What is Smishing?
Smishing is phishing by text message. The word combines “SMS” and “phishing.”
The goal is the same as email phishing: get you to tap a link, hand over information, or send money.
Attackers usually pose as:
| What the attacker poses as | What they want from you |
|---|---|
| Your bank or credit card company | A login, a code, or a payment “reversal” |
| A courier (FedEx, UPS, USPS) | A small “redelivery fee” or an address update |
| A toll service (E-ZPass, FasTrak) | Card details to settle a fake unpaid toll |
| Your boss, HR, or a coworker | Gift cards, payroll changes, or a quick transfer |
| A government agency (IRS, CRA, DMV) | Personal data tied to a fake refund or fine |
| A “wrong number” stranger | An opening line to a longer scam later |
Smishing doesn’t just happen on plain SMS anymore. The same scams now run across:
- iMessage
- RCS (the upgraded text format that runs on most modern phones)
- Facebook Messenger
- Signal and Telegram
Some attackers blend channels. They open with a text, then ask you to switch to an “encrypted” app to keep the conversation going. The FBI flagged that tactic in a December 2025 warning about scammers impersonating senior US officials.
Why Does Smishing Work So Well Right Now?
Three things make smishing work so well:
1. Texts feel personal: Your phone is in your pocket. The people who message you there are usually friends, family, or services you actually use. The Federal Trade Commission (FTC) cites studies finding text open rates as high as 98%, well above email.
2. They skip email security: Corporate spam filters don’t sit between your phone and an incoming text. The message lands like any other.
3. People tap before they think: Small screens hide the full URL, urgent wording rushes the decision, and click-through rates on smishing run several times higher than email phishing.
That gap shows up in breach data. The Verizon 2025 DBIR found phishing was the starting point for 16% of breaches, and 60% involved a human action.
AI has added a fourth layer. Generative tools now write cleaner, more convincing messages in any language, at any hour, in any volume. Three in four UK adults told Barclays in late 2025 that AI has made online scams harder to spot.
What Are The Most Common Smishing Texts?
The FTC tracks the patterns reported most. Five show up over and over.
1. Fake package delivery
You “missed a delivery,” or there’s an “issue” with a shipment. The text drops a link to pay a small fee or update your address.
“USPS: Your package can’t be delivered due to an incomplete address. Update your details here: usps-tracking-update[.]com”
This is the most-reported category in FTC data. It spikes around the holidays.
2. Fake toll fees
You owe a few dollars in unpaid tolls. Pay now or get hit with a fine.
“FasTrak: We’ve noticed an outstanding toll of $12.51 on your account. To avoid a $50 late fee, visit fastrak-payments[.]com”
The FBI’s IC3 received more than 60,000 complaints about toll text scams in 2024. Palo Alto Networks tracked the campaign across more than 10,000 lookalike domains covering ten US states and Ontario.
3. Fake bank fraud alert
A text claims someone is using your card. It tells you to confirm the charge or call a number.
“Chase Fraud Alert: Did you authorize $738 at Best Buy? Reply Y to confirm, N to dispute.”
Call the number and a fake “fraud agent” walks you through draining your account.
4. Fake job or task scam
A “recruiter” offers remote work. The first tasks are small. Then the message asks you to “invest” to access bigger earnings.
“Hi, we saw your profile. Remote position, $300/day. Reply START.”
Task scams hook people slowly before the money request. The FTC lists them among the top text scam categories.
5. “Wrong number” or boss-favour text
A chatty “Hi, is this Mike?” or a message from “the CEO” needing gift cards.
“Hey, are you available? I need a quick favour before my meeting. Don’t call, I’m in a session.”
The FBI warned in December 2025 that scammers now impersonate senior US officials this way. The same tactic works on employees who don’t want to bother their boss.

What Are The Red Flags in a Smishing Text?
The wording shifts with every campaign, but the same six tells show up across almost every smishing text.
| Red flag | What it tells you |
|---|---|
| Urgent deadline or threat | The text wants you to act before checking. “Reply within 24 hours” or “account will be suspended.” |
| Strange or shortened URL | The link goes somewhere other than the brand’s official site. Look for misspellings (rnicrosoft, amaz0n), odd endings (.shop, .top, .info), or shortened bit.ly-style links. |
| Request for personal info | A legitimate service won’t ask for your SSN, full card number, or password by text. |
| Unknown sender or 10-digit number | A bank doesn’t text you from a random mobile number. They use short codes (5 or 6 digits). |
| Vague openers | “Hi, is this you?” or “Are you still available?” Scammers fish for replies to confirm the number is live. |
| Gift card, crypto, or wire transfer ask | Almost always a scam, whoever appears to be asking. |
If you spot two or more in the same text, treat it as smishing and use the steps below.
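The "two or more" rule can be expressed as a small scoring function over the six red flags. This is an added example, not code from the original page: the keyword lists, shortener and TLD sets, brand allowlist, sender numbers and the last sample message are all assumptions made for illustration.

```python
import re

# Heuristics for the six red flags. Keyword lists, the shortener and TLD sets,
# and the brand allowlist are illustrative assumptions, not a complete rule set.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
ODD_TLDS = {"shop", "top", "info"}
OFFICIAL = {"usps": "usps.com", "chase": "chase.com"}
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
PATTERNS = {
    "urgency": r"within \d+ hours|suspended|immediately|final notice|late fee",
    "personal_info": r"\b(?:ssn|social security|password|card number)\b",
    "vague_opener": r"^(?:hi|hey)\b.*?(?:is this|are you (?:still )?available)",
    "payment_ask": r"gift cards?|crypto|bitcoin|wire transfer",
}

def suspicious_link(text):
    """Shortener, odd TLD, or a host that is not the named brand's own site."""
    for host in HOST_RE.findall(text):
        if host in SHORTENERS or host.rsplit(".", 1)[1] in ODD_TLDS:
            return True
        for brand, site in OFFICIAL.items():
            if brand in text and host != site and not host.endswith("." + site):
                return True
    return False

def red_flags(sender, text):
    """Return the sorted names of the red flags found in one message."""
    low = text.lower().replace("[.]", ".")  # undo defanging before matching
    found = {name for name, rx in PATTERNS.items() if re.search(rx, low)}
    if suspicious_link(low):
        found.add("strange_url")
    if len(re.sub(r"\D", "", sender)) >= 10:  # full phone number, not a short code
        found.add("long_number_sender")
    return sorted(found)

def is_smishing(sender, text):
    return len(red_flags(sender, text)) >= 2  # the page's "two or more" rule

# First two texts are the page's examples; senders and the third text are constructed.
SAMPLES = [
    ("+1 415 555 0100", "USPS: Your package can’t be delivered due to an incomplete "
     "address. Update your details here: usps-tracking-update[.]com"),
    ("+1 647 555 0199", "Hey, are you available? I need a quick favour before my "
     "meeting. Don’t call, I’m in a session."),
    ("12345", "USPS: your package arrives today. Track it at tools.usps.com"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(is_smishing(sender, text), red_flags(sender, text))
```

A lure with no link and no payment request can trip only one of these checks, so a low score is not proof that a text is safe.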
What Should You Do When You Get a Smishing Text?
Three steps. Do them in this order.
1. Don’t tap the link.
Treat every link in an unexpected text as the trap, even if it looks routine or like your bank.
2. Don’t reply, including “STOP.”
A reply, any reply, confirms the number is live. Scammers then sort live numbers into lists they sell or re-target. Even an opt-out reply tells them there’s a person on the other end.
3. Report it, then delete.
You have three reporting options. Use whichever fits.
| Where to report | How |
|---|---|
| Your carrier | Forward the text to 7726 (spells SPAM). Works on most US and Canadian carriers. |
| The FTC | File at ReportFraud.ftc.gov. |
| The FBI | File at ic3.gov if you lost money or if the text impersonated a government agency. |
If you don’t want to do any of these, just tag it as spam, tap report, and delete it. Then move on.
What Should You Do If You Already Clicked a Smishing Link?
Most clicks don’t end in disaster. CISA and the FTC both note that if you only tapped the link and entered nothing, your immediate risk is low. What you do next depends on what you handed over.
| What you did | Treat it as |
|---|---|
| Just tapped the link | Possible tracking or malware |
| Entered a password | Account compromised |
| Entered card or bank details | Card compromised |
| Sent money or gift cards | Theft, act in minutes |
Then match the action to the situation.
1. You only tapped the link
iPhones are sandboxed and rarely catch malware from a tap. On Android, restart the phone and run a scan with a trusted security app if you want a clean check. No need to contact your bank unless the scan finds something.
2. You entered a password
Change it right away, from a different, trusted device. The FTC notes that if you reuse the password elsewhere, change it on those accounts too. Then turn on two-factor authentication everywhere that supports it. Use an authenticator app or hardware key, not SMS codes.
3. You entered card or bank details
Call the number on the back of your card, not anything from the text. Ask them to flag the account and watch for charges over 30 days. Place a free fraud alert with the three US credit bureaus (Equifax, Experian, TransUnion). It requires lenders to verify your identity before issuing new credit in your name.
4. You sent money or gift cards
Treat it as theft. Call your bank’s fraud team and file at ic3.gov the same day. If you wired money or sent crypto, the bank or platform may have a small window to recover it.
If a password was handed over, the next risk is account takeover. The attacker logs in as you, changes your details, and locks you out. The sooner you change the password and turn on 2FA, the smaller the window they have.
Why is Smishing a Brand Problem?
Most smishing texts use a known company’s name. The scammer picks a bank, a courier, or a retailer that the target already trusts, because a familiar name makes people lower their guard.
That creates a problem for the company whose name the scammer impersonates.
What brand trust means here
Brand trust is the confidence a customer has that a company will protect them and treat them fairly. It builds up over years of good service. It also shows up in business results: customers buy more, stay longer, and recommend a brand they trust.
When a scammer borrows that name, the trust takes the hit. A customer who loses money to a fake “Chase fraud alert” often blames Chase, even though Chase never sent the text. They feel let down by the company they thought was contacting them.
The numbers back this up. Telesign’s 2025 ecommerce data found that more than 38% of consumers will stop doing business with a brand that fails to protect them online. Lost customers mean lost revenue, higher support costs, and a reputation that takes years to rebuild.
How scammers pull it off
The tool behind most of these texts is a lookalike domain. A scammer registers a web address close to the company’s own, such as cornpany.com or company-payments.com. They set up a working email and a fake login page on it. Then they send texts that point to that page, using a name that looks like the company’s.
This is why blocking the text in the inbox comes too late. By the time the message reaches a customer, the fake domain is already live and sending. Finding the domain earlier, while the scammer is still setting it up, gives a company time to act before any customer sees a text.
Styx Intelligence detects brand-impersonation domains at that setup stage, before the texts go out.

Smishing vs Phishing vs Vishing
Smishing, phishing, and vishing all use the same trick, sent through different channels. The FBI groups them as variations of one tactic: pretend to be someone you trust, then get you to act quickly.
| Type | Channel | Typical message | What to do |
|---|---|---|---|
| Smishing | Text or chat app | “Package held,” “unpaid toll,” “bank alert” | Don’t tap. Forward to 7726. Delete. |
| Phishing | Email | “Verify your account,” “invoice attached,” “password expiring” | Don’t click. Report to your email provider or the FTC. |
| Vishing | Phone call or voicemail | “This is your bank’s fraud team,” “IRS final notice” | Hang up. Call back on the official number. |
The channel matters because the defences differ. Email filters catch a lot of phishing, but they do nothing for a text or a phone call. That gap is why smishing and vishing keep working.
Scammers also mix all three in one attack. A text might tell you to call a number, which hands you over to a vishing script. Treat any unexpected contact that pushes you to act quickly the same way, whatever channel it arrives on.
What all three share is the setup behind the message.
A scammer needs a domain to host a fake page, a mail server to send convincing replies, and a brand name to borrow. Those building blocks leave public signals before the first text or call goes out:
- A new domain registered close to a known brand name (cornpany.com, company-payments.com)
- Mail records (MX) activated so the domain can send messages
- A security certificate issued for the domain, making the fake page look legitimate
- Brand logos, colours, or page titles appearing on the site
Each signal on its own can be noise.
Several together usually mean someone is setting up a campaign.
Catching them early gives a team time to warn customers, file a takedown, or block the domain before any message reaches an inbox or phone.
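The signals listed above can be combined into a simple triage score on the monitoring side. This is an added example, not code from the page or from any vendor: the brand label "company" comes from the page's cornpany.com example, while the official-domain set, confusable pairs, 30-day window, thresholds and observation records are assumptions, and inputs are assumed to be registrable domains.

```python
# "company" comes from the page's examples; the official-domain set, confusable
# pairs, 30-day window and thresholds are assumptions made for this sketch.
BRAND, OFFICIAL, NEW_DAYS = "company", {"company.com"}, 30
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def resembles_brand(domain):
    """Homoglyph, one-character typo, or brand-plus-keyword in a registrable domain."""
    if domain in OFFICIAL:
        return False
    label = domain.lower().split(".")[0]
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return any(edit_distance(tok, BRAND) <= 1 for tok in label.split("-"))

def signals(domain, age_days, has_mx, has_cert, brand_assets):
    """MX and certificate only count once the domain is tied to the brand."""
    lookalike = resembles_brand(domain)
    assets = brand_assets and domain not in OFFICIAL
    if not (lookalike or assets):
        return []
    checks = {"new_lookalike": lookalike and age_days <= NEW_DAYS,
              "mx_active": has_mx, "cert_issued": has_cert,
              "brand_assets": assets}
    return [name for name, hit in checks.items() if hit]

def triage(*record):
    n = len(signals(*record))
    return "escalate" if n >= 3 else "watch" if n else "ignore"

# Constructed records: domain, age in days, MX active, certificate issued, brand assets.
OBSERVED = [
    ("cornpany.com", 2, True, True, False),
    ("company-payments.com", 1, False, False, False),
    ("companion.org", 3000, True, True, False),
]

if __name__ == "__main__":
    for rec in OBSERVED:
        print(rec[0], triage(*rec), signals(*rec))
```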


