Can You Spot a Sophisticated Text Message Scam?
When Patrick Sage received a text message from his bank claiming that someone was trying to make a purchase for over $500 at Walmart, he acted quickly [*].
Sage called the number in the text and followed instructions from the person he thought was a Citibank employee about how to transfer his money to a friend’s account to keep it secure. His friend even received confirmation texts of the transfer. But no money.
Instead of protecting his hard-earned cash, Sage unknowingly gave scammers access to his bank account — and they stole over $7,500.
Sage was the victim of a smishing attack. Scammers send fake text messages claiming to be from your bank, the Internal Revenue Service (IRS), or a company that you trust — and then trick you into clicking on malicious links or giving up sensitive information and money.
Since 2020, the number of smishing attacks has grown by more than 328%, with victims losing over $3.5 billion [*].
Scammers love using text messages, and their smishing attacks are only getting more sophisticated.
In this guide, we’ll cover how smishing attacks work, the latest smishing scams you need to know about, and what to do if you receive, respond to, or click on a link in a smishing message.
What Is Smishing? How Does a Smishing Attack Work?
Smishing — a shortened version of “SMS phishing” — occurs when scammers send you fake text messages claiming to be from a company or organization that you trust. Smishing attacks commonly impersonate banks, the IRS, FBI, and DMV, or companies like Amazon, PayPal, and Apple.
The goal of a smishing attack is to get you to click on a link to a phishing site, download malware onto your device, call the impersonators (so they can continue their scam on the phone), or give up sensitive data — such as passwords, banking information, or your Social Security number (SSN).
Here’s how a typical smishing attack works:
- First, scammers send fake text messages to your mobile device that look legitimate. They may even spoof the number to make it look like the text is coming from a local or official phone number.
- The message will create a sense of urgency — either by claiming that your account has been hacked, someone is making fraudulent purchases, or you’ve won a prize.
- Next, the cybercriminal prompts you to click on a link or call a phone number. But any action you take continues the scam.
- If you click on a smishing link: you’ll be taken to a fake website designed to steal your sensitive information. Some smishing links also deliver spyware or other malware that lets hackers scan your device for personal data and passwords.
- If you call the scammers: they’ll continue the fraud, even using stolen personal information to make you trust them. In the case of Patrick Sage, the scammers had the last four digits of his bank account, which convinced him they were legitimate.
Smishing is dangerous because few of us understand the true risks of opening or interacting with a text message scam. Even replying “STOP” or “NO” could put you at risk of further scams.
📌 The bottom line: Delete unsolicited text messages and never click on links. If you’re concerned about what a message says, contact the company directly by using the phone number or contact information found on their official website.
Smishing vs. Phishing vs. Vishing: What’s the Difference?
Smishing attacks use text messages as their mode of delivery. But while it’s easy for scammers to send millions of fake text messages, it’s unlikely that you’ll respond with high-value information (like your password or financial information).
Instead, smishing often leads to other, more dangerous types of imposter scams.
Smishing attacks are often designed to ensnare victims in these three main types of phishing scams:
- Phishing is the general term used for imposter scams, but it is often used to refer to scam emails. Smishers will sometimes follow up with an email phishing attack in hopes that you’ll click on a malicious link.
- Vishing refers to “voice phishing.” Any time you get a robocall, unsolicited phone call, or call a number in a smishing text, you’re being targeted by a vishing attack.
- Pharming refers to fake websites that scammers use to continue their phishing and smishing attacks. Many scam emails and texts contain links to websites that steal your personal information. For example, scammers may create a website that looks like your bank’s login page, and then send you a smishing text claiming that your account was hacked and you need to update your password. But when you enter your current login information on the fake website, it goes straight to the scammer.
No matter the mode of delivery, all of these scams can lead to disastrous consequences, from lost money to full-on identity theft.
The 15 Latest Smishing Attack Examples (How To Spot Them)
- Texts claiming suspicious activity on your credit card
- Notifications of missed package deliveries
- Random messages from “friends” you don’t know
- Notifications that you’ve won an award or prize
- Texts from local phone numbers
- Bills for services you never signed up for
- Fake surveys from companies you know and trust
- Password reset notifications that you didn’t request
- Texts claiming to be from your boss
- Notifications about invalid payment information
- Fake family emergency texts
- Texts claiming you’re owed a refund for overpayment
- Alerts that you have a pending money transfer
- Scam texts about COVID-19 vaccines
- IRS scam texts
If you receive any of these text messages, there’s a good chance it’s a scam. Here’s how the latest smishing attacks happen and how to be sure you’re dealing with a scammer:
1. Texts claiming suspicious activity on your credit card (fake fraud alerts)
Fraudsters know that one of the quickest ways to get you to act is to claim that your money or bank account is at risk. In this common smishing scam, you receive a text message claiming to be from your bank with a link provided to “secure” your account.
But the link is fraudulent and will either take you to a phishing site designed to look like your bank’s login page, or it will download malware onto your device.
📌 Don’t get scammed: Never enter passwords or personal information on websites that you visit via text message links. Instead, always visit your bank’s official website directly.
2. Notifications of missed package deliveries (UPS, FedEx, and USPS scams)
Taking advantage of the rise in online shopping that started during the pandemic, scammers create fake text messages claiming that you missed a package delivery.
In these scams, you receive a text message purporting to be from UPS, FedEx, USPS, or another delivery service. The message will claim that you missed your delivery date, or there’s an issue with your address and you need to visit a site to “rebook” your delivery and pay a fee.
But the whole thing is a scam. Any information you provide (address, credit card number, etc.) will be used by the scammers or sold on the Dark Web.
📌 Don’t get scammed: Only check your delivery status using the original shipping confirmation email that you received. Otherwise, make sure you visit the shipping company’s official website (UPS.com, Fedex.com, etc.) and use the provided tracking number.
3. Random messages from “friends” you don’t know
Cybercriminals want you to engage with their messages so they can entrap you in their scams. One way to get your attention is by sending “wrong message” texts.
These texts look like normal text messages — just sent to the wrong person. For example, the scammer might send you a reminder to come over, or pose as an old acquaintance reaching out for the first time in a while.
But if you respond, the scammers try to engage with you further and build a relationship or friendship. In many cases, these texts lead to what’s known as the “pig butchering scam” — fraudsters trick you into investing money in a “guaranteed” investment and then steal your money.
📌 Don’t get scammed: Delete any unrecognized text messages immediately. Don’t respond or engage with them at all.
4. Notifications that you’ve won an award or prize
Scammers may send fake text messages claiming you’ve won a prize or sweepstakes that you never entered. They’re hoping that the promise of a prize — even if it’s a bit unbelievable — will be enough to get you to click on a link.
Scammers often pose as well-known companies and retailers (Apple, Amazon, Microsoft, etc.) to make their giveaway or prize scams seem more believable.
📌 Don’t get scammed: As hard as it is, ignore these text messages and delete them immediately (don’t click on the link). Remember the golden rule of fraud prevention: If it seems too good to be true, it probably is.
5. Texts from local phone numbers (or even your own number)
Scammers use spoofing technology to make their texts and calls look like they’re coming from an official or local phone number. But in a trending smishing scam, fraudsters have started sending text messages that look like they’re coming from your own phone number.
These scams almost all follow the same pattern. You get a text that looks like it’s coming from your phone number about a paid bill. The message contains a link that the sender claims is “a little gift for you.”
Scammers are hoping that you’ll be intrigued enough when you see your own phone number to drop your guard and click on the link.
📌 Don’t get scammed: Ignore text messages that look like they’re coming from your own phone number. If a scammer claims to be from your cell phone provider, ignore the call and contact your provider directly to report the fraud.
6. Bills and invoices for services that you never signed up for
Scammers may also send text messages “confirming” a purchase or subscription renewal (Amazon Prime, Best Buy Geek Squad, etc.) that you never made.
These fake text messages almost always include a phone number to call in order to dispute the charge. But if you call, the scammers will pull you even further into their scheme.
📌 Don’t get scammed: Never contact a company using a phone number or link in a text message. If you’re concerned about being charged, call the company in question directly using their official phone number.
7. Fake surveys from companies that you know and trust
Scammers know you’re used to large companies asking for your feedback through surveys. In these scams, they’ll offer too-good-to-be-true prizes as rewards for answering a survey.
But if you click through, you’ll be asked for your credit card numbers or other sensitive information that can be used for identity theft.
📌 Don’t get scammed: While some companies send you legitimate surveys, don’t trust unsolicited text messages (or emails). If you want to be sure that the text is real, contact the company directly.
8. 2FA codes or password reset notifications that you didn’t request
Some smishing scams are designed to get access to your online accounts. In these scams, fraudsters pretend to be customer support agents contacting you because of a suspicious login attempt to your account.
They’ll ask you to provide a two-factor authentication (2FA) code (that they requested on your behalf). But if you provide it, they’ll have everything they need to log in to your account and lock you out.
📌 Don’t get scammed: Never send 2FA codes or passwords over text messages. Legitimate companies will never request this information.
9. Texts claiming to be from your boss or colleagues
In this scam, fraudsters research your workplace on LinkedIn and then pose as colleagues or your boss. In the text, they’ll claim to be stuck in a meeting and need your help with either buying and sending gift cards, changing payment information, or providing passwords.
📌 Don’t get scammed: It’s easy to be fooled if scammers know basic information about you or your job. If you receive a text message claiming to be from someone you work with, contact the person directly or through another medium (work email, messaging app, etc.) to make sure.
10. Notifications that your payment information is invalid
If you receive a text message about a payment being declined, it’s most likely a scam. Fraudsters pose as companies like Netflix or Amazon and threaten to take away your service if you don’t “update” your payment information.
But if you click on the links in these messages, you’ll be taken to phishing sites that steal both your login information and your credit card numbers.
📌 Don’t get scammed: Companies like Netflix won’t text you out of the blue about your subscription. Instead, you’ll receive a warning email from an official email address (i.e. [Name]@Netflix.com).
11. Fake family emergency texts (the “grandparent” scam)
Scammers often target parents or grandparents and pretend to be their child or grandchild. These text scams start innocently, but then shift when the scammer claims to be in trouble and needs help.
Scammers may pretend that they’ve been in an accident and need money for healthcare or legal fees. Or, they could say that they’re out shopping and forgot their card, and then ask you to transfer money to an account via Cash App or Zelle.
📌 Don’t get scammed: If anything feels off about a text message from a family member, trust your gut. Try to get in touch with the relative directly by calling their phone. Watch for red flags such as strange spelling and grammar, words they wouldn’t normally use, or instructions not to call them.
12. Texts claiming you’re owed a refund for overpayment
In this smishing scam, fraudsters offer you a refund for a supposed overpayment — usually from a government agency like the Department of Motor Vehicles (DMV) or Internal Revenue Service (IRS).
But while the thought of an unexpected refund might grab your attention, the link in the message will only take you to a phishing site.
📌 Don’t get scammed: Ignore any text that claims to be from a government agency. The DMV, IRS, FBI, and similar agencies will never contact you via text message. If you’re concerned about the message, contact the agency directly.
13. Alerts claiming that you have a pending money transfer (Cash App, Zelle, etc.)
Scammers also try to trick you into clicking on links by claiming that you have a money transfer waiting for you. Even if you’re not expecting anything, they hope that the promise of “free” money will get you to click.
📌 Don’t get scammed: Never trust links in unsolicited texts. Instead, log into your payment app directly to see if there’s a payment waiting for you.
14. Scam texts about COVID-19 vaccines, surveys, and other pandemic-related messages
According to the Federal Trade Commission (FTC), Americans have lost nearly $20 million to COVID-related text message scams [*]. COVID scams include texts from fake stores selling fraudulent healthcare equipment, offers of fake stimulus checks, scam surveys, and more.
📌 Don’t get scammed: Ignore unsolicited text messages about COVID-19 treatments, tests, stimulus checks, and surveys. The only people who can comment on your healthcare status are your trusted healthcare professionals.
15. IRS scam texts (including claims that your tax return was rejected)
Scammers take advantage of your fear and uncertainty when dealing with the Internal Revenue Service (IRS). These scam texts claim that your tax refund was rejected or that the IRS is filing a lawsuit against you and will be freezing your financial accounts.
📌 Don’t get scammed: The IRS will never contact you via text message unless you ask them to. Anyone who messages you claiming to be from the IRS is a scammer.
What Happens If You Click on a Link in a Smishing Text?
Scammers almost always include phishing links in their fake text messages. Here’s what could happen if you click on a link in a smishing text:
- Scammers learn more about you and verify that your number is active. Hackers send messages to confirm that your phone number is active (so they can keep targeting you with scams). If you click on a link, they could also get some basic information such as your approximate location, device statistics, and other details that you unwittingly provide.
- Hackers install malware on your device that lets them spy on you or find sensitive information. Clicking on a phishing link could install malware on your phone that allows fraudsters to view your address book, steal passwords, or find sensitive photos and information.
- You’re taken to a phishing website where you give up passwords or other data. Links in smishing texts could also take you to fake websites where you’ll be tricked into giving up sensitive information.
How To Spot a Smishing Attack: 9 Warning Signs
- The text is from a strange phone number. Check if the text message was sent from a number in your address book, and be wary of texts that don’t use a typical 10-digit format.
- It includes a suspicious link. Scam text messages include links that are obscured, shortened, or don’t lead to an official domain. For example, a scam text claiming to be from Apple will include a link to “Apple-customer-support.com” or another spoofed domain.
- It claims to be from a company that you know and trust. Legally, companies can’t text you without your permission. If you get a text claiming to be from a company that hasn’t messaged you before, be very cautious.
- There are spelling, grammar, and formatting mistakes. Scammers aren’t always native English speakers and may include strange language, grammar, and formatting in their texts.
- There’s a sense of urgency. If you feel your heart start to race when you open a text, slow down. Creating a sense of urgency is a common tactic scammers use to prevent you from thinking through your decision or consulting a trusted advisor. Legitimate businesses won’t threaten you in text messages.
- The text includes requests for money or information. When you receive a money request through Venmo or Cash App, call your loved ones to verify before paying. Always double-check any texts from your financial institutions by contacting them directly.
- It promises a reward or prize if you click on a link. If you receive a message saying you’ve won a giveaway on social media or have been randomly picked from a pool of subscribers to win a gift card, it’s probably part of a scam. Do not click on an attached link as it’s most likely a smishing text.
- The text includes a phone number and asks you to call back. Smishing scams are often starting points for phone scams. If the text includes a phone number to call to “cancel a payment,” don’t call. Instead, find the company’s official phone number and reach out to them directly.
- It starts off with a strange greeting (and not your name). Scammers send thousands of scam texts a day. If the message doesn’t use your name, or starts with a strange greeting (such as “dear valued customer”), it’s probably a scam.
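Several of the warning signs above can be checked mechanically, for example in a message filter or when triaging reported texts. The sketch below is an added example, not part of the original article; the brand-to-domain map, shortener list, keyword patterns, signal names and sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions for illustration (not from the article): this brand -> official
# domain map, the shortener list and the keyword patterns are small samples.
OFFICIAL_DOMAINS = {"apple": {"apple.com"}, "amazon": {"amazon.com"},
                    "netflix": {"netflix.com"}, "ups": {"ups.com"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|locked|act now|final notice)\b", re.I)
INFO_RE = re.compile(
    r"\b(password|passcode|ssn|social security|card number|verification code)\b",
    re.I)
PRIZE_RE = re.compile(r"\b(won|winner|prize|giveaway|reward|gift)\b", re.I)
GREETING_RE = re.compile(r"^\s*dear (valued )?(customer|user|member)\b", re.I)


def link_is_suspicious(url, body_words):
    """Shortened link, or a brand is named but the domain is not the official one."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    registrable = ".".join(host.split(".")[-2:])
    if registrable in SHORTENERS:
        return True
    named = set(re.split(r"[.-]", host)) | body_words
    return any(brand in named and registrable not in domains
               for brand, domains in OFFICIAL_DOMAINS.items())


def warning_signs(sender, body):
    """Return the warning signs (in a fixed order) that a text message triggers."""
    signs = []
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                      # drop the US country code
    if len(digits) != 10:                        # legitimate short codes also land
        signs.append("unusual_sender")           # here: one weak signal, not a verdict
    words = set(re.findall(r"[a-z0-9]+", body.lower()))
    if any(link_is_suspicious(u, words) for u in URL_RE.findall(body)):
        signs.append("suspicious_link")
    if URGENCY_RE.search(body):
        signs.append("urgency")
    if INFO_RE.search(body):
        signs.append("asks_for_sensitive_info")
    if PRIZE_RE.search(body):
        signs.append("prize_or_reward")
    if PHONE_RE.search(body) and re.search(r"\bcall\b", body, re.I):
        signs.append("callback_number")
    if GREETING_RE.search(body):
        signs.append("generic_greeting")
    return signs


# Constructed sample messages (fictional 555-01xx numbers and made-up links).
SAMPLES = {
    "fake_apple": ("+1 (555) 010-0199",
                   "Dear valued customer, your Apple ID has been locked. Verify "
                   "your password immediately at apple-customer-support.com/verify"),
    "prize": ("28849", "Congratulations! You won a $500 gift card. "
                       "Claim your prize: bit.ly/3xAbC"),
    "invoice": ("5550100142", "Your Geek Squad subscription renewed for $399.99. "
                              "To cancel this payment call 555-010-0175 now."),
    "benign": ("5550100123", "Running late, see you at 6. Can you grab milk?"),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        print(f"{name}: {warning_signs(sender, body)}")
```
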
Here’s How To Prevent Smishing Attacks
While it’s impossible to prevent all smishing and spam texts from landing in your inbox, there are steps you can take to secure your phone and make sure you don’t get scammed.
Ignore smishing messages (Don’t reply with “NO” or “STOP”)
Responding to a smishing message confirms that your number is active. Even worse, this tells scammers to continue to target you with their schemes. Never respond to smishing texts — even with “NO” or “STOP.”
Never click on links
Clicking on a link in a smishing text is one of the most dangerous things you can do. Never click on links inside a text message, no matter how legitimate they appear.
Use anti-spam tools to keep smishing texts out of your inbox
There are features on your phone as well as third-party apps that can help reduce the number of spam texts and calls that you receive. Most mobile carriers offer anti-spam tools, such as Verizon Call Filter, AT&T Call Protect, U.S. Cellular Call Guardian, and T-Mobile Scam Shield.
You can also report spam text messages by forwarding them to 7726 (this works for all carriers, including AT&T, T-Mobile, and Verizon Wireless).
- On iPhone: Press down on the spam text and click “More.” Then, tap “Forward” to send it as a new text.
- On Android: Press down on the text and click on the three-dot icon in the top right corner. Then, select “Forward” from the options.
Call companies directly
If you receive a text message claiming to be from a company or government agency, don’t respond or use the phone number or link provided in the text message. Instead, contact the company directly using their official channels to confirm that the text was legitimate.
Don’t respond to urgent messages
Slow down if the message sounds urgent and encourages you to act quickly. Examples of urgency tactics that fraudsters use include threats to close your account and warnings about suspicious logins to your online accounts. Whatever the tactics, your best option is to call your service provider before making a decision.
Activate call filters on your phone
Scammers use phone numbers that aren’t in your contact list. To keep their messages out of your main text inbox, turn on call filters on your phone.
- On iPhone: Open your settings and then select “Messages.” Toggle the switch for “Filter Unknown Senders.”
- On Android: Navigate to the Message App and click on the three dots in the top right corner. Next, select “Settings” and then “Spam Protection.” Make sure “Enable Spam Protection” is turned on to receive spam alerts.
Don’t share sensitive information via text
Online scammers use social engineering tactics to trick you into sharing private information. Never share passwords, email addresses, or credit card numbers via text messages.
Consider protecting your device with antivirus and a VPN
Scammers use malware, viruses, and other cyberattacks to scam you and steal sensitive data from your phone. Cybersecurity tools, such as antivirus software and a virtual private network (VPN), can protect your phone, computer, and home network from hackers.
Aura includes proactive protection against hackers and scammers, including:
- Powerful antivirus software that protects your devices from malware and viruses.
- Military-grade VPN that encrypts your data and wireless connections so that hackers can’t spy on you.
- Dark Web scanning that searches the depths of the Dark Web for your leaked passwords and alerts you if your accounts have been compromised.
- Password manager with one-click password update. Securely store all of your passwords in one place. Aura will alert you if a password has been compromised (or is easily hacked) and will help you replace it with a more secure one.
Did You Click on a Smishing Link or Talk to a Scammer? Do This
- Disconnect from your mobile network and Wi-Fi. If you’ve clicked on a phishing link, the first thing to do is turn off your phone's internet. Going offline prevents the scammer from gaining remote access to your device or sending phishing links to your contacts.
- Scan your device for malware. Run a full scan of your mobile phone using antivirus software. Aura’s antivirus software, which is included in every Aura plan, finds and isolates malware so that hackers can’t gain access to your data or device. Make sure you delete any unrecognized apps as well, as these can hide malware.
- Secure your accounts, and update your passwords. Changing your password invalidates your previous account login details. Ensure you’re using a different password for each account, and force logouts of all sessions to remove bad actors from your online accounts.
- Freeze or lock your credit. A credit freeze stops anyone from accessing your credit file. This makes it much harder for scammers to open new accounts in your name. You can also lock your credit with a single click using Aura’s 24/7 credit protection service.
- Notify your bank and credit card fraud departments. If you’ve given a scammer your credit card or banking information, contact your financial institutions and warn them.
- Report the scam to the FTC. File a complaint with the Federal Communications Commission (FCC) and the FTC at ReportFraud.ftc.gov. Reporting smishing text messages to the FTC helps them investigate and provide advice to protect you.
- Report the smishing message to the organization that was impersonated. Almost every organization has a way to report scams. Report to the organization, whether it’s your utility company, financial service, network provider, or a government agency. If you clicked on a phishing link, contact your bank to cancel your credit card and get a new one.
- Look for warning signs that your identity was stolen. If you’ve shared personal details with a scammer, these could be used for identity theft. Look for signs that your identity has been stolen such as strange charges on your credit cards, account passwords not working, or calls from debt collectors that you don’t recognize.
- Consider signing up for a digital security solution. Aura’s #1-rated digital security solution monitors your most sensitive information (including your bank, credit, and investment accounts) for signs of fraud. If anything suspicious is detected, you’ll be notified in near real-time. And if the worst should happen, you’re covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
The Bottom Line: Stop Smishers From Stealing Your Identity
You might think that you’d never fall victim to a scam text, but cybercriminals are continuously enhancing their schemes. Stay up to date with the latest smishing scams so that you know what to look out for.
And for added protection, consider signing up for Aura’s all-in-one digital security solution.