Smishing Defined & Explained: How To Identify Scam Texts

December 1, 2023

10

 Minute Read

In this article:

    Shield Icon

    Identity theft and fraud protection for your finances, personal info, and devices.

    Get Identity Guard

    What is Smishing?

    Smishing is a form of phishing that uses short message service (SMS) or text messages. Through text messages, scammers try to steal your personally identifiable information (PII) and your money.

    With texting now the most common communication method, surpassing voice and email [*], SMS phishing has become exceptionally popular — and dangerous. 

    Scammers resort to texts because they're inexpensive, faster, and easier than making phone calls.

    And, these smishing attacks work because scammers can send real-time communications and hide their identities with relative ease.

    Smishing vs. Phishing

    Phishing likely dates back to the mid '90s, when hackers impersonated AOL administrators and targeted users via phishing emails [*].

    Such attacks use various methods to extract sensitive information from victims, including malicious links, fake websites, and social engineering schemes.

    Phishing mediums have evolved as well, with scams now conducted via phone calls, social media messaging apps, and text messages. 

    If you fall for a phishing scam, the following information could be at risk:

    • Login credentials for your online accounts 
    • Financial information, including credit card numbers and bank account numbers 
    • Address details
    • Social Security number (SSN)
    • Date of birth
    • Mobile phone numbers
    • Security codes and one-time passwords sent to your mobile device

    While many attacks share the same characteristics and patterns, there are notable differences between smishing and phishing.

    Signs of smishing: Signs of phishing:
    Scammers use text messages for their scams. Scammers use emails for their scams — spoofing email addresses of familiar organizations and people.
    They may spoof familiar phone numbers and area codes. Email addresses resemble official addresses with only small differences.
    Phone numbers may feature strange area codes or prefixes. Emails allow for longer and more elaborate scams.
    Character limits make messages concise and seemingly urgent. Emails include attachments and/or links.
    Texts include malicious links. Scam emails often include mangled grammar or odd design elements.

    How Does Smishing Work?

    • You receive a smishing message that appears urgent — and without preamble.
    • It comes from a reputable source — like the Internal Revenue Services (IRS), Amazon, or FedEx. 
    • The message asserts that there’s an issue in need of your immediate attention, such as an order misdelivery or suspicious account activity.
    • You are urged to click on a link or call a number to rectify the said problem.
    • The link shepherds you to a scam site designed to extract your PII.
    • In some advanced variations of smishing, you might accidentally download malware onto your smartphone, allowing scammers to steal your personal data without your knowledge.

    80.5% of consumers check their notifications within five minutes of receiving a text message [*].

    Such quick responses, combined with scammers ransacking public databases for phone numbers, make smishing attacks all the more likely to succeed.

    What Does Smishing Look Like? 10 Real-Life Examples

    The more you know about the various forms of phishing and smishing, the easier it is for you to give them a wide berth. Here are 10 real-life examples of smishing scams that you would do well to avoid. 

    1. Fake package delivery alerts

    In package delivery scams, thieves send unsolicited text messages that flag supposed order delivery problems.

    For example, you might get a text from the United States Postal Service (USPS) or FedEx that appears legitimate but conceals fake tracking links or bogus delivery numbers.

    Here’s how it plays out:

    • You click on a link in the spam text that initiates a ransomware download.
    • Or, the link that takes you to a fake website then steals any information you enter.
    • You dial the provided number, and an operator who is in on the scam answers and attempts to get your personal information over the phone.

    2. "Wrong number" text message scams

    The wrong number scam plays on human kindness. When we receive a text from an unfamiliar number, many of us respond to correct the error.

    This opens the door to conversation — an overture that allows scammers to further their schemes.

