What Is Smishing: Definition, Common Examples, and Tips To Protect Yourself

The Cape Team

Smishing (short for SMS phishing) is a growing mobile threat where scammers use deceptive text messages to manipulate and exploit users. According to , smishing is two-thirds of all mobile-based phishing attacks.

In this article, you’ll learn what smishing is, how it unfolds, how to recognize suspicious messages, and what to do next to protect your devices and identity.

What Is a Smishing Attack?

Smishing is a type of cyberattack that uses SMS or text messages to trick people into revealing sensitive information, downloading malware, or sending money to fraudsters.

SMS is a highly trusted but poorly secured communication channel. People often open 90% of all messages of receiving them. Yet, : mobile phones accept messages from virtually any source without verifying the sender’s legitimacy.

These factors give scammers plenty of room to impersonate trusted entities like banks or delivery services and send deceptive messages to any number without risk of detection. The goal of a smishing attack is typically one of the following:

  • Harvesting sensitive information like OTPs, passwords, or credit card numbers
  • Getting you to click on malicious links that lead to fake websites or
  • Manipulating you into sending money or sensitive data directly to the scammer

Smishing vs. Phishing vs. Vishing: What’s the Difference?

Smishing is a type of phishing, which is a broad term for any social engineering attempt to defraud or manipulate victims into taking harmful actions.

Phishing was originally carried out over email, but it has since spread to other channels, where it's known by specific names, such as:

  • Smishing: Phishing delivered through SMS, MMS, or RCS messages
  • Vishing: Phishing using phone calls that impersonate legitimate organizations or, with the rise of AI voice cloning, mimic a familiar person's voice with startling accuracy
  • Quishing: A newer threat where fake QR codes are used to direct victims to malicious websites or payment requests

The attacks share the same underlying tactic of exploiting human psychology and emotions to deceive victims. While the core objective remains the same, the attack has spread to other digital communication channels.

How Does Smishing Work?

Most smishing attacks start with attackers acquiring your phone number and other personal details from sources like:

  • Data broker marketplaces that sell contact lists with personal details
  • Dark web and breach dumps where stolen user profiles are freely traded
  • Social media profiles and public forums
  • Misconfigured cloud storage where user data leaks accidentally

Because so much of your data, including phone numbers, names, and associated accounts, can be exposed by , online apps, and services, assembling large lists of targets is inexpensive and easy for attackers.

Once scammers have your details, they can set up spoofed numbers, SMS gateways, or fake websites to send messages at scale. The actual message content can differ depending on the tactics used. Some smishing messages are generic templates blasted to thousands of users at once, while others are highly personalized for the victim using private or confidential insights.

When you open a link or respond to a smishing message with the desired information, attackers can capture your data to reuse or sell it. In many cases, the smishing fraud doesn’t end with the initial interaction. One action can lead to larger attacks, such as account takeovers using stolen credentials.

How To Spot a Smishing Text: Common Examples

With advancements in large language models and easy access to personal data and context, scammers can craft sophisticated phishing texts that are harder to distinguish from legitimate ones.

Still, the persuasion patterns remain consistent. Smishing scams often rely on high-pressure tactics, threatening or urgent language, and carefully placed links to get you to act before you think. Some common templates you’ll come across are:

| Smishing Example | What the Message Claims | Typical Goal |
|---|---|---|
| Bank alert | "Security alert: Suspicious activity on [bank name] acct ****1234. Click if not done by you: [link]" | Stealing login, OTP, or card details on a |
| Package delivery | "Your package is pending delivery. Update your details to receive: [link]" | Collecting addresses or payment information |
| Carrier billing | "Your AT&T bill is overdue. Pay now to avoid service cut: [link]" | Making payments directly to scammers |
| IRS/tax scam | "IRS: Unpaid tax notice. Pay now to avoid penalty: [link]" | Getting SSN or bank details, or making payments directly |
| Rewards or gift card | "Congratulations! You've won a $500 Walmart gift card! Click to claim: [link]" | Collecting personal data or installing malware |
| Tech support | "Security issue detected on your iPhone 16. Contact Apple support to avoid critical data loss: [phone number]" | Contacting the scammer for remote access or malware installation |
| Payment confirmation (Zelle, PayPal, etc.) | "Did you authorize this transaction? Reply with Yes/No" | Replying confirms your number is active, leading to more targeted attacks |
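
The pattern described above, a pressure hook paired with a link, callback number, or reply request, can be checked mechanically when triaging reported texts. The Python below is an added example, not part of the original article or any Cape tooling. The word lists, the function name triage_sms, and the sample values are assumptions, and a match means "verify through a separate channel", not proof of fraud.

```python
import re

# Indicator word lists are assumptions for illustration, not a vetted ruleset.
# HOOKS: the reason the message gives you to act. CHANNELS: how it wants a response.
HOOKS = {
    "urgency or threat": re.compile(
        r"\b(now|immediately|overdue|unpaid|pending|suspicious|alert|penalty|critical)\b", re.I),
    "prize lure": re.compile(r"\b(congratulations|won|claim|gift card)\b", re.I),
    "money or account": re.compile(r"\b(acct|account|bill|tax|transaction|payment)\b", re.I),
}
CHANNELS = {
    "link": re.compile(r"https?://\S+", re.I),
    "callback number": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "reply request": re.compile(r"\breply\b", re.I),
}


def triage_sms(text):
    """Return the hooks and response channels found in one SMS body."""
    hooks = [name for name, rx in HOOKS.items() if rx.search(text)]
    channels = [name for name, rx in CHANNELS.items() if rx.search(text)]
    # A hook paired with a response channel is the pattern worth a second look.
    return {"hooks": hooks, "channels": channels,
            "suspicious": bool(hooks) and bool(channels)}


# Constructed samples: the article's templates with [link] and [phone number]
# replaced by reserved example values, plus two benign messages.
SAMPLES = [
    "Security alert: Suspicious activity on Example Bank acct ****1234. "
    "Click if not done by you: https://example.com/verify",
    "Your package is pending delivery. Update your details to receive: https://example.com/track",
    "Congratulations! You've won a $500 Walmart gift card! Click to claim: https://example.com/claim",
    "Security issue detected on your iPhone 16. Contact Apple support to avoid "
    "critical data loss: +1 (555) 010-0199",
    "Did you authorize this transaction? Reply with Yes/No",
    "Running 10 minutes late, see you at the cafe.",
    "Here is the recipe I mentioned: https://example.org/soup",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage_sms(sms)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} hooks={result['hooks']} channels={result['channels']}")
        print(f"           {sms}")
```

A legitimate billing reminder with a link would also match, which is why the result is a prompt to confirm with the organization through its official app or a known number rather than a verdict.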

What To Do if You’ve Received a Smishing Text?

If you get a suspicious text, do not click its links, reply, or call the numbers provided. Interacting with a smishing message confirms your number is active and escalates the risk. Instead, take these immediate steps:

  • Screenshot for records: As evidence, screenshot the text before blocking or deleting.
  • Forward the text to 7726 (SPAM): This universal short code helps your carrier identify and block similar scam messages.
  • Report and block the sender: If you’re using an , report and block the message to stop receiving future texts from the number.
    • On iPhone: Tap on the sender’s icon at the top, then tap Info and select Block this Caller.
    • On Android: Long-press the message and tap Block & report spam.

If you’ve accidentally clicked a link, entered information, or , contact your bank or credit card issuer immediately and report the smishing fraud. They can help freeze accounts, block cards, and initiate chargebacks on unauthorized transactions.

In more serious cases, such as identity theft, you may want to file a complaint with your local police or the FBI's Internet Crime Complaint Center at IC3.gov. This creates an official record and helps authorities track criminal activity.

How To Avoid Falling Victim to Smishing Attacks

Knowing how to spot smishing scams is only the first step. You need proactive strategies to limit how often these messages reach you and limit their impact.

Below are three effective steps you can take to reduce the risk of smishing:

  1. Use your phone’s built-in spam filters
  2. Enable multi-factor authentication
  3. Use a secondary number to reduce exposure

1. Use Your Phone’s Built-In Spam Filters

Both iOS and Android include basic tools to identify and before they reach your main inbox. While these filters aren’t foolproof, they can catch a significant number of obvious scam texts, reducing the chances you’ll interact with something dangerous.

Android generally offers more robust spam filtering, combining machine learning algorithms with user rules. You can turn on SMS filtering on Android by following these steps:

  1. Open the Messages app
  2. Tap your profile icon (top right)
  3. Go to Messages settings > Spam protection
  4. Enable Spam protection to flag likely scam texts automatically

On iOS, the Filter Unknown Senders setting diverts texts from numbers not in your contacts into a separate Unknown Senders folder so you don’t open something risky by accident. Here’s how to enable it:

  1. Open Settings > Messages
  2. Scroll to Message Filtering
  3. Turn on Filter Unknown Senders

2. Enable Multi-Factor Authentication

Multi-factor authentication (MFA) doesn’t SMS from reaching you, but it can protect your accounts if a scammer steals your usernames or passwords.

With MFA enabled, even if a scammer gets your login details from a smishing link or breach, they still can’t access your account without the next authentication factor(s). Avoid SMS codes as your MFA step, as they and are vulnerable to network interception or . Instead, choose more secure verification options like:

  • Time-based codes from an authenticator app like Duo Mobile or Google Authenticator
  • Physical security keys (like a YubiKey)
  • Push alerts
  • Biometrics

Most social platforms and online services offer 2-factor authentication (2FA), which can be enabled in their security settings. It’s recommended to enable it on key accounts like email, , social media accounts, and cloud storage services.

3. Use a Secondary Number To Reduce Exposure

Instead of sharing your primary number everywhere, you can use a secondary number for high-exposure scenarios, for example:

  • Online marketplaces
  • Loyalty programs
  • App registrations
  • Dating apps
  • Contact forms

Even if this number is sold to data brokers or targeted by smishing scams, the threat is contained. Your private number, used for trusted contacts and critical services, remains insulated from spam.

Most “second number” solutions rely on virtual lines via VoIP services. While these can mask your primary number, they come with significant drawbacks: they often , are less reliable for SMS delivery, and are frequently blocked by banks, payment apps, and other services that use or login codes.

For a more secure, reliable, and privacy-conscious approach, privacy-first mobile carriers like provide up to two secondary phone numbers built into your mobile plan. Because these are real cellular numbers rather than virtual or VoIP lines, they function like traditional numbers—but without linking back to your primary identity.

This means you can use them freely for high-exposure scenarios like online marketplaces, app registrations, dating apps, or contact forms, all the while keeping your main number private. To access secondary numbers and other built-in security features for mobile communications, .

Meet Cape: The Secure Carrier Designed for Today’s Threats

We share the most intimate details of our everyday lives with our cell phones. In order to stay connected, our cell phones share that information with local cell networks, and in turn, those cell networks share our data with each other.

While this system is what makes connectivity possible, it was built with interoperability as its priority, rather than security. The global cell network is vulnerable to a number of threats, as recurring headlines about major carrier data breaches show. When major carriers aren’t losing our sensitive personal data in breaches and hacks, they’re actively selling it to ad networks, data brokers, and third parties.

At Cape, we believe that privacy and security shouldn’t have to be sacrificed for connectivity. That’s why we built our service with privacy principles and security features at its core, including:

Cape eliminates the risk of your sensitive data falling into the wrong hands by not even asking for it. When you make your Cape account, we don’t ask for your name, address, or SSN. We only collect the information that’s necessary to provide the service, and we retain it for the least amount of time possible.

During account creation, you receive a unique 24-word phrase that generates a private key tied to your phone number. This pass phrase is required to move your number to a new device or carrier. Nobody else, not even us at Cape, has access to the phrase, meaning there’s absolutely no way for bad actors to transfer your number to their device, effectively nullifying the possibility of SIM swapping.

Your phone stores an incredible amount of data, which can be accessed through call and text records. Most mobile carriers store your call and text metadata for years, which can easily fall into the wrong hands.

Cape is built to forget, meaning we delete Call Data Records (CDRs) after just 1 day, ensuring nobody can see who you texted or called, track where the communication took place, or access the sensitive information within CDRs.

All SIM cards are accompanied by International Mobile Subscriber IDs (IMSI). These function as unique identifiers devices use to register with cellular networks. Traditional telcos assign fixed IMSIs to user accounts, meaning the carriers, advertisers, hackers, and other bad actors can exploit them to identify and track your device.

Cape patches this security hole by allowing you to automatically rotate your IMSI every 24 hours. In practice, this means you appear as a different subscriber every day, making it much more difficult for anyone to identify your device or track your movements.

Are you tired of spam messages from brands, phone call surveys, and scammers trying to trick you into sharing sensitive information over the phone? The reason why most people are exposed to these nuisances is that we are often required to share our phone numbers with retailers, websites, apps, and service providers.

While messages and phone calls can be annoying, what’s worse is that your number can easily become a target for data brokers and bad actors. That’s why many people turn to VoIP numbers as secondary lines. VoIPs are a decent option, but they don’t fully solve the issue—they are not encrypted, you can’t use them for 2FA, and they’re an additional cost each month.

When you sign up for Cape, you get two free additional SMS/MMS lines that are middle-to-end encrypted. This allows you to use Secondary Numbers for online shopping, signing up for services and discounts, and receiving secure OTPs, while your primary phone number is reserved for friends and family.

Traditional cellular networks were designed for interoperability, not security. Outdated and legacy network protocols like SS7 have vulnerabilities that allow attackers to hack in and track your location, intercept your calls and texts, and steal sensitive information.

Cape’s Network Lock uses a proprietary signaling proxy to verify that your device’s physical location matches the network it’s trying to attach to. If anything looks suspicious, like a mismatched location, we block the connection.

Voicemails can reveal more than you think, from personal messages to authentication codes, yet most voicemail systems are outdated and unencrypted.

Cape encrypts your voicemails so that only you can access them.

To access phone service while traveling abroad, your phone typically needs to connect to local telecom providers. The trouble is, there’s no guarantee all networks are secure, and not every government treats privacy the same.

Cape doesn’t leave anything to chance. We let you route traffic through our U.S.-based mobile core, so you can safely use international data roaming without exposing your identity or sharing sensitive data or communications with foreign carriers.

With Cape, you get up to 15 GB per month of international roaming, included in your monthly plan.

Get Started With Cape Today

If you’re ready to make a switch from legacy telcos to America's privacy-first mobile carrier, visit .

In addition to all the features listed above, you can further enhance your privacy and security with Proton. Our partnership with this technology leader allows you to for only $1 for the first six months.
