Smishing combines 'SMS' and 'phishing' to describe fraudulent text message campaigns designed to steal sensitive information or compromise your device. Unlike email phishing, smishing exploits the trust people place in text messages, which often feel more personal and immediate than emails.
Common smishing tactics include:
- Fake delivery notifications asking you to confirm a parcel or pay a charge
- Banking alerts claiming suspicious activity on your account
- Prize notifications saying you've won a competition you didn't enter
- Login verification codes requesting you confirm your identity urgently
- Links shortened with services like bit.ly to hide the true destination
Why smishing matters: mobile phones feel safer than computers to many people, so you may let your guard down. Texts also arrive in a dedicated app with limited context, making it harder to spot red flags like poor spelling or suspicious sender addresses. If you click a malicious link, attackers can install spyware, steal banking credentials, or access your contacts to target others.
What you should do: Never click links or download files from unsolicited texts, even if they appear to come from your bank, delivery company, or mobile provider. Legitimate organisations rarely ask for personal details or passwords via text. If you're unsure, contact the organisation directly using a phone number from their official website, not one provided in the message. Report smishing to your mobile network operator and, if it impersonates a real company, report it to that organisation's security team.