SkipToMainContent

Emerging Threats

What is smishing + smishing attack protection tips for 2022

Two young Black females enjoy a walk together as one uses her smartphone without the fear of falling for a smishing text.

May 4, 2022


Smishing is a combination of the words short message services (SMS) and phishing. Today’s cybercriminals often carry out smishing attacks because people tend to trust text messages more than emails. It’s this mistaken trust that may have led to smishing scams increasing by more than 300% within the past two years.

Use this guide as your compass to understand the ins and outs of smishing attacks and how you can help protect yourself and your overall mobile security.

Here, we’ve outlined how smishing attacks work, smishing warning signs, and tips to help avoid smishing scams. You’ll find real-life smishing attack examples and frequently asked questions to help paint you a clearer picture of why you should care about this cyberthreat. 

How does smishing work?

Three illustrations accompany the steps of a smishing attack.


Cybercriminals use malware and malicious links to carry out their smishing attacks. Look at how hackers execute smishing scams, so you’ll know how to avoid them:

  1. A hacker sends out a text message using social engineering tactics to trick you into believing their message is legitimate. 
  2. You click on their infected link and/or provide them with your personal information, such as usernames, passwords, emails, etc.
  3. The hacker uses your compromised information to commit fraud and/or sell the stolen data on the dark web.

Nowadays, these smishing texts can come in many forms because hackers like to customize their messages to fit their targets. Check out some of the different types of smishing attacks below.

5 types of smishing attacks   

Keep these different kinds of smishing texts on your radar to help ensure the Cyber Safety of your smartphone and other Internet of Things (IoT) devices.

1. COVID-19 smishing scams 

Hackers try to use COVID-19 smishing scams to take advantage of people affected by the coronavirus. They’ll typically pose as government or health care agencies to try and convince you to view newly released information or claim your financial aid. 

While this app is being distributed through the Google Play Store, it has been distributed at a much higher rate in non-official app stores.

2. Financial services smishing scams

An illustration accompanies an example of a financial services smishing scam paired with a smishing attack protection tip.

Financial services smishing scams leverage the fact that almost everyone uses banks and credit card companies to manage their finances. These smishing messages pose as legitimate and trustworthy banking institutions to get you to compromise sensitive data like Social Security numbers, addresses, phone numbers, passwords, and emails. 

3. Confirmation smishing scams

Confirmation smishing scams use fake confirmation requests to get you to compromise sensitive information. This could be for an online order, an upcoming appointment, or a bill invoice for business owners. The message may contain a link directing you to a site that asks you to input login credentials or other sensitive data to verify your appointment or purchase. 

4. Customer support smishing scam

An illustration accompanies an example of a customer support smishing scam paired with a smishing attack protection tip.


Customer support smishing scams send smishing texts posing as any company a person may trust — not just banks or credit card companies like financial services. They may pose as representatives from online businesses or retailers notifying you of an issue with your account. They’ll provide directions to solve the issue, which typically includes you going to a fake site infected with spyware to record any information you type in. 

5. Gift smishing scams

People are usually familiar with gift smishing, as we’ve all probably received a “Congratulations” text at least once in our lives only to find ourselves prize-less. These smishing attacks advertise a fake contest giveaway you’ve won and try to get you to click on a malicious link to claim your prize. Once you continue to their site, malware could make its way onto your device and compromise your system and the information attached.

Smishing attack warning signs

Use these smishing attack warning signs to know whether a smishing text made its way onto your mobile device.

Suspicious phone numbers

Smishing texts may come from phone numbers that don't look normal at first glance. They may stray from the typical 10-digit layout or a series of the same number. If you see this type of number accompanied by a suspicious-looking message, don’t respond and delete the text immediately.

Smishing protection tip: Never respond to suspicious text messages.

Links and files from unknown numbers

Smishing texts are almost always paired with links to fake websites capable of recording your sensitive information. That’s why if you come across one, never click it. And in the event you do click one, look out for signs of an unsafe site, such as no “http” in the URL or small differences that you’re not used to seeing. 

Smishing protection tip: Avoid clicking on suspicious links and files.

Urgent requests

Most phishing emails and text messages feature urgent requests to frighten the receiver. But any legitimate company will give their customers ample notice about pressing issues. Delete these messages, and if you're still concerned after the fact, contact the company directly. 

Smishing protection tip: Never cooperate with urgent requests sent via text.

Money requests

Like urgent requests, you should delete text messages asking you to wire or transfer money over the internet. The likelihood that these are hackers disguised to try and steal your funds is extremely high. 

Smishing protection tip: Never comply with urgent requests for money via text.

Prize notifications

The thought of winning a prize is exciting to anyone, but the chances of winning a sweepstakes you haven't entered is incredibly low. If you receive messages about prizes you won from an unfamiliar contest, avoid clicking on any links attached and delete the text.