    Text message chat where the scammer pretends they’re texting a wrong number, only to extend conversation
    Example of a “wrong number” scam. Source: NBC 6

    Here’s how it plays out:

    • If you respond to the text, the scammer thanks you for your time and tries to prolong the conversation. 
    • The scammer attempts to build trust and cultivate a friendly or romantic relationship. 
    • They then solicit money or tout an investment opportunity, which could escalate to extreme losses — as in the recent South Florida crypto scam that cost victims an average of $50,000 [*]. 

    ⛳️ Related: What Happens If You Answer a Spam Call

    3. IRS text scams

    One of the most common types of phishing — especially during tax season — impersonates the IRS.

    Even though the IRS doesn't send account updates via text [*], most people feel obligated to respond just in case.

    Here’s how it plays out:

    • You receive a text message, allegedly from the IRS, claiming there's an issue with your tax account or refund.
    • The message contains a link that takes you to a fake IRS account page or to an information form.
    • You're asked for your personal information, tax information, or financial information, such as your financial institution and account numbers.

    ⛳️ Related: Someone Stole My Tax Refund Check! What Should I Do?

    4. Account verification scams

    In this scam, fraudsters purport to be from a well-known company in an attempt to pry personal information from you.

    They choose large and popular companies because there's a good chance that you trust and deal with these organizations regularly.

    Here’s how it plays out:

    • You receive a text asking to verify your account information or suspicious account activity.
    • You may see outdated contact information or none at all, but there's a link for you to follow.
    • The link ushers you to a fake login page where the information you provide is then stolen.

    ⛳️ Related: Executive Phishing: What Is It? How Does It Happen?

    5. Phony security alerts (Banks, credit cards, etc.)

    Many bank account and credit card scams now mimic the security alerts that banks send to customers.

    These scammers trick victims into thinking that they're stopping fraud, when, in fact, they're allowing it.

    A Pennsylvania man fell for this scam when he thought he was helping his bank shut down a fraudulent transaction, but unwittingly gave fraudsters access to his account and thousands of dollars [*].

    Here’s how it plays out:

    • You receive a security alert via text that appears to come from your bank.  
    • You're asked to log in to your account or send a message back if you don’t recognize the made-up activity. 
    • You may be directed to a login page — where your personal, bank account, and credit card information could be stolen.
    • If you respond to the text, you may receive a call from the scammers so that they can extract the information they need to muscle into your account.

    ⛳️ Related: What To Do If a Scammer Has Your Phone Number

    6. Prize or lottery scams

    Also known as a sweepstakes scam, lottery scams notify you that you have won a prize of some sort, such as money, an iPad, or a vacation.

    As you might expect, there is no prize — only a determined thief ready to steal from you. 

    Here’s how it plays out:

    • You receive a text alerting you to a prize win — which is fake.
    • You’re either required to log in or pay a fee to redeem the fake prize.
    • Some versions of the scam request money in return for increased prize-winning odds. 
    • In other versions of the scam, like the Lottery Winner Donation Scam in Arizona, scammers impersonate an actual lottery winner and ask for personal or financial information so they can donate their winnings to you [*]. 

    7. Bogus order confirmation/order verification messages

    Order verification scams come from scammers posing as e-commerce giants, such as Walmart and Amazon. 

    This way, they have better odds of reaching actual customers. Scammers hope to con people who aren't paying attention, recently placed an order, or those willing to dispute fraudulent orders. 

    Here’s how it plays out:

    • You get a text message about a fake order from your account.
    • You're then urged to click on a link to log in and investigate the order.
    • You may be escorted to a fake login page ready to steal your information.
    • If you call to dispute the order, you're asked to provide your information over the phone.

    8. Job offer scams

    In employment-related smishing attempts, fraudsters extend fake jobs to trick people into clicking on malicious links.

    They dangle the promise of easy work, attractive positions, and high pay. In Springfield, Illinois, scammers impersonating city officials promised lucrative job opportunities in order to entice clicks [*].

