Insight: What's smishing, why it works, and what to do about it
Smishing is phishing by text message. It's one of the most effective scams going, it's on the rise, and AI is making it worse. Here's how it works and how to protect yourself and your business.
What is smishing?
Smishing is a phishing attack delivered by text message. A fraudster sends a text pretending to be from an organisation you trust - your bank, a delivery company, HMRC, a streaming service. The message usually contains a link to a fake website designed to capture your login details, card numbers or personal information.
Sender ID spoofing makes these messages hard to spot. Criminals can make a text appear to come from a name you recognise, and in some cases it will land in the same thread as legitimate messages from your actual bank. The message looks like it belongs there. That's the point.
Why it works
Humans are pattern-matching animals. If you're expecting a delivery and a text arrives saying there's a problem with your parcel, you join the dots. The message fits the pattern of your week, so you act on it.
Confusion works just as well as familiarity. A text saying your payment was declined, or that there's a copyright issue with something you've posted, creates a moment of uncertainty. You want to resolve it. That urge to clear things up is exactly what the attacker is counting on. The same psychology drives most social engineering - the attack succeeds in the gap between "that's odd" and "I'd better sort this out."
And these attacks do work. Fraudulent texts are sent in enormous volumes because a small percentage of recipients click, and that's enough. Some phones now include junk filters, but they're imperfect in both directions - they block legitimate messages and let scams through. You can't rely on your phone to make the call for you.
Not every smishing text is after your money directly. Some are designed to gather information - your name, address, date of birth, who you bank with - to make a future fraud attempt more convincing. This is organised crime, and it's big business.
Why it's on the rise
Criminals go where the targets are, and everyone has a phone. Text messages get opened at far higher rates than email, and it's harder to inspect a link on a small screen than it is to hover over one on a desktop.
AI has raised the stakes. Attackers can now generate convincing, well-written messages at scale, tailored to current events and individual targets. The days of spotting a scam by its broken English are over. This isn't going away any time soon.
What to do about it
Treat every unexpected text with a link as suspect, no matter who it appears to be from. If a message asks you to act - pay something, confirm something, log in somewhere - don't use the link in the text. Go to the organisation directly. Call the number on the back of your bank card, or find the company's contact details yourself, ideally on another device.
Look at the URL before you tap anything. Fake sites use addresses that look close to the real thing but aren't. If you weren't expecting the message, that's reason enough to check.
Take a moment before parting with money or information. It's the thinking behind the Take Five to Stop Fraud campaign: stop, take a moment to think, and only then act. Urgency is the scammer's tool, not yours.
Report suspicious texts by forwarding them to 7726. It's free, and it helps your network provider identify and block the numbers behind these campaigns.
Protect your business
Smishing doesn't just hit individuals. One employee tapping one link can hand over credentials that open the door to your whole business - and for firms handling client money or sensitive data, the damage goes well beyond the immediate loss. Staff awareness, strong authentication and the right technical controls all reduce the risk.
If you'd like to talk through how well protected your business is against smishing and the wider range of threats facing London firms, contact us or call 020 3551 6262. A short, no-obligation conversation with James Ratcliff will show you where your gaps are before an attacker finds them first.
FAQ
What's the difference between smishing and phishing?
Phishing is the umbrella term for scams that trick you into handing over information, credentials or money. Smishing is phishing carried out by text message (SMS) rather than email. The tactics are the same; only the channel changes.
How do I report a smishing text in the UK?
Forward the suspicious text to 7726 - it's free - then delete it. This helps your network provider identify and block the numbers behind these campaigns. If you've already clicked a link or lost money, contact your bank straight away and report it to Action Fraud.
How can I tell if a text message is a scam?
Treat any unexpected text containing a link as suspect, whoever it appears to be from. The warning signs are a sense of urgency, a request to pay or confirm something, and a web address that looks almost - but not quite - right. When in doubt, don't use the link. Contact the organisation directly using details you find yourself, ideally on another device.
Can a smishing text really put my whole business at risk?
Yes. If one employee taps a malicious link and enters their credentials, an attacker can gain a foothold in your business systems and data. For firms handling client money or sensitive information, the impact can reach well beyond the initial loss. Staff awareness, strong authentication and the right technical controls all reduce that risk.

