Smishing: SMS Phishing That Looks Like Your Bank
Your phone buzzes. A text message from what appears to be Bank of America reads: "ALERT: Unusual sign-in detected on your account. If this wasn't you, verify immediately: boa-secure-verify.com." You tap the link instinctively. The page looks exactly like Bank of America's login. You enter your credentials. Within seconds, an attacker on the other side of the world has your username, password, and is logging into your real account.
This is smishing — SMS phishing. It has become the fastest-growing form of social engineering, with the Anti-Phishing Working Group reporting a 328% increase in smishing attacks between 2023 and 2025. The reason is simple: people trust text messages more than email and act on them faster.
Why Smishing Is Exploding
SMS open rates dwarf email. Text messages have a 98% open rate compared to roughly 20% for email. Over 90% of texts are read within three minutes. Smishing reaches more eyeballs, faster, than any email campaign.
Mobile screens hide red flags. On a phone, you cannot hover over links to preview destinations. URLs are often truncated. Email addresses are hidden behind display names. The small screen makes careful inspection difficult, and people rarely try.
SMS lacks robust filtering. Email providers have decades of anti-phishing technology. SMS filtering is primitive by comparison. Most smishing texts arrive directly in your inbox without any warning or filtering.
Shortened and custom URLs are normalized. Brands routinely use bit.ly links, branded short URLs, and tracking redirects in legitimate texts. This means a shortened malicious URL does not look out of place.
Received a suspicious message?
Paste the message here for instant analysis.
Free · No signup required · Cmd+Enter to scan
Common Smishing Templates
The bank fraud alert.
"Chase Fraud Alert: Did you authorize a $487.32 purchase at Best Buy on 4/18? Reply YES or NO, or call 1-888-555-0198."
When you reply NO, you receive a call from a "fraud specialist" who walks you through "securing your account" — by collecting your login credentials, card number, and PIN.
The delivery notification.
"USPS: Your package has a delivery issue. Update your address to receive your package: usps-deliver-update.com/track"
Delivery smishing exploits the ubiquity of online shopping. Everyone is expecting a package. The link leads to a phishing page that harvests personal information under the guise of "redelivery."
The toll or fee scam.
"You have an unpaid toll balance of $4.35. Pay now to avoid a $50 late fee: tolls-payment-portal.com"
This campaign has been massive in 2026, targeting drivers in states with electronic toll systems. The low dollar amount makes it seem trivial — people pay without thinking. The payment page captures card details.
The account verification.
"Your Apple ID was used to sign in on a new device. If this wasn't you, verify your account: apple-id-verify-account.com"
Fear of unauthorized access drives immediate action. The phishing page is a near-perfect Apple login clone.
How to Identify Smishing
Check the sender. Legitimate banks text from short codes (5-6 digit numbers) or their verified business numbers, not random 10-digit phone numbers or email addresses.
Inspect the URL. Before tapping any link, long-press it to preview the destination. The domain should match the company's official domain exactly. "chase.com" is legitimate; "chase-verify-secure.com" is not.
Watch for urgency and threats. "Immediate action required," "your account will be suspended," and "pay now to avoid penalties" are standard smishing pressure tactics. Real banks give you time and multiple channels to respond.
Be wary of unsolicited texts. If you did not initiate a transaction, request a delivery, or expect a message, treat it with suspicion regardless of how legitimate it looks.
Never reply to suspicious texts. Replying — even with "STOP" — confirms your number is active and monitored, leading to more smishing attempts.
What to Do When You Receive a Suspicious Text
Do not tap the link. If the message claims to be from your bank, open your bank's app or type their URL directly into your browser.
Forward the text to 7726 (SPAM). This reporting number is supported by all major US carriers and helps them block smishing campaigns.
Report to the FTC. File a report at reportfraud.ftc.gov.
Analyze the message. Copy the text and paste it into IsThisAScam for instant analysis. The tool checks URLs against known phishing databases and identifies social engineering patterns in the message text.
Block the sender. Use your phone's built-in blocking features to prevent further messages from the same number (though attackers rotate numbers frequently).
Smishing succeeds because it combines trusted delivery (your phone), emotional triggers (fraud alerts, missed deliveries), and a platform with minimal security infrastructure. The defense is the same as all social engineering: pause, verify independently, and never act on urgency alone.
Received something suspicious? Check it now for free →