Phishing Scams via SMS (Smishing)
How smishing campaigns exploit SMS's lack of a sender-domain check, alphanumeric sender ID spoofing, and mobile-browser URL truncation to harvest credentials and card details at scale.
Last reviewed: 1 June 2026
SMS phishing — smishing — is distinct from email phishing in one critical way: the mobile channel provides almost none of the verification signals that a careful email reader can use. There is no sender domain to inspect, no spam filter trained on message patterns, and the mobile browser typically shows only the beginning of a URL before it is truncated. These structural properties make smishing a high-conversion attack surface that requires different protective habits from email.
This guide covers how smishing campaigns are technically constructed, the categories most commonly impersonated — banks, carriers, government agencies, and delivery companies — and the specific mobile-first habits that stop the attack before credentials or card details are entered.
How this scam works on SMS/text
Smishing campaigns are sent via SMS aggregators or compromised SIM-based devices to large contact lists, often purchased from data brokers or assembled from breached databases. The sender display name is set using alphanumeric sender ID — a feature of the SMS protocol that allows any string to appear as the sender name. This means 'HSBC,' 'Amazon,' 'HMRC,' or any other brand name can be spoofed as the apparent sender with no technical barrier.
The message text creates urgency — a suspicious login, a held parcel, a tax refund, an account suspension — and includes a shortened or slightly altered URL. On a mobile browser, long URLs are truncated, and the padlock icon (HTTPS) provides no guarantee of legitimacy because any site can have a valid TLS certificate. The landing page copies the target brand's genuine login or payment interface and captures what the user enters in real time.
A particularly effective smishing pattern is the one-time passcode relay: when the victim enters their card number, the attacker simultaneously attempts to use it on a genuine payment site, triggering a passcode to the victim's phone. The smishing page then asks for that code — completing the fraud in a single session without the victim realising they have just authenticated a transaction they did not initiate.
Common red flags
- An unexpected text from a bank, carrier, government body, or delivery company with a link
- Sender name matching a trusted brand — this can be spoofed by anyone
- URL in the text that differs from the brand's known official domain when viewed in full
- A request to enter login credentials, card details, or a one-time passcode via a link in the text
- Extreme urgency: 'account suspended within 24 hours unless you verify now'
- A one-time passcode arriving on your phone while you are on a payment page you reached via a text link
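The red flags above as an automated check over one message (an added example, not part of the original guide). The allowlist, shortener list, keyword patterns and sample messages are constructed assumptions; the link's host is compared from its right-hand end, because a truncated mobile display shows only the start of the URL.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist (constructed): spoofable sender name -> the brand's real domains.
OFFICIAL = {"hsbc": {"hsbc.co.uk", "hsbc.com"}, "hmrc": {"gov.uk"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample list, not exhaustive
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"suspend|within \d+ ?hours|verify now|immediately", re.I)
SECRET_RE = re.compile(r"passcode|one-time code|\botp\b|password|card (number|details)", re.I)


def host_matches(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    Anchored at the right-hand end: 'hsbc.co.uk.account-check.example'
    starts with the brand name but does not match 'hsbc.co.uk'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def red_flags(sender, body):
    """Return the sorted red flags found in one SMS (sender name, text)."""
    flags = set()
    official = OFFICIAL.get(sender.strip().lower())
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;:)!?")).hostname or ""
        flags.add("link")
        if any(host_matches(host, s) for s in SHORTENERS):
            flags.add("shortened-url")
        elif official and not any(host_matches(host, d) for d in official):
            flags.add("domain-mismatch")
    if URGENCY_RE.search(body):
        flags.add("urgency")
    if SECRET_RE.search(body):
        flags.add("asks-for-secret")
    return sorted(flags)


# Constructed sample messages; .example hosts are reserved and not real sites.
SAMPLES = [
    ("HSBC", "Account suspended within 24 hours unless you verify now: "
             "https://hsbc.co.uk.account-check.example/secure"),
    ("HSBC", "Your statement is ready. View it at https://www.hsbc.co.uk/"),
    ("Delivery", "Parcel held. Confirm card details at https://tinyurl.com/abc123"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body))
```

A message from the genuine domain still carries the "link" flag, matching the guide's advice to treat any unexpected text with a link as suspect.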
How to protect yourself
- Never follow links in unexpected texts — navigate to the sender's official app or website directly by typing the URL
- On mobile, tap and hold any link before opening to reveal the full destination URL
- A one-time passcode sent to your phone while you are on an unfamiliar page means you may be in a relay attack — close the page immediately without entering the code
- Forward suspicious texts to 7726 (SPAM) — this works in the US, UK, Australia, and many other countries
- Enable SMS filtering on your phone (iOS: Settings → Messages → Filter Unknown Senders; Android: Spam Protection in Messages settings)
How to report it
- Forward the text to 7726 (SPAM) to report to your mobile carrier
- Report to the FTC at reportfraud.ftc.gov (US), Action Fraud at actionfraud.police.uk (UK), or Scamwatch (Australia)
- In the UK, report the phishing website to the NCSC at [email protected]
- If card details or credentials were entered, contact your bank and the relevant service immediately
Frequently asked questions
Why can a scammer make a text appear to come from my bank's name?
SMS alphanumeric sender IDs are set by the message sender, not verified against any registry. Anyone with access to an SMS sending platform can set the sender name to any string — including your bank's name. The displayed sender name is never proof of origin. The only safe verification is to navigate to the bank's official app or website independently.
Is HTTPS on a smishing page a sign that it is safe?
No. HTTPS only means the connection between your browser and the site is encrypted — it does not verify the site's legitimacy. Fraudulent sites routinely use free TLS certificates. The padlock icon tells you the traffic is encrypted, not that the site is genuine. Always verify the full domain, not just the protocol.