How smishing works and how to spot a smishing attack

Published: May 16, 2026

Cybercriminals use a plethora of techniques to breach systems, steal data, launch malware campaigns, and cause damage. One of the most popular tools of the trade is smishing. But what is smishing, how do smishing attacks work, and how can you keep safe?

What is smishing? The definition and meaning

To understand the meaning of smishing, we must first look at the more common term, “phishing.” Smishing has become one of the fastest-growing cyberthreats, with the FTC reporting around $470 million in losses to SMS scams. This is 5 times more than in 2020. And it’s getting worse, with smishing attacks surging 40% year-over-year in 2025 to now account for roughly 35% of all phishing attacks globally.

Phishing is when a cybercriminal pretends to be someone they’re not (usually a person in a position of authority) and attempts to deceive you into giving up personal data or clicking a malware-infected link.

They could claim to be anyone, such as your boss, a coworker, a family member, or a website, anyone whom you would be automatically inclined to trust. Taking advantage of that inclination to trust, the cybercriminal hopes you will let your judgment slip and provide them with the personal data they need from you. Phishing is when these deceptive acts are done via email. But the word is modified slightly for other platforms. When the scam is done in the form of an SMS message, it’s called “smishing.” 

Increasingly in 2026, attackers are using AI tools to make their scams more convincing. They can generate massive amounts of highly personalized and convincing smishing messages in minutes, at scale.

So, the official definition of smishing is when a criminal sends someone a deceptive SMS message with the intention of stealing personal data or infecting your device with malware.

Smishing vs. phishing vs. vishing: Understanding the differences

There’s not just phishing and smishing. There are several variations of this type of attack to wrap your head around.

Smishing

As we said above, smishing is when you receive a deceptive SMS message from a person claiming to be someone you trust. But it’s not just traditional SMS: smishing also applies to chat apps like WhatsApp, Telegram, and Signal.

Using whatever persona they’ve decided to use, the smisher will attempt to get sensitive information from you, such as your date of birth, social security number, user login details, and more. Or they may ask you to click a link, which would then infect your device with malware.

Phishing

Phishing is the email version of smishing. This deceptive approach is made in an email with the same request for information or the same link they want you to click on to be infected by their malware.

Often, phishers try to impersonate banks and other financial institutions, telling you that your account will be at risk unless you sign in by following the link they provide and change your password. Many email programs are now skilled at spotting these fake emails and sending them straight to spam.

Vishing

When a phishing scam is conducted via phone call instead of text messages, it’s called vishing, short for voice phishing. Today’s vishing attacks go beyond impersonating customer support agents or law enforcement, with many scammers using AI voice cloning to replicate anyone’s voice in real time.

In early 2025, the financial director of a multinational firm in Singapore joined a vishing Zoom call that included multiple employees and the firm’s CFO, where he was urgently requested to transfer $499,000 in funds to fake suppliers. And in another incident, a Hong Kong finance worker wired $25 million to scammers, following a deepfake video conference call with their company’s CFO.

How common is smishing?

Smishing is very common. In fact, smishing attacks increased by 300% in 2020 as people started using technology even more actively during COVID lockdowns, Proofpoint reports. Since then, attacks have continued to rise, with a staggering 74% of companies saying they experienced smishing by 2021.

The reasons why smishing is so popular among cybercriminals are simple. For one thing, SMS attacks are cheap. They can be automated and done in bulk, resulting in millions of SMS sent daily. Plus, smartphones have become the device of choice for people worldwide.

What makes smishing attacks so effective?

Smishing works because of one simple factor – psychology. The click-through rates for smishing range from 19–36% compared to just 2–4% for email phishing. This gap reflects the fact that many users view text messages as more trustworthy than emails in general.

By nature, many people are willing to listen to someone in a position of authority. If the bank calls and says the person’s money is in danger, that person often listens. If someone claiming to be from the bank says, “Click this link, and the problem goes away,” what would you do?

This inclination to trust others is precisely what smishers prey on. When a victim doesn’t fall for their tricks, the criminals merely cut their losses and move on until they find someone willing to believe what they’re told.

AI in 2026 has made this situation much worse. You used to be able to detect a scammy text message from poor grammar and typos, but now, AI-generated messages are fluent and nearly indistinguishable from legitimate communication. Luckily, you can ruin a scammer’s chances at successfully tricking you by using Moonlock’s Scam Detector. The app will analyze text messages for signs of fraud and scams. Try it now with a 7-day free trial to avoid smishing attacks.

Common smishing attack types and examples

Smishing isn’t like malware, in which a single attack can be used to infect countless devices. Instead, scammers often tailor their messages to reflect specific fears or life situations of their victims. And thanks to AI, these messages are now personalized and more difficult to detect than ever.

Here are some of the most common types of smishing attacks today:

  • Delivery and package tracking: You receive a text message claiming that your package couldn’t be delivered, urging you to click on a link to reschedule. But the link is malicious, and it will likely infect your device with malware or lead you to a fake page where your payment information and login credentials get stolen.
  • Banking and financial institution smishing: You receive a message from your bank warning you of suspicious activity on your account. Except it’s not from your bank at all. Attackers have sent the message instead. They typically urge you to verify your account via a link in the message and threaten you with closing your account if you don’t.
  • Government and IRS smishing: Texts that impersonate the IRS, Social Security Administration, or HMRC often claim you owe back taxes or are eligible for a refund. The goal is usually either an irreversible transaction or identity fraud.
  • Toll road and unpaid fines: A growing category of smishing attacks includes fake messages notifying you of an unpaid toll or traffic fine, along with a link to pay immediately. The FBI IC3 reported receiving close to 60,000 complaints regarding toll-related smishing attempts in 2024 alone.
  • Fake job offer: Attackers send unsolicited job offers, typically with attractive salaries and remote work perks. They then request personal information or an upfront payment for training or equipment.
  • Prizes and giveaways: You receive a message congratulating you on winning a gift card or a competition you never entered. In order to “claim your prize,” you’re often directed to pay a small processing fee or tax, a payment you likely won’t be able to reverse once you realize the prize isn’t coming.
  • Healthcare and Medicare: Texts impersonating health insurers, Medicare, or COVID-related health agencies that offer free tests, benefits, or refunds typically target your personal details, like your Social Security number.
  • Social media and account alerts: You might receive fake security alerts claiming that your Instagram, Facebook, or Google account has been compromised. They’ll then prompt you to click a link to verify your identity. If you log in using this page, the scammers will capture your credentials and take over your account.
  • Crypto and investment: Texts that promise high-return investment opportunities or warn you that you need to verify your crypto wallet to not lose access to your funds are another type of smishing. Victims are usually funneled into fake platforms designed to steal funds or infect their devices with cryptominers.
  • MFA bypasses: If your login credentials were recently involved in a data breach or leak, attackers might then try to take over your accounts by triggering a one-time password sent to your phone. Sharing this code will hand your account over to the scammers.

How do criminals spread smishing attacks through SMS?

So how do these criminals do it? How do they spread these smishing attacks?

The first step is to get the numbers. Millions upon millions of numbers. Grabbing phone numbers from websites is one possible way they do it, but that would be extremely time-consuming.

Instead, they most likely use software to randomly generate millions of possible number combinations. Some will work as phone numbers, others won’t. As we said, it’s truly a numbers game (no pun intended).

Once the messages are mass-sent out to these numbers, the scammers employ a variety of methods to fool their potential victims. One is to clone the phone number of the actual person or company they’re trying to impersonate. So when you look at your caller ID, it looks as if the message is really coming from the official person or place.

The next method is to set up realistic-looking websites that look almost like the website of the real person or company. When you click on the link inside the SMS, you’re redirected to the scammer’s website. If their site looks identical to the real version of the site, most victims will likely not notice.

These websites will most likely host malware, which will instantly jump onto the victim’s computer or mobile device and remain under the control of the scammer.

But ultimately, everything rests on the SMS message. If it is unbelievable, then the rest of the scam fails. It’s here that the criminals ironically make the least effort. The messages are usually badly formatted with multiple typos. But the messages are designed to generate fear in the recipient, so most likely many people won’t look too closely at the text of the message. They’ll just respond.

How common is smishing?

Smishing is one of the fastest-growing types of cyber threats, accounting for 69.3% of all mobile phishing and social engineering attacks. Globally, and due to the widespread use of AI by scammers, smishing has surged by more than 40% in 2025.

SMS scams continue to dominate compared to other types of scams simply because they’re cheap and easily automated. Smartphones are now most people’s primary devices, making them a better target than desktops. 

How to identify smishing scams

If you know what to look for, identifying a smishing scam can be remarkably easy. Here are a few common signs:

Use a dedicated scam detector

Moonlock Scam Detector helps you catch even some of the most expertly crafted scam messages. Simply navigate to the Scam Detector tab in the Moonlock app, paste the suspicious text, and click Check. Try it now with a 7-day free trial.

Look for urgency

If a message is trying to scare you or make you panic, it’s likely a scam. Phrases like “Your account has been suspended” or “act now or lose access” are common signs of a scam, as smishers don’t want you thinking clearly before clicking a link and following their instructions.

The sender’s number looks suspicious

Government and financial institutions have specific numbers they use to message people. If it’s your personal bank, you likely have their number saved to your Contacts. Meanwhile, smishing texts will often arrive from unknown or international numbers, although sometimes, scammers will spoof legitimate numbers to appear credible, so you’ll need to be careful with those.

Typos, grammar mistakes, and bad formatting

You know something’s up when the text of a message looks like something a 5-year-old would write. For many smishers, English is not their first language. Therefore, the writing may come across as stilted and unnatural. There may also be a lot of typos and basic grammar errors. Plus, the formatting of the message is often a mess.

To cap it all, the URLs of the links in these messages are often a giveaway. If someone claiming to be from Bank of America, for example, sends you a link that looks like “xhckft.com/click,” it’s a major red flag.

They’re trying to make you panic

Considering that their messages aren’t likely to win the Nobel Prize for literature, the last thing these smishers want is for you to look closely at the actual text. They just want to scare you and hope that your survival instincts kick in.

Messages like “YOUR COMPUTER IS INFECTED!” and “YOUR BANK ACCOUNT IS ABOUT TO BE SHUT DOWN!” are designed to instill panic in potential victims. Their hope is to get people to set aside their rational good judgment and make a slip-up.

They’re asking for information nobody would ask for

Why would your bank ask for your bank account number? Why would your credit card company ask for your card’s expiration date? Why would the police ask for your date of birth and social security number?

When you get an SMS message asking for personal information, ask yourself, “If this is really the person they claim to be, would they need to ask me for this information?” If the answer is no, it’s probably a smishing scam.

If you get an SMS from an unknown person, and that SMS has a link, never click on it. It could cause malware to be downloaded onto your device, or it could lead to a site that will steal your data.

Instead of clicking on unsolicited links, call the person or company the SMS claims to have been sent from. Talk to someone to verify whether the SMS is legitimate.
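
The warning signs in this section can be written down as simple checks on a message. The following is an added example, not part of the original article or of any Moonlock product; the phrase lists, the brand-to-domain map, the `check_sms` helper, and the sample messages are all constructed for illustration.

```python
import re

# Phrase lists are assumptions for this example, seeded from the article's wording.
URGENCY = ("account has been suspended", "act now", "lose access",
           "about to be shut down", "is infected")
SENSITIVE = ("social security number", "date of birth", "account number",
             "expiration date", "pin", "password")
# Assumed map of brand names to the domains that brand really sends links from.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}, "irs": {"irs.gov"}}
# Matches links with or without a scheme, e.g. "xhckft.com/click".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def mentions(low_text, phrases):
    """True if any phrase occurs as whole words ('pin' must not hit 'shopping')."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", low_text) for p in phrases)


def link_hosts(text):
    """Lower-cased hostnames of every link-like token in the message."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def check_sms(sender, text, known_senders=frozenset(), home_prefix="+1"):
    """Return the list of warning signs found in one message."""
    low = text.lower()
    reasons = []
    if mentions(low, URGENCY):
        reasons.append("urgency")
    letters = [c for c in text if c.isalpha()]
    if len(letters) >= 12 and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        reasons.append("shouting")
    if mentions(low, SENSITIVE):
        reasons.append("asks-for-sensitive-data")
    unknown = sender not in known_senders
    if unknown:
        reasons.append("unknown-sender")
        if sender.startswith("+") and not sender.startswith(home_prefix):
            reasons.append("international-sender")
    hosts = link_hosts(text)
    if hosts and unknown:
        reasons.append("unsolicited-link")
    # A message that names a brand but links somewhere else is the
    # "xhckft.com/click" case from the article.
    for brand, domains in BRAND_DOMAINS.items():
        if mentions(low, (brand,)):
            for host in hosts:
                if not any(host == d or host.endswith("." + d) for d in domains):
                    reasons.append(f"link-mismatch:{brand}->{host}")
    return reasons


# Constructed sample messages: (sender, text).
SAMPLES = [
    ("+447700900123", "Bank of America alert: your account has been suspended. "
                      "Act now or lose access: xhckft.com/click"),
    ("+15550142", "YOUR BANK ACCOUNT IS ABOUT TO BE SHUT DOWN! "
                  "SEND YOUR ACCOUNT NUMBER AND PIN"),
    ("+15550100", "Bank of America: view your statement at "
                  "https://secure.bankofamerica.com/statements"),
]

if __name__ == "__main__":
    contacts = frozenset({"+15550100"})  # constructed: a number saved in Contacts
    for sender, text in SAMPLES:
        print(sender, check_sms(sender, text, known_senders=contacts))
```

A clean result only means none of these particular signs fired. A spoofed sender number or a fluent, well-formatted message will pass these checks, so verifying through the organization's official channel still applies.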

More answers about smishing attacks

Let’s delve into other aspects of smishing, including some common questions about this type of scam.

Can responding to a text message put you at risk of being hacked?

Replying to a message won’t get you hacked. If all you do is reply, the worst you’ve done is confirm your phone number is real, meaning you will likely get further smishing attempts in the future. The threat of hacking only gets real if you click on a link or provide personal information in a message. The best policy here is to never respond to a text message from an unknown person. Simply delete it.

Is it possible to get a virus by opening a phishing text message?

Just opening a text message will not release any viruses or malware. Again, the danger lies in the link provided in the message. If you click the link, malware may infect your computer or mobile device.

Can SMS phishing attacks lead to identity theft?

SMS phishing attacks can indeed lead to identity theft, but the scale of the damage will depend on the information you give them. Providing details like your full name, date of birth, social security number, PIN number, and so on can lead to your identity being stolen.

How do scammers get my number for smishing attacks?

If you reveal your phone number on the internet, it can be swiped and used for smishing attacks. However, collecting numbers from the internet takes time and effort, so in many cases, software is used to generate millions of possible phone numbers. Some will work, and some won’t. These numbers will then be mass-texted, with scammers hoping for a reasonable amount of the numbers to work.

Is smishing classified as a form of cybercrime?

Yes, smishing is classified as a form of cybercrime, mainly because of the actions that follow after it. If the scammer steals your information under false pretenses, it’s theft and/or fraud. If they steal your information over a computer or a mobile phone, it’s computer fraud. Identity theft speaks for itself, and if an attacker uses your identity to commit further crimes, it gives the police more latitude in terms of what charges may be filed.

What does a smishing text look like?

A smishing text’s main intention is to look like a normal SMS message. However, the number that sends the message may be unknown or blocked. It may also be an international number or, more commonly, just seem strange.

A smishing text will attempt to impress a sense of urgency. Malicious SMS texts do not tend to be very long. They will have a link at the end of the message or in the middle. Additionally, links may be concealed inside the text. Smishing texts can also have attachments you will be urged to open or attachments concealed in links.

What happens if you click on a smishing text?

If you are being targeted in a real smishing campaign, there are endless possibilities of what can happen if you click on the text. As mentioned above, links may be hidden inside the text, so even if there seems to be no apparent link in the message, clicking it can have serious consequences. In short, clicking on a malicious message is like lighting a match that will start a fire.

Clicking on smishing texts can lead to:

  • Stolen data and credentials
  • Financial data leaks
  • Stolen contacts
  • Malware including spyware, adware, browser hijackers, ransomware, and much more
  • The spreading of the attack to other devices, a network, or an organization 

Can a scammer get your info if you text back?

Your best bet in an SMS attack is not to engage in any way. Just report and block the number. Responding to a smishing attack will inform the criminal that your number is active. This means you will continue to get more fake SMS. In addition, by responding to a text, even asking the person not to keep sending you messages, you risk getting the real attacker on the line, and some of them can be very convincing when it comes to scams.

While it is highly unlikely that your data will be stolen or that malware will infect your smartphone just by responding to a text, experts do not recommend replying, as hackers constantly improve the technology they use.

For example, in zero-click attacks, hackers do not have to convince you to click on a link, go to a site, fill out a form, or download a file. In these types of attacks, just receiving the SMS can breach your phone. One technique used to automatically download malware onto your phone via SMS without you engaging with the text is sending you a GIF, which, when it plays, runs a series of commands to infect your mobile device.

How to protect yourself from a smishing attack

Despite the global wave of attacks, there are still several things you can do to prevent smishing from happening to you or, when it does happen, to at least mitigate the damage.

1. Never respond: Report and block

If you receive a smishing message, no harm is done as long as you don’t respond to it. Just delete it and go about your day. The danger begins when you do respond, whether it’s by providing the information requested or by interacting with a link provided.

The golden rule is to never respond to suspicious SMS messages. Block them, delete them, and report them to the real company or person, or to the police. By not responding, you are not validating your phone number for potential future attacks. And blocking the number prevents that number from messaging you again.

2. Use real-time malware protection

One day, you might slip up and click on a malicious link in an email or text message without realizing it. For those emergencies, you need to be prepared with real-time protection enabled on your Mac.

Here’s how you do it:

  • Sign up for a free trial
  • Open Moonlock. From the Home page, click Explore.
  • On the right-hand sidebar, under Real-Time Protection, click Options.
  • A new window will pop up. Under “Continuous monitoring,” tick the box for “Turn on real-time protection.”

Now, if Moonlock detects any malware on your device, it’ll immediately quarantine the threat and remove it for you.

3. Use two-factor authentication

You can use several technologies to keep your smartphone safe from SMS scams. One of them is two-factor authentication (2FA). While 2FA will not stop malicious SMS from reaching you, it will protect you if you fall for a scam by giving your email, bank, work, and other accounts an extra layer of security. Make sure you activate 2FA on all your accounts.

4. Download trusted antimalware

Just like 2FA, antimalware cannot prevent an attacker from sending out SMS, but it can do a lot for your security. If you do download malware or visit malicious sites, efficient antimalware software will flag the threat and might even block you before you take action. On the other hand, if malware finds its way into your smartphone, professional antimalware that runs scheduled scans or is in live monitoring mode will detect the malware automatically and remove it.

5. Check and verify the source

It’s always a good idea to check and verify the source of an SMS. Note that this doesn’t mean you should call the attacker’s number. Rather, if you receive a message that appears to be from your bank, contact the bank through official channels to check and verify that they sent you a message.

What to do if you fall victim to smishing

If you have already experienced a smishing attack, here are some tips to guide you through the process.

1. Remain calm

It’s essential that you remain calm if you fall for a smishing trick. Having a clear head will prevent you from taking actions that can lead to further damage, like deleting files or accounts or resetting your phone. Remember that it’s best to keep calm and push on through. 

2. Change your passwords

You should change all your passwords, whether the attacker managed to get away with your credentials or not. And to further increase your security, after you change your passwords, activate 2FA. And, as mentioned above, make sure you report and block the number.

3. Contact the official organization

Suppose the attacker posed as your financial organization, employer, government agent, or other official organization. In that case, you should contact them and let them know that someone is impersonating them illegally. If you have given away credentials, you should also let the affected organization know. If the attacker managed to get your credit or debit card numbers, cancel the cards and get new ones.

4. Download and scan your phone with trustworthy antimalware

If you don’t have antimalware installed on your mobile device, now would be the best time to get one. Antimalware can help you find and remove any malware that an attack may have left on your smartphone. Always use trusted, professional, and high-rated security apps.

5. Check for suspicious activity

You should remain vigilant for a few weeks after the attack, looking for any suspicious or out-of-the-ordinary events. This includes monitoring your bank balance, financial activity, emails (sent and received), call logs, smartphone performance, etc.

Mobile cyber attacks like smishing will continue to multiply as smartphones play an increasingly significant role in our daily lives. Hackers will always find new ways to convince you to engage with them over SMS, so stay informed and take the best steps toward a safer digital life. And to find out more about various types of phishing attacks, check out our article on whaling, the phishing that targets high-ranking individuals.

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.