    Here’s how it plays out:

    • You receive an unsolicited job offer via a text message.
    • You're asked to click on a link and provide your personal information.
    • You may go through a fake interview process and even receive a formal offer. 
    • You're then asked for detailed information, including your SSN and direct deposit information.
    • In some variations of this scam, you're sent a counterfeit check and instructed to return a portion of the funds via wire transfers or gift cards. Subsequently, the check will be discovered as fraudulent and bounce.

    ⛳️ Related: What Information Do Cyber Criminals Steal?

    9. Emergency texts scams

    In a real emergency, your family or a hospital might contact you to let you know what has happened.

    Unscrupulous scammers take advantage of our heightened emotions in these situations in order to defraud us. 

    Here’s how it plays out:

    • This social engineering scheme involves criminals posing as the police, hospital administrators, or a family member.
    • They grab your attention with a make-believe emergency and implore your help. 
    • The so-called emergency is merely a pretext for their inability to talk on the phone — and to request money from you.

    Did you know? Identity Guard provides complete family identity theft protection for everyone in your household →

    10. Scam survey texts

    Scam surveys attract victims by promising a gift in return for feedback. To generate interest, fraudsters make it look like the survey comes from a reputable organization.

    In North Dakota, residents of a county received a bogus survey, which sought their opinions but rather blatantly also asked for personal information [*].

    Text message scam asking for responses for a Burleigh County survey
    Source: KX News

    Here’s how it plays out:

    • You receive a text from a recognizable source asking you to complete a survey by clicking on a link.
    • The survey touches on an important issue or offers a financial incentive.
    • You're asked to provide your information to submit your survey and/or claim your prize.

    ⛳️ Related: Census Scams: How To Identify the 8 Latest Frauds

    Spotting Text Message Scams

    Recognizing a smishing text early gives you the time to take preemptive action and deter imposters before they can do any significant damage. Identify smishing scams with these six warning signs:

    • Texts claiming to be from a legitimate source. Fraudsters pose as trustworthy sources, such as banks and the IRS. Well-known organizations, however, don't send unsolicited SMS messages. They also do not issue threats of arrest or account closure via text message.
    • Suspicious URLs or unreasonable demands. Many scammers use a sense of urgency to rush people into making errors, such as clicking on unusual links and sharing PII. Hover over the link, or use a link scanner to verify where it takes you.
    • Texts that elicit emotional responses. Smishing frequently employs social engineering attacks that target people's emotions. Scammers use public issues, disasters, and fabricated health emergencies to manipulate your empathy.
    • Spoofed or masked caller IDs. While calls from blocked, hidden, or foreign numbers usually point to a scam, familiar numbers may not be safe either. Scammers can spoof their area code or entire phone number to make it appear local or from your contacts.
    • Unexpected prize or gift offers. Thieves can use gift cards, low-interest credit cards, or tax rebates as bait — asking you to provide your information to claim your prize. 
    • Texts with unusual greetings. Since smishing texts go out to such large numbers of people, they often lack personalization. These attacks typically start with generic salutations, such as “Hi Sirs,” “Hello family,” or "Dear customer."

    Did You Receive a Suspicious Text? Here’s What To Do:

    According to the Federal Trade Commission (FTC), text scams doubled between 2021 and 2022 [*]. Here are 12 steps to safeguard your personal information and stop thieves from taking advantage of you through smishing scams:

