You've probably heard of phishing – when criminals attempt to get you to click on links, submit sensitive details, or download malware via email. Smishing is phishing...but through text messages. Instead of a scam email landing in your inbox, it arrives as an SMS, iMessage, WhatsApp, or other text-based notification on your phone. The goal is the same: to trick you into clicking a malicious link, sharing personal information, or downloading malware. 

Just like phishing, smishing is a type of social engineering attack where a scammer manipulates your emotions to bypass your better judgment. Falling for a smishing scam could expose sensitive information like bank details, passwords, or even give a cybercriminal access to your device. 

The good news? You don’t have to fall for it. Once you know the signs of smishing, it becomes much easier to spot, avoid, and report these scams. 

What does a smishing text look like? 

The term "smishing" comes from "SMS phishing" – SMS being an archaic term for text messaging.  

Smishing messages are sneaky. They often disguise themselves as urgent alerts from banks, delivery services, government agencies, or even your boss. The goal is always the same: get you to act quickly before you think hard about the request.  

Here are some of the most common types of smishing texts: 

• Fake delivery updates. You might get a message saying, “Your package is delayed. Update your delivery info here.” The link looks official, but the website is a scam.     

• Bank or account alerts. These messages claim there’s suspicious activity on your account. They urge you to click a link or call a number to “verify” your information. 

• Prize or giveaway scams. The text might read, “Congratulations! You’ve won a $1,000 gift card. Click to claim.” 

• Impersonations of government agencies. Some texts pretend to be from the IRS, Social Security, or even law enforcement, demanding immediate payment or personal information. Another common scam is claiming you have an unpaid toll or traffic ticket. 

• Job or money-making scams. Messages like “Make $500/day working from home. Apply now!” prey on people looking for work. 

• Account verifications. You may get texts saying that your PayPal, Netflix, Amazon, or other account is locked. Often, the scammers will say you need to reset your password, and then they steal your real password when you enter it in their fake "Password Reset" form.  

These texts often include links that look slightly off. They might have domains with random numbers, extra characters, or strange endings like .xyz instead of .com. And because we tend to trust texts more than emails, scammers know you’re more likely to click without thinking. 

Why smishing feels more urgent 

If phishing emails try to rush you, smishing takes that pressure to the next level. Our phones are always in our hands, and texts feel more personal and immediate. Scammers are aware of this, and they exploit it. 

A classic smishing tactic is creating a sense of urgency, which can be either negative or positive: 

• Negative urgency: “Your bank account is locked.” “There’s a warrant for your arrest.” “Suspicious login detected.” 

• Positive urgency: “You’ve won a prize!” “Claim your free gift before midnight!” “Exclusive deal only for you!” 

These messages are designed to make you panic or get excited enough to tap the link before you think it through. 

Take a few seconds before you tap 

A simple pause can save you a lot of trouble. If you get an unexpected text asking you to click a link, share information, or act fast, take a breath. 

Ask yourself: 

• Was I expecting this message? 

• Does the link look suspicious? (Most links in legit texts will come from simple, recognizable domains.) 

• Does the message make sense? Did I actually order a package? Do I really have an account with this service? 

If you’re still unsure, check the situation through official channels (meaning a phone number, contact email, or website not included in the text). Open the app directly or type in the website yourself – don’t trust the link in the message. 

Also, you can show the message to a friend or loved one for their opinion. A second set of eyes is a great tool for detecting scams!

When the scammer knows your name 

Just like email spearphishing, smishing can be personalized. Scammers might reference your name or your workplace. They often scrape this information from public data breaches, social media, or online directories. 

If a text includes your personal information, it doesn’t mean it’s trustworthy; it might mean a scammer has done their homework. Stay cautious whenever you receive an urgent, unexpected request.  

What to do if you get a smishing text 

If you receive a suspicious text, one of the safest things you can do is nothing. Don’t reply. Don’t click. Don’t engage.  

Even replying “STOP” signals that your number is active and can lead to more scam attempts. 

Instead, block the number. Smartphones have a built-in feature to block phone numbers and report them as spam.  

You can take a screenshot of the text and share it with your family group chat to warn them of the scam. Many scams will target people in your family and friend group, so spread the warning. 

Finally, delete the message. Once reported and blocked, delete the message from your phone to avoid accidentally opening it later. 

Good phone security habits  

While spam filters catch a lot of junk, no filter is perfect. Here are a few ways to reduce your vulnerability. The same good cybersecurity habits you use on your computer also work for your phone. 

• Turn on multifactor authentication (MFA) for all your accounts.      

• Use long, unique passwords for each account, managed with a password manager. 

• Keep your phone’s operating system and apps updated, since updates include the latest security fixes.      

• Enable spam and scam call/text blocking features from your phone carrier or within your device’s settings. Talk to your wireless provider for more information.  

Reporting smishing makes a difference 

It might feel like one report doesn’t matter, but that's not true. Phone carriers and the government use reports to shut down scam operations, blacklist malicious links, and prevent others from falling victim. 

By reporting smishing texts, you’re not just protecting yourself. You’re helping stop the scam for everyone. 

You have a few options to report suspected smishing: 

• Forward the message to 7726 (SPAM). This works with most major U.S. carriers and helps them block scam numbers. 

• You can report smishing attempts to the Federal Trade Commission (FTC) at reportfraud.ftc.gov. You can also report the incident to the FBI at IC3.  

Think before you tap 

Smishing relies on speed. Can a scammer get you to click before you think? Dodge smishing bait by taking a few seconds to verify the sender, inspect link URLs, and ask yourself if this text seems legitimate. 

Remember: No legitimate organization will ever ask for sensitive information or demand urgent action over text. When in doubt, delete it. 

And for more online safety tips, sign up for our newsletter!