arrow_backAll articles
Smishing

Smishing (SMS scams): how to spot and avoid them

schedule6 min read

Smishing is phishing via SMS and messages (SMS + phishing), where a scammer impersonates a bank, courier or institution to extract data. You spot it by an unexpected message, an odd or shortened link, an urgent tone and a request to enter details — in which case do not tap the link, but open the service yourself.

Smishing (SMS + phishing) is a scam delivered through text messages: SMS, as well as WhatsApp, Viber or iMessage. The principle is the same as email phishing, but a message on a phone inspires even more trust and is often read in a hurry. On a small screen it is harder to see the real link address, so people tap more often than in an email.

The most common smishing scenarios

  • checkParcel delivery: "Your parcel is waiting, pay a EUR 1.99 customs fee" with a link to a fake courier page.
  • checkBank: "Suspicious payment detected, verify your identity" with a link to a spoofed login.
  • checkTax or government: "You are due a refund, complete the form".
  • checkEmployer or manager: "Can you reply quickly? I need help" — the start of a CEO-fraud style scam.
  • checkPrizes and promotions: "You won a phone, claim it by tapping the link".

Signs that reveal smishing

No single sign is proof, but several together are a clear signal to pause.

  • checkAn unexpected message about a parcel you did not order, or a bank you are not a customer of.
  • checkA link with an odd or shortened domain (bit.ly, random characters, .top / .xyz endings).
  • checkAn urgent, threatening tone: "within 24h", "final warning", "account will be closed".
  • checkA request to enter a card number, password or personal ID via a link.
  • checkAn unknown or foreign phone number, even though the message pretends to be a local institution.
  • checkSmall but odd fees (e.g. a token "customs fee") designed to capture card details.

Why smishing works better than expected

A phone is a personal device, and SMS has historically been used for real notifications — bank codes, parcel statuses. So a text is given more trust. Add that link addresses are often hidden on mobile, and that people read messages while on the move or between tasks, when attention is scattered. This combination is what makes smishing effective.

What to do with a suspicious message

  • checkDo not tap the link or call the number in the message.
  • checkDo not forward the message to colleagues "to check" — report it to IT instead.
  • checkIf it is about a bank or courier, open their official app or website yourself, not via the link.
  • checkBlock the number and delete the message once you confirm it is a scam.
  • checkIf you already entered card or login details — call your bank immediately and change passwords.

How to protect your team from smishing

Because smishing also targets employees’ personal phones — which often hold work email — protection cannot be limited to computers. The most effective approach is to regularly remind the team of real examples and train their reaction. Opsinel simulations cover not only email but SMS scenarios too, so employees learn to spot scams in the very channel where they happen.

Frequently asked questions

Is it dangerous just to open an SMS?add

Usually opening the message itself is not dangerous. The risk comes from tapping a link, downloading a file or entering details on the page it opens.

I got an SMS supposedly from my bank — how do I check?add

Do not use the link or number in the message. Open your banking app or call the official number from your card or the bank website and verify.

Does smishing threaten company phones too?add

Yes. Employee phones often hold work email and access to systems, so smishing can become an entry point into the company. Training should therefore cover the mobile channel.

How is smishing different from phishing?add

It is the same deception through a different channel: phishing arrives by email, smishing by SMS or message. On a phone it is harder to see the real link address, so people click more often.

I paid a "customs fee" from an SMS — what now?add

Call your bank immediately and block the card, since scammers now have its details. Review transactions, change related passwords and enable 2FA.

Read next