Protect against scams

Download Norton 360 Deluxe to help protect against scams, viruses, malware,and other online threats.

Get it now

Protect against scams

Install Norton 360 Deluxe to help protect against scams, viruses, malware, and other online threats.

Get it now

What is smishing? How to spot + avoid an attack

A man checks his phone and is happy to see that a recent text is legit and not a smishing attack.

You’ve probably heard of phishing, but what is smishing? Learn how scammers use text messages to spread malware and steal data, the types of smishing scams out there, and how to recognize the warning signs of a smishing attack. Then, strengthen your online security with Norton 360 Deluxe to help block scams and prevent threats. 

What is smishing?

Smishing is a type of cyberattack that uses deceptive text messages to trick recipients into providing personal information or clicking malicious links. The term “smishing” is a combination of “SMS,” the technology that enables text messaging, and “phishing,” the type of social engineering attack that aims to trick people into clicking malicious links.

Scammers use smishing to perpetrate identity theft, fraud, or spread different types of malware. Shielding yourself against smishing attacks involves staying vigilant, understanding the signs of suspicious text messages, and learning to protect your mobile security

Smishing vs. phishing vs. vishing

Phishing is a social engineering tactic used by scammers and cybercriminals. It’s often carried out via fake emails pretending to be trusted sources. Phishing attacks account for 36% of all data breaches in the US.

Vishing and smishing are types of phishing. Smishing, or SMS phishing, involves sending malicious text messages. Vishing, or voice phishing, is when scammers impersonate professionals over the phone to trick victims into revealing sensitive data or transferring money.

How does smishing work? 

Cybercriminals use a combination of malware, malicious links, text threats, and social engineering tactics to carry out smishing attacks. Here are the usual steps of a smishing attack:

  1. A scammer sends out a text message using social engineering tactics to trick you into believing the message is legitimate. 
  2. You click on the infected link or provide them with personal information.
  3. The scammer uses your compromised information to carry out further attacks, commit fraud, or even sell the stolen data on the dark web.
Hackers can commit smishing attacks in three simple steps.

5 types of smishing attacks 

Smishing text messages can come in many forms, because hackers like to customize their messages to fit their targets. Keep these different kinds of smishing texts on your radar to help ensure the Cyber Safety of your smartphone and even your Internet of Things (IoT) devices.

1. Delivery and package-tracking smishing

Package delivery scams are among the most common types of smishing attacks, and are especially prevalent during holidays or major sales events. You might receive a text message supposedly sent by FedEx, USPS, or another reputable mail carrier notifying you about a delivery snag or requesting an update on shipping details. Often, the text is a scam, and the real aim is to trick you into clicking a harmful link or divulging personal information. 

2. Financial services smishing scams

Financial services smishing scams take advantage of the fact that almost everyone uses banks and credit card companies to manage their finances. These smishing messages pose as legitimate banking institutions to get you to compromise sensitive data like Social Security numbers, addresses, phone numbers, passwords, emails, and more. 

For example, IRS-related scams to watch out for are messages that promise tax credits or help with setting up an online IRS account. The IRS has reported an increase in smishing attacks, so keep that in mind if you receive a text message supposedly from the IRS.

A common smishing example is a financial services scam.

3. Confirmation smishing scams

A confirmation smishing scam uses fake confirmation requests to get you to compromise sensitive information. This could be for an online order, an upcoming appointment, or a bill invoice for business owners. The smishing text may contain a link directing you to a site that asks you to input login credentials or other sensitive data to verify your appointment or purchase.

4. Customer support smishing scams

Customer support smishing scams send smishing texts posing as any company a person may trust — not just banks or credit card companies. They may pose as a representative from an online business or a retailer notifying you of an issue with your account. They’ll provide directions to solve the issue, which may include directing you to a fake site infected with spyware

The customer support smishing scam is a popular smishing attack.

5. Gift or giveaway smishing scams

If you’ve ever received a “You’ve won!!” text only to find yourself prize-less, you’re familiar with gift smishing. This type of smishing attack advertises a fake contest giveaway and tries to get you to click a malicious link to claim your prize. If you do tap and end up on their site, your device could get infected with malware

Smishing attack examples 

Learning about real-life smishing examples can help you understand how to avoid them in your everyday life.

  • Tokyo Olympics, 2020: CYFIRMA detected a smishing campaign targeting Olympics fans by attempting to sell fake event tickets to steal personal and banking information. 
  • United States Postal Service, 2020: The CEO of SlickRockWeb reported a smishing campaign posing as the USPS to trick users into compromising login credentials.
  • Verizon, 2022: Verizon acknowledged a smishing campaign targeting its users. The smishing text appeared to come from a user's own phone number in hopes of them clicking the malicious link attached to the message.
  • UPS Canada, 2023: UPS experienced a data breach where unauthorized access to their package lookup tool exposed some recipients’ details. UPS warned customers that attackers had targeted some recipients with smishing attacks demanding payment before delivery.

