Phishing attacks through text messages, also known as smishing, are a prevalent type of social engineering tactic in which attackers impersonate brands to deceive victims into providing personal information and/or money. While smishing awareness and cyber education materials are a key method by which organizations communicate this awareness, the guidance itself varies widely. In this paper, we investigate the state of practice of how 149 well-known brands across 25 categories educate their customers about smishing and what smishing prevention and reporting advice they provide. After conducting a comprehensive content analysis of the brands, we identified significant gaps in the smishing-related information provided: only 46% of the 149 brands mentioned the definition of smishing, less than 1% had a video tutorial on smishing, and only 50% of brands provided instructions on how to report. Our study highlights variation in terminology, prevention advice, and reporting mechanisms across industries, with some brands recommending potentially ineffective strategies such as "ignoring suspicious messages." These findings establish a baseline for understanding the current state of industry smishing awareness advice and identify specific areas where standardization improvements are needed. From our evaluation, we provide recommendations for brands on how to offer streamlined education to their respective customers on smishing, for better awareness and protection against increasing smishing attacks.