
What Is Smishing and How to Protect Yourself From SMS Phishing

Learn what smishing (SMS phishing) is, how text message scams work, and the most effective ways to identify and protect yourself from SMS-based fraud.

What Is Smishing?

Smishing is phishing conducted through SMS text messages. The term combines "SMS" and "phishing." Like email phishing, smishing uses deceptive messages that impersonate trusted organizations to steal credentials, personal information, or money.

Smishing has grown significantly as mobile device usage has increased and as traditional email phishing defenses have improved. Text messages arrive over a channel where spam filtering is less sophisticated and where users may be less guarded than they are with email.

Why Smishing Is Effective

Several factors make SMS phishing particularly effective:

Higher open rates: SMS messages are opened at significantly higher rates than emails. Most people read texts within minutes of receipt.

Weaker filtering: SMS spam filtering is less advanced than email spam filtering. More smishing messages reach users than equivalent email phishing would.

Platform trust: People tend to trust text messages more than emails, partly because they associate their phone number with verified identity.

Context plausibility: Delivery notifications, bank alerts, and two-factor codes all arrive via SMS — making smishing messages that mimic these communications immediately plausible.

Limited screen space: Short text messages leave less room to display the full URL, and mobile browsers may not display full domains clearly, making link inspection harder.

Common Smishing Scenarios

Package Delivery Smishing:
"Your package from [carrier] requires confirmation of your delivery address. Update here: [link]"

This exploits the expectation that packages are in transit. Even if you are not expecting a delivery, the message creates curiosity or mild concern.

Bank Alert Smishing:
"Your bank account has been temporarily locked due to suspicious activity. Verify your identity to restore access: [link]"

Tax and Government Smishing:
"HMRC: You are eligible for a tax refund of £347.82. Claim here within 48 hours: [link]"

Two-Factor Authentication Smishing:
"Your verification code is 847291. Reply with this code to confirm your identity." (The attacker has already tried to log into an account with your credentials and needs the 2FA code.)

Prize and Reward Smishing:
"Congratulations! You have been selected to receive a gift. Claim your reward here: [link]"

How to Identify Smishing

Check the Sender:
Legitimate organizations generally use short codes (5-6 digit numbers) or registered business names, not regular mobile phone numbers. A bank texting you from a regular mobile number is suspicious.

Do Not Click Links:
The primary danger in smishing is clicking the link. If you receive an unexpected text about your bank, delivery, or government agency, navigate to the official website directly rather than clicking the link in the message.

Verify the Claim Independently:
If a text claims there is an issue with your bank account, call your bank using the number on the back of your card — not any number provided in the text.

Unsolicited OTP Requests:
If you receive an OTP code you did not request, someone has your phone number and may be attempting to access an account. Do not share the code with anyone who contacts you claiming to need it.

Report and Block:
In the US, forward smishing texts to 7726 (SPAM). Most mobile operating systems allow you to block the sender number.
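The checks in this section can be expressed as a small triage routine. This is an added example, not part of the original article: the function names, the keyword lists, and the sample messages (built from the scenarios quoted earlier, with reserved test numbers and `.example` domains) are all assumptions made for illustration.

```python
import re

# Indicator patterns follow the article's checklist; the word lists are
# illustrative assumptions, not a complete filter.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
OTP_REPLY_RE = re.compile(r"\breply\b[^.]*\b(code|otp|pin)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(locked|suspended|immediately|urgent|within \d+ hours?)\b", re.I)


def classify_sender(sender: str) -> str:
    """Short code (5-6 digits), alphanumeric sender ID, or ordinary number."""
    s = sender.replace(" ", "")
    if re.fullmatch(r"\d{5,6}", s):
        return "short_code"
    if re.search(r"[A-Za-z]", s):
        return "alphanumeric_id"
    return "mobile_number"


def triage(sender: str, body: str) -> list:
    """Return the article's warning signs found in one message.

    An empty list means none of these signs fired, not that the message
    is genuine: sender names can be spoofed.
    """
    findings = []
    if classify_sender(sender) == "mobile_number":
        findings.append("sender_is_regular_mobile_number")
    if URL_RE.search(body):
        findings.append("contains_link")
    if OTP_REPLY_RE.search(body):
        findings.append("asks_to_reply_with_code")
    if URGENCY_RE.search(body):
        findings.append("urgency_or_account_threat")
    return findings


# Constructed sample messages (sender, body).
SAMPLES = [
    ("+447700900123", "Your bank account has been temporarily locked due to "
     "suspicious activity. Verify your identity: http://secure-login.example/verify"),
    ("60123", "Your verification code is 847291. Reply with this code to "
     "confirm your identity."),
    ("MYBANK", "Your verification code is 551204. Do not share this code "
     "with anyone."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```

The second sample comes from a short code and still gets flagged, because a request to reply with a code is a warning sign regardless of sender.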

The Intersection with Email Privacy

Smishing is primarily a phone number threat, not an email threat. However, it connects to email privacy in one important way:

SMS-based two-factor authentication is vulnerable to smishing. If an attacker tricks you into handing over an OTP code, they can combine it with a password compromised separately to access the account.

This is one reason security professionals recommend upgrading from SMS-based 2FA to authenticator apps (TOTP) for important accounts. An authenticator app generates codes locally on your device — there is no SMS message to intercept or trick you into sharing.

FAQ:

Q: My number is unlisted — how did they get it?
A: Phone numbers are collected through data breaches, data broker databases, random generation (sequential or area code-based), and harvesting from websites and social media. Even unlisted numbers can appear in breach databases.

Q: Is clicking a smishing link immediately dangerous?
A: Clicking the link may expose you to drive-by malware on some highly malicious sites. More commonly, the primary danger is entering information on the fake site the link leads to.

Q: How do I report smishing in countries other than the US?
A: In the UK, forward to 7726. In Australia, report to Scamwatch at scamwatch.gov.au. In other countries, forward to your carrier and check your national cybercrime reporting agency.

Conclusion:

Smishing is a growing threat that exploits the trusted and immediate nature of text message communication. The defenses are the same as email phishing in principle — verify independently, do not click unexpected links, be skeptical of urgency — but must be applied to a channel where defenses are typically lower. Upgrading SMS-based 2FA to authenticator apps removes the most dangerous vulnerability that smishing can exploit.