Why is smishing so successful?
Discover why smishing is a growing threat and how it exploits mobile device limitations.
- Click rates for general smishing campaigns are between 8.9% and 14.5%
- People fall for smishing due to technical limitations of mobile devices and human behavioral factors
- Smishing is growing threat in the Nordics
Smishing, short for SMS phishing, is a form of social engineering in which attackers use fraudulent text messages to trick recipients into clicking malicious links or providing sensitive information. These messages often impersonate trusted sources such as banks, tax authorities, or logistics providers. They create urgency to provoke quick, emotional reactions.
Higher clickrate
Why smishing achieves higher click rates than email phishing
Smishing has proven particularly effective due to the nature of SMS communication. According to industry data from IBM, click-through rates for smishing are significantly higher than for email phishing. General smishing campaigns see click rates of 8,9 to 14,5% while emails attacks have an average click rate of 2%. This stark difference underscores the urgency of addressing smishing as a distinct and dangerous threat vector.
Nordics
Why does smishing work in the Nordics?
Smishing is different from other phishing types because it exploits the inherently personal and trusted nature of SMS communication. Unlike emails, text messages are often read immediately, and recipients tend to assume legitimacy, especially if the message appears to come from a known brand or authority figure.
Smishing also leverages behavioral traits unique to mobile usage. People tend to react quickly to SMS messages, especially when multitasking. They are conditioned to trust texts from services they use regularly, like two-factor authentication systems. Furthermore, it’s more difficult to verify links or inspect sender details on mobile devices. These factors significantly reduce scrutiny and increase the likelihood of being tricked.
The threat has grown rapidly in the Nordics. In Sweden, more than 18 million scam SMS messages were blocked by Tele2 in the first nine months of 2024 alone. These spikes do not include major shopping periods like Black Week and Christmas, when scam messaging usually peak. Telia Sweden projected up to 33 million fraudulent calls were blocked in the first half of 2024.
In Norway, Telenor reports their internal systems block up to 45,000 false or malicious text messages a day. Denmark has also seen a rise in digital fraud. In July 2024, a breach of SMS providers exposed 700,000 Danish phone numbers and message content, enabling hyper-personalized attacks.
Smishing remains highly successful because it combines trusted communication channels, human behavioral tendencies, and technical limitations of mobile devices. Messages are read quickly, often without careful scrutiny, and attackers exploit urgency and familiarity to trigger immediate responses.
As smishing techniques continue to evolve, organizations must treat SMS-based attacks as a major security risk rather than a minor variation of phishing. Effective defenses require a combination of technical protections, regulatory improvements, and ongoing security awareness training that helps users recognize and report suspicious messages.
This article concludes our series on smishing trends, tactics, and defenses in the Nordic region. If you would like to explore the complete research and recommendations, you can download the full report.
