How the SmishAlert platform works (capture, correlate, report)
The three jobs SmishAlert does: capture every suspicious message, correlate it into campaigns, and produce audit-grade reporting.
SmishAlert is built around three jobs.
1. Capture
- iOS: a native Message Filtering extension reviews SMS and iMessage from unknown senders on-device—MDM-deployable, with no carrier forwarding.
- Android: an enterprise app distributed via MDM with in-app reporting, Share Sheet, and screenshot upload (unknown-sender filter parity tracks platform APIs).
- Employee-initiated reporting on both platforms: Report Junk, Share Sheet, screenshot upload, and in-app reporting.
2. Correlate
- Fingerprint-grade telemetry links lookalike messages across employees and devices.
- Campaign clustering surfaces multi-employee, multi-channel waves while they're still live.
- In Workforce mode, coverage spans every unknown sender across the managed fleet—not just what employees voluntarily report.
3. Report
- A web admin dashboard for SecOps day-to-day.
- An executive PDF readout for the board and audit committee.
- SIEM/SOAR routing (Standard tier and above) for teams that want the signal in their existing stack.
On-device classification is the first verdict in every mode. In Workforce and Compliance modes, the iOS Message Filter network-defer API sends unknown-sender content to SmishAlert for second-pass classification and campaign correlation. For the full data-flow detail, see Deployment modes and the Trust, Privacy & Security section.