

      The psychological manipulation of smishing

      Psychological tactics behind smishing attacks and why mobile behaviors increase their success.

      Key Takeaways
      • Attackers exploit human behavior in smishing
      • Common psychological triggers and familiar-looking messages make these attacks successful
      • Telephone-oriented attack delivery (TOAD) is an escalation of smishing

      Despite increased investment in cybersecurity tools, human error remains the most exploited vulnerability in smishing campaigns. Attackers understand that the weakest link in any security chain is often the individual recipient. Employees under time pressure, distracted by mobile multitasking, or unfamiliar with smishing tactics are more likely to click suspicious links or enter sensitive data on spoofed websites.

      Psychologically, attackers exploit urgency, authority, curiosity, and fear. A typical message might claim that: 

      • A package couldn’t be delivered

      • A tax refund is available 

      • A bank account has been locked 

      • An invoice is overdue 

      • A relative is in urgent need of help 

      • A supervisor at work needs assistance 


      Telephone-oriented attack delivery (TOAD)

      This social engineering is designed to bypass rational scrutiny. In advanced campaigns, the SMS is followed by a phone call from a scammer posing as a person of authority, such as a bank representative. This combination is known as telephone-oriented attack delivery (TOAD).

      Once on the phone, the victim is deceived into downloading malicious software, granting remote access, or revealing sensitive information such as login credentials or financial data. Unlike traditional phishing, TOAD attacks combine digital and voice-based deception, making them harder to detect and block using standard security tools. 

      These attacks rely heavily on social engineering and create a false sense of legitimacy through urgency and impersonation. TOAD tactics exploit human trust rather than technical vulnerabilities. 


      Why mobile behavior increases smishing risk

      Smishing attacks are successful because of how people use their mobile devices. SMS is perceived as more personal and urgent, often tied to trusted services like two-factor authentication. Many users are multitasking when reading messages, reducing their ability to assess credibility. And because the format is short, there is less room for the typos or grammatical errors that often expose phishing emails. 

      A key vulnerability lies in how mobile devices display SMS. They often truncate sender information, obscure URLs, and allow deep-linking into apps, making it difficult for users to judge legitimacy. Attackers exploit this behavior by crafting SMS messages that link to malicious sites mimicking login portals for services like BankID, Klarna, or PostNord. Click-through rates for smishing, especially when localized and personalized, are significantly higher than for email, reinforcing the need for mobile-specific safeguards. 
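The two weaknesses described above, emotional triggers in the text and brand-lookalike links hidden behind truncated URLs, can be checked mechanically when a reported SMS reaches a security team. The following triage scorer is an added example and not part of the original article or Nimblr's tooling; the sample messages, the trigger word lists and the "legitimate host" table are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Brands the article names, mapped to the host each brand is assumed to use
# (assumption for this example; confirm real domains with the brand itself).
LEGIT_HOSTS = {
    "bankid": {"bankid.com"},
    "klarna": {"klarna.com"},
    "postnord": {"postnord.se"},
}

# The psychological levers the article lists: urgency, authority, fear.
TRIGGERS = {
    "urgency": re.compile(r"\b(immediately|within \d+ hours?|today|now|expires?)\b", re.I),
    "authority": re.compile(r"\b(police|bank|tax agency|skatteverket|supervisor|manager)\b", re.I),
    "fear": re.compile(r"\b(locked|suspended|fraud|unpaid|overdue|blocked)\b", re.I),
}

# Full URLs or bare "host/path" fragments, which SMS clients still render as links.
URL_RE = re.compile(r"https?://\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.I)

def extract_hosts(text):
    """Pull every linked hostname out of an SMS body, lower-cased."""
    hosts = []
    for m in URL_RE.findall(text):
        url = m if m.lower().startswith("http") else "http://" + m
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts

def lookalike_brands(host):
    """Brands whose name appears in a host that is not that brand's own domain."""
    return [brand for brand, legit in LEGIT_HOSTS.items()
            if brand in host and not any(host == d or host.endswith("." + d) for d in legit)]

def score_sms(text):
    """Return (score, reasons): one point per trigger category and per lookalike host."""
    reasons = [f"trigger:{name}" for name, rx in TRIGGERS.items() if rx.search(text)]
    for host in extract_hosts(text):
        reasons += [f"lookalike:{brand}@{host}" for brand in lookalike_brands(host)]
    return len(reasons), reasons

SAMPLES = [  # constructed messages, not real campaign text
    "Police: suspicious activity on your account. Verify your identity now with BankID: https://bankid-verify.example/login",
    "Your PostNord parcel could not be delivered. Pay the fee today: http://postnord.se/track",
    "Lunch at 12? Table booked at the usual place.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(score_sms(msg), "<-", msg[:50])
```

A low score does not prove a message is benign (the second sample hits a real urgency lever with a legitimate-looking host), so the output is a prioritisation aid for analysts, not a verdict.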

      In Sweden, police have reported a growing trend of SMS messages, appearing to come from the police, warning of fraud and asking recipients to verify their identity by clicking a link and logging in with BankID. In many cases, this leads directly to full account takeovers or the signing of fraudulent transactions. Similar patterns are reported in Norway and Denmark. 

      While these examples show smishing leading to direct fraud, smishing can also be the entry point for broader fraud. Stolen credentials may later be used in business email compromise (BEC), CEO fraud, or direct theft. Some criminals even use AI-generated content or deepfake voices to make follow-up interactions more credible.

      Understanding these psychological tactics is essential for building effective defenses. Organizations must combine technical safeguards with ongoing security awareness training that helps users recognize manipulation techniques and respond appropriately. 

      In the next article, we will explore where smishing is headed and how emerging technologies like AI, voice cloning, and new messaging platforms may shape the future of these attacks. If you want to explore the complete research now, you can download the full report. 


      Author
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.