What is smishing (SMS phishing)? Signs, examples, and prevention

Smishing, or SMS phishing, is a scam where criminals use text messages to trick people into clicking malicious links, sharing sensitive data, or sending money. It works because scam texts look like ordinary messages, such as delivery updates, bank alerts, or login codes. This article will cover the basics of smishing, including the most common types, warning signs to watch out for, and the best ways to keep yourself safe.


What is smishing?

Smishing is a form of phishing that happens through SMS. A scammer sends a deceptive text message that looks important, routine, or believable and tries to get you to click a link, call a number, send money, or share personal or financial information. They want to get access to your Social Security number, passwords, credit card numbers, and bank account details.

The term “smishing” combines “SMS” (or “Short Message Service”), the technology behind standard text messages, and “phishing.”

How do smishing (SMS phishing) attacks work? 

A smishing attack works by making a fake text feel like a real one. The message usually appears to come from someone you know or a delivery service, bank, or government agency. It pushes you to act quickly and click a link, call a number, confirm account information, or address a supposed urgent problem.

These scams work because texts feel immediate and familiar. Scammers may spoof numbers, impersonate trusted brands, use personal details, or create urgency to make the smishing message seem real.

A typical smishing scam follows this pattern:

  1. The bait arrives. You receive a text about a missed delivery, suspicious bank activity, an unpaid toll, a prize, or a problem with one of your accounts.
  2. The message pressures you to act fast. It suggests that a problem requires immediate attention.
  3. You’re pushed to one channel. The text includes a call to action — click a link, reply with information, or call a number.
  4. The attacker captures something valuable. That may be your password, card number, verification code, Social Security number, or direct payment.
  5. The damage expands. The stolen information may be used for fraud, bank account takeover, identity theft, or reselling. 

Smishing vs. phishing and vishing 

Smishing, phishing, and vishing are all social engineering scams. The main difference is the channel.

Phishing is the broad term for scams that trick people into giving up sensitive information or access. It often happens through email, fake websites, or online messages. Smishing is a type of phishing delivered by text. 

Vishing is voice phishing. Instead of texting you, the scammer calls you (or asks you to call them) and uses pressure, scripts, and impersonation over the phone.

Smishing and vishing often overlap. For example, a fake fraud-alert text may tell you to call “security support,” turning a text scam into a phone scam.

The table below highlights the main differences:


|  | Smishing | Phishing | Vishing |
| --- | --- | --- | --- |
| Channels | SMS (Short Message Service) | Email, websites, online messages | Phone call or callback |
| Goals | Steal data, money, or account access | Steal login credentials or install malware | Extract money, codes, or remote access |
| Lures | Delivery issue, bank alert, toll, verification code | Password reset, invoice, document share, account warning | Bank fraud call, tech support, government threat |
| Main risks | Credential theft, payment fraud, account takeover | Credential theft, malware infection, business email compromise | Social engineering in real time, remote access scams, wire fraud |
| Targets | Smartphone users, online shoppers, busy professionals | Email users, employees, consumers | Older adults, people caught off guard |


The most common types of smishing (with examples)  

Smishing keeps evolving, but the core tactics usually involve impersonation and urgency. The examples below are among the most common patterns seen in current text scams. 

Delivery and package smishing 

Delivery and package smishing is one of the most common forms of SMS scams. These texts usually appear to come from well-known carriers such as FedEx, UPS, or the US Postal Service. The text often mentions a problem with your delivery, such as a missed drop-off, an address issue, a customs delay, or a small fee needed to release the package. The goal is to make you click a link that leads to a fake page, where scammers can steal your information.

Warning signs include vague wording, unexpected tracking links, strange domains, and pressure to act fast before the package is returned.

People who shop online frequently are especially vulnerable, since they’re more likely to have real deliveries in progress.

An example of a delivery smishing text: Your parcel could not be delivered due to an address issue. Confirm redelivery now: usps-track-help.com.

Bank or payment alert smishing

These messages appear to come from your bank, card issuer, payment app, or an online store. They warn you about suspicious activity on your account and push you to act immediately by clicking a link or calling a number. In reality, the goal is to steal sensitive financial information like PINs, passwords, and bank account or credit card details.

This type of scam works because fraud alerts are something many people take seriously, and rightly so. Busy adults, older people, and anyone already concerned about account security are particularly vulnerable.

Common warning signs include requests for login details, prompts to reply with words like “YES” or “NO,” and callback numbers.

An example of a bank alert smishing scam: Did you authorize a $489.22 purchase? Reply NO or call 800-555-0192 immediately to secure your account.

Pro tip: Security alerts help you spot suspicious activity early, but they should come from services you already trust, not in unexpected texts. NordProtect’s security alerts and notifications are designed to provide that kind of verified warning.

Prize, giveaway, or lottery smishing

This scam preys on the hope of getting something for nothing. The message claims you have won cash, a gift card, a mobile phone, a trip, or another reward and tells you to click a link, pay a small fee, or provide personal information to collect it.

The lottery scam tactic is especially effective against people who frequently enter promotions, shop online often, or are more likely to respond to limited-time offers.

Common warning signs include winnings in lotteries you didn’t enter, requests for upfront fees or tax payments, and rewards that seem unusually generous.

An example of a prize smishing scam: Congrats! Your number was selected for a $1,000 Target gift card. Claim now before midnight: target-reward-center.net.

Customer support impersonation smishing

In support impersonation scams, the scammer pretends to be a technical representative of Apple, Microsoft, Amazon, PayPal, or your mobile carrier. The text may warn about suspicious account activity, a billing problem, or another issue that requires you to call a support number, share a verification code, or install remote access software.

Common warning signs include support outreach you didn’t request, pressure to act immediately, requests for gift cards or cryptocurrency, and instructions to share one-time codes or grant remote access to your device.

Older adults and less confident tech users are often singled out, but these scams can catch anyone off guard.

An example of a customer support impersonation smishing scam: Unusual sign-in attempt detected. Call our security team now to prevent account suspension: 833-555-0118.

Government and authorities smishing

In this type of smishing attack, scammers pretend to be from a tax agency, police, the Social Security Administration, a toll authority, customs, or another official body. These messages usually warn of a supposedly serious problem, such as an unpaid fine, suspended benefit, legal action, or account restriction.

Warning signs include threats, payment demands, legal language, and links to unofficial domains.

Older adults, immigrants, and people unfamiliar with how government agencies actually communicate may be more exposed.

An example of a government smishing scam: You have an outstanding road toll balance. Pay today to avoid penalties and license suspension: ezpass-securepay.com.

Account verification smishing

This scam is designed to create a small moment of panic around your email, streaming subscription, payroll portal, social media profile, or another online account. The message usually warns that your account needs to be verified, your billing details couldn’t be confirmed, or your access is about to be limited. The link in the text usually leads to a fake sign-in page built to steal your username, password, and sometimes MFA code.

Common warning signs include generic greetings, urgent deadlines, and login pages that look right at a glance but use strange URLs.

Students, employees, and people using many online accounts are common targets.

An example of an account verification smishing scam: We could not verify your billing details. Verify your account now to avoid interruption: netflix-billing-check.co.

Impersonation of friends, family, or colleagues

This type of scam works by pretending to be someone you know and trust. The text may appear to come from a child, partner, friend, coworker, or manager and usually asks for urgent help, like sending money or responding to a sudden emergency. Parents, grandparents, and workplace teams are often targeted.

Warning signs include a new number, unusual writing style, urgency, secrecy, and requests involving money or codes.

An example of a family impersonation smishing scam: Hi Mom, this is my new number. My phone broke. Can you send me a verification code when it comes through? I need it urgently.

Pretending to text the wrong number 

This version begins with messages that look accidental, such as “Hi Anna, are we still on for dinner?”, followed by “Sorry, wrong number.” In many cases, that’s not a mistake at all. The goal is to start a conversation, build rapport, and then turn it into a romance, crypto, or investment scam. People who are lonely, polite, or curious are especially vulnerable.

Warning signs include strangers who quickly become friendly, try to move the conversation to another app, or drift toward investing or personal details.

An example of a wrong-number smishing setup: Hi Sarah, I’m outside the restaurant. Are you close?

Why are smishing attacks effective?

Smishing works because it exploits human psychology and everyday texting habits. The impact isn’t minor: The Federal Trade Commission (FTC) reported $470 million in losses tied to text-message scams in 2024, and impersonation scams overall accounted for nearly $3 billion in reported losses. The FBI has also warned about unpaid toll text scams, showing how widespread these campaigns have become.

On an emotional level, smishing works by pushing people to react quickly instead of pausing to verify. To do this, scammers rely on a few common psychological triggers.

  • Urgency: Creating pressure to act immediately before the situation gets worse.
  • Fear: Suggesting that your account, money, or personal information is at risk.
  • Greed: Offering a prize, reward, or unexpected benefit.
  • Curiosity: Drawing you in with a vague, unusual, or unexpected message.
  • Authority: Borrowing the voice of a bank, government agency, or other trusted institution.
  • Trust: Making the message look like a normal update about a delivery, payment, or account.

Signs of smishing messages

Smishing texts are designed to look ordinary and urgent, which makes the warning signs easy to miss. If a text pushes you to respond quickly or share information, take a closer look to spot these red flags:

  • An unexpected message. The text comes from a company, agency, or person you were not expecting to hear from.
  • Urgent or threatening language. It tries to pressure you by mentioning penalties, account lockouts, fraud, or legal consequences.
  • A suspicious link. The URL is shortened, misspelled, or unrelated to the real organization it claims to represent.
  • A request for sensitive information. Legitimate organizations don’t ask for passwords, full card numbers, Social Security numbers, or verification codes.
  • A push to call or reply immediately. The message tries to move you into a channel the scammer controls.
  • Generic wording. The text says things like “Dear customer” instead of using your name.
  • Poor grammar or odd phrasing. Not every scam text is badly written, but awkward language can still be a warning sign.
  • A too-good-to-be-true offer. Surprise prizes, refunds, gift cards, or rewards you didn’t expect should raise suspicion.
  • A sender that looks unfamiliar or slightly off. The name or number may resemble a real one, but not match it exactly.
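
The red flags above can be turned into a simple triage check. The sketch below is an added example, not code from this article or from any product it mentions: it scores a text against several of the listed signs and runs over the article's own sample messages. The brand allowlist, keyword patterns, and flag names are assumptions chosen for illustration.

```python
import re

# Assumed allowlist: brand keyword -> that brand's official registrable domain.
OFFICIAL = {"usps": "usps.com", "fedex": "fedex.com",
            "target": "target.com", "netflix": "netflix.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
# Assumed keyword patterns, one per red flag from the list above.
PATTERNS = {
    "urgency": r"\b(now|immediately|urgently|today|final notice|before midnight)\b",
    "sensitive_request": r"\b(verification code|password|pin|social security)\b",
    "call_or_reply": r"\breply (yes|no)\b|\bcall\b.*\d{3}-\d{3}-\d{4}",
    "generic_greeting": r"\bdear (customer|user)\b",
    "too_good_offer": r"\b(congrats|you have won|prize|gift card)\b",
}

def registrable(domain):
    # Naive last-two-labels rule; real code should use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def link_flags(text):
    flags = set()
    for domain in DOMAIN_RE.findall(text):
        reg = registrable(domain)
        if reg in SHORTENERS:
            flags.add("shortened_link")
        for brand, official in OFFICIAL.items():
            # Brand name appears in the host, but the site is not the brand's own.
            if brand in domain and reg != official:
                flags.add("lookalike_domain")
    return flags

def red_flags(message):
    """Return the sorted names of every red flag found in one SMS body."""
    text = message.lower()
    flags = {name for name, rx in PATTERNS.items() if re.search(rx, text)}
    return sorted(flags | link_flags(text))

# Sample texts quoted from this article's examples.
SAMPLES = [
    "Your parcel could not be delivered due to an address issue. Confirm redelivery now: usps-track-help.com.",
    "Did you authorize a $489.22 purchase? Reply NO or call 800-555-0192 immediately to secure your account.",
    "Congrats! Your number was selected for a $1,000 Target gift card. Claim now before midnight: target-reward-center.net.",
    "Hi Mom, this is my new number. My phone broke. Can you send me a verification code when it comes through? I need it urgently.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(red_flags(sample), "<-", sample)
```

A message with no flags is not proven safe; keyword checks like these miss well-written scams, so independent verification through the official website or app still applies.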

How to prevent smishing attacks

You can’t stop scammers from sending fake texts, but you can make them much less effective by building a few simple habits:

  • Use spam filtering and phone security features. Many mobile devices and carriers can filter suspicious texts.
  • Be careful about what you share publicly. The less personal information scammers find about you online, the harder it is for them to tailor convincing messages.
  • Monitor accounts proactively. Verified alerts from your bank or trusted security software help you spot real problems faster.
  • Turn on MFA or 2FA. This step adds an extra layer of protection in case a password is stolen. 
  • Keep your phone and apps updated. Security updates reduce the risk of malware, malicious links, and other known vulnerabilities.

What to do in case of smishing 

If you receive a suspicious text, don’t act on it right away. A quick pause can prevent a lot of problems.

If you suspect a smishing text message:

  1. Don’t click, reply, or call back. If the text asks for personal, financial, or account information, treat it as suspicious until proven otherwise.
  2. Verify independently. Open the company’s official website or app, or use a phone number from a bank card, statement, or verified account page.
  3. Save evidence. Take a screenshot and note the sender’s number.
  4. Block the sender on your phone.
  5. Forward the text to 7726 (SPAM) so your wireless provider can investigate.
  6. Report the smishing attempt to the Federal Communications Commission (FCC).
  7. File a complaint with the FBI’s IC3 if the scam attempt appears to involve identity theft or broader cybercrime.

If you have become a victim of smishing:

  1. Act fast. If you entered card or bank details, contact your bank or card issuer immediately.
  2. Change compromised passwords and update any reused passwords on other accounts.
  3. Reset MFA settings if needed and review account recovery options.
  4. Scan your device if you downloaded anything or suspect a malware infection.
  5. Watch for identity misuse. Review accounts, credit reports, and suspicious account activity, especially if your personally identifiable information was exposed. Credit monitoring can help you catch identity fraud early. 
  6. Keep records and report the incident. Save texts, screenshots, payment receipts, and any phone numbers involved. Report the incident to your bank, the FTC, and IC3.


FAQ

It depends on what the text is designed to do. A click may take you to a fake login page, trigger a download, or simply confirm that your number is active. The real damage usually happens when you enter information, download a fake app, approve a login, or send money. But even a single click is a risk, so stop immediately, close the page, and scan any downloads.

Smishing security awareness training teaches people how to recognize and respond to smishing attempts. It may include examples of scam texts, reporting guidance, and simulation exercises that test whether people spot suspicious messages before acting.

Common phrases include:

  • “Your package could not be delivered.”
  • “Suspicious activity detected on your account.”
  • “Final notice.”
  • “Verify your account now.”
  • “You have won.”
  • “Reply YES to confirm.”
  • “Call this number immediately.”
  • “Hi Mom, this is my new number.”
  • “Sorry, wrong number.”

Ugnė Zieniūtė

Ugnė is a content manager focused on cybersecurity topics such as identity theft, online privacy, and fraud prevention. She works to make digital safety easy to understand and act on.