    • Enable multi-factor authentication (MFA). Set up MFA on every eligible account to create an extra security step in the login process. Even if scammers somehow get your login information, MFA ensures that they still need physical access to your device to then access your accounts.  
    • Don’t respond to texts from unknown senders and numbers. Government agencies only contact you for valid reasons, and they always provide their contact information. They also tend to get in touch in multiple ways. Contact the organization by another means before proceeding.
    • Always double-check international area codes. Smishing schemes often involve call centers, hotlines, and unsecured numbers based in countries with less stringent compliance laws. If you don't recognize the area code, don't respond.
    • Refrain from clicking on any links. Fraudsters place misleading URLs in their text messages to take you to fake pages and forms. While you're best to avoid all links, you can hover over suspicious links to see the actual destination. You can also use Google's site checker to see if a website is safe. 
    • Resist the urge to reply “STOP.” When you reply to unsolicited text messages, you confirm to scammers that your number is valid and operational. Engaging in any way encourages them to pepper you with other types of identity fraud schemes.. 
    • Report spam texts to your carrier and the FTC. Bring any fraud attempts to your phone carrier and the FTC at: reportfraud.ftc.gov. You can also call the FTC helpline at: 1-877-382-4357.
    • Report compromised PII. If you fall victim to a scam, take immediate action by filing a police report and freezing your accounts with all three major credit bureaus — Experian, TransUnion, and Equifax. You might not always recover what's lost, but you can prevent further identity fraud.
    • Actively block or filter spam messages. On an iPhone, go into Settings, Messages, and Message Filtering to Filter Unknown Senders. On Android devices, go to Settings in Google Messages and ensure Spam Protection is enabled.
    • Fight back with antivirus software. A reliable digital security provider can defend your devices and operating systems from malware and cybercriminals. While smishing starts with a text message, it can lead to other scams and viruses. Run a full scan of your device to detect, isolate, and remove any malicious files.
    • Update your phone’s software regularly. On Android phones, you can do this through the Software Update page in your Settings. On iPhones, navigate to Settings, General, and then Software Update. Enable Auto-Updates if possible. 
    • Back up your phone and computer data. A secure backup of your sensitive data and files can help you recover from a cyberattack. You can back up your Android device in several ways, including by using the Google One app, clicking on Backup, and then Back up now.

      On an iPhone, create a cloud backup by clicking on Settings, your profile, and then iCloud. You can also create a backup by connecting your iPhone to a Mac, selecting the device, and clicking on Back Up Now. 

    Don’t Let Smishing Scams Get the Best of You

    While most types of smishing attacks may seem easy to spot and avoid, it’s nearly impossible to keep your information from being leaked. If you’re being smished, it’s because your phone number is freely available.

    T-Mobile’s most recent data breach, in April 2023, gave scammers unfettered access to customer contact information, government IDs, and even SSNs [*].

    For better protection from smishing scams and other cyber threats, consider Identity Guard's identity theft protection solution. Receive real-time credit and debit card monitoring, Safe Browsing tools, a password manager, and White Glove Fraud Resolution support.

    Sign up for Identity Guard and save 33% on your membership today

    Related Articles

    A pair of hands interacting with a phone turned away from the viewer, beside a partially visible laptop and red coffee mug

    The Risks of Mobile Banking Apps: Keep Your Money Safe

    Mobile banking apps are convenient and easy to use. But are they secure? Not always. Here's how to protect your bank account from scammers and hackers.

    Read More

    December 7, 2023

    The Risks of Mobile Banking Apps: Keep Your Money Safe
    A long row of amber barricade flashing lights on a street where the lights away from the viewer is blurred

    21 Warning Signs of Identity Theft: How To Avoid Fraud

    How can you tell if someone is trying to steal your identity? Learn the warning signs of identity theft and how you can keep your identity safe and secure.

    Read More

    February 14, 2024

    21 Warning Signs of Identity Theft: How To Avoid Fraud

    Get Started with Identity Guard

    Get started with Identity Guard today, risk-free.

    Get Protected Today
    1. Financial identity theft and fraud
    2. Medical identity theft
    3. Child identity theft
    4. Elder fraud and estate identity theft
    5. “Friendly” or familial identity theft
    6. Employment identity theft
    7. Criminal identity theft
    8. Tax identity theft
    9. Unemployment and government benefits identity theft
    10. Synthetic identity theft
    11. Identity cloning
    12. Account takeovers (social media, email, etc.)
    13. Social Security number identity theft
    14. Biometric ID theft
    15. Crypto account takeovers