Smishing protection tip: Avoid clicking on suspicious links and files.

Smishing attack examples

Learning about real-life smishing attacks can help you learn how to avoid them in your everyday life.

  • Tokyo Olympics, 2020: CYFIRMA detected a smishing campaign targeting Olympics fans who attempted to sell fake event tickets to steal personal and banking information. 
  • United States Postal Service, 2020: The CEO of SlickRockWeb reported a smishing campaign posing as the USPS to trick users into compromising login credentials.
  • New Hampshire, 2022: Reports indicate a smishing campaign targeting New Hampshire residents with fake COVID-19 texts requesting a “New Hampshire State COVID-19 Vaccine Status Validation.”
  • Verizon, 2022: Verizon acknowledged a smishing campaign targeting service users. The smishing text appears to come from the user's own phone number in hopes of them clicking on the malicious link attached to the message. 

    To help avoid becoming a victim of a potential smishing attack, it’s a good idea to look toward adopting some smishing scam protection tips.

How to avoid smishing scams 

A smishing safety guide reviews smishing detection, smishing avoidance, and smishing protection.


Your cell phone is one of our most used — and — trusted devices. Help keep your device safe with these cybersecurity tips meant to help you avoid potential smishing scams.

Never respond 

The first rule when dealing with smishing texts is to never respond. Other than potentially triggering malware to install onto your device, you could verify a working number for the hacker. They could then use it for other scams or include it in a list to sell on the dark web for a profit. 

Contact banks and/or retailers directly 

Cybercriminals often try to impersonate legitimate businesses and/or banking institutions in smishing texts to get people to compromise credit card numbers and identifiable information. If you receive a text and question its validity, the best thing you could do is contact the bank or retailer directly. 

Avoid clicking on suspicious links and files

A hacker’s first step in a smishing attack is attaching an infected link. These may direct you to a site infected with spyware to record what you type or install malware onto your device. Avoid clicking on these links at all costs. And if you can tell a text is untrustworthy upon receiving it, simply delete it immediately.

Inspect new phone numbers 

Strange-looking phone numbers may indicate that the text is a part of a smishing campaign. Take notice of four-digit numbers or any others that stray from the typical 10-digit format. 

Never send personal information via text 

Online scammers love to use the mystery behind our screens to trick us into compromising our most private information. To help keep yourself safe, never give out personal details, such as passwords, credit card numbers, addresses, and emails via text.

Use two-factor authentication 

If you do happen to fall for a smishing scam and expose one of your passwords, two-factor authentication can work as another means of protection. Biometric technology uses fingerprint technology and facial recognition to verify your identity when you attempt to log in. 

Download antivirus software

Cyberthieves often embed different types of malware into their smishing attacks to compromise your cybersecurity. Downloading trusted antivirus software can help keep your device secure by bringing these potential threats to your attention and destroy them if they’re legitimate.

Report smishing attacks 

If you come across a potential smishing scam, report it to the authorities. You can forward all malicious text messages to SPAM (7726) and/or reach out to the FTC directly at ReportFraud.ftc.gov. 

In most instances, the text messages you receive are totally fine. But it only takes one bad one to compromise your cybersecurity. With common sense and caution, you can help keep your privacy, identity, and mobile devices secure. 

Smishing FAQs 

Browse through some frequently asked questions about smishing to properly handle yourself if you come across a malicious text message.

What is smishing short for?  

Smishing is a combination of the words short message services (SMS) and phishing.

What is smishing in social engineering?

In terms of social engineering, smishing is the act of using text messages to trick people into compromising sensitive data using different types of malware, as well as fake websites and phone numbers. 

Can I get a virus from opening a text?  

The likelihood of you receiving a virus from opening a text is low. It usually takes clicking on an infected link or file to trigger a virus to install onto a device. 

What is the difference between phishing and smishing? 

Phishing uses emails as their means for delivering infectious malware, whereas smishing relies on text messages. 

Is smishing a cybercrime? 

Yes, smishing is a cybercrime that uses malicious text messages to steal personal information to benefit the cybercriminal.

Why do cybercriminals use smishing? 

Cybercriminals use smishing because people typically trust messages sent to their phones more than emails. This is all to steal a victim’s personal data.

What do you do when a strange number texts you?

If you don’t recognize the number and the message makes no sense, feel free to delete it.

An estimated $11.3 billion was lost to cybercrime in the past year*

Norton™ 360 brings real-time protection for your PCs, Macs, smartphones or tablets against ransomware, viruses, spyware, malware and other online threats.

Try Norton 360. Post, bank and shop from your device. We’ll keep it secure.

*Based on a survey of 1,004 adults in the US, of which, 395 experienced cyber crime in the past 12 months. Conducted online by The Harris Poll on behalf of Norton™ LifeLock™, October 2018.


Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.