Cybersecurity Awareness Basics
How to avoid identity theft, frauds, scams and more. Click below for more information.
Read our latest Fraud Newsletter: Citizens Fraud Update - Spring 2025
What is Smishing? How Text Message Scams Work (And How To Avoid Them)
Cybercriminals love to go smishing, but you don’t have to take the bait.
You've probably heard of phishing – when criminals attempt to get you to click on links, submit sensitive details, or download malware via email. Smishing is phishing...but through text messages. Instead of a scam email landing in your inbox, it arrives as an SMS, iMessage, WhatsApp, or other text-based notification on your phone. The goal is the same: to trick you into clicking a malicious link, sharing personal information, or downloading malware.
Just like phishing, smishing is a type of social engineering attack where a scammer manipulates your emotions to bypass your better judgment. Falling for a smishing scam could expose sensitive information like bank details, passwords, or even give a cybercriminal access to your device.
The good news? You don’t have to fall for it. Once you know the signs of smishing, it becomes much easier to spot, avoid, and report these scams.
What does a smishing text look like?
The term "smishing" comes from "SMS phishing" – SMS being an archaic term for text messaging.
Smishing messages are sneaky. They often disguise themselves as urgent alerts from banks, delivery services, government agencies, or even your boss. The goal is always the same: get you to act quickly before you think hard about the request.
Here are some of the most common types of smishing texts:
- Fake delivery updates. You might get a message saying, “Your package is delayed. Update your delivery info here.” The link looks official, but the website is a scam.
- Bank or account alerts. These messages claim there’s suspicious activity on your account. They urge you to click a link or call a number to “verify” your information.
- Prize or giveaway scams. The text might read, “Congratulations! You’ve won a $1,000 gift card. Click to claim.”
- Impersonations of government agencies. Some texts pretend to be from the IRS, Social Security, or even law enforcement, demanding immediate payment or personal information. Another common scam is claiming you have an unpaid toll or traffic ticket.
- Job or money-making scams. Messages like “Make $500/day working from home. Apply now!” prey on people looking for work.
- Account verifications. You may get texts saying that your PayPal, Netflix, Amazon, or other account is locked. Often, the scammers will say you need to reset your password, and then they steal your real password when you enter it in their fake "Password Reset" form.
These texts often include links that look slightly off. They might have domains with random numbers, extra characters, or strange endings like .xyz instead of .com. And because we tend to trust texts more than emails, scammers know you’re more likely to click without thinking.
Why smishing feels more urgent
If phishing emails try to rush you, smishing takes that pressure to the next level. Our phones are always in our hands, and texts feel more personal and immediate. Scammers are aware of this, and they exploit it.
A classic smishing tactic is creating a sense of urgency, which can be either negative or positive:
- Negative urgency: “Your bank account is locked.” “There’s a warrant for your arrest.” “Suspicious login detected.”
- Positive urgency: “You’ve won a prize!” “Claim your free gift before midnight!” “Exclusive deal only for you!”
These messages are designed to make you panic or get excited enough to tap the link before you think it through.
Take a few seconds before you tap
A simple pause can save you a lot of trouble. If you get an unexpected text asking you to click a link, share information, or act fast, take a breath.
Ask yourself:
- Was I expecting this message?
- Does the link look suspicious? (Most links in legit texts will come from simple, recognizable domains.)
- Does the message make sense? Did I actually order a package? Do I really have an account with this service?
If you’re still unsure, check the situation through official channels (meaning a phone number, contact email, or website not included in the text). Open the app directly or type in the website yourself – don’t trust the link in the message.
Also, you can show the message to a friend or loved one for their opinion. A second set of eyes is a great tool for detecting scams!
When the scammer knows your name
Just like email spear phishing, smishing can be personalized. Scammers might reference your name or your workplace. They often scrape this information from public data breaches, social media, or online directories.
If a text includes your personal information, it doesn’t mean it’s trustworthy; it might mean a scammer has done their homework. Stay cautious whenever you receive an urgent, unexpected request.
What to do if you get a smishing text
If you receive a suspicious text, one of the safest things you can do is nothing. Don’t reply. Don’t click. Don’t engage.
Even replying “STOP” signals that your number is active and can lead to more scam attempts.
Instead, block the number. Smartphones have a built-in feature to block phone numbers and report them as spam.
You can take a screenshot of the text and share it with your family group chat to warn them of the scam. Many scams will target people in your family and friend group, so spread the warning.
Finally, delete the message. Once reported and blocked, delete the message from your phone to avoid accidentally opening it later.