The word “smishing” comes from combining “SMS” — for short message service, the technology behind texting — with “phishing,” the practice of stealing personal or financial information through deceptive communications, primarily emails. Basically, it's phishing by another means, namely text messages on mobile devices.
Like phishing emails, smishing texts are social-engineering scams that aim to manipulate people into turning over sensitive data such as Social Security numbers, credit card numbers and account passwords or providing access to a business's computer system. They rely on persuading you that the sender is a familiar or trusted source and that urgent action is needed to secure a benefit, resolve a problem or avert a threat.
For example, you might get what looks like a text from a company you do business with, such as your bank, a mobile provider, or a tech service like Netflix or PayPal. It claims your account has expired or been locked on some pretext, maybe suspicious activity, and you need to provide personal information or click on a link to reactivate it. That gives the scammers means to steal your money or identity or to infect your device with malware.
Variations abound. A scam text might say you've won a lottery prize or a gift card, or promise a break on student loan debt. It could look like an alert from a government agency such as Social Security or the IRS or link to a phony invoice or cancellation notice for a product or service you supposedly bought.
The coronavirus pandemic unleashed a raft of new schemes, according to the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC). Scam texts offer bogus treatments, stimulus funds, supposed government health updates or warnings that you've been exposed to the virus.
Most common of all are messages purportedly from the likes of Amazon, FedEx or the U.S. Postal Service about an impending package or shipment snafu. Delivery scams accounted for more than a quarter of spam texts in 2021, according to a February 2022 report from Robokiller, a company that provides call-blocking and other phone security services.
Smishing now outstrips robocalls as a scam tool, Robokiller reports, with bad actors hitting send on more than 87.8 billion fraudulent texts in 2021 — up 58 percent from the previous year — compared to 72.2 billion crooked calls. Those phishy messages cost consumers nearly $10.1 billion, the company estimates.
- A text message requests personal information, such as your Social Security number or an online account password.
- The message asks you to click a link to resolve a problem, win a prize or access a service.
- The message claims to be from a government agency. Government bodies almost never initiate contact with someone by phone or text, according to the FCC.
- The text offers coronavirus-related testing, treatment or financial aid, or requests personal data for contact tracing.
- Do contact the company or organization that supposedly sent the text, using a phone number or website you know to be legitimate, if you think it might concern a genuine problem.
- Do forward spam and scam texts to 7726 (SPAM), the spam reporting service run by the mobile industry. This sends the text to your carrier so it can investigate. Cybersecurity company Norton has a guide to the process.
- Do consider using tools that filter or block unwanted messages or unknown senders:
  - Your mobile device may have built-in spam protection. Check the settings on its messaging app.
  - Most major wireless carriers offer call-blocking services.
  - Some call-blocking apps (see “More Resources” below) also filter out junk texts.
- Don't provide personal or financial data in response to an unsolicited text or at a website the message links to.
- Don't click on links in suspicious texts. They could install malware on your device or take you to a site that does the same.
- Don't reply, even if the message says you can “text STOP” to avoid more messages. That tells the scammer or spammer your number is active and can be sold to other bad actors.
- Don't assume a text is legitimate because it comes from a familiar phone number or area code. Spammers use caller ID spoofing to make it appear the text is from a trusted or local source.
Updated March 8, 2022
About the Fraud Watch Network
Whether you have been personally affected by scams or fraud or are interested in learning more, the AARP Fraud Watch Network advocates on your behalf and equips you with the knowledge you need to feel more informed and confidently spot and avoid scams.