What is smishing?
Smishing is phishing conducted via SMS text message. Fraudulent texts impersonate delivery services, banks, or government agencies and contain links designed to steal your credentials or personal information.
Last reviewed: 10 June 2026
Explanation
Smishing became a major fraud vector as smartphones became universal and people grew accustomed to receiving legitimate transaction alerts and delivery notifications by text. Criminals mimicked this pattern, sending texts that blend in with the flow of real notifications.
Common smishing themes include: a parcel could not be delivered and a small customs fee is required; your bank has flagged suspicious activity; your government benefit payment needs to be confirmed; your streaming subscription is about to expire. The link leads to a convincing fake site that harvests card details, login credentials, or personal information.
Smishing has some advantages over email phishing for criminals: there is no spam filter, messages are seen on a small screen where full URLs are harder to inspect, and people are habituated to tapping links in texts. Some smishing links also deliver malware that installs itself when the link is opened on a vulnerable device.
Since your mobile number is not linked to a specific bank or service, anyone can receive a smishing text about any institution. The fact that you receive a parcel notification does not mean you have a parcel. Always navigate to the courier or institution's official app or website rather than tapping a link in a text.
Common red flags
- An unsolicited text with a link about a delivery, account alert, or payment
- The URL in the text is short, obscured, or does not match the claimed sender's domain
- A small fee or charge is mentioned — delivery fees, customs, or account reactivation
- The message creates urgency about acting within hours
- Generic language not using your name or specific account details
- Texts arriving from unusual numbers, from an email address displayed as the sender, or from unknown short codes
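The red flags above can be expressed as simple checks for triaging reported texts. The sketch below is an added example, not part of the original page; the brand names, official domains, trusted short code, regular expressions and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: brand name -> official domain (placeholders, not real services).
OFFICIAL = {"examplepost": "examplepost.example", "examplebank": "examplebank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
KNOWN_SHORT_CODES = {"60123"}  # constructed: short codes the recipient already trusts

URL_RE = re.compile(r"https?://[^\s]+", re.I)
FEE_RE = re.compile(r"\b(fee|customs|charge|reactivat\w*)\b", re.I)
URGENT_RE = re.compile(r"\bwithin \d+ ?(hours?|hrs?)\b|\bimmediately\b|\bexpires? today\b", re.I)
GENERIC_RE = re.compile(r"\bdear (customer|user|client)\b", re.I)

def host_matches(host, domain):
    """True only for the official domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def red_flags(sender, body):
    """Return the sorted list of red flags (named after the checklist) found in one text."""
    flags = set()
    # Which brands does the message claim to come from?
    claimed = [d for b, d in OFFICIAL.items() if b in body.lower().replace(" ", "")]
    for url in URL_RE.findall(body):
        flags.add("link")
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            flags.add("shortened_url")
        elif claimed and not any(host_matches(host, d) for d in claimed):
            flags.add("domain_mismatch")  # brand named in text, link points elsewhere
    if FEE_RE.search(body):
        flags.add("small_fee")
    if URGENT_RE.search(body):
        flags.add("urgency")
    if GENERIC_RE.search(body):
        flags.add("generic_greeting")
    if "@" in sender or (sender.isdigit() and len(sender) <= 6 and sender not in KNOWN_SHORT_CODES):
        flags.add("unusual_sender")
    return sorted(flags)

# Constructed sample messages (sender, body); none are real texts.
SAMPLES = [
    ("+447700900123", "ExamplePost: your parcel is held. Pay the 1.99 customs fee within 12 hours: https://examplepost.example.parcel-fees.example/pay"),
    ("60123", "ExampleBank: a payment of 25.00 left your account. Open the app to review."),
    ("alerts@mail.example", "Dear customer, your subscription expires today. Renew: https://bit.ly/constructed-placeholder"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body))
```

The first sample shows why the host has to be compared as a suffix of the official domain: the brand's name appears at the start of the hostname, but the registered domain is a different one. A message with no flags is not thereby proven genuine, so the advice to go to the official app or website still applies.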
What to do now
- Do not tap the link — go directly to the company's official app or website
- Forward the suspicious text to 7726 (SPAM) in the UK or report to the FTC in the US
- If you entered details, change your password and contact your bank
- Block the sender number on your phone
- Report to the platform's abuse team if it came via a messaging app
Frequently asked questions
How do smishers get my phone number?
Phone numbers are obtained from data breaches, purchased from data brokers, scraped from social media, or simply generated in sequential batches and mass-texted. Receiving a smishing text does not mean the sender has any specific personal information about you.
Are iMessages safer than regular SMS?
iMessages between Apple devices are end-to-end encrypted in transit, but smishing attacks do not rely on intercepting messages — they rely on you clicking a link. The risk from clicking a malicious link is the same regardless of the messaging platform.