What Is Smishing?

Smishing (or SMS phishing) is a form of phishing where attackers use text messages to deceive individuals into sharing sensitive information, sending money or downloading malicious software.

Written by Zak Edwards
Updated by Brennan Whitfield | Aug 25, 2025
Summary: Smishing is a type of phishing attack where scammers use text messages to trick victims into sharing sensitive information, sending money or downloading malware. Common smishing tactics include fake prizes, financial alerts and impersonation of government agencies or tech support.

Smishing — short for “SMS phishing” — is a type of phishing attack delivered via text message. These messages aim to trick recipients into installing malicious software, sending money or revealing sensitive information such as login credentials or financial details.

While similar to email phishing, smishing occurs over SMS or messaging apps like WhatsApp, iMessage and Facebook Messenger.

What Is Smishing and How Does It Work?

Smishing is a type of phishing attack in which scammers send fraudulent text messages (SMS) to trick individuals into revealing sensitive information, downloading malware or sending money, often by impersonating trusted institutions like banks or government agencies.

Types of Smishing Attacks

Like email phishing, smishing attacks come in many forms. They can be classified in two main ways: by the attacker’s intended outcome and by the message’s style.

These are common smishing strategies, but the examples below are not exhaustive.

Intended Action of the Smishing Attack

The intended action of the attack can fall into three subcategories: revealing sensitive information, downloading malware and sending the attacker money.

1. Revealing Sensitive Information

In this style of attack, the attacker attempts to trick their target into revealing sensitive information, such as login credentials, bank account information, social security numbers, etc.

2. Downloading Malware

In this instance, the attacker tries to talk their target into downloading seemingly legitimate software that’s actually malware, usually in the form of a mobile application.

3. Sending the Attacker Money

This is when the attacker aims to manipulate their target into sending money to an account the criminal can access.

Style of Smishing Message

There’s a variety of ways a criminal can word an SMS message to take advantage of someone.

1. Fake Prize or Gift Messages

These are messages claiming you won a prize and need to perform an action, like clicking a link, in order to get it.

2. Financial Messages

This is when a criminal sends messages pretending to be from a financial institution, such as a bank or the IRS, in an attempt to deceive the target into giving up financial information.

3. Tech Support Messages

These are messages where the attacker pretends to be a tech support engineer to get their target to divulge login credentials or install malware disguised as security software. This can also include messages claiming you’re going to be locked out of an account or have your subscription service canceled.

4. Invoice or Delivery Messages

Criminals send fake messages about recent purchases, bills or deliveries, often including a malicious link meant to steal personal information or install malware.

5. Fake Charity Messages

In this case, the attacker claims to be from a charity or participating in some form of donation drive and attempts to trick the target into sending money to a fake cause.

6. Government Agency Messages

This is when the attacker pretends to be from a government agency, such as the IRS or FBI, and threatens some form of punitive action against the victim unless they do what the attacker says.

 

Smishing Examples

2020 Tokyo Olympics Smishing

In 2020 there was a smishing campaign targeting fans of the Olympics that pretended to offer free or discounted tickets to the 2020 Tokyo Olympics if the users clicked on a link. This link would then either attempt to download malware or ask the user to input personal details, such as bank account information.

Annual IRS Dirty Dozen List

Every year, the IRS posts what it calls its Dirty Dozen list, a list of common scams the IRS has seen used against taxpayers.

The list includes smishing scams in which attackers pose as tax professionals offering filing assistance or claiming to help victims receive large refunds, as well as attempting to scare the victim by claiming they’re at risk of being audited. 

These smishing attempts often involve either the victim divulging sensitive financial information or paying large sums of money.

How to Protect Against a Smishing Attack

The primary way to prevent falling for a smishing attack is to be cautious and avoid clicking links that either look suspicious or are from individuals you don’t know.

1. Verify the Sender

If you receive a message from a sender that claims to be an organization or friend/family member but looks suspicious, verify them. Most organizations include a help line you can call to gain confirmation of contact attempts. 

Do not ask the sender to provide you with this number. Instead, look on the organization’s website yourself. If the sender claims to be a friend or family member, message them via alternative means and ask for confirmation.

2. Don’t Click on Suspicious Links

Attackers may disguise malicious links using URL shorteners or spoofed domains that closely resemble legitimate websites.

If you receive a message that just consists of a link or the message contains a link that looks odd, do not click on it. 

3. Guard Your Personal Information

Legitimate organizations and institutions will not request your sensitive or personal information via text message.

Never share sensitive details such as your Social Security number, account credentials or security codes in response to a text, even if it appears to come from a trusted source.

If you receive a message asking you to reply with details such as your credit card number or banking information, do not hand that information over. In addition, until you have verified the recipient’s identity, do not send personal information of any type.

4. Update Your Mobile Phone

Keep software, including your mobile operating system, up to date to help defend against the latest known threats.

5. Stay Educated

Keep informed about common smishing tactics and threats, and share this information with friends and family to help keep them safe as well.
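
The link disguises described in step 2 (URL shorteners and spoofed domains that resemble legitimate sites) can be checked mechanically. The following is an added example, not part of the original article: a small Python triage heuristic for message filtering or awareness training. The shortener list, the trusted-domain list (including the hypothetical `examplebank.com`), the function names and the sample texts are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for illustration; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
TRUSTED = {"irs.gov", "usps.com", "examplebank.com"}  # examplebank.com is hypothetical
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return the list of reasons a URL looks suspicious (empty if none)."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable(host)
    if dom in TRUSTED:
        return []
    reasons = []
    if dom in SHORTENERS:
        reasons.append("shortener")          # real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode")           # possible homoglyph domain
    tokens = re.split(r"[.-]", host)
    for good in sorted(TRUSTED):
        if 0 < edit_distance(dom, good) <= 2:
            reasons.append(f"lookalike:{good}")
        elif good.split(".")[0] in tokens:   # brand name used outside its real domain
            reasons.append(f"brand-in-host:{good}")
    return reasons

def triage(message):
    """Map every URL found in an SMS body to its list of reasons."""
    return {u: check_url(u) for u in URL_RE.findall(message)}

# Constructed sample messages, one per tactic named in the article.
SAMPLES = [
    "USPS: your package is on hold. Confirm address: https://usps.com-track.info/pkg",
    "You won a $500 gift card! Claim: https://bit.ly/3xYzAbC",
    "ExampleBank alert: unusual sign-in. Verify at https://examp1ebank.com/login",
    "Check your refund status at https://www.irs.gov/refunds",
]
```

An empty reason list only means none of these heuristics fired; it does not confirm that a link is safe, so the sender verification in step 1 still applies.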

Frequently Asked Questions

Smishing (short for SMS phishing) is a type of phishing attack that uses text messages to trick individuals into sharing sensitive information, sending money or downloading malicious software.

Smishing attacks typically aim to steal sensitive information, install malware or get the victim to send money. These attacks may appear as:

  • Fake prize offers
  • Financial alerts
  • Tech support messages
  • Package or product delivery notices
  • Charity requests
  • Messages from fake government agencies

Yes. While smishing traditionally involves SMS, similar tactics can also be used on platforms like WhatsApp, iMessage and Facebook Messenger.