To help avoid becoming a victim of a smishing attempt, it’s a good idea to learn the warning signs and smishing protection tips.

Smishing attack warning signs

Use these smishing attack warning signs to help determine if you’re dealing with smishing spam texts on your mobile device:

  • Suspicious phone numbers: Smishing messages often come from numbers that don’t follow the typical 10-digit layout or use a series of the same number. 
  • Links and files from unknown numbers: Phishing through text messages often includes deceptive website links with unusual URLs that take you to an unsafe site.
  • Urgent requests: Scammers frequently employ urgency to frighten their victims. But genuine companies give ample notice about issues, so delete these messages or verify them with the supposed sender.
  • Money requests: Messages urging online money transfers are likely scams aiming to drain your funds.
  • Prize notifications: Receiving prize alerts for contests you didn't enter is a red flag; steer clear of engaging or clicking any embedded links.

How to avoid smishing scams 

How to detect, avoid, and protect against smishing attacks.

Your cell phone is likely one of your most used and trusted devices. Avoid potential smishing scams with the help of these cybersecurity tips:  

  • Never respond: The first rule of smishing prevention is to not engage. Replying to a smishing text confirms that your number is active and may lead to further attacks. 
  • Contact banks and/or retailers directly: Scammers commonly impersonate valid businesses or banks. If a text seems questionable, reach out to the mentioned institution directly to verify it.
  • Avoid clicking suspicious links or files: The core of a smishing attack is often a malicious link. Avoid clicking these links at all costs. And if you can tell a text is fake when you receive it, delete it immediately.
  • Inspect new phone numbers: Odd phone numbers may point to a smishing attempt. Be especially careful of numbers that don't follow the typical 10-digit format. 
  • Never send personal information via text: Never give out personal details, such as passwords, credit card numbers, addresses, or emails via text.
  • Use two-factor authentication: Even if you get tricked and a password is compromised, two-factor authentication adds an additional protective layer. For example, biometric technology uses a fingerprint or facial recognition to verify your identity.
  • Download antivirus software: Downloading trusted antivirus software like Norton 360 Deluxe can help keep your device secure by protecting against hacking and blocking malware and other online threats before they infect your device.

How to respond to smishing 

Let’s say you receive a text message that raises your suspicions. It has all the tell-tale signs of smishing and phishing. First, don’t panic. Here’s a quick rundown of how to respond to smishing attempts: 

  1. Don’t respond: Don’t ever respond to a suspected smishing text. 
  2. Report the attack: Mark the text as spam, report the number, and notify your mobile service provider. There are also official channels to report these scams, like the Federal Trade Commission.
  3. Update your passwords: Change the passwords of any accounts you think might be at risk. Use long and unique passphrases to make the password strong.
  4. Monitor your finances: Check your bank statements and credit card activity. If you notice anything suspicious, alert your bank immediately. 
  5. Scan your device for malware: Run a thorough malware scan on your device using trusted antivirus software. If you’ve clicked any links, there might be unwanted threats lurking. 

Help protect against online scams with Norton 360 Deluxe

As with other social engineering tactics, smishing exploits human error — that’s why staying informed is key. And there are other threats out there, so practicing good digital hygiene and using strong security software is essential to helping to protect your digital life. 

Get Norton 360 Deluxe for ironclad security against malware, hacking, and other online threats.

FAQs about smishing 

What is smishing short for?  

Smishing is a combination of “SMS” (short message services) and “phishing.”

What is smishing in social engineering?

In the context of social engineering, smishing involves sending deceptive text messages designed to trick recipients into taking particular actions, like clicking malicious links or providing personal or financial information. 

Can I get a virus from opening a text?  

Simply opening a text message is generally safe; it's the actions that may follow, like clicking a malicious link or downloading a malicious attachment, that can introduce a virus or malware to your device.

What is the difference between phishing and smishing? 

Smishing is a type of phishing. Phishing often refers to deceptive emails, while smishing only uses text messages.

Is smishing a cybercrime? 

Yes, smishing is a cybercrime that uses malicious text messages to commit fraud or steal personal information to benefit the cybercriminal.

Why do cybercriminals use smishing? 

Cybercriminals use smishing because people typically trust messages sent to their phones. The purpose is to steal a victim’s personal data or have them click a malicious link.

What do you do when a strange number texts you?

If you receive a text from an unknown number, especially if the content seems odd or too good to be true, don’t click any links, consider reporting the number as spam and think about blocking the number if you don’t want to hear from it again. 

Olga Knezevic
  • Olga Knezevic
  • Cybersecurity writer
Olga Knezevic is a Prague-based cybersecurity writer whose work explores online privacy and all things Wi-Fi. She provides a unique perspective on information access in the digital era, due to her previous experience as a librarian and e-learning specialist.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.