The small form factor and inability to easily distinguish between real and fraudulent Short Message Service (SMS) messages has led to an entire new genre of crime. In many cases, the insecurity of SMS makes multifactor authentication (MFA) solutions that rely on it even less safe than simple logon names and passwords. This chapter describes what SMS is and why it is abused. Many companies and organizations use SMS‐based MFA solutions because they are fairly easy to deploy and often use “out‐of‐band” channels for authentication. The chapter presents real‐world examples of various vendors using SMS messages as part of MFA solutions. It discusses some popular SMS attack methods that can bypass SMS‐based MFA solutions, including subscriber identity module (SIM) swap attacks, SMS impersonation, SMS buffer overflow, and cell phone user account hijacking. The chapter suggests steps that developers and users of SMS‐based MFA solutions can take to minimize risk.