Smishing is a social engineering attack carried out through SMS or text messages, where an adversary uses psychological tactics like urgency or intimidation to trick a target into revealing sensitive information, clicking a malicious link, or downloading malware.
Smishing is phishing that comes to your phone as a text message. The name is a mashup of "SMS" and "phishing." The attacker sends a text designed to manipulate you into doing something risky, like clicking a fake link, handing over a login code, or coughing up personal details.
Under the CED (EK 1.1.A.1), social engineering attacks use psychological tactics to get users to reveal sensitive information, download a malicious file, or click a malicious link. The CED specifically calls out text message as one of the main delivery channels, alongside email and social media. So smishing is just the text-message flavor of that same playbook. A classic example: a text claiming your bank account is locked, with a link to "verify" it. That link is fake, and the urgency is the trap.
Smishing lives in Unit 1: Introduction to Security, under Topic 1.1 Understanding Social Engineering. It directly supports three learning objectives. AP Cybersecurity 1.1.A asks you to identify common indicators of social engineering tactics, and a suspicious text demanding fast action is a textbook indicator. AP Cybersecurity 1.1.B asks you to explain how those tactics influence victims, which is where urgency and intimidation come in. AP Cybersecurity 1.1.C asks you to describe the impacts, like a stolen one-time password or installed malware. Knowing smishing means you can recognize the channel and name the psychological lever behind it, which is exactly what the exam wants from you in this unit.
Phishing (Unit 1)
Phishing is the umbrella attack delivered by email. Smishing is the same trick over text. If you can explain why a fake email link is dangerous, you already understand smishing: just swap the inbox for a text thread.
Urgency and Intimidation (Unit 1)
Smishing almost always rides on urgency ("act now or your account closes") or intimidation ("you owe a fine or face arrest"). These tactics, intimidation (EK 1.1.B.2) and urgency (EK 1.1.B.3), pressure you to react fast so you skip the moment of "wait, is this real?"
Elicitation (Unit 1)
The goal of a smishing text is often elicitation, getting you to volunteer sensitive info. A text asking you to confirm your birthdate or pet's name is harvesting answers to your security challenge questions (EK 1.1.C.1).
One-Time Passwords as a Target (Unit 1)
A common smishing move is tricking you into texting back a one-time password (OTP) or login code. Per EK 1.1.C.2, handing that over lets the adversary log in as you, defeating two-factor authentication entirely.
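To see how the indicators above combine, here is an added example (not part of the original guide) that tags a text message with the tactics and risky requests this section names and the impact each request leads to. The keyword patterns, the flagging rule, and the sample messages are constructed assumptions for illustration, not a production filter.

```python
import re

# Constructed keyword patterns (assumptions); each maps to a term from this guide.
INDICATORS = {
    "link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "urgency": re.compile(
        r"\b(act now|immediately|urgent|within \d+ (hours?|minutes?)|final notice)\b", re.I),
    "intimidation": re.compile(
        r"\b(arrest|fine|legal action|suspended|locked|closed?|penalty)\b", re.I),
    "elicitation": re.compile(
        r"\b(confirm|verify|provide)\b.*\b(birth ?date|pet'?s name|password|pin)\b", re.I),
    "otp_request": re.compile(
        r"\b(reply|text|send)\b.*\b(code|otp|one[- ]time password)\b", re.I),
}

# Impact of each risky request, following EK 1.1.C as summarized in this guide.
IMPACT = {
    "link": "malicious link or malware download",
    "elicitation": "answers to security challenge questions exposed",
    "otp_request": "adversary logs in as you, defeating two-factor authentication",
}

def triage(sms: str) -> dict:
    """Name the tactics and risky requests in one text and decide whether to flag it."""
    found = [name for name, pat in INDICATORS.items() if pat.search(sms)]
    pressure = [t for t in found if t in ("urgency", "intimidation")]
    asks = [t for t in found if t in IMPACT]
    # Assumed rule: a link alone is common in legitimate texts, so it needs a
    # pressure tactic beside it; a request for a code or personal answers is
    # flagged on its own.
    suspicious = bool(set(asks) - {"link"}) or bool(pressure and asks)
    return {"indicators": found,
            "impacts": [IMPACT[a] for a in asks],
            "suspicious": suspicious}

# Constructed sample messages (example.test is a reserved, non-routable domain).
SAMPLES = [
    "Your bank account is locked. Verify within 24 hours at http://example.test/verify or it will be closed.",
    "We detected a login. Reply with the 6-digit code we just sent you immediately.",
    "To finish enrollment, confirm your birthdate and your pet's name.",
    "Your package was delivered. Track it at https://example.test/t/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg)
```

Keyword matching like this misses reworded messages and can flag innocent ones, so treat the output as a prompt to verify through a channel you trust, not as a verdict.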
Expect smishing in multiple-choice questions that hand you a scenario and ask you to identify the attack type or the psychological tactic at work. A stem might describe someone receiving an unexpected text with a link and a deadline, then ask what kind of social engineering this is or which principle (urgency, intimidation) the attacker is using. You should be able to name the channel (text message), label the tactic, and predict the impact on the victim. No released FRQ has used "smishing" verbatim, but it fits the kind of free-response prompt that asks you to analyze a social engineering scenario and explain the indicators, the influence tactic, and the potential consequences.
Both are social engineering attacks that try to trick you into giving up info or clicking a bad link, and they use the same psychological tactics. The difference is the delivery channel. Phishing comes by email; smishing comes by SMS text message. If the question describes a text, it's smishing; if it describes an email, it's phishing.
Smishing is a social engineering attack delivered through SMS or text messages, blending "SMS" and "phishing."
The CED (EK 1.1.A.1) lists text message as a primary social engineering channel alongside email and social media.
Smishing usually relies on urgency or intimidation to pressure you into acting before you think it through.
A successful smishing attack can lead to stolen personal info, a handed-over one-time password, or malware installed on your device.
The only real difference between smishing and phishing is the channel: smishing uses text, phishing uses email.
Smishing is a social engineering attack sent by text message, where the attacker uses tactics like urgency or intimidation to get you to click a malicious link, reveal sensitive information, or download malware. It appears in Unit 1, Topic 1.1.
No, but they're close cousins. Both use the same psychological manipulation, but smishing arrives by SMS text message while phishing arrives by email. The attack type is named after the channel, so a malicious text is smishing.
Look at the delivery channel in the scenario. If the message comes as a text, it's smishing; if it comes as an email, it's phishing. The tactics (urgency, intimidation, elicitation) can be identical, so the channel is your tell.
Most often urgency and intimidation. Urgency (EK 1.1.B.3) pressures you to respond fast so you don't stop to question it, and intimidation (EK 1.1.B.2) uses fear of negative consequences to push you into acting.
Per EK 1.1.C, you might give up personal info used for identity verification, hand over a one-time password that lets the attacker log in as you, or click a link that installs malware on your device.