Smishing scams (SMS phishing) use fraudulent text messages to trick recipients into revealing personal data, clicking malicious links, or calling fake helplines. Smishing attacks impersonate banks, government agencies, and delivery services to create false urgency—and are one of the fastest-growing forms of cybercrime in India.
What Are Smishing Scams?
Smishing is a portmanteau of “SMS” and “phishing”. Unlike email phishing, smishing exploits the higher open rate and perceived trustworthiness of text messages. Victims receive an SMS that appears to be from their bank, TRAI, or a courier company. The message typically contains a link to a fake website or a phone number connected to a scammer posing as customer support. Smishing is closely related to OTP fraud because the attacker’s end goal is almost always to capture a one-time password and drain a bank account.
How Do Smishing Scams Work?
Step 1: The Fake SMS is Sent
The attacker sends a text message impersonating a trusted entity. Common scenarios include: “Your bank account will be suspended. Click here to re-verify your KYC”; “Your parcel is on hold. Pay ₹35 customs fee”; “Congratulations! You have won a cashback reward. Claim within 2 hours.”
Step 2: Victim Clicks the Link or Calls the Number
The link leads to a cloned banking or government portal that harvests login credentials. Alternatively, calling the number connects the victim to a scammer who claims to be a bank official or TRAI officer and requests OTPs to “verify the account”.
Step 3: Data Theft and Financial Loss
With the OTP or credentials in hand, the attacker performs unauthorized transactions. In some cases, malware is downloaded silently in the background when the link is clicked, enabling further credential harvesting even after the initial session ends.
What Are the Most Common Types of Smishing Scams in India?
- Bank KYC smishing — “Your KYC is incomplete. Your account will be blocked within 24 hours.” Leads to a fake bank login page.
- TRAI SIM block smishing — Part of the broader BSNL fake notice scam pattern targeting mobile users.
- Delivery parcel smishing — Fake courier alerts requesting small fees or personal details to release a package.
- Prize or cashback smishing — Claims of lottery wins or cashback rewards that require bank details to process.
- Income tax refund smishing — Impersonates the Income Tax Department, directing victims to a fake refund portal.
- Job offer smishing — Fraudulent job offers asking for registration fees or personal documents.
What Are the Warning Signs of Smishing Scams?
- Urgency and artificial deadlines — “Act within 2 hours or your account will be blocked” is a red flag in every legitimate business communication.
- Links that do not match the sender’s official domain — A message from “SBI” with a link to “sbi-verify-kyc.in” is fraudulent.
- Requests for OTP, passwords, or card details via SMS — No legitimate bank or government agency asks for these over text.
- Unknown sender numbers, especially foreign prefixes like +92 or +1 — Indian government agencies use registered short codes, not random mobile numbers.
- Grammatical errors and informal language — Authentic bank messages are professionally worded and follow specific formatting.
- Clickable shortened URLs (bit.ly, tinyurl, etc.) — Legitimate bank messages do not use URL shorteners.
How Can You Protect Yourself from Smishing Scams?
- Never click links in unsolicited SMS messages — Go directly to the bank or organization’s official website by typing the URL manually.
- Never share OTPs or passwords with anyone — Not with callers, not in response to SMS prompts. OTPs are one-time and private by design.
- Verify the sender before responding — Official government and banking SMS messages arrive from registered six-character sender IDs like SBIINB, not random mobile numbers.
- Enable spam filters on your device — Android and iOS both offer built-in SMS spam detection and carrier-level filtering options.
- Install a reputable mobile security app — Security apps flag malicious links and warn before you visit a phishing page.
- Report smishing numbers to TRAI — Use the Sanchar Saathi portal to report fraudulent senders and help block them for other users.
How to Report Smishing Scams in India?
- Call the National Cyber Crime Helpline: 1930
- File an online complaint at cybercrime.gov.in
- Forward the fraudulent SMS to 1909 (TRAI’s anti-spam service)
- Report the sender number on the Sanchar Saathi portal (sancharsaathi.gov.in)
- Contact your bank’s fraud team immediately if financial details were shared
For expert help investigating smishing fraud or recovering lost funds, contact cyber expert Anuraag Singh.
