In this article:
Smishing scams use texts to impersonate a trusted sender and steal a victim's information. There were more than 19.2 billion spam texts sent in November 2024 alone, according to anti-spam app Robokiller.
Scammers typically send out large text blasts to cast a wide net for potential victims, so it's crucial to know what smishing looks like to avoid being deceived. Here's what you need to know about smishing, how to protect yourself and what to do if you become a victim of fraud.
What Is Smishing?
Smishing, or SMS phishing, is when a scammer uses text messages to deceive victims into clicking malicious links or giving up sensitive information. Smishing often uses text messages that impersonate trusted organizations, such as the post office or the Social Security Administration.
By tricking you into engaging with links or downloads, scammers aim to steal personal data, such as your:
- Social Security number
- Usernames and passwords
- Credit card numbers
- Bank account information
Receiving a sketchy text won't, on its own, infect your device with malware or leak your data. You can avoid being victimized by simply not engaging with scammy texts and links.
Learn more >> What Is Phishing?
How Does Smishing Work?
Smishing works by sending text messages containing malicious links the victim is encouraged to open. When the victim clicks the link, malware may be downloaded to their device or they may be directed to a login or billing screen.
Then, the fraudster can capture the victim's login credentials, financial information or personal data. All of this information can ultimately be used for identity theft.
Smishing scams often rely on social engineering—that is, psychological tricks that create excitement, urgency or fear to get victims to act quickly. For example, scammers may promise prizes or warn of financial or legal trouble to coerce you to act. Or, they might attempt to confuse you by sending fake invoices for products you never ordered.
Learn more >> What's the Difference Between Phishing, Smishing and Vishing?
Examples of Smishing Scams
Smishing attacks are used with a variety of scams, but the ultimate goal remains the same: to steal your information. Here are some common smishing attacks to know about.
- Bank impersonation texts: These are scam texts that pose as messages from your bank. In some cases, these scams result in victims being defrauded out of thousands of dollars, or inadvertently giving their Social Security number to scammers.
- Fake prize or gift texts: Sometimes called sweepstakes scams, fake prize or gift texts ask you to click on a link to claim a free prize. But, once you do, you may be prompted to pay a "small fee" to collect your prize. Or, you may simply be asked to send financial information—which then results in fraudulent charges to your credit card or bank account.
Delivery notification scams: In delivery notification scams, fraudsters send tracking numbers or delivery failure notification alerts supposedly from trusted shippers, such as Amazon, FedEx, UPS or the U.S. Postal Service. Clicking the link to "track your package" or "confirm your shipment" leads you to a page where you're prompted to pay a fee or enter your sensitive information.
- Phony job offer scams: If you're looking for a new job, receiving a text about a promising opportunity may seem like a dream come true. Unfortunately, it's probably a scam. Unsolicited job offers are often attempts to smish your data. For example, the "recruiter" may tell you they need your bank account information to run a background check or set up direct deposit. Instead, they steal your money.
Learn more >> The Latest Scams You Need to Be Aware Of
How to Avoid Smishing
Scammers send out deceptive text messages in an effort to trick victims into clicking links or sending personal information. While you can't necessarily prevent being targeted, you can avoid becoming victimized by not engaging with scammers.
- Pause before you act. Scammers turn up the emotional heat to pressure you to act quickly. They create urgency by insisting that time is running out, or by threatening you with severe consequences if you don't act now. These are telltale signs of a scammer.
- Don't interact. If you receive a message from a sender you don't know, or who you suspect may be an imposter, don't respond. Instead, delete the message. If you believe the text could be from a sender that has a legitimate reason to contact you, check the company's website or call them directly using a verified phone number.
- Avoid clicking any links. Smishing texts may include links that could infect your device with malware or to lead you to enter your information into convincing website spoofs that masquerade as sites you trust. Don't click on any links embedded in a suspicious text.
- Keep your devices secure. Keep your cellphone safe from hackers by keeping your software up to date. Phone operating systems such as Android and iOS regularly receive patches designed to close up security holes, so neglecting to install updates can leave you vulnerable to cyberattacks. You should also routinely run antivirus software.
Learn more >> How to Avoid Phishing Scams
What to Do if You're a Victim of Smishing
Smishing and other types of fraud are prevalent and, unfortunately, scammers can be convincing. If you've given a scammer your information or clicked on a suspicious link, act quickly to minimize harm:
- Secure your devices. If you believe your device is compromised with malware, take steps to remove it. Ensure that your security software is updated on your cellphone or personal computer, and then run a virus scan.
- Secure your accounts. Create new passwords for any accounts compromised in a smishing attack. Make sure to use unique, strong passwords for each account and consider storing them in a secure password manager.
- Report it. If a scammer has your financial information, contact the impacted financial institutions (such as your credit card issuer or bank) to report that your information has been stolen. You can also report the fraud to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov. In some cases, you may also want to consider contacting your local police department.
- Add a fraud alert to your credit reports. If sensitive information such as your Social Security number has been exposed, you could be at risk of credit fraud. You have the right to place a fraud alert on your credit reports for free if you believe your information about misuse of your personal information. A fraud alert instructs lenders to take additional steps to verify your identity before processing new credit applications in your name
- Continue to monitor your credit. You can sign up for free credit monitoring through Experian to keep an eye out for changes to your report and score. If you notice information on your credit report that you believe is incorrect, you have the right to dispute it.
Learn more >> How to Report Identity Theft
The Bottom Line
Smishing scams are an ever-present threat, but knowing the signs of fraud can help you protect yourself and your loved ones. Scammers sell stolen information on the internet, where it can be bought and used for identity theft, hacking, spam and robocalls. You can run a one-time free personal privacy scan to search people finder sites for your information and learn what information has been compromised.
If you're looking for added protection, consider a paid premium Experian membership, which allows you to lock your credit file and receive dark web surveillance, monitoring across all three credit bureau reports and real-time alerts if someone attempts to open credit in your name. From there, you may be able to have your information removed.