
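      A triage helper for SMS messages that employees report, added here as an example (it is not from the original article or from Nimblr). It tags each message with the themes described above and flags shortened links, brand names paired with non-matching link domains, and urgent wording. The keyword lists, the official bank domains, and the sample messages are assumptions constructed for illustration.

```python
import re

SHORTENERS = {"bit.ly", "t.co"}  # the two shorteners named in the article
BRAND_DOMAINS = {  # assumed official domains; verify before use
    "swedbank": ("swedbank.se", "swedbank.com"),
    "nordea": ("nordea.se", "nordea.com"),
}
THEMES = {  # assumed English keywords; localize for your users
    "delivery": r"\b(package|parcel|delivery|tracking)\b",
    "family_emergency": r"\bhi (mom|mum|dad)\b",
    "bank": r"\b(swedbank|nordea|bankid|mitid)\b",
}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|suspended|blocked)\b", re.I)


def link_hosts(body):
    """Return hostnames of every token in the text that looks like a link."""
    found = []
    for token in body.split():
        host = re.sub(r"^https?://", "", token.lower()).split("/")[0].strip(".,;:!?()")
        if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", host):
            found.append(host)
    return found


def is_official(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(sender, body):
    """Label a reported SMS with themes and risk flags; more flags, higher priority."""
    text = f"{sender} {body}"
    themes = [name for name, rx in THEMES.items() if re.search(rx, text, re.I)]
    links = link_hosts(body)
    flags = []
    if any(h in SHORTENERS for h in links):
        flags.append("shortened_url")  # destination is hidden from the reader
    for brand, domains in BRAND_DOMAINS.items():
        # A familiar brand name next to a link that is not the brand's own domain.
        if brand in text.lower() and any(not is_official(h, domains) for h in links):
            flags.append("brand_link_mismatch")
            break
    if URGENCY.search(body):
        flags.append("urgency")
    return {"themes": themes, "flags": flags, "links": links}


if __name__ == "__main__":
    # Constructed sample report, not a real message.
    print(triage("Swedbank", "Suspicious activity on your account. "
                 "Verify immediately: https://swedbank-login.example/verify"))
```

      The theme is only a topic label; a genuine bank message gets the "bank" theme with no flags, and messages without links (the family-emergency pattern) still surface through the urgency flag.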

      In short, behavioral change requires repetition, relevance, and reinforcement. Simulations should be part of a broader strategy that builds confidence, encourages vigilance, and reduces the stigma around reporting suspected attacks. 

      In the next article, we’ll explore how smishing campaigns actually operate behind the scenes and how attackers scale these scams across countries and organizations. If you’d like to explore the full research now, you can download the complete whitepaper here. 


      Author
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.