What is Smishing?

That text about a missed package, unpaid toll, or suspicious bank transaction? It's probably smishing — and it's exploding in volume because text messages have a 98% open rate compared to email's 20%.

Why Smishing Works

• 98% open rate — nearly everyone reads text messages
• Less skepticism — people are trained to watch for email phishing but trust texts more
• Urgency on a small screen — shortened URLs on mobile are hard to verify
• Personal feel — texts feel more intimate than emails
• Weaker filtering — carrier spam filters are less sophisticated than email filters

Common Smishing Attacks

Fake Delivery Notifications

"USPS: Your package is waiting for delivery. Confirm your address: [malicious-link]"

• Mimics USPS, FedEx, UPS, Amazon
• Link leads to a credential-harvesting page

Bank Fraud Alerts

"Chase: Unusual activity detected on your account. Verify now: [malicious-link]"

• Creates urgency around financial security
• Harvests banking credentials

Toll Road Scams

"Unpaid toll notice: You owe $4.35. Pay now to avoid $50 late fee: [malicious-link]"

• Massive wave across the US in 2024-2025
• Steals payment card information

Government Impersonation

"IRS: You have an outstanding balance. Claim your refund: [malicious-link]"

• Exploits fear of government agencies
• Collects Social Security numbers and tax information

MFA Bypass

"Your verification code is 847291. If you didn't request this, reply STOP"

• Attacker triggers a real MFA code, then asks you to share it via text

How to Protect Yourself

1. Never click links in unexpected text messages — go directly to the company's website or app
2. Don't reply — even "STOP" confirms your number is active
3. Verify independently — call the company using the number on their official website
4. Report spam texts — Forward to 7726 (SPAM) on most carriers
5. Enable spam filtering — Use your carrier's built-in spam detection
6. Be skeptical of urgency — legitimate organizations don't threaten immediate consequences via text