Smishing
A phishing attack delivered by SMS text message, often impersonating delivery companies, banks, or government services.
Also known as: SMS phishing, text phishing
Last reviewed: 1 June 2026
Smishing (SMS + phishing) uses text messages to deceive recipients into clicking malicious links or calling fraudulent numbers. Because people tend to trust texts more than emails, smishing can have higher click-through rates than email phishing.
Common smishing lures include fake parcel-delivery notifications ('your package is on hold — pay £1.99'), bank fraud alerts, HMRC or IRS tax refunds, and account-verification requests. Clicking the link typically leads to a credential-harvesting site or prompts a malware download.
Some smishing campaigns use 'SIM farms' — banks of cheap SIM cards and phones used to send thousands of texts before the numbers are blocked. Fraudsters also exploit SMS features like sender-ID spoofing to make texts appear to come from your actual bank's short code.
Examples
- A text reading 'ROYAL MAIL: Your parcel requires a £2.49 customs fee. Pay here: [link]'.
- A message appearing to come from your bank's real short code asking you to verify a new payee.