Smishing (Text Message Scams)

Overview of the Scam

Smishing is a form of fraud that uses text messages - SMS or messaging apps - to deceive people into clicking malicious links, calling fake numbers, or providing sensitive personal and financial information. The term combines "SMS" with "phishing," reflecting the fact that it applies phishing tactics through the text messaging channel instead of email.

Text messages feel more immediate and personal than email. Most people read texts within minutes of receiving them, and the informal nature of the medium can lower the guard that someone might otherwise apply when evaluating an email. Scammers have recognized this for years and have dramatically increased the volume and sophistication of smishing attacks as a result.

Smishing is now one of the fastest-growing forms of consumer fraud. Billions of fraudulent text messages are sent each year, impersonating banks, delivery companies, government agencies, and major retailers. Because most people are not trained to scrutinize text messages the way they might scrutinize an email, smishing frequently succeeds even against people who would recognize a phishing email for what it is.

How the Scam Works

Smishing attacks follow a compact and effective structure, designed to move you from initial contact to link click or information submission as quickly as possible.

• You receive a text message that appears to come from a recognizable organization - your bank, a shipping company, a government agency, or a major retailer. The message may appear in the same thread as previous legitimate texts from that organization, which is possible because phone numbers and sender IDs can be faked.
• The message presents a situation that requires your immediate attention. Common scenarios include: a suspicious charge on your account, a package that could not be delivered, a government benefit that needs to be claimed, or an account that will be suspended unless you verify your information.
• The message includes a link and instructs you to tap it to resolve the issue, confirm your details, or track your package. The link is typically shortened to hide the actual destination URL, making it harder to evaluate before tapping.
• If you tap the link, you are taken to a fake website that looks nearly identical to the real organization's site. You are asked to log in or enter personal and financial information, which is captured by the scammer.
• In some cases, simply visiting the malicious site can install malware on your device, even without entering any information - particularly on devices that have not been kept up to date with security updates.
• With your credentials or information in hand, the scammer can access your real accounts, make unauthorized purchases, or use your information for identity theft.

A key feature of smishing is speed. The entire sequence from receiving the text to entering information on a fake site can happen in under two minutes if the recipient does not pause to evaluate the message. That speed is by design.

Common Variations

Smishing texts impersonate a wide range of organizations and use several different scenarios to create urgency.

• Bank fraud alerts: A text appearing to come from your bank says a suspicious transaction has been flagged and you need to verify it immediately through a link. The link goes to a fake bank login page.
• Package delivery scams: A text claiming to be from USPS, FedEx, or UPS says a package could not be delivered and you need to reschedule or pay a small fee through a link. These are among the most common smishing texts currently in circulation.
• Government benefit texts: A message claiming to be from the IRS, Social Security Administration, or another agency says you are owed a payment, your benefits are at risk, or your account needs to be verified.
• Toll payment scams: A text says you owe an unpaid toll and must pay immediately through a link to avoid a fine. These have increased significantly with the growth of electronic tolling systems.
• Account security alerts: A text claims your streaming service, email account, or social media account has been accessed from an unknown device and you need to verify your identity immediately.
• Prize or reward notifications: A text tells you that you have won something or are eligible for a reward and need to click a link to claim it, which leads to a site designed to collect your information.

Example Scam Messages or Pop-Ups

The screenshot below is a real example of the type of text message used in smishing scams. These messages are deliberately short and urgent, designed to prompt a tap before careful thought.

Notice the urgency, the vague but alarming claim, and the shortened link that hides its true destination. Legitimate organizations do not send texts with links asking you to log in or verify personal information. If a text arrives about your bank account, a package, or a government benefit, go directly to that organization's app or website to check - never through the link in the text.

Common phrases that appear in smishing texts include: USPS - your package could not be delivered, click here to reschedule, your bank account has been temporarily locked due to suspicious activity, the IRS has issued a notice regarding your account - verify now to avoid penalties, you have an unpaid toll balance of $4.75 - pay immediately to avoid a $35 fine, and congratulations - you have been selected for a reward - tap to claim before it expires. These messages are short by necessity and rely on familiar brand names and a sense of urgency to prompt action before reflection.

Warning Signs

The following signals are strong indicators that a text message is a smishing attempt rather than a genuine communication.

