Smishing, the SMS and notification scam: What it means and how to protect yourself

Money.it

10 March 2026 - 13:45


Smishing is one of the most widespread online scams of all. But what is it? How does it work? And most importantly, how can you protect yourself? We’ll explain in this guide.

Nowadays, it’s crucial to be able to immediately recognize online scams, understand the warning signs, and, above all, know what you can do to protect yourself, both to prevent potential fraud and to take action if you’re hit.

In this guide, we’ll talk specifically about smishing, a form of phishing that’s increasingly widespread due to its speed of execution and the number of victims it claims worldwide every year. Just in recent weeks, the Nexi case has sparked renewed attention.

Let’s take a look at what it is, how it spreads, what signs should raise suspicions, and what steps to take for prevention and defense.

What is smishing

Smishing is a digital scam born from the combination of the words SMS and phishing. It first emerged in the early 2000s with the advent of the first cell phones, and has exploded globally, especially in the last decade with the use of smartphones for managing one’s digital and financial life.

There are some important differences from phishing. Phishing is spread via email and often ends up in spam folders thanks to the systems of major internet providers, while smishing targets a more direct and personal channel.

When you receive a text message, you usually open it almost instantly to read its contents. And studies show that users tend to lower their guard and be more trusting with text messages than with emails.

It’s also worth considering that, given the smaller screen on a phone compared to a computer, the URL is harder to inspect, which makes a deceptive link easier to click on.

The same goes for the "from" header, which, at first glance, may appear authentic. All of this, combined with the "sense of urgency and panic typical of smishing," leads tens of thousands of potential victims to fall for the scam.

How Smishing Works

Smishing relies heavily on psychology and the sense of urgency it instills in the potential victim. The Online Postal Police Commissioner recently published a guide on the subject, which divides the scam into four main phases:

  1. Identity deception: Criminals use software to disguise their number, so that your phone groups it with other legitimate messages received from your bank or a courier;
  2. Emotional bait: The message leverages a sense of urgency or fear. Often, there are warnings of unauthorized access or accounts to be suspended within 24 hours. These are all words that push the user to act immediately;
  3. Technical trap: To initiate the actual scam, there’s a redirect link that leads to a clone landing page, completely identical to the original. This is where scammers steal your data;
  4. Data theft: this brings us to the fourth and final stage, the most important one. After the user enters their login credentials, they are transmitted to the criminals. They are often also asked for an OTP code via SMS, which, if provided, authorizes hackers to make transfers or purchases.

How to recognize smishing

The techniques used by hackers and cybercriminals are increasingly advanced, but despite this, recognizing a smishing attempt is possible thanks to some common elements typical of these scams.

First, as mentioned, always pay attention to the tone of voice in the SMS and the sense of urgency. If the text suggests an urgent need to act immediately, perhaps to avoid having an account blocked, it could be a scam.

Then take a look at the link inserted in the text. Very often, there are small errors that could expose everything. For example, a domain other than .it or .com, or typos.

The real red flag, however, is the request for sensitive data. No bank or organization will ever ask you to enter a password, OTP, or PIN on a link. This information is typically only entered manually in official apps or on websites.

Other suspicious elements include syntax and formatting errors. In 2026, attackers have minimized these, but you may still encounter irregular spacing, special characters, or punctuation that appears to be machine-translated.

Finally, the sender alias. If you see that the message appears to have been sent by a well-known brand like Nexi or Amazon, be careful, because smishing allows anyone to falsify the label using advanced software.
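
The warning signs listed above can be turned into a simple automatic check. The following is an added example, not code from Money.it or from the Postal Police guide; the keyword lists, function names and sample messages are constructed for illustration, and the brand and domains are invented or reserved for examples.

```python
import re
from urllib.parse import urlsplit

# Constructed keyword lists: adapt them to the languages and brands you see.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|blocked|unauthorized)\b", re.I)
SECRETS = re.compile(r"\b(password|otp|pin)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
ODD_FORMAT = re.compile(r"\s{2,}|\s[,.;:!?]|[!?]{2,}")
EXPECTED_TLDS = (".it", ".com")  # the article's example; an expected TLD alone proves nothing


def smishing_flags(text):
    """Return the red flags found in one SMS body.

    The sender label is deliberately not an input: it can be falsified,
    so it proves nothing either way.
    """
    flags = []
    if URGENCY.search(text):
        flags.append("urgency")
    urls = [u.rstrip(".,;:!?)") for u in URL.findall(text)]
    if urls:
        flags.append("link")
        hosts = [urlsplit(u).hostname or "" for u in urls]
        if any(not h.endswith(EXPECTED_TLDS) for h in hosts):
            flags.append("unusual_tld")
        if SECRETS.search(text):
            flags.append("asks_for_secret")
    if ODD_FORMAT.search(text):
        flags.append("odd_format")
    return flags


def verdict(text):
    """A link plus any other flag is treated as a likely scam."""
    flags = smishing_flags(text)
    if "link" in flags and len(flags) > 1:
        return "likely smishing"
    return "check in the official app" if flags else "no flags"


# Constructed sample messages (reserved example domains, invented brand).
SAMPLES = [
    "ExampleBank: unauthorized access detected!! Your account will be "
    "suspended within 24 hours. Confirm your OTP at "
    "https://examplebank-verify.example/login",
    "Your statement is ready at https://www.example.com/statements",
    "Your parcel is out for delivery today between 10 and 12.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(verdict(sms), smishing_flags(sms))
```

A message with no flags is not proven safe: the check only covers the signs described in this guide, and a link that passes it should still be verified in the official app.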

How to protect yourself from smishing

Let’s now look at some effective techniques to protect yourself from smishing and avoid falling into hackers’ traps.

An effective strategy first involves never clicking on links received via SMS. All security alerts are sent via the official app, never via text message.

This is especially true for OTP codes, which are typically used to authorize transactions, not to cancel them. If you’re asked for one to block a fraud attempt, be wary immediately, as this is a way to empty your bank account.

In practical terms, you can consider activating your smartphone’s spam filter:

  • From Android: Open the Messages app, access your profile by tapping the icon in the top right, select Messages Settings, and scroll down until you find Spam Protection. Finally, set the checkbox next to Turn on spam protection.
  • From iPhone: Open the Settings app and scroll to Apps at the bottom. Now tap Messages, scroll down to Unknown Senders, and set the two filters Filter unknown senders and Filter junk messages to ON.

Another powerful tool to use is non-SMS-based two-factor authentication. Whenever possible, use apps like Google Authenticator or in-app push notifications, which make the codes harder to intercept.

Finally, to be on the safe side, always check the sender against a blacklist. There are numerous online databases or apps like Truecaller that can alert you in real time to numbers used for smishing or telemarketing campaigns.

What to do if you’re a victim of smishing

It can happen that, despite knowing all the necessary steps to protect yourself from smishing, you carelessly click on a suspicious link and provide sensitive data to cybercriminals.

It’s important to act as soon as possible to avoid serious consequences. How? First, block your financial channels. Call your bank using the card blocking number and ask them to immediately close your online banking and account. If you already notice suspicious activity, ask the operator about the chargeback procedure.

If you entered your password, change it immediately on another device. Avoid the affected phone, as it may be infected with malware.

Finally, remember to file a report on the official online portal of the Postal Police Commissioner, copying the scam URL to ensure it is blocked by Google systems.

Original article published on Money.it Italy. Original title: Smishing, la truffa via SMS e notifiche: significato e come difendersi
