Short Message Service (SMS) Phishing Attacks and Defenses: A Systematic Review
Mir Mehedi A. Pritom, Seyed Mohammad Sanjari, Maraz Mia, Ashfak Md Shibli, S M Mostaq Hossain, Muhammad Ismail, Shouhuai Xu

TL;DR
This systematic review analyzes SMS phishing (smishing) attacks, defenses, user perceptions, and datasets, highlighting current research and proposing future directions to mitigate this rapidly evolving cyber threat.
Contribution
It provides the first comprehensive systematic overview of smishing research, including attack characterization, defenses, user susceptibility, and datasets, and suggests future research directions.
Findings
Smishing caused $470M in financial losses for US users in 2024.
Research on smishing covers user perception, attack methods, defenses, and datasets.
The landscape is rapidly evolving, requiring ongoing research and adaptation.
Abstract
SMS Phishing (also known as 'smishing') is a growing deceptive social engineering (SE) attack that leverages mobile SMS to conduct cybercrimes such as stealing sensitive information or spreading malware by tricking users into interacting with attackers' messages (e.g., responding to or clicking URLs). This threat has increased rapidly in recent years, causing $470M in financial losses for United States users in 2024 alone. This threat is also evolving rapidly, meaning that attackers continually adapt their tactics, reshaping the landscape. There is a significant body of literature on investigating smishing attacks and defenses. However, there is no systematic review that reflects the current attack and defense landscape along with available resources (i.e., relevant datasets). This motivates us to systematize the current smishing research efforts, including the following four research…
