📱 Smishing (SMS Phishing): How to Spot Text Message Scams in 2026
Smishing (SMS Phishing): How to Spot Text Message Scams in 2026
Text message phishing — smishing — is the fastest-growing attack vector in cybersecurity. Unlike email phishing, which has decades of user awareness behind it, SMS attacks exploit our instinctive trust in text messages. The 2026 Proofpoint State of the Phish report found that 78% of mobile users opened smishing messages within the first hour of receipt.
Common Smishing Templates in 2026
Delivery Notification Scams
"Your package is awaiting delivery confirmation. Tap here to reschedule: [malicious link]" — This remains the single most common smishing template. Attackers impersonate Royal Mail, USPS, DHL, FedEx, and Amazon. The message creates urgency around a missed delivery and directs you to a page that asks for payment for redelivery or personal information.
Bank Alert Scams
Fake bank security alerts are the second most effective smishing type. "HSBC Alert: Unusual login detected from [location]. If this wasn't you, secure your account: [link]." The landing page mimics the bank's login screen and captures credentials in real-time. Some advanced variants also prompt for MFA codes, enabling the attacker to immediately use the stolen credentials with the intercepted OTP.
Government Impersonation
HMRC, the IRS, and DVLA are frequently impersonated. "HMRC: You are entitled to a £387 tax refund. Complete your claim: [link]." These exploit authority bias and financial incentive simultaneously. The UK's National Cyber Security Centre reported that HMRC-themed smishing doubled in Q1 2026 alone.
How to Protect Yourself
- Never tap links in unexpected texts — verify through the official app or website directly
- Report to 7726 — most UK and US carriers route reports to their security teams
- Enable SMS filtering — iOS has built-in SMS filtering; Android users should enable Google Play Protect
- Use a number verification service — check known scam databases before engaging