“Cybercrimes are increasingly penetrating society, targeting even vulnerable senior citizens. Awareness must be created to educate society about the emerging threats,” – MA Saleem Director-General & Inspector-General of Police of Karnataka
One of the fastest-growing cyber threats in India today is a scam that starts with something as simple as a text message. You get an SMS saying your bank account will be blocked unless you update your KYC. Or a message offering you a refund, a cashback, or even a parcel tracking link. It looks official—but it’s fake.
This kind of scam is called smishing—the SMS version of phishing. Instead of emails, fraudsters now use text messages to trick you into clicking a link or sharing personal details. And because mass texting is cheap and people rely heavily on their phones, smishing attacks are spreading faster than ever.
Continue reading this blog to learn how smishing works, the most common types of smishing to watch out for, and simple ways to protect yourself from these scams.
What Is a Smishing Attack?
A smishing attack is a scam where fraudsters send fake SMS messages to trick you into taking harmful actions. Smishing stands for “SMS phishing” and is a type of attack done over text messages.
These messages often look like they’re from your bank, a delivery service, or a government body. It may contain a link asking you to “verify” your KYC, claim a refund, or track a parcel. But the moment you click, you’re either redirected to a fake website, unknowingly download malware, or end up sharing sensitive information like card details or OTPs.
Smishing works by creating a sense of urgency or fear, so you respond quickly without thinking.
How Smishing Works?
Smishing attacks work by making you believe the message is from a trusted source. Attackers often spoof names of banks, government bodies, delivery partners, or payment platforms to create a sense of urgency or authority.
Here’s how these scams usually work:
- Fake links for KYC or account updates: You might receive a message asking you to “verify your KYC” or “update bank details” through a suspicious link. These links lead to fake websites that look real and steal your information once you enter it.
- OTP requests from fake officials: Some messages are followed by a call or another SMS from someone pretending to be a bank representative. They’ll say your account is under threat and ask for an OTP to “prevent suspension.”
- Spoofed sender names: The SMS may show up as if it’s from “RBI,” “UIDAI,” “SBI,” or even “Customs.” These names make the message look official, especially when the text says there’s a problem with your Aadhaar or a parcel held at customs.
Common Types of Smishing Attacks
| Type | Example SMS Message |
| Bank/KYC Scam | “Dear customer, your bank KYC will expire in 24 hours. Update now: kycupdate-sbi.in” |
| Delivery Scam | “Blue Dart: Your package is held due to unpaid customs fee. Pay ₹25 to release: bluedarttrack.in” |
| OTP Theft | “You’ve received ₹22,450 from Abhishek Sharma. Please share the OTP to receive the money.” |
| Survey/Job Scam | “Part-time job alert! Earn ₹1,500/day by filling surveys. Limited seats: workfast-india.link” |
| Government/Police Impersonation | “RBI Alert: Suspicious activity found in your account. Click to verify identity: rbi-verification.in” |
Smishing vs Phishing: What’s the Difference?
Smishing and phishing are two sides of the same coin. Both are scams where fraudsters pretend to be someone trustworthy to steal your information. The only real difference lies in how they reach you.
Here’s how smishing and phishing compare:
| Smishing | Phishing |
| Sent as SMS to your phone | Sent through email or hosted on fake websites |
| Uses your phone number as the main contact point | Targets your email address or online activity |
| Often includes tiny, suspicious-looking links | Typically includes fake pages that look professional |
| Messages sound urgent or threatening | Wording is usually more formal and detailed |
Real-Life Examples of Smishing in India
1. Farmer Loses Over ₹8 Lakh After Son Clicks on Fake KYC Link
Pawan Kumar Soni, a 55-year-old farmer from Rajasthan, faced a big loss when over ₹8 lakh disappeared from his bank account.
His son, Harsh Vardhan, received a message on his phone that said, “Your bank account is blocked. Please update your KYC.” The message looked real, just like the ones banks usually send. Harsh didn’t know it was fake. He clicked the link in the message. Right after that, a fake bank app got downloaded on his phone. The app looked just like the real SBI app, so he didn’t doubt it.
As soon as he entered details, the scammers started stealing money from the father’s account—bit by bit, through many small transactions.
Luckily, the family acted quickly. They contacted the bank and the cyber police, who helped trace the fraud. In the end, they were able to recover the lost money.
2. India Post Delivery Scam Targets Mobile Users Across India
Recently, cyber experts found a scam where people in India received fake messages pretending to be from India Post. The message said that a parcel was waiting to be delivered and asked the person to click a link to confirm or pay a small fee.
The message looked real, and the website link also seemed similar to the official India Post site. But once someone clicked the link, they were taken to a fake website. That site asked them to enter personal details like name, address, card number, or even bank login info.
Many people trusted the message and shared their details. The scammers behind this used that information to steal money or run more scams later.
This scam was planned by a group called the Smishing Triad, known for sending fake messages to people in many countries.
