What is Smishing? How to Protect Yourself from the Latest Texting Scams
Summary: You’ve probably heard of email phishing, but there’s a new type of security risk in town. Meet smishing, short for SMS phishing. These arrive as a text message on your phone, and they’re not showing any signs of slowing down. Here’s what to look out for and how to protect yourself.
Email phishing is a well-documented (although annoying!) occurrence in many people’s inboxes. It’s a type of scam that usually involves a cybercriminal asking for money, personal information, or some other type of valuable, such as gift cards or tech devices.
There are four main types of email phishing but that’s not the only online security risk. There’s a new one in town: meet smashing.
What is Smishing?
Smishing gets its name from combining phishing (a cybercriminal sending a fraudulent message) and SMS (which stands for short message services, but you probably know it as texting). The sender’s goal is the same: to trick you into giving them confidential information. Smishing just happens to use text messages instead of email.

Smishing vs. Phishing vs. Vishing: Key Differences
Phishing, smishing, and vishing all use social engineering to steal information—the channel is what changes.
- Smishing: Delivered via text message (SMS). Uses short links, urgent tone, and familiar brand names to prompt quick action.
- Phishing: Delivered via email. Often includes spoofed domains and links to fake login pages.
- Vishing: Delivered via voice calls. Attackers may use caller ID spoofing or deepfake voices to sound legitimate.
Why Smishing Is So Effective
Attackers use SMS because:
- Texts get opened more: SMS often sees far higher open rates than email, so scams spread fast.
- People trust text threads: A message that looks like it’s from your bank, delivery service, or toll authority can feel “official.”
- Urgency works: “Your account will be locked” or “Final delivery attempt” pushes instant clicks.
- It scales easily: Attackers can blast thousands of messages at low cost.
- Generative AI raises the bar: AI helps attackers personalize messages (names, locations, recent purchases) and reduce grammar mistakes.
How to Spot a Smishing Attempt
Often, the signs of a smishing attempt are similar to the ones you may have seen in your inbox. The sender is just hoping that you’ll have your guard down and click on a link. Here are some of the most common attempts to be wary of:
- A message from a financial institution asking you to update your account information or confirm your ATM code
- A message asking you to update your login information or make a payment with a link
- A message claiming that you won a giveaway or are eligible for a free product by clicking a link
- A text from a suspicious or odd-looking phone number. Think: not the typical 10-digit layout or the same number repeated over and over
- A text with a link, or a link that takes you to an unsafe site (such as no “https” in the URL)
- Any urgent requests — if you’re concerned it’s real, either call the company that supposedly sent it or log in to your account via their app or website, not through the link in the message
- Requests for money
These are just a few examples, but just like phishing has evolved over the years, we know smishing will, too.
Real-World Smishing Examples
Smishing campaigns commonly impersonate brands you know. Recent patterns include:
- Fake package notices: “USPS/FedEx: Your package couldn’t be delivered. Update your address.”
- Unpaid toll texts: “Final notice: Unpaid toll. Pay now to avoid penalties.” The FBI has warned about widespread versions of this scam.
- Bank alerts: “Suspicious login detected. Verify now.” Links route to spoofed banking pages that capture credentials.
- Account verification: “Your account will be closed in 24 hours. Confirm info here.” Attackers rely on fear to drive fast clicks.
How to Protect Yourself from Smishing
Follow these steps to reduce your risk:
- Don’t click links in unexpected texts: Navigate to the company’s official site or app instead.
- Never share sensitive info by text: That includes passwords, Social Security numbers, or card details.
- Verify independently: Contact your bank, carrier, or retailer using a known number or their app—never the link in a message.
- Block and report: Use your phone’s “Report Junk” and block features. Then delete the message.
- Turn on MFA: Enable multi-factor authentication on your important accounts to limit damage if a password leaks.
- Use reputable security tools: Mobile security can help flag malicious links and protect your data. Stay informed: Take a minute to skim official security pages from your bank, carrier, and delivery providers so you know their real communication practices.
Plus, get a cybersecurity package for your phone. It’ll monitor the dark web for any personal information, and keep you covered with a million-dollar protection package, secure VPN, and more.
How Attackers Use Generative AI
Generative AI makes smishing more convincing and scalable:
- Polished language: Fewer grammatical errors and more natural phrasing.
- Personalization at scale: Tailored messages using scraped data (location, purchases, job titles).
- Rapid variations: Attackers can quickly spin up thousands of unique texts that evade basic filters.
What to Do if You Experience a Smishing Attack
You can be incredibly careful and still fall for a smishing attack. It happens! If you’re concerned that your information has been involved in a data breach, here’s what to do:
- Change your password to the compromised account. And if you use the same password for any other accounts, change it there, too.
- Contact the organization. If you clicked on a link claiming it was from your bank, you can reach out and warn them that this is happening
- Watch out for warning signs of identity theft. In other words, keep an eye on your credit score, bank, and credit card statements. Report any suspicious activity.
- If you believe your identity has been stolen, report it to the FTC.
It’s important to remember that while there are cybercriminals out there, you can take steps to stay safer. It’s unlikely that you’ll get a virus or compromise information just from opening a text message. If you need to see more context than the preview window, just avoid clicking on any links. Be wary of any odd-looking or unexpected messages — whether it’s email phishing or smishing, you want to avoid it.
We’ve got the perfect cyber security package to pair with all your devices. Get EarthLink Protect+ powered by Norton and install it on everything from your phone to your laptop to your tablet. Oh, and psst: it pairs great with fiber internet and secure wireless 5g internet plans.
Key Takeaways: Stay Safe from Smishing
- Smishing uses fake text messages to steal personal information—and it’s growing fast across the U.S.
- Attackers often impersonate trusted sources (banks, retailers, delivery services) to trick you into sharing data.
- Watch for red flags: urgent language, shortened or suspicious links, and unknown or odd-looking numbers.
- Protect yourself: don’t click links from texts, verify messages directly in the official app or website, and use mobile security tools (VPN, dark web monitoring, and identity protection).
- Report smishing to help others: forward spam texts to 7726 (SPAM), alert the company being spoofed, and file complaints with the FTC.
- Stay alert. Tactics keep evolving, so regular vigilance is your best defense against SMS phishing.
