What is smishing? Spot & prevent SMS phishing scams


Imagine receiving a text message from your bank, warning you of suspicious activity on your account. The message urges you to click a link to verify your identity immediately. Panic sets in, and without thinking, you tap the link and try to log in with your credentials, only to realize later it wasn’t your bank at all. You’ve just fallen for smishing, a type of cyber attack that uses SMS messages to steal personal information.

Smishing, short for SMS phishing, is a growing cybersecurity threat that preys on people’s trust in text messages. Scammers use fake texts to trick people into sharing sensitive data, downloading malware, or clicking malicious links. Since almost everyone has a mobile phone today, smishing attacks are on the rise, making it more important than ever to recognize the warning signs and protect yourself.

In this guide, we’ll break down what smishing is, how it works, how to detect it, and—most importantly—how to avoid a smishing attack.

What is smishing?

Smishing is a type of cyber attack where scammers send fraudulent text messages to trick recipients into taking harmful actions, such as clicking a malicious link, downloading malware, or sharing sensitive information like passwords or credit card details.

Smishing messages often appear to come from trusted sources, such as banks and financial institutions, delivery services, online retailers, and payment apps. Although smishing texts can take on any form, they always try to elicit a response from you. 

Sometimes, these fake messages create a sense of urgency, fear, or enticement to manipulate you into acting before thinking. Other times, they rely on your confusion or expectations to trick you, such as by sending a tracking link for a “delivery update.” Even if you’re not expecting a package, you might still click the link to see what’s going on. 

How does smishing work?

A typical smishing attack follows this pattern:

  1. You receive a fake but convincing SMS. Scammers spoof trusted organizations, making the message appear legitimate.
  2. The message contains a malicious link or request for personal data. You may be urged to track a package, claim a refund, secure an account against suspicious activity, or provide a verification code.
  3. Clicking a link may lead you to a fake website that steals your login credentials or installs malicious software on your device without your knowledge.
  4. Forwarding a verification code you just received by SMS or email lets the scammer into the account that issued it. That code was most likely triggered by the scammer attempting to log in to your account, and the text asking for it is the final step of their login.
  5. Scammers will typically use your stolen data for fraud. This can result in financial theft, identity fraud, or unauthorized access to your personal or business accounts.

Smishing relies on social engineering, exploiting a sense of trust and urgency to bypass victims’ usual skepticism.

How does smishing spread?

Smishing attacks spread through various methods. Scammers typically use a “spray and pray” method, where they send thousands of fraudulent messages at once, hoping some recipients will fall for the scam. Targeted smishing attacks exist too, where scammers have some information about you, such as which bank you use, and send fake messages tailored to you. 

Some smishing campaigns rely on malware already installed on a victim’s phone to send fake messages to that phone’s saved contacts; in that case, the scammers never needed your number in the first place. Non-targeted campaigns instead work from lists of bought or stolen phone numbers to find potential victims. Either way, smishing thrives on exploiting trust and fear, which makes it a potent and dangerous cybercrime.

Smishing vs. phishing vs. vishing—What’s the difference?

Smishing is part of a broader category of cyber attacks known as phishing, but it’s not the only type. Here’s how smishing compares to other phishing attacks:

Smishing (SMS phishing)

Attack method: Fake text messages impersonating trusted sources.

Common tactics: Urgent warnings, fake delivery updates, or refund scams.

Typical victims: Anyone with a mobile phone is at risk, especially people who frequently use SMS for financial or service-related communications.

Phishing (Email & web-based attacks)

Attack method: Fraudulent emails or fake websites.

Common tactics: Emails urging people to click on malicious links, often disguised as account security alerts or promotional offers.

Typical victims: Email users and businesses.

Vishing (Voice phishing & phone scams)

Attack method: Phone calls from scammers impersonating banks, tech support, or government agencies.

Common tactics: Callers claim an urgent issue is affecting the victim (e.g., compromised bank accounts, unpaid taxes, a fake SIM swap, or a fake account login attempt) and request sensitive data or remote access to their devices.

Typical victims: Anyone with a mobile phone is at risk, especially elderly individuals, business professionals, or anyone likely to trust a seemingly authoritative phone call.

While phishing, smishing, and vishing all rely on deception and manipulation, smishing has become increasingly popular due to the trust people place in text messages and the difficulty of verifying senders.

Read more: Learn about “Spam Risk” calls and how to avoid them.

Common types of smishing attacks

Smishing scams take many forms, often mimicking legitimate businesses and institutions to gain victims’ trust. Below are some of the most common smishing attacks to watch out for.

Fake banking alerts and financial fraud

One of the most dangerous types of smishing scams involves fraudulent banking alerts. Scammers pose as your bank and send urgent messages claiming you need to address an issue with your account, or it needs a confirmation of some kind from you.

These kinds of smishing messages usually involve notifying you about suspicious activity on your account, claiming that your account has been compromised or frozen, or requesting confirmation for unusual transactions (that never happened). Here are some examples:

  • “We have noticed an unauthorized login. Click here to secure your account.”
  • “Your bank account has been frozen due to suspicious activity. Verify your identity now.”
  • “Did you authorize a $1,200 purchase? Reply YES or NO.”

Clicking a link in these messages may lead you to a fake banking website designed to steal your login credentials. Even responding with “NO” can trigger follow-up messages or different smishing texts. A reply shows scammers it’s a working number they can target with additional smishing attacks.

Delivery scams

With online shopping at an all-time high, delivery smishing scams have become more common. These scammers impersonate couriers like FedEx, UPS, DHL, and USPS with fake package tracking messages, such as:

  • “Your package is delayed. Update your delivery preferences here: [link]”
  • “Failed delivery attempt. Reschedule now: [link]”
  • “Customs fee required to release your package. Pay now: [link]”

Victims who click the link may be prompted to enter payment details for a nonexistent fee or unknowingly download malware onto their devices. Some delivery smishing messages aim to steal login credentials for shipping accounts, letting criminals reroute or intercept real deliveries.

Tech support and customer service impersonation

Tech support scams involve scammers posing as Apple, Microsoft, Google, or other tech companies, claiming your account or device has a security issue. Messages may state:

  • “Unusual login attempt detected on your Google account. Secure it here: [link]”
  • “Your iCloud storage is full. Upgrade now to prevent data loss: [link]”
  • “Virus detected on your device! Contact Apple Support immediately at [number].”

Clicking these links can result in stolen credentials or malware being installed on your device. Some smishing texts direct victims to call a fake support number, where scammers trick them into providing remote access to their devices or accounts.

Account verification and password reset scams

Many smishing attacks target login credentials by sending fake password reset requests or security verification messages. These scams typically impersonate banking institutions, email providers, online marketplaces, social media platforms, and payment apps. According to Statista, the most impersonated brands include Microsoft, Adobe, DHL, Google, AOL, DocuSign, and Amazon.

A common tactic is sending a message like:

  • “Unusual login detected on your Adobe account. Verify now to prevent suspension: [link]”
  • “Your Google Pay account has been restricted due to suspicious activity. Update your details immediately here.”

These links usually lead to phishing websites that steal your login credentials. Scammers can then log in to your account and make fraudulent transactions or lock you out to sell the account to someone else.

Healthcare-related smishing scams

Scammers often exploit public health concerns, sending fraudulent messages related to insurance, medical bills, or prescriptions. These messages may claim things like:

  • “Your health insurance policy is expiring. Click here and renew now to avoid coverage loss.”
  • “Important COVID-19 test results available. View here: [link]”
  • “Claim your free government healthcare subsidy before it expires: [link].”

These scams typically attempt to steal people’s insurance details, personal health information, or financial data. Some even lead to medical identity theft, where fraudsters use stolen information to receive healthcare services under the victim’s name.

Lottery, giveaway, and prize smishing scams

A classic scam tactic involves falsely informing victims that they’ve won a prize or have been selected for an exclusive giveaway. These messages often follow a typical pattern:

  • “Congratulations! You’ve won a $1,000 gift card. Claim your prize now: [link]”
  • “Your phone number was randomly selected for a luxury vacation giveaway! Confirm your details here.”
  • “You’ve won a free iPhone 15! Click here to arrange delivery.”

Clicking the link may direct victims to a phishing page that asks for personal information, such as their home address, phone number, or credit card details for a “processing fee.” Scammers often use this information for identity theft or financial fraud. Sometimes they are not after information at all: they simply collect a “delivery fee” for a non-existent package and disappear with the money.

Real-world examples of smishing scams

Smishing scams are not just theoretical threats—they have affected thousands of people worldwide, leading to financial loss, identity theft, and stolen credentials. Here are real cases of smishing attacks, how they worked, and their impact.

Fake Apple iPhone pre-order scam

In September 2024, ahead of the iPhone 16 launch, scammers launched a smishing campaign targeting Apple customers. The fraudulent text messages claimed that victims had exclusive early access to pre-order the iPhone 16 before the general public. Victims were sent a link to a fake Apple website designed to steal their credentials and money.

  • The scam primarily targeted people in the U.S., UK, and Australia, taking advantage of the excitement surrounding new Apple product releases.
  • The smishing message claimed the victims were eligible for an exclusive pre-order with a generous 40% discount.
  • Once they clicked the link, victims were sent to a legitimate-looking but fake Apple website that stated they needed to pay upfront to secure their exclusive iPhone “pre-order.”
  • Victims could then click through to a billing page with the option to pay via PayPal. 
  • The website even generated an invoice with fake tax and shipping information, including “free shipping” for orders over $1,000.
  • Victims who went through this process and paid for their “iPhone pre-order” never received anything and lost their money.

USPS and FedEx tracking scam

As online shopping continues to grow, so do delivery-related smishing scams. One of the most widespread cases occurred in late 2022, when scammers impersonated USPS and FedEx, sending fraudulent text messages claiming issues with package deliveries. Victims were urged to click a link to update their shipping details or pay a small fee for “re-delivery.”

  • Victims who clicked the link were taken to a fake courier website that requested their personal information, including their full name, address, and sometimes even their Social Security number.
  • Some websites only requested the victim’s credit card details as “confirmation” of their order while others asked victims to pay a fake “re-delivery” fee. Those who provided their details were usually left with fraudulent charges on their credit cards.
  • The scam spread across the U.S., Canada, and parts of Europe, leading to warnings from shipping companies and cybersecurity experts.

Fake government assistance programs

During the COVID-19 pandemic and beyond, scammers exploited financial aid programs by impersonating government agencies such as the IRS or private financial institutions. The pandemic saw a significant rise in smishing attacks targeted at low-income individuals, claiming they were eligible for extra government benefits or fake lottery compensation prizes.

  • Victims received texts stating they qualified for a fake relief payment and needed to provide banking details to receive the funds.
  • Some messages asked victims to click a link to get their money, which led them to a website with a survey asking for their personal information.
  • Some messages told recipients to forward the text to others before they would be “eligible” to collect their money, turning victims into distributors of the scam.
  • These and other scams were reported in multiple U.S. states, leading to official warnings from entities like the IRS and WHO about the fraudulent text messages.

Customer support impersonation

Between 2023 and 2024, a major smishing campaign impersonated PayPal and Amazon customer support, tricking users into clicking fake security alerts. Victims received texts stating their accounts had been compromised and they needed to verify their identity immediately.

  • Clicking the link led victims to a cloned PayPal or Amazon login page, where scammers collected login credentials and stole funds from linked payment methods.
  • Some messages contained a fraudulent phone number, where victims who called were instructed to download remote access software, letting scammers take over their devices.
  • PayPal and Amazon have issued formal warnings about fraudulent texts and advised people to enable two-factor authentication to prevent unauthorized access.

“Wrong number” scam & social engineering tactics

A more subtle but growing form of smishing involves scammers sending friendly “wrong number” texts to initiate conversation. In 2023, cybersecurity researchers found that thousands of victims were tricked into long-term text message exchanges that led to investment fraud or romance scams.

  • Scammers often pretend to have texted the wrong person, such as: “Hey Sarah, are we still meeting for coffee today?”
  • If the recipient responds, scammers continue the conversation, building trust over weeks or months.
  • Eventually, victims are encouraged to invest in fake crypto trading platforms or other schemes, which is when the scammers steal their funds and disappear.
  • These scams have resulted in millions of dollars in losses, with victims in the U.S., Canada, and Asia.

How to identify a smishing attempt

Recognizing smishing attempts is crucial in safeguarding your personal information. Here’s how to spot and handle them effectively.

Common red flags in smishing messages

Be vigilant for the following common signs that a text message might be a smishing attempt:

  • Unknown or hidden numbers: Scammers may hide their identity or spoof local numbers to appear authentic.
  • Urgent or alarmist language: Messages that create a sense of urgency or panic, such as claims of account issues or suspicious activity, are common tactics to prompt immediate action without scrutiny.
  • Requests for personal information: Legitimate organizations typically do not solicit sensitive data like passwords or Social Security numbers via text messages.
  • Suspicious links or attachments: Unexpected links, especially shortened URLs, can lead to malicious websites or initiate malware downloads.
  • Generic greetings: Messages lacking personalization or specific details may indicate a mass phishing attempt.
  • Poor grammar and spelling: Scammers often intentionally include writing mistakes in their messages as people who overlook these issues are less likely to question the scammers’ intentions.
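The red flags above can be turned into a simple triage rule for a message body. The following Python script is an added example written for this article, not code from ExpressVPN or from any messaging app: it scores each text against the link, shortened-URL, urgency, credential-request, generic-greeting and prize-lure flags listed above, and treats anything at or above an assumed threshold as suspicious. The sample messages are constructed for the example (the links are placeholders, not real addresses), and the keyword lists and weights are assumptions chosen to illustrate the idea rather than a published scoring scheme. It does not score the sender number or grammar quality, which need context a message body alone does not carry.

```python
import re
from typing import List, Tuple

# Constructed sample texts (invented for this example, not real messages).
SAMPLE_MESSAGES = [
    "Dear customer, your bank account has been frozen due to suspicious activity. "
    "Verify your identity now: http://bit.ly/EXAMPLE-PLACEHOLDER",
    "Hi Dana, your dentist appointment is confirmed for Tuesday at 10am. Reply C to confirm.",
    "Failed delivery attempt. Reschedule now: http://tinyurl.com/EXAMPLE-PLACEHOLDER",
    "Congratulations! You have been selected for a $1,000 gift card. "
    "Send your SSN and card number to claim.",
]

# Each keyword group maps onto one red flag from the article. The lists and the
# weights are assumptions made for this example, not a published scoring scheme.
URGENCY_WORDS = ("immediately", "now", "urgent", "suspended", "frozen", "verify",
                 "expires", "within 24 hours")
CREDENTIAL_WORDS = ("password", "pin", "ssn", "social security", "card number",
                    "cvv", "verification code")
GENERIC_GREETINGS = ("dear customer", "dear user", "valued customer")
PRIZE_WORDS = ("congratulations", "you have won", "gift card", "prize", "selected")
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
FLAG_THRESHOLD = 3  # assumed cut-off: at or above this a message is treated as suspicious


def _has_phrase(text: str, phrases) -> bool:
    """True if any phrase occurs as a whole word or phrase (so 'now' does not match 'known')."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one SMS body, one reason per red flag that fires."""
    lowered = text.lower()
    score, reasons = 0, []
    urls = URL_RE.findall(lowered)
    if urls:
        score += 1
        reasons.append("contains a link")
        if any(s in u for u in urls for s in URL_SHORTENERS):
            score += 2
            reasons.append("link uses a URL shortener")
    if _has_phrase(lowered, URGENCY_WORDS):
        score += 1
        reasons.append("urgent or alarmist language")
    if _has_phrase(lowered, CREDENTIAL_WORDS):
        score += 3
        reasons.append("asks for credentials or personal data")
    if _has_phrase(lowered, GENERIC_GREETINGS):
        score += 1
        reasons.append("generic greeting")
    if _has_phrase(lowered, PRIZE_WORDS):
        score += 1
        reasons.append("prize or giveaway lure")
    return score, reasons


def is_suspicious(text: str) -> bool:
    """Apply the assumed threshold to a single message."""
    return score_message(text)[0] >= FLAG_THRESHOLD


def triage(messages: List[str]) -> List[Tuple[int, str]]:
    """Return the suspicious messages with their scores, highest score first."""
    flagged = [(score_message(m)[0], m) for m in messages if is_suspicious(m)]
    return sorted(flagged, key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        verdict = "SUSPICIOUS" if score >= FLAG_THRESHOLD else "ok"
        print(f"[{verdict:10}] score={score} {reasons} :: {msg[:60]}...")
```

Run as a script, it flags the bank, delivery and gift-card texts and passes the appointment reminder. The credential-request flag carries the largest weight on purpose: a link or an urgent word on its own is common in legitimate messages, while a text asking for a password, PIN or card number is almost never legitimate, which mirrors the article's ordering of the red flags.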

How to verify if an SMS is legitimate

To determine the authenticity of a suspicious text message:

  1. Avoid immediate action: Refrain from clicking links or providing information without verifying the sender.
  2. Contact the organization directly: Use official contact information from the organization’s website or official correspondence to confirm the message’s legitimacy.
  3. Inspect the sender’s number: Compare the sender’s number with the official numbers listed by the organization. A discrepancy is a strong sign of smishing, but a match is not proof of legitimacy, because sender numbers can be spoofed.
  4. Look for spelling and grammar errors: Professional organizations typically avoid mistakes in their communications.
  5. Be skeptical of unsolicited messages: Unexpected messages, especially those requesting personal information or immediate action, should be treated with caution.

Read more: While smishing attacks are a rising concern, email is still the biggest target for phishing scams. Learn how to improve your email security.

How to report a smishing scam to mobile carriers and authorities

If you encounter a suspected smishing attack:

  1. Report the suspicious message to your mobile carrier as this helps carriers identify and block similar messages.
  2. File a complaint with the FTC at ReportFraud.ftc.gov to create awareness of the scam so the FTC can investigate it and warn others. The FCC provides resources on how to report smishing and other scam messages.
  3. Inform the company or agency being impersonated so they can alert others and collaborate with law enforcement.
  4. Use your device’s settings to block the sender’s number, reducing the risk of future scam messages from that scammer.

By staying vigilant and speaking out, you can protect yourself and others from smishing scams.

What to do if you become a victim of smishing

If you’ve fallen for a smishing attack—whether by clicking a malicious link, providing sensitive information, or downloading malware—acting quickly can significantly reduce the risk of financial loss and identity theft. Here’s what to do next.

Immediate steps to take

Do not respond or click links

If you suspect a text message is a smishing attempt, avoid interacting with it in any way.

  • Do not reply, even with “STOP” or “NO,” as this confirms to scammers that your number is active, potentially leading to more scam attempts.
  • Do not click any links—these could lead to phishing websites designed to steal your credentials or install malware on your device.
  • Avoid calling any numbers listed in the message, as they may connect you to fraudsters posing as customer support representatives.

Block and report the sender

Blocking the sender can help prevent further scam messages. Most smartphones let you block numbers directly from the messaging app:

  • iPhone: Tap the message, select the sender’s profile, then tap “Block this Caller.”
  • Android: Tap and hold the message, select “Block” or “Report Spam.”

Additionally, you can report the scam message to your mobile carrier. You can also report smishing attempts to the relevant authorities, such as the FTC or FCC (U.S.), Action Fraud (U.K.), or Scamwatch (Australia).

Scan your device for malware

If you clicked a link or downloaded a file from a smishing message, your device may be infected with malware. Take the following precautions:

  • Run a security scan using a trusted mobile antimalware app.
  • Look for unusual behavior—if your phone suddenly slows down, shows pop-ups, or apps crash frequently, malware may be the cause.
  • Uninstall suspicious apps—go to your app settings and remove any apps that were recently installed without your permission.

Change compromised passwords & enable 2FA

If you entered login credentials on a phishing website, it’s important to change your password immediately to prevent unauthorized access.

  • Use a strong, unique password that includes a mix of letters, numbers, and symbols.
  • Enable two-factor authentication (2FA) on accounts that support it—this adds an extra layer of security by requiring a second verification step (such as a code sent to your phone).
  • If your email account was compromised, go through its recovery settings to ensure scammers haven’t changed your backup email or phone number.

ExpressVPN has a free random password generator you can use to help you create more secure passwords. You can also subscribe to ExpressVPN to use the built-in password manager and store your passwords and credit card details securely. ExpressVPN Keys uses zero-knowledge encryption to protect your privacy and has been independently audited by cybersecurity firm Cure53 to ensure its security.


How to recover stolen data or money from smishing scams

If you’ve lost money or had personal information stolen due to a smishing scam, here’s how to take action:

  • Contact your bank or credit card provider. If you provided your financial details, notify your bank immediately to monitor for suspicious activity, dispute fraudulent charges, and take further steps. Most financial institutions have fraud protection policies that can help recover lost funds.
  • Monitor your accounts. Look out for unauthorized transactions or account changes and set up alerts to be notified of unusual activity.
  • Freeze your credit (if necessary). If personal details such as your Social Security number or banking information were compromised, consider placing a credit freeze with the major credit bureaus in your country to prevent identity theft.
  • Report identity theft. If scammers have misused your personal data, report the fraud to your country’s official identity theft protection service.
  • File a police report (if needed). If you lost a significant amount of money or sensitive information, filing a police report may be necessary for further investigation.

How to protect yourself from smishing scams

Smishing scams are constantly evolving, making it crucial to stay proactive in protecting your personal information. By securing your SMS communications, using security tools, and practicing safe online habits, you can significantly reduce the risk of falling victim to smishing.

Best practices to secure your SMS communications

To minimize your exposure to smishing attacks, follow these best practices when handling SMS messages:

  • Never click on links in unsolicited texts. If you receive a message claiming to be from your bank, a delivery service, or a government agency, go directly to the official website instead of clicking any links in the SMS.
  • Verify senders before responding. Legitimate companies rarely ask for sensitive information via text. If you receive a message requesting personal details, contact the company directly through official channels.
  • Avoid responding to unknown numbers. Responding to a smishing attempt in any way can confirm to scammers that your number is active, which may lead to more scam attempts.
  • Keep your phone number private. Avoid sharing your number publicly on social media, forums, or unsecured websites to prevent it from being collected by scammers or data brokers who may sell your information to scammers.
  • Be cautious of urgent or threatening messages. Scammers rely on fear and urgency to manipulate victims. If a message pressures you to act immediately, take a step back and verify its authenticity.
  • Enable spam filtering on your phone. Both iOS and Android devices offer built-in spam protection tools to help filter out suspicious messages.

How to block smishing messages on iPhone & Android

Blocking smishing messages can help reduce the number of scam texts you receive. Here’s how to block unwanted SMS messages on iOS and Android:

On iPhone:

  • Open the Messages app.
  • Select the smishing message and tap on the sender’s profile.
  • Tap Info > Block this Caller.

On Android:

  • Open the Messages app.
  • Tap and hold your finger over the smishing message.
  • Select Block & report spam.
  • Confirm the action to block the sender.

Additionally, you can use third-party SMS filtering apps to automatically detect and block smishing messages. It’s important to only use verified apps from official app stores to avoid potential malware.

Why multi-factor authentication (MFA) helps prevent smishing

Multi-factor authentication adds an extra layer of security to your online accounts, making it harder for scammers to gain access to your accounts even if they obtain your login credentials.

How MFA works: When enabled, MFA requires an additional verification step—such as a one-time password (OTP), fingerprint scan, or authentication app code—before an account will grant you access.

Why it helps against smishing: If you accidentally share your password with a scammer, they still won’t be able to access your account without the second authentication factor.
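To make the second point concrete, here is an added example written for this article (not ExpressVPN code, and not any real service’s login logic) of a login check that requires both a password and a time-based one-time code. The one-time code is computed with the standard TOTP construction (RFC 6238 on top of the HOTP algorithm from RFC 4226: HMAC-SHA1 over the 30-second time step, six digits), which is what common authenticator apps implement. The account record, the password and the TOTP secret below are constructed for the example; the secret is the RFC 6238 test-vector key, chosen so the codes can be checked against published values.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step, HMAC-SHA1, 6 digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed user record: salted password hash plus the per-user TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret  # in practice provisioned to the authenticator app once

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)


def login(account: Account, password: str, otp: Optional[str], now: Optional[int] = None) -> str:
    """Grant access only when both factors pass; otherwise report which factor failed."""
    if not account.check_password(password):
        return "denied: bad password"
    if otp is None:
        return "denied: second factor required"
    t = int(time.time()) if now is None else now
    # Accept the current step and one step either side to tolerate small clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(otp, totp(account.totp_secret, t + drift * 30)):
            return "granted"
    return "denied: bad one-time code"


if __name__ == "__main__":
    # Constructed scenario: the password leaked through a smishing page, the TOTP secret did not.
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, used here as the example secret
    victim = Account("correct horse battery staple", secret)
    leaked_password = "correct horse battery staple"

    print("attacker, password only:   ", login(victim, leaked_password, None))
    print("attacker, guessed code:    ", login(victim, leaked_password, "123456"))
    print("owner, authenticator code: ", login(victim, leaked_password, totp(secret, int(time.time()))))
```

The attacker with the phished password is stopped at the second factor. The drift window also shows the limit of this protection, which the article notes in its description of how smishing works: a one-time code is valid for its 30-second step (plus the tolerance), so a code that a victim reads back to a scammer within that window still works. MFA defeats a stolen password; it does not defeat a victim who hands over the code as well.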

Recommended anti-phishing software & mobile security tools

Using reliable security tools can help protect your device from smishing-related threats, including malware and phishing websites. Here are some recommended options:

  • Anti-phishing protection: Security apps can identify and block malicious links in text messages or block malicious websites from loading, preventing you from accidentally visiting fraudulent websites. Some tools also warn you if you enter sensitive information on a suspicious site.
  • SMS filtering and spam detection: Many messaging apps and mobile security tools include spam filters that automatically flag or block messages from unknown senders and known spam/scam numbers, reducing your exposure to smishing attempts.
  • Malware and scam detection: Some security apps scan your device for harmful software that may have been installed through a smishing attack. They can also help prevent potentially malicious apps from accessing your personal data.

When choosing a security tool:

  • Look for real-time threat detection to block smishing links before you interact with them.
  • Ensure it includes automatic updates to stay protected against the latest scams.
  • Avoid apps that ask for excessive permissions or collect unnecessary personal data as this may indicate these apps are malware in disguise.

While security tools can help reduce the risk of smishing, they should be used alongside good security habits, such as ignoring suspicious unsolicited messages, enabling multi-factor authentication, and verifying senders before responding.

Can a VPN protect you from smishing scams?

While a VPN enhances your online security and privacy, it does not directly prevent smishing attacks. However, a VPN can protect you from hackers in the following ways:

  • Protecting your data using encryption: A VPN encrypts your internet traffic, making it harder for attackers to steal your information.
  • Preventing tracking by malicious websites: Some smishing scams direct victims to phishing sites that log their IP addresses and online behavior. A VPN masks your real IP address, and with it your approximate location.
  • Enhancing overall cybersecurity: While a VPN won’t block scam texts, it works alongside other security measures to keep your information private and secure.

ExpressVPN has native apps for all major devices, including Android and iOS. These apps come loaded with advanced protection features, such as an ad blocker, a Threat Manager that prevents malicious trackers from loading, and a password manager. While our Threat Manager can’t prevent you from clicking smishing links, it can keep known malicious websites from loading. This adds another layer of protection in case you mistakenly open a link.

A VPN is a valuable tool for online privacy, but it should be used in combination with good security habits, multi-factor authentication, and anti-phishing software to protect against smishing scams.

FAQs about smishing

Is smishing illegal?

How common are smishing attacks?

Can smishing lead to identity theft?

What should I do if I accidentally respond to a smishing text?

Can my phone be hacked through a smishing link?

How do I stop smishing messages permanently?

Can I report smishing messages to my phone provider?

Can smishing steal my personal data and passwords?

How do I check if my phone has been hacked by smishing?

Arline writes about technology, cybersecurity, fintech, and gaming, among other topics. She's happiest when she gets to break down complicated ideas into easy-to-understand explanations. Outside of work, she's an avid aerialist and has a deep love for books and stories in all formats.