Smishing: SMS scams and how to spot them in time
Smishing uses fake texts from the post office, your bank or the tax authority to steal your data and money. Learn to recognise the signs and protect yourself.

Smishing is one of the fastest-growing digital scams in Spain, precisely because a text message seems harmless and we open it almost out of reflex. Behind a brief, seemingly urgent message lies an attempt to steal your banking credentials, your personal data or your money. Understanding how it works and learning to spot it in time is your best defence.
What is smishing
The term "smishing" comes from the combination of "SMS" and "phishing". It is a fraud technique in which the attacker sends you a text message pretending to be a trusted company or organisation —your bank, a parcel delivery firm, the tax authority— with a single goal: to get you to tap a link, enter your details on a fake website or install a malicious app on your phone.
Unlike email, an SMS conveys a sense of immediacy and closeness. Many people trust a text message more than an email, and scammers know it. On top of that, small screens make it hard to see a link's full address, which plays into the fraud's hands.
Common smishing examples
Smishing campaigns tend to repeat the same patterns because they work. These are the most common ones in Spain:
The held parcel
Probably the most widespread. You receive an SMS saying something like: "Your parcel is being held at customs. Pay €1.99 to arrange delivery" or "Correos: we were unable to deliver your shipment, confirm your address here". The link leads to a website identical to that of Correos, SEUR or a courier company, where they ask for your personal details and, above all, your card details to pay a supposedly trivial fee. That small amount is the bait: what they really want is your card details.
The fake bank alert
Messages warning of a "suspicious transaction", a "security block on your account" or the need to "verify your identity". The link leads to a replica of your bank's website. The most dangerous part is that these texts often appear in the same conversation thread as the legitimate messages from your bank, because the criminals spoof the sender (a technique called SMS spoofing).
The fine or penalty
"You have an outstanding traffic fine" or "Notice from the DGT, pay before today to avoid surcharges". They exploit the fear of a penalty and the deadline to push you into acting without thinking.
The tax office and the refund
Especially active during the income-tax season. Texts promising a "pending refund from the tax authority" and asking for your bank details to "deposit the amount". The tax authority does not announce refunds or request data by SMS with links.
Warning signs that give a fraud away
Although each campaign changes the wording, almost all of them share clues you can learn to spot:
- Shortened links or odd domains. Addresses such as
bit.ly,t.ly, or domains that imitate the original with small variations (correos-envio.info,seur-entrega.com,aeat-devolucion.net). Official bodies use their own, verifiable domains. - A sense of urgency. "Final hours", "your account will be blocked today", "pay before 23:59". Haste is the scammer's favourite psychological weapon: it aims to make you react before you reason.
- Spelling mistakes and odd phrasing. Missing accents, badly constructed sentences, machine translations. They don't always appear, but when they do, they are a clear giveaway.
- Requests for sensitive data. No bank, public body or reputable parcel company will ask you by SMS for your PIN, your full password, your card's CVV or your access keys.
- Small amounts "to process". That token fee of one or two euros exists only to get you to enter your card details.
- A suspicious sender. Long, international or alphanumeric numbers that don't match the organisation's usual communications.
Why you should never tap links or install apps from an SMS
The golden rule is simple: don't tap links that arrive by SMS and don't install apps that a message invites you to download.
Tapping a link can land you on a fraudulent website designed to capture your credentials the moment you type them. And downloading an app from an SMS link —outside the official stores— can install malware that reads your messages, intercepts your bank's verification codes or takes control of the device. Some smishing campaigns distribute banking trojans in exactly this way.
If a message claims to be from your bank or from Correos, don't use the link: open the official app yourself or type the web address by hand into the browser. That ten-second difference is what separates being protected from handing over your data.
Filtering suspicious SMS
Today's phones come with tools that help. On Android and iOS you can enable filtering of messages from unknown senders, which moves them to a separate inbox. You can also mark an SMS as spam or junk and, on many handsets, block the sender. These features are not foolproof against spoofed senders, but they cut down the noise and help you avoid opening out of habit what you shouldn't. It's worth reviewing your messaging app's settings and keeping them switched on.
What to do
If you receive an SMS that fits these patterns, act calmly:
- Don't tap the link or download anything. This is the most important step.
- Don't reply to the message. Replying confirms that your number is active.
- Check for yourself. Go to your bank's official app or to the Correos website by typing the address yourself. If in doubt, call the helpline listed on their official website, never the one shown in the SMS. Also learn what to do about a suspicious call.
- Delete the message after marking it as spam.
- If you have tapped the link or entered any data, contact your bank immediately to block the card, change the affected passwords and keep an eye on your transactions.
- Ask for free help. Spain's INCIBE provides the cybersecurity helpline 017, where they will advise you free of charge if you think you have fallen victim to a fraud.
Remember that smishing rarely travels alone: it is often combined with fraudulent calls. If someone calls you pretending to be your bank to "confirm" the SMS, you are dealing with a case of vishing. Keeping a healthy distrust of unsolicited messages and calls is the best protection.
Protect your phone against calls too
The same networks that send out fraudulent texts are often behind spam-call campaigns. That's why it pays to know how to block spam calls and to check the spam number directory whenever you receive a suspicious communication.
Look it up and report it on NoCall
If you have doubts about a number that has sent you an SMS or called you afterwards, search for it on NoCall: other users' experience can confirm at a glance whether it's a known fraud. And if you were the target, report it to warn the community. Start with our spam number directory and help us stop the scammers together.
Received a suspicious call?
Look up the number in NoCall before sharing data, calling back, or clicking any link.
Search a phone number or a company name (Telstra, Telstra and Optus...) to check if it has been reported as spam.