How to Identify a Smishing Attempt?
Here are some common signs that an SMS could be a smishing attempt:
Messages from unknown or masked numbers:
Scammers often use random phone numbers or hide behind names like “BANK-ALERT” or “UPI-HELP” to appear official. If you receive a message from a name or number you don’t recognise, be cautious—especially if it’s asking you to act quickly.
Shortened or suspicious-looking links:
Most smishing texts include links, but instead of showing full URLs, they often use shortened ones like bit.ly, tinyurl.com, or random combinations. These hide the actual website you’re being sent to. If you don’t know where the link will take you, don’t click.
Urgent or threatening language:
Words like “last warning,” “your account will be suspended,” or “update KYC immediately” are meant to scare you into acting fast. Real banks and companies don’t usually threaten you via SMS—this kind of pressure is a major red flag.
Poor spelling or grammar:
Many smishing messages are written in a hurry or by non-professionals. Look out for sentences that sound odd, are full of typos, or use inconsistent capitalisation. A legitimate bank message is unlikely to have obvious writing errors.
Requests for personal details or OTPs:
No genuine bank, government department, or service provider will ask for your PIN, password, or OTP over SMS. If a message is asking for sensitive information, it’s almost certainly a scam.
How to Protect Yourself from Smishing?
Tips for Users
- Avoid clicking on links in random messages: If you receive an SMS with a link you weren’t expecting—especially about KYC, refunds, or deliveries—don’t click. Visit the official website or app directly instead.
- Never share OTPs, passwords, or account info: No bank or government body will ever ask for sensitive details like OTPs or PINs through SMS. If you get such a request, ignore and report it.
- Always verify through official sources: If a message looks suspicious, log in to your bank’s official app or call customer care using the number on their website. Don’t rely on numbers or links in the message itself.
- Use spam filters or SMS protection apps: Apps like Truecaller, Norton, or even built-in spam filters on your phone can help flag or block suspicious messages automatically.
- Report spam to TRAI: If you receive a suspicious message, you can report it by either calling or sending an SMS to 1909. To report by SMS, copy the message, note the sender’s number, and send it in this format:
‘SMS Content, Sender Number, dd/mm/yy’ to 1909.
If you prefer to call, keep the same details ready and share them when asked.
Tips for Businesses
- Use verified sender IDs: Sending messages from proper headers like “HDFCBK” or “ICICIBNK” helps users trust your communication—and reduces confusion caused by fake texts.
- Educate your customers: Make it a practice to inform users that you’ll never ask for OTPs or account details via SMS. Add safety reminders to your messages or apps.
- Secure your messaging systems: Make sure your SMS gateway is protected and can’t be spoofed. Monitor for any misuse of your brand name in bulk SMS campaigns.
What to Do If You’ve Been Targeted or Scammed?
- Stop all communication immediately: Don’t reply to the message, click any links, or share any further information. Scammers often try to keep the conversation going to pressure you into giving more details.
- Block the sender’s number: Use your phone’s built-in features or a trusted spam protection app to block the number. This helps prevent further messages from the same source.
- Contact your bank right away: If you’ve shared any personal or banking details, call your bank’s official helpline immediately. Ask them to freeze transactions or monitor your account for unusual activity.
- Report the incident on the Cybercrime Portal: Visit https://cybercrime.gov.in to file a report with the National Cyber Crime Reporting Portal. This helps authorities track and act against such scams.
- Inform your mobile service provider: If you think the scammer used a spoofed number that looks like it came from a genuine sender (like your bank), report it to your telecom operator. They may be able to investigate or block such numbers.
Conclusion
Smishing is one of the simplest yet most dangerous scams today. It targets millions across India using convincing SMS messages that are easy to fall for—especially when they create a sense of urgency.
Before tapping on any link or replying to a message, take a moment to verify. A quick check through your bank’s app or official website can save you from serious loss.
Stay alert, and don’t keep this information to yourself. Talk to your family, especially those who may not be tech-savvy, and encourage them to be cautious with SMS messages. If you come across a suspicious message, report it—it helps protect others too.
Being educated and informed is the strongest way to stay ahead of smishing scams.
FAQs
Q1. What does smishing stand for?
Smishing stands for SMS phishing. It’s a type of scam where fraudsters use fake text messages to trick you into sharing personal information.
Q2. How is smishing different from phishing?
Smishing is done through SMS, while phishing usually happens over email or fake websites.
Q3. Can smishing steal money directly?
Yes, if you share details like your OTP, UPI PIN, or account information in response to a smishing message, scammers can use it to steal money from your account.
Q4. What should I do if I accidentally clicked a smishing link?
Stop interacting with the site immediately. Don’t enter any information and contact your bank if you shared any details. Also, report the scam at cybercrime.gov.in.
Q5. Are smishing scams increasing in India?
Yes. With more people using mobile banking and digital payments, smishing scams are rising rapidly.
