Cybercriminals are shifting their focus from emails to text messages, using mishing — a more deceptive form of phishing — to target mobile users and infiltrate corporate networks, according to new security research by Zimperium.
The research found a sharp rise in mobile phishing attacks, with cybercriminals moving away from traditional email scams in favor of SMS-based attacks. Zimperium found that mishing activity peaked in August 2024, with over 1,000 daily attacks recorded. As businesses rely more on mobile devices for authentication and communication, these evolving threats are slipping past conventional security defenses, putting corporate networks at greater risk.
What is mishing?
Mishing is a phishing attack that uses SMS messages instead of emails to deceive victims into revealing sensitive information or clicking malicious links. Cybercriminals disguise messages as urgent notifications from banks, government agencies, or corporate IT teams, tricking users into providing credentials or downloading malware.
Mishing is part of a broader trend of mobile-targeting phishing, which includes:
- Smishing: Typical phishing via SMS, where attackers impersonate trusted entities to steal login details or personal information.
- Quishing: A newer method that uses QR codes to direct users to fraudulent websites, often bypassing traditional security filters.
- Vishing: Also known as voice phishing. This is where attackers call victims pretending to be from legitimate organizations to manipulate them into sharing sensitive information.
Mishing attacks surge, threatening global mobile security
Cybercriminals are intensifying their focus on mobile phishing, with smishing now making up 37% of phishing attacks in India, 16% in the U.S., and 9% in Brazil. Meanwhile, quishing is also gaining traction, particularly in Japan, the U.S., and India.
Zimperium’s research underscores why mishing is even more dangerous than classic phishing. Compared with email-based attacks, SMS phishing is harder to detect, evades security measures, and preys on users’ tendency to trust text messages. And without the same level of built-in protections found on desktops, mobile devices are left more vulnerable to these attacks.
How to protect your organization against mishing attacks
Companies can’t ignore the rising threat of mobile-based attacks. Mishing exploits gaps in conventional defenses, targeting employees where they are most vulnerable — on their phones. A single compromised device can expose an entire network, leading to data breaches, financial losses, and operational disruption.
To stay ahead, organizations must bolster mobile security by deploying threat intelligence solutions to identify and block malicious domains and by investing in SIEM tools to detect patterns of mobile phishing attacks. Strengthening mobile security also requires enforcing strict access controls to limit exposure and continuously educating employees on the latest social engineering tactics. As cybercriminals refine their methods, companies that fail to adapt risk being the next target.