Phishing Text Messages: A Guide to “Smishing”

Learn how to spot a text message scam before it compromises your identity - or worse.

Written By: Security.org Team | Published: November 20, 2023

Yes, you read that word correctly: smish.

You might be familiar with the term “phish,” which typically refers to a scam message sent via email. However, a scam communicated by text (SMS) is known as a smish.

Cybercriminals use spoofing techniques to make text messages appear as though they’ve come from legitimate, trustworthy, or familiar sources, such as a friend, your place of work, or even a store you love.¹ A cybercriminal’s goal is to trick you into disclosing personal information, such as important login credentials and demographic details, through text messages.²

For most people, replying immediately to texts and direct messages is a subconscious, automatic response. In 2022, at least 300,497 people fell victim to phishing, according to the FBI Internet Crime Report. The analysis does not divide phishing into its various subtypes, but it's fair to assume smishing accounts for a decent percentage of these 300,497 cases.³

If you’ve ever received a grammatically questionable SMS message claiming to be from a retail giant like Netflix or Amazon, delivery services like FedEx, or even your local government asking you to click a suspicious link, that was probably a smish.

Scammers bank on a few key assumptions when they try to phish you via text:

First, they assume you might not notice a random incorrect letter or strange symbol in an otherwise normal-looking message – particularly in text message format, where we routinely see misspelled words and symbols anyway.
Next, they assume urgency and scare tactics will make you click without thinking.
Last, they assume you aren’t aware that government agencies don’t send you texts to ask for your personal information. Remember, these organizations are old school. You can usually count on the Social Security Administration, Internal Revenue Service, Medicare, and other governmental bodies to contact you with important account information via snail mail⁴).

Phishing and digital scams are widespread in the digital age, but equipping yourself with knowledge (and a few helpful tips) can minimize your vulnerability and prevent this kind of scam from wreaking havoc in your life. Keep reading to find out more about how to spot a phishy text.

What is Smishing (SMS Phishing)?

Smishing is the text message version of phishing. When smishing, cybercriminals send harmful links via text message that ask you to provide secure information. Phishers throw out “bait” by making enticing offers, threatening you, or offering to help you with something. When you take the bait, phishers may be able to hack malware into your phone or extract your private information out of it.

Phishing has been around since the mid-1990s (an AOL scandal was the first known instance). In the early 2000s, scammers often posed as major companies like eBay or PayPal, soliciting passwords or updated payment information.⁵ But it was still more of a dragnet operation than a spearfishing one. As data mining and personal information harvesting have become more sophisticated, phish attack vectors have expanded to include social media, direct messaging apps, and SMS text messaging.

Who is At Risk of Getting a Smish?

In 2023, more than two-thirds of the world's population uses a mobile phone. That is about 5.56 billion people. So many factors influence your day-to-day decisions, including what you click (or don’t click) on your phone. Almost everyone is a potential SMS phishing victim at some point because we can’t always prepare for vulnerabilities like poor technological fluency and high stress levels.

A few factors that make you more vulnerable to phishing include:

Age. 18-25-year-olds are more susceptible to phishing than other age groups because they tend to place more trust in online communication methods; people in this age group also have lower impulse control than other age groups.
Gender. Men are also more likely to be baited by smishers than women.
Low discomfort tolerance. People with higher curiosity, urgency, and stress levels are more likely to be victims of text scams.⁶

SMS phishing is clever because it uses your psychology against you. You rely on shortcuts called “heuristics” to help you make decisions without too much forethought, and scammers are well-practiced at exploiting these tricks. For example, people tend to defer to authority figures; they also don't want to miss out on things that are free or in high demand (colloquially known as FOMO, or fear of missing out).

Higher education level seems to be a protective factor against SMS phishing. But simply being aware of it and knowing to pause before acting on a strange message is hugely beneficial, too.

How To Identify Scam Text Messages

Phishers are out there, but you don’t have to take their bait! Educating yourself on SMS phishing is the best thing you can do to prevent phishing from jeopardizing your safety and security.

So, before you open any new messages or click any unfamiliar links, pause and give yourself a moment to scan for a few important clues.

Here are some examples of common smishing text messages:

Telltale signs of phishy texts include:

Poor spelling and grammar. Look for misspelled or missing words, oddly phrased sentences, poor grammar, and weird spacing. This is a quick and easy way to identify a smish.
Suspicious links. URLs with strange combinations of letters and numbers that don’t include standard features like HTTPS:// or .com/.org/.gov are usually not trustworthy and should be vetted more thoroughly.
Urgent action is required. Many phishers will threaten punitive action if you don’t click on the link now. But remember: legitimate banks, government agencies, and major corporations will never communicate with you this way.
Wrong number of digits. SMS text messages generally come from 10-digit numbers. However, some marketing and political messages come from a five- or six-digit shortcode (you can check https://usshortcodedirectory.com to ensure the one you received is legit). Something from an 11-digit phone number is likely to be a scam.
The message doesn’t apply to you. This message is probably a scam if you didn’t order a package or enter a contest recently. Most delivery updates will come via email and so will prize notifications.

How to Avoid Text Messaging Scams

Allowing yourself a moment to evaluate suspicious text messages for signs of phishing when you get a text is a great way to protect yourself from text messaging scams.

Here are some added layers of protection against SMS phishing:

Filtering. There are settings for both iPhones and Androids that allow you to toggle a spam protection option.

For iPhone: go to Settings > select Messages > filter unknown senders.
For Android: go to Messaging app > tap the upper right three dots > choose settings > select spam protection.

Not replying. When you get a text that says “reply STOP”, DO NOT REPLY! When you reply to a smish, it confirms your phone number is valid. Phishers can then sell your number to other scammers.
Reporting to your phone carrier. Copy and paste the body of the message to 7726 (S-P-A-M) so your phone carrier can investigate.
Blocking. Blocking individual numbers is a good option to use if you frequently get spam from the same number. Unfortunately, many phishers use a different number each time, which could make this ineffective.
Text-blocking apps. Apps like Robokiller help filter suspicious SMS messages, but they often aren’t free.⁷

Should I Report Phishing or Smishing?

If you believe you’ve been SMS phished, you can (and should) report it. Phishers cast a wide net when they attempt to defraud people. If you received a smish message, it's likely that you weren't the only potential victim. Reporting it protects other smartphone users from being scammed, too.

A good rule of thumb with suspicious messages: if you’re not confident right away that what you’re looking at is a real message or from an actual sender, presume it’s a scam and react accordingly. A quick Google search should give you a verifiable email and/or phone number to contact the institution the phisher is impersonating.

Here’s how you can report SMS phishing:

Let the FTC know. They have helpful news, forms, and videos about phishing messages (https://www.ftc.gov) for reference and a simple form to use when you’re ready to report. (https://reportfraud.ftc.gov)
Text S-P-A-M (7726) to your phone carrier so they can investigate. (It won’t count against your plan!) https://www.verizon.com/about/account-security/smishing-and-spam-text-messages
The USPS has its own Inspection Service site if you get a smish of the package/parcel variety. https://www.uspis.gov/news/scam-article/smishing-package-tracking-text-scams