Part of cyber safety is recognizing an attack when you see one, so part of staying safe from smishing is taking some time to look at a smishing example. Recognizing a real-world message as smishing because you have seen a similar example before is a fast path to staying safe. Just as email got more dangerous when phishing became commonplace, text messaging got more dangerous when smishing became a thing.

In this post, we’ll explore what smishing is, and what to look out for to keep your information safe.  Feel free to also explore our more detailed post on this topic, where we look at 7 Suspicious Signs of Danger when you are evaluating the safety of a text message.

What is Smishing?

Phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” Smishing, therefore, is the same fraudulent practice with the same attempted goal, but done over text message, or SMS (short message service).

We know that smishing is on the rise for many reasons. Anecdotally, our clients tell us about smishing attacks that they’ve experienced. Statistically, we know from Google Trends data (searches for “Smishing Example”) that there is heightened interest and concern as well:

Smishing is significantly less common than phishing (for now?), per Google Trends data.

And that’s exactly why you should be concerned: most of us are far more attuned to identifying a fraudulent phishing email than we are to identifying a smishing attack. Now is the time to change that, by looking at smishing examples to develop the pattern recognition you need to know when a message seems unsafe.

What Does a Smishing Attack Put at Risk?

Simply put: your personal data and information. Your company’s data is at risk too, as your phone likely stores sensitive company info as well. In many circumstances, smishermen will use the stolen data to make a profit, for example by luring you to log in to a fake version of your banking website so they can access your financial accounts. Other smishing attacks attempt to get you to disclose confidential information or credentials for non-financial purposes. Whatever the smisherman is attempting, the most common mechanisms used in a smishing message are as follows:

  • Malware Clickthrough: A smishing attack will prompt you to download a seemingly legitimate app, which could open your information (personal and company) up to the attackers.
  • Link to a Fake Site: Clicking on a link may take you to a fake site, encouraging you to input personal information.

Smishing Example: Here are a Few to Look Out For

Common smishing examples include bank notifications, package updates, act-now coupons and urgent warnings. If you receive any of these from unknown numbers, be suspicious, especially for financial texts. Call your bank or credit card company if you have any doubt.

There’s no fancy research we pulled to get these images—I just looked through my phone and asked colleagues to do the same. Here’s what we pulled:

This smishing example masquerades as a package tracking update. Aside from my colleague not being named Emily, this is formatted like most SMS tracking updates, making it all the more dangerous. Here’s a tip: Look at the URL. If it doesn’t look legitimate, don’t take a chance.

Once again—look at the URL. If this was truly a Whole Foods Market event, the URL would have “WholeFoods” in it.

When the subject line is full of random letters, it is a smishing attack. Don’t call these numbers.

Legitimate text messages should be formatted correctly, not look like an odd email with poor grammar.
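
The “look at the URL” tip above, as an added example (not code from the original post): it pulls each link out of a text and compares its hostname with the domains you already know belong to the sender, because the brand name appearing somewhere in a URL does not by itself make the link official. The brand `parcelco`, its domain, and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains you already know belong to each sender (placeholder names).
OFFICIAL_DOMAINS = {"parcelco": {"parcelco.example"}}

OFFICIAL = "matches official domain"
LOOKALIKE = "brand name in URL, but not the official domain"
UNRELATED = "unrelated domain"

# Link-like tokens: optional scheme, dotted hostname, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def extract_hosts(sms):
    """Return the lower-cased hostname of every link-like token in the text."""
    hosts = []
    for match in URL_RE.finditer(sms):
        token = match.group(0)
        if not token.lower().startswith(("http://", "https://")):
            token = "http://" + token  # urlsplit needs a scheme to find the host
        host = urlsplit(token).hostname
        if host:
            hosts.append(host)
    return hosts

def check_sms(sms, claimed_brand):
    """Classify each link by comparing its host with the brand's known domains."""
    official = OFFICIAL_DOMAINS.get(claimed_brand, set())
    results = []
    for host in extract_hosts(sms):
        if any(host == d or host.endswith("." + d) for d in official):
            verdict = OFFICIAL
        elif claimed_brand in host.replace("-", ""):
            verdict = LOOKALIKE
        else:
            verdict = UNRELATED
        results.append((host, verdict))
    return results

# Constructed sample messages, not taken from the screenshots in the post.
SAMPLES = [
    "ParcelCo: Emily, your package is out for delivery. Track: https://track.parcelco.example/p/123",
    "ParcelCo: Emily, we found a package owed to you. Claim: http://parcelco.example.track-info.example/x9",
    "ParcelCo: delivery issue, confirm here: c7vk.example/ab",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(check_sms(sms, "parcelco"))
```

Only the first sample is classified as official; the second contains the brand name but the link actually belongs to a different domain.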



Here’s a quick list of what to do if you receive a smishing text:

  1. Don’t click the link. Don’t call the number.
  2. Seriously. Don’t click the link. Don’t call the number.
  3. If you’re unsure if it’s an attack, look up the sending number online to check its legitimacy.
  4. Don’t respond to the SMS.
  5. Report the attack to the FCC to try to protect others.
  6. Block the number on your phone.
  7. Delete the text so you don’t accidentally open the link later.
  8. Once more for good luck: Don’t click the link. Don’t call the number.

Good luck out there—keep your data and your company information protected from smishing attacks!

If you’d like to learn more about how to protect your company’s data, try Havoc Shield’s free trial.