
What Is Smishing? How to Recognize and Avoid SMS Phishing

Americans lost $330M to text scams in 2024. Learn what smishing is, how to spot SMS phishing attacks, and steps to protect yourself from fraudulent texts.

By WSTTM Editorial Team, 2026-05-07

Smishing is a type of phishing attack delivered through SMS text messages. Attackers send fraudulent texts impersonating banks, delivery services, or government agencies to trick recipients into clicking malicious links or sharing personal information. To protect yourself, never click links in unexpected texts — and use a reverse phone number lookup to identify unknown senders before responding. This guide explains exactly how smishing works, how to spot it, and what to do if you receive one.

Americans received billions of unsolicited text messages in 2024 — and a growing share were smishing attempts. According to the Federal Trade Commission, consumers reported losing more than $330 million to text message scams in 2024 alone. Smishing has surged because it works: text messages have open rates far higher than email, and people are less accustomed to treating texts with the same skepticism they apply to suspicious emails.

What Is Smishing?

The word smishing is a portmanteau of SMS and phishing. Like email phishing, smishing is a social engineering attack: it uses deception rather than technical exploits to steal information or money. The attacker sends a text message crafted to look like it comes from a trusted source, with the goal of getting the recipient to click a malicious link, provide personal data, or call a fraudulent phone number.

The term was coined in the mid-2000s as mobile phones became widespread, but smishing attacks have grown sharply in volume and sophistication in recent years. The Cybersecurity and Infrastructure Security Agency (CISA) identifies SMS phishing as one of the primary vectors used by threat actors to target both individual consumers and employees at organizations.

How Smishing Differs from Email Phishing

Email phishing and smishing share the same goal — tricking a victim into surrendering credentials or money — but the delivery channel changes the attack dynamics significantly:

  • Higher open rates: SMS messages are opened at dramatically higher rates than email. Most people read texts within minutes of receiving them, giving attackers a narrow window of urgency to exploit.
  • Weaker spam filtering: Email providers have decades of experience filtering phishing messages. SMS has far less mature filtering infrastructure, meaning more smishing texts reach the inbox.
  • Shortened or hidden URLs: Mobile screens make long URLs difficult to inspect. Attackers exploit this by using URL shorteners that obscure the destination, making it harder to identify a malicious link before tapping it.
  • Implied trust: Many people associate their phone number with personal, trusted contacts. A text from an unknown source can trigger urgency in a way that an email in the spam folder does not.

How Smishing Differs from Vishing

Vishing — voice phishing — uses phone calls rather than texts. A vishing attacker might call you pretending to be your bank’s fraud department. Smishing uses texts to accomplish the same goal. Many sophisticated fraud campaigns layer both: a smishing text first to establish urgency, followed by a vishing call to extract information.

How Smishing Attacks Work

Every smishing attack contains the same core ingredients: a pretext, a delivery mechanism, and a goal. Understanding the anatomy of a smishing message makes them easier to identify regardless of the specific scenario used.

The Pretext: Creating Urgency and Trust

Attackers choose a pretext — a believable reason for the text — designed to provoke an immediate emotional reaction. Common pretexts include:

  • A bank fraud alert requiring “immediate verification”
  • A package delivery problem needing a small customs fee or address confirmation
  • An IRS tax debt or penalty requiring urgent resolution
  • An account suspension or unusual sign-in on a popular platform
  • A prize notification claiming the recipient has “won” something

The goal of the pretext is to bypass critical thinking. When someone believes their bank account is being drained or their package is stuck in customs, they are more likely to act before they think.

The Delivery: How Smishing Texts Reach You

Smishing messages arrive through several channels. Some come from spoofed phone numbers — the sender manipulates the displayed caller ID to appear to be a bank, government agency, or even a number already in your contacts. Others use short codes (5- or 6-digit numbers) that are harder to identify as suspicious because legitimate businesses use them for notifications too. Toll-free numbers with 800, 888, or 877 prefixes are also common in smishing campaigns because they appear authoritative.

The Federal Trade Commission notes that attackers rotate through large pools of phone numbers and short codes, making it difficult for carriers to block campaigns before many messages are delivered.

The Goal: What Attackers Are After

The malicious link in a smishing text typically leads to one of three outcomes: a credential-harvesting page designed to look like a legitimate login screen; a form collecting personal and financial information; or a drive-by download that installs malware on the device. Some smishing attacks skip links entirely, asking the recipient to call a number or reply directly with personal information.

Common Types of Smishing Scams

While attackers adapt their tactics constantly, certain smishing examples appear repeatedly in FTC consumer reports and advisories from the United States Postal Inspection Service. Recognizing these patterns helps you identify new variants before they cause harm.

Package Delivery Scams

Package delivery smishing is among the most-reported types. Attackers impersonate USPS, UPS, FedEx, or Amazon, claiming there is a problem with a delivery — a failed delivery attempt, a customs fee, or an address verification needed. The United States Postal Inspection Service specifically warns that USPS will never send consumers an unsolicited text asking for personal information or payment to release a package. Legitimate carriers send tracking updates through official apps and confirmation emails, not unexpected texts requesting payment.

Bank and Financial Institution Alerts

A text claiming your bank has detected suspicious activity on your account is among the most urgent-feeling smishing lures. The message typically includes a link to a convincing replica of a bank’s website and asks you to “verify” your login credentials, account number, or card details. Legitimate banks may send fraud alerts via text, but they will never include a link asking for your full password, account number, or card PIN.

Government Agency Impersonation

Smishing texts impersonating the IRS, Social Security Administration, Medicare, or state government agencies are designed to trigger fear of legal or financial consequences. They may claim you owe a tax debt, that your Social Security number has been “suspended,” or that you are entitled to a refund requiring verification. The IRS and Social Security Administration do not initiate contact with consumers via unsolicited text message or phone call to demand payment or personal information.

Account Verification and Security Alerts

Texts claiming your streaming service, email account, or social media profile has been compromised and needs immediate verification are designed to capture login credentials. The link leads to a fake login page. Entering your credentials gives the attacker access to that account — and because many people reuse passwords across services, potentially others as well.

Prize and Lottery Notifications

Texts informing you that you have won a gift card, sweepstakes prize, or cash reward are classic advance-fee fraud variants. To “claim” the prize, you will be asked to provide personal information or pay a small processing fee. The prize never materializes, and your information or money has been taken.

How to Recognize a Smishing Text

No single red flag definitively identifies a smishing text, but several warning signs commonly appear together. Developing the habit of checking for these cues before acting on any unexpected text can protect you from a wide range of attacks.

Red Flags to Look For

  • Unexpected urgency: Phrases like “act now,” “your account will be suspended,” “respond within 24 hours,” or “immediate action required” are pressure tactics. Legitimate organizations communicate account issues through secure, measured channels.
  • Unsolicited contact: If you did not request a verification code, order a package, or initiate contact with an organization, an unsolicited text about any of those things warrants skepticism.
  • Links to unfamiliar domains: Before tapping any link, examine the URL. Legitimate USPS messages come from usps.com — not usps-delivery-confirm.net or similar lookalike domains. Shortened URLs that obscure the destination should be treated with extra caution.
  • Requests for personal information: Legitimate organizations do not ask for your Social Security number, full account number, password, or card details via text message.
  • Generic greetings: “Dear Customer” or “Valued Member” instead of your actual name suggests a mass-sent message, not a targeted alert from a company that has your account on file.
  • Grammar or formatting inconsistencies: While sophisticated smishing texts can appear polished, many still contain awkward phrasing, unusual punctuation, or inconsistent capitalization.
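
The checklist above can be turned into a simple triage rule for reported texts. The following is an added example, not part of the original guide: the shortener list, phrase lists, two-flag threshold, and both sample messages are assumptions constructed for illustration.

```python
import re

# Assumed inputs for this example; extend them for real use.
OFFICIAL_DOMAINS = {"usps": "usps.com"}            # brand -> official domain named in the guide
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}     # illustrative, incomplete list
URGENCY = ("act now", "your account will be suspended",
           "respond within 24 hours", "immediate action required")
GENERIC_GREETINGS = ("dear customer", "valued member")
PII_TERMS = ("social security number", "account number", "password", "card details")
# Matches a host name with an optional scheme and path; group 1 is the host.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)?", re.I)

# Constructed sample messages.
MSG_SCAM = ("USPS: Dear Customer, your package is on hold. "
            "Immediate action required: https://usps-delivery-confirm.net/track")
MSG_OK = "Your USPS package was delivered. See https://www.usps.com"


def red_flags(text):
    """Return the sorted names of the red flags found in one SMS body."""
    lower = text.lower()
    flags = set()
    if any(p in lower for p in URGENCY):
        flags.add("urgency")
    if any(g in lower for g in GENERIC_GREETINGS):
        flags.add("generic_greeting")
    if any(t in lower for t in PII_TERMS):
        flags.add("pii_request")
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if host in SHORTENERS:
            flags.add("shortened_url")
        for brand, official in OFFICIAL_DOMAINS.items():
            # The brand name appears in the host, but the host is not the
            # official domain or one of its subdomains.
            is_official = host == official or host.endswith("." + official)
            if brand in host and not is_official:
                flags.add("lookalike_domain")
    return sorted(flags)


def triage(text, threshold=2):
    """No single flag is decisive, so require several before labelling a text."""
    flags = red_flags(text)
    verdict = "likely_smishing" if len(flags) >= threshold else "verify_independently"
    return verdict, flags


if __name__ == "__main__":
    for msg in (MSG_SCAM, MSG_OK):
        print(triage(msg))
```

A text with no flags is labelled `verify_independently`, not safe, because the absence of red flags does not prove a message is legitimate.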

How to Verify a Suspicious Message Without Clicking

If you receive a text that seems like it could be legitimate — for example, a fraud alert from your bank — verify it without using the link or number provided in the message. Go directly to the company’s official website by typing the address yourself, or call the number printed on the back of your card or listed on the company’s official website. You can also use Who Sent That Text Message to look up the sending phone number and check whether it is associated with known spam or fraud activity before deciding how to respond.

What to Do If You Receive a Smishing Text

The most important rule: do not click any link or call any number listed in the message. Clicking a link can expose your device to malware even if you do not enter any information on the resulting page. Once you have avoided the immediate risk, take these steps to report smishing and protect yourself:

  1. Do not reply. Replying confirms to the attacker that your number is active, which may result in more targeted follow-up messages.
  2. Forward the text to 7726 (SPAM). This short code works on all major US carriers — AT&T, Verizon, T-Mobile, and others. Forwarding smishing texts to 7726 feeds carrier-level spam detection systems and helps protect other customers from the same number.
  3. Report to the FTC. Visit reportfraud.ftc.gov to file a report. FTC reports feed into a national database used by law enforcement agencies to identify and pursue large-scale fraud campaigns.
  4. Look up the sending number. Before dismissing the message or deciding whether to escalate your report, look up the phone number. Who Sent That Text Message can help you identify the carrier, line type, and any community-reported spam or fraud activity associated with the number.
  5. Delete the message. Once you have reported it, delete the text to avoid accidentally tapping the link later.

If you have already clicked a link in what you now believe was a smishing text, change the password for any account you may have entered credentials for, enable two-factor authentication on that account, and monitor your financial statements for unauthorized transactions. If you provided financial information, contact your bank or card issuer immediately.

How to Protect Yourself from Smishing

Avoiding smishing requires building a few consistent habits. None of these steps are technically complex — protection comes from awareness and caution, not specialized tools.

  • Enable spam filtering on your phone. Both iPhone and Android offer built-in filters that move messages from unknown senders to a separate folder. On iPhone, go to Settings → Messages → Filter Unknown Senders. On Android, the Messages app has a similar option under Settings → Spam protection. See our guide on how to block spam text messages on iPhone and Android for complete step-by-step instructions.
  • Never share personal information via text. Make this a firm rule: your Social Security number, passwords, PIN codes, and full card details should never be transmitted via text message to anyone — even someone who claims to represent your bank or a government agency.
  • Be cautious with SMS-based two-factor authentication. While SMS 2FA is better than no 2FA, it can be vulnerable to SIM-swapping attacks, where an attacker convinces your carrier to transfer your number to a SIM they control. Where possible, use an authenticator app such as Google Authenticator or Authy rather than SMS codes for high-value accounts.
  • Keep your phone’s operating system updated. CISA recommends keeping all software and firmware current as a baseline cybersecurity practice. Security patches close vulnerabilities that malware — potentially delivered via smishing links — could exploit.
  • Limit where you share your phone number. Contest entry forms, loyalty program sign-ups, and online forms are common sources of phone numbers that end up sold to data brokers and, eventually, smishing campaigns. The fewer organizations that have your number, the lower your exposure.
  • Look up unknown numbers before responding. If you receive a text from a number you do not recognize and you are unsure whether to respond, use Who Sent That Text Message to look it up first. You can check the carrier, line type, and whether other users have flagged the number as spam or suspicious — giving you more context before you decide how to act.

Smishing vs. Phishing vs. Vishing: Understanding the Differences

Smishing is one branch of a broader family of social engineering attacks. Understanding how the three primary variants — phishing, smishing, and vishing — relate to each other helps you recognize fraud attempts across all the channels that attackers use.

Attack Type | Channel            | Common Pretexts                                        | Primary Goal
------------|--------------------|--------------------------------------------------------|--------------------------------------------------
Phishing    | Email              | Password reset, invoice, account alert                 | Credential theft, malware installation
Smishing    | SMS / text message | Delivery notification, bank alert, prize notification  | Credential theft, financial fraud, personal data
Vishing     | Voice call         | IRS debt, tech support, bank fraud department          | Direct financial transfer, credential theft

Criminals increasingly combine these approaches in multi-channel campaigns. A smishing text might serve as first contact — establishing urgency and directing the victim to call a number — while the subsequent call completes the fraud. The FBI’s Internet Crime Complaint Center (IC3) has documented campaigns that layer all three methods against the same targets over multiple days.

Across all three attack types, the defensive principles are the same: verify through official channels before acting, never share personal information in response to unsolicited contact, and report suspicious messages and calls to the appropriate authorities. When you are unsure about the source of a text, looking up the phone number on Who Sent That Text Message before responding is a fast, low-effort way to gather context and make a more informed decision.
