What Is Smishing, and How Do You Protect Yourself Against It?

Updated: Feb. 01, 2024

Don't let the funny name confuse you. Smishing is a major scam that could cost you big bucks.

While a text may seem perfectly normal, it could be from someone with malicious intent—someone who wants to steal your identity, your bank account number, or other sensitive information. A recent report by the cybersecurity company Proofpoint found that 74 percent of organizations surveyed faced texting attacks. But companies aren’t the only ones being targeted. Scammers are sending scam texts designed to fool individual users as well, with a practice called smishing.

Smishing is different from Apple ID phishing scams, an iPhone virus warning scam, and other scams targeting iPhone security; it can affect anyone who texts, no matter what kind of smartphone they have. Here’s what you need to know about it, and how to protect yourself.

What is a smishing attack?

Smishing attack sounds a little scarier than it actually is. It isn’t really an attack—it’s more of a finesse. The scammer is basically trying to trick the targeted person on the other end of a text message.

Smishing definition

Smishing is a type of phishing attack that uses social engineering to get personal information about someone using text messaging. In case you were wondering, here’s how smishing and phishing are different from vishing.

What is smishing short for?

Smishing is short for “SMS phishing.” It combines “SMS” (literally “short message service,” or “texting”) with “phishing;” it’s a phishing scam that operates through text messages.

How do smishing scams operate?

Basically, these fake texts are an attempt to get your personal information by pretending they come from sources you know and trust, like your boss, the IRS, or a bank. According to Ryan Prejean, help desk lead at Guardian Computer, an IT support and service company based in New Orleans, these texts often include messages like:

  • We’ve noticed suspicious activity or log-in attempts

  • There is a problem with your account or payment information

  • You must confirm personal information

  • You need to click on a link to make a payment

  • You’re eligible to register for a government refund

  • You’re being given a coupon

  • Your child is hurt and personal information needs to be sent for their treatment

  • You’ve been overcharged for something and you’re being offered a refund

  • You’ve won a prize and you need to claim it

All of this is an attempt to get you to give them personal information like your social security number, bank information, or credit card details. A good smishing attack can be used to steal your identity in order to drain your bank account, charge up your credit cards, or take out loans in your name.

Why smishing is on the rise

There are many reasons why smishing is on the rise. One major reason is that it’s an easy scam to execute. All the scammer needs is a few phone numbers and a tricky way to get people to reply to a text to get the information they’re looking for.

Plus, people love text messages. Around 95 percent of text messages are opened and responded to within three minutes. Only 20 percent of emails are even opened, let alone replied to, so you can see how texting scams can be more appealing to a thief.

Phone screen with a text from an unknown number: * "You have won $5,000. The prize needs to be claimed ASAP. Please reply with your bank information so we can deposit the money into your account."rd.com, Getty Images

What is an example of smishing?

Spam texts usually use three steps to trick their victims. First, the company’s name isn’t in the text. Second, the text contains a shortened link (usually a bit.ly link) so that the website isn’t clearly identifiable. Third, the text is urgent to get victims to take action while they are off-guard.

Here are some example of smishing texts:

  • “You have won $5,000. The prize needs to be claimed ASAP. Please reply with your bank information so we can deposit the money into your account.”

  • “Your package has been lost. Please click here for more information: http://bit.ly/123R4m”

  • “Your IRS tax refund has been denied. Click here to file a review in 24 hours: http://bit.ly/sdfsd5”

How to protect your phone against smishing

Though preventing these scams completely isn’t possible, there are ways to  block spam texts you receive on your phone. You can also prevent a lot of them from reaching you by setting up spam filters on your phone. To set up the filter on your iPhone, follow these steps:

  • Step 1: Go to the Settings app
  • Step 2: Tap Messages
  • Step 3: Find the Filter Unknown Senders option
  • Step 4: Turn it on by swiping the button to the right

If you have an Android phone, follow these steps:

  • Step 1: Go to the Messaging app
  • Step 2: Tap the three dots icon in the upper right of the screen
  • Step 3: Choose Settings
  • Step 4: Tap Spam Protection
  • Step 5: Turn on Enable Spam Protection by swiping the button to the right

Some Androids don’t have filtering, so if you can’t find the Spam Protection option, your phone probably doesn’t filter messages. In that case, you’ll need to install an app like Nomorobo or RoboKiller.

You may also be able to use filtering tools that are offered by your wireless carrier. Here are some filters you have access to if you use these major wireless carriers:

  • Verizon Call Filter

  • AT&T Call Protect

  • T-Mobile Scam ID, Scam Block, Name ID

  • U.S. Cellular Call Guardian

What to do if you get a smishing text

If you get a smishing text, don’t reply. Don’t even text “stop.” Any kind of communication tells the scammer that your phone number is active—and ripe for targeting again. Your best bet is to block the number.

“Users should also report all spam texts to their wireless carrier for them to investigate,” says Prejean. “You can send any suspicious or spam messages to 7726 (which spells SPAM) if your carrier is AT&T, Sprint, T-Mobile, or Verizon.”

Here are more tips from the FBI for protecting yourself against smishing attacks:

  • Don’t open an unsolicited text message. If it says it’s from a company, look up the company’s phone number online or call the company to ask about the message.
  • Don’t open an attachment or link from someone you don’t know.
  • Look at the spelling in the text—scammers are known to misspell URLs and email addresses in hopes that you won’t notice the difference.

What should you do if you clicked a scam link?

Everyone makes mistakes. If you think you’ve already clicked a fraudulent link and/or provided compromising information, take immediate action. First, change all of the passwords that are associated with the information you gave out. Next, contact the real company you thought you were texting to let them know what happened. Also, make sure to run a malware check on your phone to ensure the link didn’t allow malicious code to be downloaded on your phone. Two good malware removal apps are Malwarebytes and Avast Antivirus.

Most importantly, if you gave out bank or credit card information, contact the bank or credit card company to report suspected fraud and cancel the card associated with the account.

Next, read up on these area codes that could be tied to a phone scam.