Texted into Trouble: A Qualitative Case Study of Smishing Attacks and Countermeasures in a Swedish Public Authority
2025 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Smishing (SMS phishing) exploits the immediacy and presumed trust of mobile communication and is a significant and growing cyber threat. It is of particular concern to public-sector organisations, which increasingly use the Short Message Service (SMS) channel to engage with citizens. The SMS channel also has inherent weaknesses, such as weak sender authentication and an almost complete dependence on telecommunication operators for filtering. These are security controls that organisations find difficult to implement on their own with technical countermeasures, in contrast to what is possible for email. This research examines current smishing attack methods and potential countermeasures through a mixed-methods approach, combining a systematic literature review (SLR) with a qualitative case study of a Swedish public authority. The SLR identified advanced attack methods that exploit user psychology and system weaknesses, together with a large number of theoretical technical countermeasures, such as machine learning classifiers, as well as human-centred ones. Despite this, semi-structured interviews with five security professionals at the authority under investigation revealed a wide gap between these theoretical solutions and actual deployment. The findings show that the authority relies mostly on generalised user awareness campaigns and incident reporting mechanisms. Although the authority is aware of the intrinsic SMS vulnerabilities, its adoption of advanced technical defences or smishing-specific training is limited. This appears to be due primarily to perceived technical constraints in securing the SMS channel compared with email, the absence of a defined role for telecom operators in channel security, possible under-reporting of attacks, and the persistent challenge of keeping up with the rapid evolution of smishing techniques.
This research highlights the importance of a multi-stranded approach that accepts the inherent limitations of SMS security. To protect communication channels adequately and preserve public trust, such an approach needs to combine reasonable technical controls (often operator-specific), explicit organisational policies, and frequent, intensive user education on both the particular vulnerabilities of SMS and the human weaknesses these threats exploit in the public arena.
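The abstract contrasts the authority's reporting-only practice with the technical countermeasures found in the literature, and names the root problem: an SMS sender ID is not authenticated, so a message that looks like it comes from the authority carries no proof that it does. As an added illustration of a lightweight control an organisation can run on its own side of the channel (this is example code written for this record, not code from the thesis or the authority), the script below triages user-reported SMS texts with a few rules built around that point: a brand-like sender ID is never treated as evidence of legitimacy, but combined with a link to a domain the authority does not own it is treated as evidence of impersonation. The domain demo-agency.se, the sender ID DemoAgency, the shortener list, the urgency terms and the three sample messages are constructed assumptions for the example.

```python
"""Rule-based triage of user-reported SMS messages for smishing indicators.

Added illustration, not code from the thesis. Domain names, brand label,
sender IDs and message texts below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Hypothetical domain the authority actually owns (assumption for this example).
LEGIT_DOMAINS = {"demo-agency.se"}
# Brand labels derived from the owned domains, hyphens removed for fuzzy matching.
BRAND_LABELS = {d.split(".")[0].replace("-", "") for d in LEGIT_DOMAINS}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "verify",
                 "omedelbart", "inom 24 timmar", "spärras", "verifiera")
# Only scheme-prefixed URLs are extracted; a bare "example.com/x" is a known miss.
URL_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


@dataclass
class SmsReport:
    sender: str  # sender ID as displayed on the handset; SMS does not authenticate it
    text: str


def is_legit_host(host: str) -> bool:
    """True only for the owned domain itself or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def impersonates_brand(value: str) -> bool:
    """True if a host or sender ID contains a brand label (hyphens ignored)."""
    compact = value.lower().replace("-", "")
    return any(label in compact for label in BRAND_LABELS)


def score(report: SmsReport) -> tuple[int, list[str]]:
    """Return (points, reasons); higher points mean stronger smishing indicators."""
    points, reasons = 0, []
    hosts = [h.lower() for h in URL_RE.findall(report.text)]
    non_legit_hosts = [h for h in hosts if not is_legit_host(h)]
    for host in non_legit_hosts:
        if host in URL_SHORTENERS:
            points += 2
            reasons.append(f"link shortener hides destination: {host}")
        elif impersonates_brand(host):
            points += 3
            reasons.append(f"lookalike domain: {host}")
        else:
            points += 1
            reasons.append(f"link to domain not owned by the authority: {host}")
    if any(term in report.text.lower() for term in URGENCY_TERMS):
        points += 1
        reasons.append("urgency or account-threat wording")
    # An alphanumeric sender ID is a free-text field chosen by whoever submits the
    # message, so a brand-like sender ID is never evidence of legitimacy. Combined
    # with a link the authority does not own, it is evidence of impersonation.
    if (not report.sender.lstrip("+").isdigit()
            and impersonates_brand(report.sender) and non_legit_hosts):
        points += 2
        reasons.append(f"brand sender ID {report.sender!r} with link to foreign domain")
    return points, reasons


def classify(report: SmsReport) -> str:
    points, _ = score(report)
    if points >= 3:
        return "likely smishing"
    if points >= 1:
        return "needs review"
    return "no indicators"


# Constructed sample reports (not real messages).
SAMPLE_REPORTS = [
    SmsReport("DemoAgency", "Your account will be suspended within 24 hours. "
                            "Verify your identity at https://demoagency-login.com/verify"),
    SmsReport("DemoAgency", "Your case has been updated. Log in at https://demo-agency.se/cases"),
    SmsReport("+46701234567", "A parcel is waiting for you, pay the fee here: https://bit.ly/3abcDEF"),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        points, reasons = score(r)
        print(f"{classify(r):16} score={points} sender={r.sender!r}")
        for reason in reasons:
            print("   -", reason)
```

The second sample, sent under the same brand sender ID but linking to the owned domain, scores zero: the sender ID contributes nothing either way, which is the correct consequence of the channel offering no sender authentication. Everything the rules can see is in the message body and the reporter's description of it, which is also why such a check only works downstream of a reporting mechanism like the one the abstract describes.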
Place, publisher, year, edition, pages
2025, p. 37
Keywords [en]
Smishing, SMS Security, Public Sector, Cybersecurity, Operator Dependency, User Awareness
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:his:diva-25262
OAI: oai:DiVA.org:his-25262
DiVA, id: diva2:1972379
Subject / course
Informationsteknologi
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Examiners
Available from: 2025-06-18 Created: 2025-06-18 Last updated: 2025-09-29 Bibliographically approved