Smishing — phishing by SMS — is one of the fastest-growing scam channels. As people got warier of email, attackers moved to text, where messages feel personal and urgent and the small screen hides the warning signs. Recent reporting shows smishing up around 40% and over a third of phishing now arriving via SMS or messaging apps. [1]
The texts to watch for
- Missed delivery: “Your package couldn’t be delivered — pay a small fee / confirm your address” with a link. (USPS, DHL and other carriers are common disguises.)
- Bank or account alert: “Suspicious login detected — verify now” or “Your account is locked.”
- “Wrong number” openers: a friendly stranger who keeps chatting — often the start of a longer investment or romance scam.
- Prizes and refunds: “You’ve won” / “You’re owed a refund — claim here.”
- Boss or family impersonation: “It’s me, I’ve got a new number, can you do me a quick favour?”
Why texts are so effective
On a phone, the full web address is usually hidden, so a fake link is harder to inspect than on a computer. Texts also feel more immediate and personal than email, and link shorteners hide the true destination entirely. Attackers know that switching you from a big screen to a small one makes the signs of a scam harder to spot.
How to handle a suspicious text
- Don’t tap the link. If it claims to be your bank or a courier, open their official app or type their website yourself.
- Don’t reply — not even “STOP.” A reply confirms your number is live and reachable.
- Never share a one-time code. No real company will text and then ask you to read back your verification code.
- Check the number, but don’t trust it. Caller ID and sender IDs are easily spoofed.
- Report and delete. In many countries you can forward spam texts to 7726 (SPAM). Then delete it.
When you’re not sure
Plenty of texts sit in a grey area — it might be your bank. The safe habit is never to act through the text itself: go to the source independently. And remember that a smishing link leads to the same kind of fake web page as any other phishing attack — so protection that inspects pages in your browser still helps once a link is opened.
Protection that follows the link
If a text link opens in your browser, SafeToOpen Browser Security inspects the page and blocks it if it’s a fake — before you enter anything.
How Browser Security works →The takeaway
Smishing trades on urgency and the blind spots of a small screen. Don’t tap links, don’t reply, never share one-time codes, and always reach companies through their official app or site — not the text. Treat an unexpected text exactly as you’d treat an unexpected email.