Smishing 101: When Scammers Text Instead of Email

Smishing 101: When Scammers Text Instead of Email

You've probably heard of phishing — those dodgy emails pretending to be your bank. But what about when the dodgy message comes via text? That's called smishing (SMS + phishing, because cybersecurity people love a portmanteau), and it's absolutely exploding in Australia.

The ACCC's Scamwatch received hundreds of thousands of scam text reports last year, and Australians lost over $2.9 billion to scams in a single year. A significant chunk of that came through your phone's message app.

Here's what you need to know.

What is smishing?

Smishing is when scammers send you an SMS designed to look like it came from a trusted source — your bank, the ATO, Australia Post, Medicare, Centrelink, or even a delivery company. The message usually contains a link or asks you to call a number.

The goal is the same as email phishing: get you to hand over personal information, login credentials, or money.

Why is smishing so effective?

A few reasons:

1. We trust texts more than emails. Most of us have learnt to be wary of dodgy emails. Texts feel more personal, more immediate, and historically more legitimate.

1. We read texts fast. The average text message is read within 3 minutes. That's not a lot of time to think critically before tapping a link.

1. Scammers can spoof sender names. In Australia, scammers have been able to inject fake messages into legitimate SMS threads — meaning a fake bank message can appear in the same thread as real messages from your actual bank. That's terrifying.

1. Small screens hide red flags. On a mobile, you can't easily hover over a link to see where it goes. URLs are truncated. It's genuinely harder to spot the warning signs.

The most common smishing scams in Australia right now:

• "Your parcel couldn't be delivered" — A fake Australia Post or courier message asking you to click a link and pay a small redelivery fee. You pay. Your card details are stolen.
• "Suspicious activity on your account" — A fake bank message directing you to a spoofed login page.
• "You have a tax refund" — A fake ATO message asking you to click to claim your refund.
• "You've been in contact with a COVID-19 case" — Older but still circulating, fake health department texts asking for personal details.
• "Your Medicare rebate is ready" — Fake Services Australia messages asking you to verify your details.

How to protect yourself:

• Don't click links in text messages. If a text says your parcel couldn't be delivered, open the actual Australia Post or courier app instead.
• Call to verify. If your bank texts about suspicious activity, hang up and call them using the number on the back of your card.
• Check the number. Scammers can spoof names, but sometimes the sending number is a random overseas mobile. Be suspicious.
• Register for SMS blocking. Ask your telco about scam SMS filtering options.
• Report it. Forward scam texts to 7226 (SCAM) — this is the Australian Communications and Media Authority's reporting number.

The business angle

As a business owner, smishing doesn't just threaten you personally — it threatens your staff. A team member who clicks a fake "your account is suspended" text on their work phone and enters their Microsoft 365 login details? That's your entire business's email and files potentially compromised.

Staff training is cheap. A data breach is not.

Test your scam-spotting skills for free

Think you'd spot a smishing attempt immediately? Phishbate's Scam Scenarios module tests your ability to separate the real from the fake — including SMS-based scams.

Try it free at Phishbate →