What is Smishing?

Fraud Alerts
You may have heard of phishing, the act of trying to obtain an individual or organization’s personal information under false pretenses typically through emails or phone calls. However, criminals are also using a method called smishing where they attempt to obtain your personal information through SMS or text messages. In recent months, smishing attempts have been on the rise and those that appear to come from financial institutions are becoming a more prevalent method. 

Smishing: Using Text Messages to Obtain Your Information

Smishing occurs when criminals send text messages that appear to be from reputable companies, including financial institutions, to entice you to reveal your personal information, such as passwords or credit card numbers through fraudulent websites. Some of the most common tactics include: 

Financial Institutions Smishing 

These attacks are masked as notifications from your bank or other financial institution. If you use a bank or credit card service, you are susceptible to generic and bank-specific messages. In these attacks, the criminal poses as your bank or another financial institution and sends you an urgent request for information to unlock your account, verify suspicious account activity, or both. 

Gift or Prize Winning Smishing

This kind of smishing is exactly what it sounds like. Suppose you receive an unexpected text message that offers you a cash prize or gift card when you visit a website. In that case, it is likely an attempt to obtain your information or send you to a fraudulent website that will download malware onto your phone or computer. Often, people fall victim to this scam because they are excited about possibly winning the prize, but the prize is for the criminal. 

Delivery Notification Smishing 

Have you received a text message from the post office, UPS, or another popular carrier asking you to verify a package delivery? If so, it's more than likely a smishing attempt. You are advised not to click on links in these messages and, instead, to block the number that sent the message. If you expect a package, contact the company by phone to inquire about the text message.

Invoice or Order Confirmation Smishing

This is a type of smishing attack where a text message is sent asking you to verify an order or billing invoice for a service. The message may include a link to manipulate you into providing account information. Look for clues like an odd phone number or the absence of a business name. When in doubt, visit the provider's website and find a phone number that you can call to verify the text message.

Typically, these text messages appear to be so real that you instinctively click on a link that takes you to a fraudulent website where you give away personal information, and, in some cases, once you click the link malware is downloaded onto your phone, and information can be extracted automatically. When you receive messages like this, some clues can help you to determine if it's fraudulent right away such as: 

  • The link includes misspelled words.  
  • Odd paraphrasing may be included. 
  • The text comes from an institution where you don't have any accounts. 
  • You receive a phone call almost immediately after clicking on the link from the company asking for personal information. 

What to Do if You Think You've Fallen for a Smishing Scam

  • Contact the company that appeared to have sent you the text message directly, but do not use any contact information in the fraudulent text. Locate a phone number on the back of your credit or debit card. Or visit the company's website directly and look for a service phone number. As TowneBank members, you can always contact your banker directly. 
  • Block the Spam Number. Your mobile device can block phone numbers, and if you're unsure how to do this, contact your wireless carrier to ask for assistance. As a note, criminals can make a phone number appear as if it's from your area code, so even if the phone number appears to be local, it probably isn't. 
  • Be sure to set up transaction alerts for your accounts. TowneBank offers card alerts through Card Control. You can also set up notifications within online banking* to receive text messages or emails when your account falls below a certain threshold or when charges are made using your debit card. 

What to Avoid When You Receive Smishing Messages

  • Don't respond to the text message. Responding to these messages only verifies your phone number to the fraudsters and can aid them in obtaining your personal information. As a note, TowneBank will never send you a text message that sends you to a website to verify your personal or login information. TowneBank will also never send you a text message asking you to respond to verify your personal information. 
  • Don't click on links in text messages. Links are often used to send you to a website that will download malware onto your device. This malware includes keyloggers, software that tracks everything you type into your phone so criminals can obtain your passwords. If you think you have clicked on a malicious link by mistake, consider installing an antivirus app on your phone. 

What does TowneBank do when Smishing Attempts are Reported?

If you believe you've received a fraudulent text message from TowneBank, please get in touch with your banker to report the message. Our security team uses services to report the phone numbers that send the text messages to have them taken down by the Federal Communications Commission (FCC). We take these attacks very seriously, and your security is our priority. Your banker can also help you to set up alerts on your accounts and if need be, change your account information.


*Your mobile carrier's web access and text messaging charges may apply.

The information provided is not intended to be legal, tax, or financial advice or recommendations for any specific individual, business, or circumstance. TowneBank cannot guarantee that it is accurate, up to date, or appropriate for your situation. Financial calculators are provided for illustrative purposes only. You are encouraged to consult with a qualified attorney or financial advisor to understand how the law applies to your particular circumstances or for financial information specific to your personal or business situation.


  • Look for clues such as the absence of a company name in the message, a phone number that isn't familiar, or even misspellings in the message itself. When in doubt, don't click on any links in the text message. Navigate to the company's website and find a phone number on the website to contact directly. You are also advised to block the phone number so you don't receive additional messages.
  • The best way to protect yourself is to be vigilant. If you receive an SMS notification that you aren't expecting or from a company you don't know, don't open it and block the number. If the SMS message appears to be from a trusted institution, don't click on any links in the message. When in doubt, visit the company's website directly (not using any URLs that are included in the message) and call the company to verify the legitimacy of the message.
  • If you have received a text message that you believe is fraudulent and it appears to have come from TowneBank, please contact your nearest banking location. Our security team reports the phone numbers these messages come from to a service that works with a federal government body to take the phone numbers offline.
  • Often, phone numbers are collected through phishing emails and websites. In some cases, when there has been a data breach, lists of phone numbers are sold to criminals. Criminals may also call you through 800 numbers and upon answering the call, you have verified your phone number as one that is a potential opportunity to contact for a smishing attempt.
  • Smishing is a type of fraud where criminals send you a fake text message that appears to come from a reputable company. Often, these messages include requests for actions to get you to click on a link that sends you to a fraudulent website where you may download malicious software to your device or provide personal information.
Back to Top