1. Smishing, vishing — phishing goes phone
Smishing is phishing by SMS. Vishing is phishing by voice call. Both bypass the spam filters and corporate email gateways you rely on, and land directly on the most personal device you own. The format is different but the goal is identical: get you to click a link, read a code, or say a password.
+300%: growth in reported smishing between 2020 and 2024
98%: SMS open rate vs ~20% for email
30s: median time before someone taps a smishing link
2. Classic smishing scenarios
Failed package delivery
"Your parcel could not be delivered. Pay a €1.99 customs fee here: hxxps://deliv-fr[.]top/1234". The €1.99 is bait to collect your card.
Fake bank alert
"Unusual transaction of €899 — if this wasn't you, call 01 23 45 67 89". The number routes to the attacker who then requests your 3-D Secure code.
Tax refund
"You are eligible for a €238 refund, claim it here before it expires". Governments never text you a refund link.
3. Classic vishing scenarios
"Microsoft technical support"
A voice with a heavy accent tells you your PC has a virus and walks you through installing remote access software.
Fake bank fraud team
Spoofed caller ID shows your real bank's number. The "agent" asks you to move funds to a "safe account" they control.
AI-cloned CEO
A voice identical to your boss asks you to authorise a confidential wire transfer. The clone is built from a 30-second clip.
Check a suspicious URL on mlab.sh
Received a shady link by SMS? Before tapping, extract it and run it through the mlab.sh IOC extractor and domain scanner.
4. Red flags & countermeasures
Unexpected urgency
Real companies do not demand payment or codes in under a minute by text or phone.
Short URLs and weird TLDs
bit.ly links and domains ending in .top / .xyz / .click in SMS are a strong signal.
Hang up and call back
The single best countermeasure to vishing: end the call and dial the number printed on your card — not the one that called you.
Never read a code out loud
A 2FA code is meant for a screen, not a phone line. If anyone asks for it verbally, it is always a scam.
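The URL red flags listed above (short links, .top / .xyz / .click domains) can be checked mechanically once the link is pulled out of the message. The sketch below is an added example, not mlab.sh's tool or code from this page: it extracts live or defanged URLs from SMS text and reports which of those flags apply. The function names, the sample messages and the shop.example.com and bit.ly/example-placeholder links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Signals named on this page; the sets are illustrative, not exhaustive.
SHORTENERS = {"bit.ly"}
SUSPECT_TLDS = {"top", "xyz", "click"}

# Matches live and defanged links (hxxp/hxxps scheme, "[.]" dots).
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL (never fetch it)."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def extract_urls(sms: str) -> list[str]:
    """Return every URL in the message, refanged, trailing punctuation removed."""
    return [refang(m.rstrip(".,;:!?)")) for m in URL_RE.findall(sms)]


def red_flags(url: str) -> list[str]:
    """List which of the page's URL red flags apply to one link."""
    host = (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    flags = []
    if host in SHORTENERS:
        flags.append("shortener")
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        flags.append("suspect-tld")
    return flags


def triage(sms: str) -> dict[str, list[str]]:
    """Map each extracted URL to its red flags."""
    return {u: red_flags(u) for u in extract_urls(sms)}


# Constructed sample messages; the first reuses the page's defanged example.
SAMPLES = [
    "Your parcel could not be delivered. Pay a fee here: hxxps://deliv-fr[.]top/1234",
    "Claim your refund: https://bit.ly/example-placeholder.",
    "Your order has shipped, track it at https://shop.example.com/orders/42",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms))
```

An empty flag list only means none of these two checks fired; it does not mean the link is safe.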
Smishing & vishing FAQ
Can caller ID be trusted?
No. Spoofing the number shown on your phone is cheap and trivial. Treat caller ID as decoration, not proof.
What do I do with a smishing text?
Forward it to your country's abuse number (7726 in most of Europe and the US) and delete it. Do not reply.
Are iPhones safer than Androids for smishing?
The attack works on both equally. The only real protection is your habits.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/smishing-vishing
Module: Smishing and vishing explained — Phishing & Social Engineering
Disclaimer: This content is for awareness purposes only.