6 tips to help avoid smishing scams

January 16, 2026 | 5 minute read

Key takeaways

  • Smishing is phishing delivered by text — known as short message service (SMS) — to mobile phones and messaging applications.
  • A phish is any type of electronic communication that aims to steal personal or proprietary information for fraudulent purposes.
  • Be wary of responding to text messages from an unknown sender, especially if the message includes a link, asks for money or sounds urgent.

Smishing is a fast-growing version of one of the internet’s oldest and most successful scams. Like any other type of phishing, smishing aims to trick you into handing over sensitive data and information. Instead of using email, cybercriminals send their messages via text or short message service (SMS). Smishing attempts are typically sent to mobile phone users as standard texts, but they can also be sent via popular messaging apps.

 

Smishing is a form of social engineering where scammers exploit emotions like fear, sympathy, curiosity or greed to incentivize individuals to divulge personal or business information. They do this by sending fraudulent texts to your phone, purporting to be from a trustworthy source like a delivery service, utility company, bank or government agency. The information they seek could include usernames, passwords, credit card numbers, bank account numbers, vendor names or other proprietary data. Cybercriminals then sell that data on the black market or use it to commit identity theft, empty bank accounts or redirect payments to themselves.

In 2024, consumers reported losing $470 million to scams that started with text messages.1

Email phishing remains one of the most dangerous channels for organizational cyberattacks, but smishing is still appealing to cybercriminals.2  Criminals use compromised phone numbers and spoofed or hacked accounts on popular messaging platforms to fake their identities. Smishing messages often contain links that take users to a website that may look legitimate, but the site is designed to steal usernames, passwords and other data. Some messages can even contain links or attachments that secretly install malware on victims’ mobile devices.

Common smishing scams

Making false promises

Criminals employ a wide variety of smishing tactics to convince people to part with personal data and money. They may make false promises of:

 

  • Gift cards, prize money, or other winnings
  • Low-interest or no-interest credit cards
  • Coupons and other discounts
  • Student loan debt forgiveness

 

Posing as legitimate companies

Smishing attempts may allege to be from legitimate companies with questions about your account or transaction. They may:

 

  • Claim to be a customer service representative needing to verify account information
  • Want to discuss a recent suspicious charge or problem with your payment
  • Send a fake invoice and ask you to contact them if you didn’t authorize the purchase
  • Pretend to be a package delivery notification or tracker
  • Claim to be from one of several legitimate toll payment companies

 

Preying on charity

Smishing criminals may even prey upon your charitable impulses by:

 

  • Requesting donations after a natural disaster or other catastrophic event, such as hurricane or wildfire relief
  • Posing as people you may know, such as a community organizer or politician, who would collect monetary contributions   

 

6 ways to protect against smishing

  • Don’t click hyperlinks in texts from suspicious or unknown numbers. This is doubly true if the link is an abbreviated URL. When used in SMS messages, shortened URLs are often an indicator that cybercriminals are trying to mask overtly fake URLs.
  • Be wary if urged to pay or give out sensitive information. Pause and verify to see if the source is legitimate and trustworthy.
  • Never respond to texts from unknown or suspicious numbers – even to tell them to stop. Doing so will let scammers know your number is active, and you could be added to spam lists and harassed further.
  • Always keep your phone’s operating system up to date to protect against malware hidden in smishing links.
  • Pay attention to social engineering red flags, such as urgent messages or get-rich-quick schemes. If it seems too good to be true, it probably is.
  • Don’t trust texts asking for personal information, even if they claim to come from real organizations. Remember that government agencies and legitimate companies — including Bank of America — will never text you asking for account details. If there’s any doubt, contact that person or organization through another trusted channel.

1 “New FTC data show top text message scams of 2024; overall losses to text scams hit $470 million.” Federal Trade Commission, April 16, 2025.

2 “Email phishing is still the main way in for hackers: report.” CSO, Aug. 15, 2023.

Back to Homepage

Explore more

Imposter scams are on the rise: Here’s how to manage the risks

As criminals impersonate trusted figures and set up fraudulent websites, education is the best defense.

5-minute read

Proving identity and protecting credentials in a work-from-anywhere world

Many businesses continue to rely on outdated verification and access management models that leave their networks exposed — a situation only exacerbated by remote work. Here’s how to keep credentials safe.

9-minute read

Important Disclosures and Information

Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.

 

Not all materials on the Center for Business Empowerment will be available in Spanish.

 

Certain links may direct you away from Bank of America to unaffiliated sites. Bank of America has not been involved in the preparation of the content supplied at unaffiliated sites and does not guarantee or assume any responsibility for their content. When you visit these sites, you are agreeing to all of their terms of use, including their privacy and security policies.

 

Credit cards, credit lines and loans are subject to credit approval and creditworthiness. Some restrictions may apply.

 

Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S” or “Merrill”) makes available certain investment products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“BofA Corp.”). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC, and a wholly owned subsidiary of BofA Corp.

 

Banking products are provided by Bank of America, N.A., and affiliated banks, Members FDIC, and wholly owned subsidiaries of BofA Corp.

 

“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets division of Bank of America Corporation. Lending, derivatives, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA.

 

Investment products:

Are Not FDIC Insured Are Not Bank Guaranteed May Lose Value