Get Started
Mobile Security

SMS Phishing (Smishing): How to Spot It and Protect Yourself

July 12, 2026

If you've gotten a text this year about a "failed delivery," a suspicious login, or a refund you weren't expecting — you've likely seen smishing in action. Short for "SMS phishing," smishing is exactly what it sounds like: phishing attacks delivered by text message instead of email. And in 2026, it's growing fast. Industry tracking groups have recorded SMS-based phishing volume climbing by roughly a third quarter over quarter, and some estimates now put text message attacks at more than a third of all phishing activity overall.

Why Smishing Works So Well

Most of us have learned to be at least a little suspicious of email — spam filters catch a lot of it, and "check the sender's address" has become common advice. Text messages don't get the same scrutiny. There's no spam folder quietly filtering out the worst of it, and a message that looks like it's from your bank or a delivery service feels more immediate and trustworthy just by showing up on your phone. Attackers know this, and they're increasingly using AI tools to make these messages more convincing and harder to distinguish from something legitimate.

Awareness gaps make this worse. Research from mobile security firms has found that a surprisingly small share of people over 55 can correctly explain what smishing even is — and younger adults aren't dramatically better at spotting it either. This isn't a "some people are careless" problem; it's a genuine knowledge gap that scammers are actively exploiting.

The Smishing Scams Showing Up Right Now

A handful of patterns keep reappearing, because they keep working:

How to Protect Yourself

None of this requires becoming paranoid about every text you get — just building a few habits:

  1. Don't tap links in unexpected texts, even if the message references something plausible like a delivery or a bank alert. Go directly to the company's app or website instead of following the link.
  2. Never reply to a text with a verification code — legitimate services will never ask you to text a code back to them. If you get one you didn't request, treat it as a sign someone may be trying to access one of your accounts, not just an annoying text.
  3. Verify independently. If a text claims to be from your bank, carrier, or a delivery service, contact them through a number or app you already know is real — not anything provided in the message itself.
  4. Report suspicious texts to your carrier. Most major U.S. carriers support forwarding spam texts to 7726 ("SPAM"), which helps them identify and block these numbers faster.
  5. Use an authenticator app instead of SMS for two-factor authentication where you can. SMS codes can be intercepted or redirected; app-based codes are meaningfully harder to compromise.
  6. Slow down when a message creates urgency. Scammers rely on you acting fast, before you've had time to think it through. A brief pause to verify costs you nothing; acting on a scam text can cost a lot.

Why This Matters Beyond Your Phone

Your phone number has become a key that unlocks a lot of your digital life — bank accounts, email recovery, two-factor authentication. Protecting it isn't just about avoiding an annoying scam text; it's about protecting everything that number is tied to. It's part of why we treat privacy and security as a real part of choosing a mobile plan, not just an afterthought — the carrier and protections behind your number matter just as much as the price on the label.