Click, Reply, Lose: Understanding How Scammers Lure Users into Smishing Attacks

Abstract: Recently, there has been a surge in SMS scams affecting users globally. Scammers send text messages impersonating well-known brands or individuals, luring victims into clicking malicious URLs, calling fraudulent phone numbers, or replying via text or email. In this talk, I present findings from my PhD research, which provides a comprehensive categorization of SMS scams and an in-depth analysis of two major types: the Hi Mum and Dad scam (a conversational scam) and delivery scams (URL-based smishing). While conversational scams often lead to Authorized Push Payment (APP) fraud, URL-based smishing scams typically result in unauthorized fraud, such as Card-Not-Present (CNP) fraud. The outcomes of these three research projects have been published or accepted at ACM IMC 2024, USENIX Security 2025, and NSPW 2025, respectively.

Bio: Sharad Agarwal is a final-year PhD candidate at University College London (UCL), where he specializes in combating online financial fraud. He studies cybercrime longitudinally using a data-driven approach. His research has been published at top academic venues like USENIX Security and Financial Cryptography and has been cited in major news outlets such as The Times. Alongside his Ph.D., he works as a Product Analyst at Stop Scams UK, helping translate research into real-world impact.