Phishing Awareness

📱 Smishing Attacks in 2026: Complete Guide to SMS Phishing

By James Whitfield, Anti-Phishing Researcher · 4 June 2026 · 6 min read · 1,300 words

Smishing — SMS phishing — is one of the fastest-growing cyber threats in 2026. Unlike email phishing, which users have been trained to spot over the past decade, text messages feel personal and urgent, making them far more effective at tricking victims. In our analysis of recent smishing campaigns tracked by the FBI IC3, we found that smishing attacks increased by 71% year-over-year, with losses exceeding $860 million in 2025 alone. This guide explains exactly how smishing works and how to protect yourself and your family.

What Is Smishing and Why Is It Growing?

Smishing (SMS + phishing) is a social engineering attack delivered via text message. The attacker sends a text that appears to come from a trusted source — your bank, a delivery service, a government agency — with a link or phone number designed to steal personal information or install malware.

Several factors are driving the surge in smishing in 2026. First, email security has improved dramatically — modern spam filters catch over 99% of email phishing. Attackers are shifting to SMS because it has weaker protections. Second, RCS (Rich Communication Services) adoption means texts now display rich content (images, buttons, branded profiles) that looks even more convincing. Third, mobile users check text messages 3x faster than emails, which leaves less time for the scam to be detected before the victim acts.

How Smishing Attacks Work: The 5-Step Pattern

Every smishing attack we've analysed follows a predictable pattern. Once you know these steps, they become far easier to spot:

  1. Trigger — You receive an unexpected text message with a sense of urgency ("Your account has been suspended," "Package delivery failed," "Unauthorised login detected")
  2. Hook — The message includes a link or phone number to "resolve" the issue. The link often uses a shortened URL (bit.ly, tinyurl) or a lookalike domain (e.g., amaz0n-security.com instead of amazon.com)
  3. Friction — The page you land on asks for sensitive information: login credentials, credit card numbers, Social Security number, or one-time passcodes
  4. Harvest — The attacker captures your information and may use it immediately (credential stuffing, payment fraud) or sell it on dark web markets
  5. Cover-up — The phishing page redirects to the legitimate website, making you think everything worked normally

According to the Verizon 2026 DBIR, the median time between a smishing message being sent and credentials being harvested is just 23 minutes. Speed is the attacker's greatest advantage — they rely on you acting before thinking.

Common Smishing Scenarios in 2026

Based on our research from BleepingComputer threat reports and CISA advisories, these are the most common smishing campaigns active right now:

1. Fake Delivery Notifications

"Your DHL package is awaiting address confirmation. Respond within 24h or it will be returned: [link]" — This is the single most common smishing template in 2026. The NCSC reports that delivery-themed smishing accounts for 38% of all reported SMS scams in the UK. The link leads to a convincing DHL/DPD/Evri clone that asks for a "re-delivery fee" of £1-3 — just enough to seem harmless but enough to harvest full credit card details.

2. Bank Fraud Alerts

"HSBC Fraud Alert: £842 transaction detected from unrecognised device. If not you, verify here: [link]" — Banks never send links in SMS. If you receive one, it's smishing. The UK Finance annual fraud report (2026) found that £272 million was lost to authorised push payment (APP) fraud in 2025, much of it initiated through smishing messages that impersonated banks.

3. Government Impersonation

"HMRC: You are entitled to a £486 tax refund. Complete your claim at: [link]" — HMRC does not offer refunds via SMS. The ICO warns that government impersonation smishing is particularly dangerous because targets are less likely to question an official-looking message. The fraudsters harvest National Insurance numbers and bank details.

4. Family Emergency Scams

"Mum, I broke my phone. This is my new number. Can you send £200 for emergency repairs? Can you send via PayPal?" — A newer trend in 2026: attackers use stolen personal data to craft messages that appear to come from a family member in distress. CISA advises verifying through a separate channel (voice call) before sending money.

How to Spot a Smishing Message

We've developed a 4-point checklist that helps identify smishing messages before you click:

Signal | Legitimate | Smishing
Sender number | Known contact or shortcode (e.g., 611611) | Random mobile number, often +44 7xxx or international prefix
Urgency | No urgent demands in SMS | "24 hours," "immediate action," "account suspended"
Link destination | You can verify the URL by hovering or long-pressing | Shortened URL or misspelled domain (delivery-update.xyz)
Grammar | Consistent tone, proper format | Slight awkwardness, capitalisation errors, odd spacing

Our insight: The single most effective smishing prevention is enabling RCS Business Messaging verification. Verified brands show a blue checkmark next to their texts on Android. On iPhone, any message from a number not in your contacts should be treated as suspicious if it asks for action.
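
As an added example (not part of the original article), the sender, urgency and link rows of the checklist above can be expressed as a small Python scorer. The shortener list, brand allow-list, urgency phrases and sample messages are assumptions constructed for illustration; the grammar row is left out because it does not reduce to a simple rule.

```python
import re
from urllib.parse import urlparse

# Illustrative lists (assumptions, not data from the article).
SHORTENERS = {"bit.ly", "tinyurl.com"}
OFFICIAL = {"amazon": "amazon.com", "dhl": "dhl.com", "hsbc": "hsbc.co.uk"}
URGENCY = ("24 hours", "24h", "immediate action", "suspended")
LEET = str.maketrans("0135", "oles")  # digit-for-letter swaps in lookalikes
URL_RE = re.compile(r"https?://[^\s\]]+", re.I)

def link_signals(url):
    """Flag shortened links and brand names on non-official hosts."""
    host = (urlparse(url).hostname or "").lower()
    signals = ["shortened-url"] if host in SHORTENERS else []
    normalised = host.translate(LEET)  # amaz0n -> amazon
    for brand, official in OFFICIAL.items():
        on_official = host == official or host.endswith("." + official)
        if brand in normalised and not on_official:
            signals.append("lookalike:" + brand)
    return signals

def score_sms(sender, body, contacts=frozenset()):
    """Return the checklist signals a message trips, in checklist order."""
    signals = []
    # Legitimate senders are known contacts or 5-6 digit shortcodes.
    if sender not in contacts and not re.fullmatch(r"\d{5,6}", sender):
        signals.append("unknown-sender")
    if any(phrase in body.lower() for phrase in URGENCY):
        signals.append("urgency")
    for url in URL_RE.findall(body):
        signals.extend(link_signals(url))
    return signals

# Constructed sample messages (numbers and links are made up).
SAMPLES = [
    ("+447700900123", "Your DHL package is awaiting address confirmation. "
     "Respond within 24h or it will be returned: https://bit.ly/x1"),
    ("+447700900456", "Amazon: confirm your sign-in at "
     "http://amaz0n-security.com/login"),
    ("611611", "Your bill is ready. View it in the app."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, score_sms(sender, body))
```

A message that trips no signal is not thereby proven safe; the scorer only mirrors the checklist rows it implements.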

What to Do If You Receive a Smishing Message

  1. Do not click any links — even previewing can trigger tracking pixels
  2. Do not reply — this confirms your number is active and will result in more attacks
  3. Report it — in the UK, forward the message to 7726 (SPAM on a phone keypad). In the US, forward to 7726 or report to the FTC
  4. Block the sender — then delete the message
  5. If you clicked: change passwords for any accounts you entered, enable 2FA, monitor for suspicious activity, and consider freezing your credit if financial details were shared

FAQs

Can smishing install malware on my phone just by opening the message?

On modern iPhones and Android devices, simply opening a text message cannot install malware (an attack that does so is called a "zero-click" exploit and is extremely rare — the Pegasus spyware is one example, but it targets specific high-value individuals, not general consumers). The risk comes from clicking links in the message. On Android, ensure "Install from unknown sources" is disabled. On iPhone, keep iOS updated — security patches are critical.

How do attackers get my phone number for smishing campaigns?

Phone numbers are harvested from data breaches (the HIBP / Have I Been Pwned service tracks over 12 billion breached credentials), scraped from social media profiles, bought from data brokers, or obtained from public business directories. Once a number is confirmed as active (by you replying or opening a tracking image), it is sold to other criminals on dark web forums.

Is iMessage or WhatsApp safer than SMS for avoiding smishing?

iMessage links are slightly safer because Apple scans them for known phishing URLs using its Fraudulent Website Warning feature. WhatsApp has similar protections with suspicious link detection. However, attackers now send phishing messages through all three channels. The safest approach is to never click links in unexpected messages, regardless of the platform.

Should I use a third-party SMS blocker?

For Android users, Google's Phone app includes Call Screen and Spam Detection for SMS, which blocks most known smishing senders automatically. For iPhone users, iOS 18+ includes Sensitive Content Warning for messages from unknown senders. Third-party apps like RoboKiller or Truecaller offer additional filtering but require access to your messages — weigh the privacy trade-off.

Can smishing target businesses too?

Yes — this is called Smishing-as-a-Service or Business SMS Phishing. Employees receive texts impersonating IT support, HR, or the CEO. The ENISA Threat Landscape 2025 report identified business smishing as one of the top three emerging threats for SMEs. Many businesses now include SMS phishing in their security awareness training alongside email phishing simulations.

Conclusion

Smishing is not a niche threat — in 2026, it is one of the most common attack vectors precisely because it works. Text messages bypass our email‑trained skepticism and arrive with a sense of urgency that triggers immediate action. The defence is simple: never click links in unexpected text messages, verify through official channels, and report smishing to 7726.
