What is smishing, and how to avoid it

Smishing – the commonly used name for SMS phishing – is an activity in which criminals steal victims’ money or identity, or both, when the victim responds to a text message. Where phishing uses email as the initial approach and vishing uses phone calls, smishing uses your mobile phone (either a smartphone or a traditional non-internet-connected handset). Like the other methods mentioned, it manipulates innocent people into taking actions which lead to them being defrauded.

The risks

You receive a fraudulent text in which criminals impersonate a trusted organisation or individual, including the following:

  • Your bank, informing you that there is a ‘problem with your account’ such as irregular activity or lack of funds.
  • A retailer, offering ‘vouchers’ or ‘gift cards’.
  • A technology provider such as Apple or Google, notifying you that you ‘need to validate an account’.
  • A parcel delivery company, notifying you that you need to ‘confirm that you want a parcel to be delivered’.
  • HMRC, informing you that you are ‘due a tax refund’.

This list is not exhaustive.

What all smishing messages have in common is:

  • They instruct you to either go to a website or make a phone call to a specified number.
  • They play on your basic human emotions and needs, such as trust, safety, fear of losing money, getting something for nothing, eagerness to find a bargain or desire to find love or popularity/status.
  • They generally state or imply the need for your urgent action to either avoid an issue or take advantage of an offer.

Websites you visit via smishing messages generally either request confidential details or cause your internet-connected mobile device to be infected with malware. Phone calls you make in response can either result in confidential details being requested, or connect you to a premium rate number, resulting in exorbitant charges being added to your phone bill.

How to avoid becoming a victim of smishing

  • Do not click on links in text messages unless you are 100% certain that they are genuine and well-intentioned.
  • Take time to consider your actions before responding to text messages.
  • Ask yourself if the sender, if genuine, would really contact you via this text.
  • Recognise threats of financial issues or offers that seem too good to be true, for what they really are.
  • If in doubt, call the correct number of the organisation or individual from whom the text claims to have been sent, to check its authenticity.
  • Remember that even if the text message seems to come from someone you trust, their number may have been hacked or spoofed.
  • Do not respond to the text message. Doing so could result in your details being added to a ‘suckers’ list’ and you will be inundated with similar messages.
  • Dial 7726 (or for Vodafone subscribers, 87726). This will enable your mobile network provider to take early action to block numbers that are generating spam – including scam texts – on their networks, and report them to the regulators.
  • Report spam text messages directly to your mobile phone provider free of charge by forwarding them to 7726 from the device they are received on.
  • ‘Which’ also operates an online reporting service for scam texts and phone calls, here:

If you have lost money as a result of a smishing text, or via any other fraudulent activity

Report it to Action Fraud, the UK’s national fraud reporting centre, by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk. If you are in Scotland, contact Police Scotland on 101.
