What Are Smishing Scams? Definition and Examples

Smishing (a combination of the words SMS and phishing) is a socially engineered scam where cybercriminals use fraudulent text messages to manipulate people into sharing private information. Then cybercriminals can use that information to steal money.

Unlike email, your mobile phones don't have strong filters to block text messages containing spam or smishing attempts. That's why cybercriminals like to target individuals via texts; it's easier to get fake texts delivered to you compared to phishing emails.

Keep reading to learn more about how smishing works, examples of what cybercriminals say in smishing messages, and what you can do to prevent smishing scams.

How does smishing work?

Smishing is carried out via SMS messages, but the initial text will vary. Most of the time, the cybercriminal will pose as a trusted person or business. They may even use spoofed phone numbers or inaccurate caller IDs to mislead you about the source.

Smishing usually includes a link, so the malicious text message uses social engineering tactics to convince you to click it. Social engineering is a method to manipulate victims into trusting the sender, usually by impersonating a trusted person or organization.

When you click on a malicious link, you may either have malware downloaded on your mobile device or be redirected to a fake website asking for your password, two-factor authentication code, banking information, or other personal data.

Phishing vs. smishing

Smishing is a type of phishing attack. Both tactics involve manipulating people into falling into a trap or getting involved in a scam. The main difference between phishing and smishing is where it happens. Smishing specifically targets SMS messages, while phishing can occur anywhere online — such as emails or direct messages on social media.

What is vishing?

Vishing is another form of phishing. This version of phishing happens over a phone call. Similar to smishing, it uses social engineering tactics, such as impersonating a trusted source and creating an urgent situation, to convince you to share sensitive information, such as credit card information or Social Security numbers.

7 most common smishing scams

There are several types of smishing scams, but they all share common characteristics. Here's a quick overview of the most common smishing scams, along with some examples.

1. Fake order/account confirmation messages

Attackers will pose as a business and send you a message claiming a shipment is on its way. In other cases, they may say you need to confirm your account.

Take a look at this real smishing scam example. The cybercriminal used a spoofed phone number and sent a message claiming a package was sent. The link is also suspicious because it doesn't make the sender clear from the URL.

Further research confirms that this is a smishing attempt. The link contains duckdns.org, which is an authentic website but it is often used by cybercriminals as part of a phishing campaign.

2. Urgent messages from financial services

Getting access to your financial information is extremely valuable to hackers. But it's also a bit tricky to hack. They will need your account login credentials and possibly a two-factor authentication code to access your account. One of the ways they accomplish this is by sending you a message that is claiming there is an urgent situation.

For example, take a look at this real smishing text. The sender poses as a credit union, using a spoofed phone number, and claims that a hold has been placed on an account. It also sends an unsolicited link to resolve the issue.

Since having your bank account placed on hold can cause you to feel panicked, you may quickly click the link and fill out the requested information without thinking twice. But this is a smishing attempt since this specific financial institution doesn't send unsolicited links.

3. Customer support impersonation

Another scenario is for attackers to impersonate customer support. They'll pick a company you most likely use (like Amazon or PayPal) and then send you a fake text message to verify expensive purchases.

Obviously, you didn't make those purchases, so you respond to say you didn't authorize the transaction. Then the conversation turns to resetting your password, and the fraudster does it in a way that leads you to hand over sensitive data, like your credit card information.

4. Bogus gift and giveaway notifications

The initial smishing text claims you've won a giveaway or prize. While this sounds like great news, this is usually a lure to get you to respond. There are actually cybercriminals behind the supposed free gifts, and they will ask you to claim your prize by paying a small fee. Other times, they'll send you a link to fill out a form designed to steal your sensitive information.

5. Malware attacks

Sometimes the goal of a smishing attack isn't necessarily to steal your information — at least at first. Attackers may want you to accidentally install malware onto your phone. They accomplish this by convincing you to click on a malicious link in a text message. 

Once your mobile device has downloaded malware, cybercriminals can start tracking your behavior, steal personal information, or harm your device.

6. Spear smishing

Spear smishing is a more targeted version of phishing. It targets specific people or organizations via text messages. A common example of this is CEO fraud. An attacker will impersonate a CEO or another high-ranking manager and then send fake requests to employees.

The impersonated CEO may text employees, asking them to buy gift cards with their own money, which the company will reimburse later. Since you may want to please your boss, you might fulfill the fraudulent request without noticing the red flags of a scam.

7. Unpaid toll text scam

Unpaid toll text scams are rising in popularity amongst scammers because they pair something plausible (unpaid tolls) with urgency (pay now or your license is suspended). In fact, toll text scams account for $3.5 billion in losses in 2025 alone. The FTC confirmed that fake toll payment texts are now the fastest-growing form of government imposter fraud in the country, as of May 2026.

How to mitigate smishing scam effects

When you receive a smishing scam, the best thing to do is not to interact with the text message. If you don't respond or open any links, no harm will be done to you. But if you have already responded to the smishing scam, there are some ways to fix the situation.

Here are some steps to consider if you are a victim of a smishing scam:

• Forward the scam text to 7726 (SPAM) to enable mobile carriers to investigate.
• Contact the organization directly with a known number to report suspicious texts.
• Report suspicious text messages to the Federal Communications Commission (FCC) or the Federal Trade Commission (FTC).
• If you've given out your password, change it immediately. If you used the same password for other online accounts, you'll also need to change it there. Password managers can help you store them securely.
• Check your bank accounts and credit cards to ensure transactions are authentic. Report anything unauthorized.
• Consider identity theft protection.

Smishing warning signs and prevention

Smishing scams often share the same red flags. Here are some signs that the text message you received isn't authentic and possibly a scam:

• Sense of urgency: Attackers often want you to feel panicked so you don't stop to think about your decisions. Their text messages will ask you to respond immediately.
• Grammatical errors: Spelling mistakes aren't normal for organizations or businesses. You should be suspicious of errors in grammar from texts claiming to be from well-known brands.
• Suspicious phone numbers: If you don't recognize the phone number, then there's a chance it's a scammer. This is especially true if the text is from a business and it's not the same phone number you previously contacted.
• Asks you to share personal information with them: Usually, attackers won't start the smishing scam by directly asking for your credit card number, but the conversation will eventually ask you to divulge private information.

If you're looking to avoid smishing scams, here are some tips:

• Don't respond to unsolicited text messages or phone numbers you don't recognize.
• Don't send personal or sensitive information over a text message.
• Don't click on any links or respond to the message.
• Check the privacy settings of your mobile device to enable spam protection.
• Don't give out your phone number if you don't need to.

Bottom line

You can be proactive by reporting smishing attempts to government authorities or the organization that's being impersonated. You can also check your phone settings to ensure spam protection is turned on. While you may still occasionally receive smishing attempts, you can minimize your risk of getting scammed by not responding to spam messages.

If you want to ensure you have strong cybersecurity, consider using a password manager, signing up for identity theft protection, or taking steps to remove your cell phone number from the internet.

FAQs