    Beginner · Lesson 2 of 9 · Phishing & social-engineering e-mail

    Smishing in 2026 — SMS Phishing Attacks and How to Stop Them

    Smishing is phishing delivered by SMS or mobile messaging. In 2026 the four dominant pretexts are package-delivery scams, bank-fraud alerts, tax-refund or fine notices, and corporate IT-helpdesk lures. SMS bypasses the email security stack entirely and arrives on a device employees trust more than their laptop.

    Reviewed by the HackersHub team — updated 13 May 2026 · 7 min read · Free to use — CC-BY-ND 4.0

    The scenario

    A senior engineer at a Dutch fintech receives an SMS on a Thursday at 17:48: 'PostNL: your package could not be delivered — €1.45 customs fee outstanding. Pay now to release: postnl-secure-betalen.com/track/8842'. The engineer is expecting a delivery, the message references a plausible amount, and the domain looks officially PostNL-shaped. She taps the link from her phone — the rendered page is pixel-identical to the real PostNL payment flow, complete with iDEAL bank selector. She picks her bank, lands on what appears to be the iDEAL gateway, and enters her credentials and the SMS-OTP. The site then says 'verification failed, please try again'. She enters credentials a second time. While she is doing this, an attacker on the other end is logged into her actual bank, registering a new device with the OTPs she just relayed. By 18:11 the attacker has moved €18,400 from her current account into a money-mule chain. The lesson: the smish worked not because the engineer was careless, but because the attacker mapped the exact moment a real package was expected and matched the brand experience with pixel fidelity.

    How the attack works

    Smishing relies on three structural advantages over email phishing: there is no rich URL preview on most phones so users tap before reading, mobile users trust SMS more than email because it is rarer, and corporate security stacks do not see SMS at all. The kits the attackers use are off-the-shelf — modular phishing-as-a-service platforms with brand templates for every major bank, courier, tax authority, telco and government agency in each target country. The sender numbers are spoofed or rented from grey-market SMS gateways, sometimes via SS7 routing. The most damaging 2026 variant chains smishing with a follow-up call: SMS gets the credentials and the SMS-OTP, then the attacker calls the victim from a spoofed bank fraud-team number to talk them through 'verifying' the second OTP. Corporate variants — Twilio-style — target IT or developer staff at a specific employer with an MFA-fatigue pretext ('your VPN expires in 5 minutes, tap here to refresh'). MITRE ATT&CK techniques: T1566.003 (Spearphishing via Service), T1078.001 (Valid Accounts: Default Accounts) when chained with credential reuse, T1411 (Input Capture — mobile). The single most effective user-side defence is a hard 'never tap a link in an unsolicited SMS' habit, regardless of how legitimate the message looks.

    What to look for

    • Any link inside an SMS, especially with a shortened domain, lookalike domain, or unusual TLD (.zip, .cam, .top, country-specific lookalikes)
    • Pressure to act immediately — 'your account will be closed in 24 hours', 'package will be returned to sender', 'fine doubles after midnight'
    • Generic salutation or no name at all — legitimate organisations who have your number usually have your name
    • A request for credentials, payment, or 2FA codes via a link rather than via the organisation's app
    • Senders showing as a phone number when the organisation normally uses a branded short-code or alpha-sender
    • Unsolicited two-factor SMS codes that you did not request — somebody is trying to log in as you
    • A follow-up phone call from the same 'organisation' shortly after the SMS, often from a spoofed official number
    • Workplace-themed SMS impersonating IT helpdesk, HR, or a senior executive asking for action via a link
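As an added example (not part of the HackersHub module), a small Python triage script that scores an incoming SMS against the indicators in the checklist above: a link at all, an unusual TLD, a brand named in the text whose link does not go to that brand's real domain, urgency wording, and a credential or payment request via a link. The official-domain table and the sample messages are constructed assumptions; the first sample is the scenario's smish.

```python
import re

# Indicators taken from the checklist above. The brand-to-official-domain
# table is an assumed example for the demo, not a complete allowlist.
SUSPICIOUS_TLDS = {"zip", "cam", "top"}
URGENCY_PHRASES = ("pay now", "within 24 hours", "will be closed",
                   "returned to sender", "doubles after midnight", "expires in")
CREDENTIAL_WORDS = ("password", "pin", "otp", "2fa", "verify", "login", "log in", "pay")
OFFICIAL_DOMAINS = {"postnl": {"postnl.nl"}, "ideal": {"ideal.nl"}}

# Bare or schemed hostnames with an optional path, e.g. "postnl-secure-betalen.com/track/8842".
URL_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:/\S*)?", re.I)


def extract_hosts(text):
    """Return the lower-cased hostname of every link-like token in the SMS."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def is_official(host, official):
    """True if host is one of the brand's real domains or a subdomain of one."""
    return host in official or any(host.endswith("." + d) for d in official)


def score_sms(text):
    """Return (score, reasons): one point per checklist indicator that fires."""
    low = text.lower()
    hosts = extract_hosts(text)
    reasons = []
    if hosts:
        reasons.append("contains link")
    for host in hosts:
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"unusual TLD .{tld}")
        for brand, official in OFFICIAL_DOMAINS.items():
            # Brand named in the message, but the link does not go to its real domain.
            if re.search(rf"\b{brand}\b", low) and not is_official(host, official):
                reasons.append(f"lookalike domain for {brand}: {host}")
    if any(p in low for p in URGENCY_PHRASES):
        reasons.append("urgency pressure")
    if hosts and any(w in low for w in CREDENTIAL_WORDS):
        reasons.append("credential/payment request via link")
    return len(reasons), reasons


# Constructed sample messages; the first is the smish from the scenario above.
SAMPLES = [
    "PostNL: your package could not be delivered - EUR 1.45 customs fee outstanding. "
    "Pay now to release: postnl-secure-betalen.com/track/8842",
    "Fraud detected on your account. Verify now within 24 hours: mybank-alert.top/login",
    "PostNL: your package arrives tomorrow between 10:00 and 12:00. Track it in the PostNL app.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(score_sms(sms), "<-", sms[:48])
```

A score of 0 still does not prove a message is genuine; the script only surfaces the checklist signals so a help desk or mail-to-SOC pipeline can triage reports faster.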

    What to do

    1. Never tap links in unsolicited SMS — open the official app or type the URL manually. Every legitimate notification a bank, courier or tax authority sends can be confirmed inside their app or by typing the URL yourself.
    2. Never reply, even with 'STOP' — replying confirms an active number to the attacker. Carriers do support genuine STOP for marketing SMS, but for clear scams, do not engage. Report instead.
    3. Forward smishing SMS to the national reporting number. NL: forward to 7726 (works on most carriers). UK: 7726. US: 7726. This routes the message to the carrier and national fraud teams for blocklisting.
    4. Report to NCSC-NL fraudehelpdesk.nl (NL) or the equivalent national fraud authority. A 30-second form report contributes to the national pattern dataset that gets specific scams blocked at carrier level.
    5. Lock your bank account immediately if you entered any credentials. Most banks support an in-app emergency lock. Then call the fraud line on the number printed on the back of your bank card — not a number from the message.
    6. Warn family and colleagues without forwarding the original. Describe the scam pattern; never forward the raw smish — that re-spreads the attacker's link.
    7. If a corporate-themed smish targeted you, escalate to security even if you did not click. Targeted smishing of an employee implies the attacker has the employee roster — security needs that signal.

    Defences for IT and policy

    Technical controls

    • Mobile Device Management (MDM) profiles that route corporate traffic through a security gateway with SMS-link inspection — Lookout, Zimperium, or equivalent
    • Phishing-resistant MFA (FIDO2/passkeys) for all employee logins, which defeats the SMS-OTP-relay variant entirely
    • Carrier-level SMS firewalls (telcos increasingly offer enterprise SMS-firewall products that block known smishing infrastructure)
    • Internal alpha-sender registration for the company's own SMS comms so employees can be trained to expect specific sender names
    • Mobile threat-defence agent on managed phones with real-time link scanning and brand-spoof detection

    Policy controls

    • Written policy: corporate IT will NEVER send a credential-action link via SMS. Employees report any such message as a smish without exception.
    • Written policy: HR and Finance will NEVER request action via SMS — only via internal portals or in-person/video confirmation.
    • Documented reporting flow that includes both the national fraud channel and the internal security team
    • Regular reminders during pay cycles, tax season, holiday delivery peaks — the seasonal smishing waves that exploit specific calendar moments

    Training cadence

    Pair this module with a quarterly mobile-themed simulation that includes at least one SMS lure and one chained SMS-then-call lure. Track reporting rate per quarter; in mature programs reporting rate climbs above 50% within four cycles. End-user click rates on SMS are higher than email — accept this and lean on phishing-resistant MFA and process controls.

    Quick check

    Five questions. Answers and explanations appear after submitting.

    1. Q1. You receive an SMS from 'your bank' warning of fraud on your account, with a link to verify. The link domain ends in .top. What is the safest action?
    2. Q2. Why does smishing bypass corporate security so effectively?
    3. Q3. Which authentication method best defends against the SMS-OTP-relay attack chain?
    4. Q4. You receive an unsolicited 2FA SMS code you did not request. What is the most likely cause?
    5. Q5. What is the correct first response to a corporate-themed smish (e.g. fake IT helpdesk SMS asking to refresh your VPN)?


    This module has been approved by HackersHub in exactly this form, including the watermark. Free under CC-BY-ND 4.0. Want to adapt the content? Remove our watermark first. — The HackersHub team. View licence terms.