Subscribe to the Non-Human & AI Identity Journal

How should organisations reduce the success of SMS phishing campaigns?

Reduce the attack surface where trust is easiest to abuse. Use stronger step-up verification for account recovery and high-risk changes, validate domains and brand handoffs, and make sure fraud, IAM, and abuse teams share telemetry. SMS awareness training helps, but technical controls and channel assurance do more to stop repeat victimisation.

Why This Matters for Security Teams

SMS phishing succeeds because it targets a channel people already trust for urgent, time-sensitive actions: account recovery, password resets, one-time passcodes, and support callbacks. That makes the problem bigger than awareness alone. The practical issue is channel assurance, not just user judgment. If a fraudster can steer someone into a fake login, a malicious callback, or a branded message thread, the organisation has already lost the trust boundary. Guidance in the NIST Cybersecurity Framework 2.0 points teams toward stronger identity verification and response coordination, but SMS remains inherently hard to authenticate end to end.

For NHI Management Group, the lesson is that phone-number based trust behaves like a weak shared secret. Attackers can replay branding, impersonate help desks, and harvest credentials or recovery tokens with very little friction. Real-world campaigns often pivot from the first text to wider identity compromise, especially when SMS is used as a fallback for privileged changes. In practice, many security teams encounter the blast radius only after account takeover has already spread through support workflows and recovery channels.

How It Works in Practice

The most effective way to reduce success is to remove SMS from the highest-risk decisions and add stronger proof for anything that changes identity state. That means treating SMS as a low-assurance notification channel, not a primary authenticator for recovery, password reset, or MFA bypass. For sensitive actions, use step-up verification that is resistant to SIM swap and message interception, such as phishing-resistant authentication, verified help-desk workflows, or device-bound approval paths. Where SMS must remain, make it one signal among several rather than the deciding factor.

Operationally, the controls that matter most are the ones that make impersonation harder and detection faster:

  • Validate domains, sender IDs, and brand handoffs so users can distinguish official journeys from lookalike flows.
  • Restrict account recovery to high-confidence paths, with manual review for privileged accounts and high-impact changes.
  • Correlate telco, IAM, fraud, and abuse telemetry so suspicious resets, failed logins, and message-driven traffic spikes can be linked quickly.
  • Use short-lived, purpose-specific verification rather than static fallback codes that can be replayed later.

Public reporting on incidents such as the Poland Military Breach shows why SMS-assisted impersonation becomes dangerous when identity workflows are too permissive. The same logic appears in CoPhish OAuth Token Theft via Copilot Studio, where trust in a familiar interaction path is exploited to move into token theft and downstream access. These controls tend to break down when recovery teams are under pressure and approve exceptions faster than verification can keep up.

Common Variations and Edge Cases

Tighter anti-phishing controls often increase friction for legitimate users, so organisations need to balance conversion, support load, and attack resistance. That tradeoff is especially visible in consumer services, telecom-heavy markets, and high-volume support environments where SMS remains the lowest-friction option. Best practice is evolving, but there is no universal standard for when SMS should be eliminated entirely versus retained as a notification-only channel.

Edge cases matter. Some users do not have reliable app-based authenticators, and some regions still rely heavily on SMS delivery. In those environments, the safer path is to narrow SMS use to low-risk alerts and require stronger proof for recovery or privilege escalation. Organisations should also watch for social engineering that starts outside the message thread, such as a follow-up phone call or help-desk impersonation. The DeepSeek breach is a reminder that once trust is abused in one channel, attackers often use the resulting access to expand quietly into broader credential and data compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, CSA MAESTRO and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-05 SMS fallback and recovery flows are common NHI takeover paths.
NIST CSF 2.0 PR.AC-7 Phishing-resistant access and step-up verification reduce SMS abuse.
CSA MAESTRO IAM Highlights identity assurance and cross-team telemetry for agentic workflows.
NIST AI RMF GOVERN Useful where AI-assisted fraud detection and response need accountability.
OWASP Agentic AI Top 10 A01 Applicable when AI assistants or agents can trigger identity workflows.

Define ownership for detection, escalation, and review of SMS phishing events.