• The message creates urgency - your account will be suspended, a fee will escalate, or a package will be returned unless you act immediately by tapping a link.
• The text contains a link, particularly a shortened one that hides the actual destination URL. Legitimate organizations typically direct you to their official app rather than sending links in texts.
• The sender is an unfamiliar number, or a number that does not match the number your bank or the organization has used to contact you before.
• The message references a package, delivery, or shipment you were not expecting, or describes a transaction you did not make.
• The text asks you to provide personal information, login credentials, or payment details through a link - something no legitimate financial institution or government agency does by text.
• The language is slightly off - unusual phrasing, generic greetings, or wording that does not quite match how the organization normally communicates.
• The link in the text, if you look at it closely without tapping, goes to a domain that does not match the organization's real website - for example, usps-delivery-help.com instead of usps.com.
• You receive a text claiming you have won a prize, are owed a benefit, or have been selected for a reward - especially if you did not enter anything or take any action that would lead to such a notification.

Who Scammers Often Target

Smishing texts are sent in massive volumes to phone numbers obtained from data breaches, purchased lists, and random number generation. Virtually anyone with a mobile phone is a potential target. However, certain groups face a higher risk of being drawn in.

Older adults are disproportionately affected. Many are less familiar with the concept of smishing and may not apply the same level of scrutiny to a text message that they would to an unusual email. A text that appears to come from a recognizable organization and references something familiar - a package, a bank account, a government benefit - can be genuinely difficult to dismiss without that context.

Frequent online shoppers are targeted heavily with delivery-related smishing because the scenario is so plausible. Someone who orders online regularly is likely to have packages in transit at any given time, making a text about a delivery issue feel relevant and worth addressing.

People who have recently been involved in data breaches are also frequently targeted, since their phone numbers, names, and sometimes partial account information may be available to scammers who use it to make smishing texts feel more personal and credible.

What the Scammer Is Trying to Achieve

The most common goal is your login credentials. A fake bank login page, a fake retailer sign-in, or a fake government portal captures your username and password, which the scammer then uses to access your real account.

When the smishing text involves a delivery fee or a toll payment, the goal is your payment card details. The amount is kept small - a few dollars - to reduce resistance to entering your card information, but the real purpose is to capture the full card number, expiration date, and security code.

Some smishing links are designed to install malware on your device when tapped, even before you enter any information. This malware can operate silently in the background, harvesting passwords, capturing two-factor authentication codes, or giving the scammer ongoing access to your device.

What To Do If You Encounter This Scam

If you receive a text message that you suspect is a smishing attempt, the following steps will help you respond safely.

• Do not tap any link in the text. If the message claims to be about a bank account, package, or government notice, open the relevant app directly on your phone or type the organization's web address in your browser to check.
• Do not call any phone number provided in the text. If you want to verify whether the message is genuine, call the number on the back of your bank card or on the organization's official website.
• Do not reply to the text. Replying confirms to the sender that your phone number is active, which can result in more targeted attempts.
• Report the smishing text by forwarding it to 7726 (SPAM). This number is used by wireless carriers in the United States to track and block smishing campaigns. You can also report it to the FTC at ReportFraud.ftc.gov.
• Block the sender's number on your phone if you are concerned about further texts from the same source, though scammers frequently rotate numbers so this provides limited protection on its own.
• Delete the text after reporting it. If you tapped the link before realizing it was fraudulent, change passwords for any accounts that could be affected and run a security check on your device.

What To Do If You Already Paid or Shared Information

If you tapped a link in a smishing text and entered information on a fake site, the steps you take in the next few hours matter significantly.

How To Prevent Smishing Scams

A few consistent habits make smishing attacks significantly less likely to succeed.

• Treat any unsolicited text with a link as suspicious by default. The habit of not tapping links in texts - and instead going directly to the organization's app or website - is the single most effective defense against smishing.
• Install apps for the services you use most frequently, such as your bank and delivery companies. Checking the app directly is always faster and safer than following a link in a text, and official apps are where real notifications actually appear.
• Enable spam filtering on your phone. Both iPhone and Android offer settings to filter messages from unknown senders, and many carriers offer additional spam blocking services.
• Be skeptical of delivery texts, especially if you are not expecting a package or the text references a shipper you did not use. Checking your actual order confirmation through the retailer's app or website will tell you everything you need to know.
• Know that the US government, your bank, and major delivery companies do not ask for payment or account verification through links in text messages. Any text requesting this is fraudulent.
• Keep your phone's operating system and apps updated. Security updates frequently address vulnerabilities that smishing attacks attempt to exploit when you visit malicious sites.
• Talk about smishing with family members who use smartphones. The simple habit of not tapping links in unexpected texts - and going to the app or website directly instead - protects against the vast majority of smishing attempts.