Text Message Scams (Smishing): How They Work and What to Do
You almost tapped it. That’s the part worth thinking about.
A text lands while you’re in the middle of something else. A package can’t be delivered. A toll went unpaid. Your bank flagged a charge. Your thumb is already drifting toward the link before the rest of your brain has caught up. Most people stop themselves in time. The ones who don’t aren’t careless. They’re using a phone the way a phone is designed to be used.
I spent more than twenty years building identity protection products, and here’s what I want you to know about text scams. The message isn’t the clever part. The writing is usually plain, sometimes misspelled, and almost always recycled. The leverage is the screen itself and the one-tap reflex you’ve built over years of ordinary phone use. Smishing is just phishing delivered by text, and it converts because the phone strips away the cues you’d lean on anywhere else. The FTC counted roughly $470 million lost to scams that started with a text in 2024, more than five times the 2020 figure, and that curve hasn’t been bending down.
Why the phone is the weak point, not the message
Sit at a desktop and a scam email has a lot working against it. You can see the full sender address. You can hover over a link and read where it actually goes. The browser keeps the address bar in front of you the whole time. None of that survives the move to a phone.
Mobile browsers hide the address bar once a page loads. They cut off long links so you never see the real destination. Researchers at Temple University who studied mobile phishing found that small screens, hidden URLs, and the hassle of switching between apps all make it harder to check where you’re actually headed. On a phone you get a sliver of information and a lot of pressure to act on it.
Then there’s timing. The FCC points out that scam texts are nearly always read, and usually read right away. An email can sit unopened for a day. A text gets a glance within minutes, and that glance is the whole game.
What people check in that glance is the part that should worry you. In a 2024 study of mobile users published through USENIX, participants paid attention to the content, the formatting, and the link, not the sender’s number or short code. They were reading the story of the message, not inspecting the machinery behind it. About half the people in that study flagged sloppy formatting, odd characters, a misspelling, a strange company name, as their main clue. A clean-looking text clears that bar for a lot of folks who think they’re being careful.
The last piece is habit. A team at UC Berkeley looked at a hundred popular apps and found that 89 of them sent users off to another app or website at some point, often to log in. We’ve all been trained to tap a link and then type a password on the other side, because that’s how legitimate apps work too. A scam just borrows that familiar motion. Carnegie Mellon researchers studying QR codes saw the same thing from another angle: 85 percent of people who scanned a code went on to visit the site it pointed to. Once the action is tap and open, the inspection step tends to vanish.
None of this needs a brilliant message. It needs a believable-enough reason to do the thing your phone already makes easy.
The four texts you’re actually getting
You don’t need to memorize a hundred variations. A handful of templates account for most of the volume, and they barely change from one year to the next. The FTC hand-coded a sample of text-scam reports for 2024 and found the top five types made up about half of everything people reported. These are the ones you’ll see most.
The package that can’t be delivered
This is the big one. Fake delivery texts were the single most reported smishing type in 2024, and the reason is simple. On any given day, a lot of people are actually waiting for something. The text claims there’s a problem, a missed delivery, an address to confirm, a small fee to release the package, and sends you to a look-alike site to pay or hand over details.
The Postal Inspection Service gives one clean rule that cuts through it. USPS only texts you tracking updates if you asked for them, those texts come from a five-digit short code, and they don’t contain a link. An unsolicited delivery text with a link in it is the scam, full stop. The same logic holds for the private carriers. If you didn’t sign up for the alert, treat the alert as fake.
The unpaid toll
Toll texts work on a clever bit of math. The amount is tiny, a dollar or two, small enough that paying feels easier than arguing. The threat stapled to it is not tiny: a late fee, a penalty, a hold on your registration. IC3, the FBI’s complaint center, started tracking a toll-smishing wave in early 2024 and logged thousands of complaints across multiple states in a matter of weeks. The messages were near-identical from state to state, same wording, same fake balance, with only the phone number swapped out.
That sameness is the tell, and it’s also the point. If a recycled message keeps working unchanged across the whole country, the scam isn’t winning on craft. It’s winning on the channel.
The bank fraud alert
This one does the most damage because it flips your guard around. Instead of asking for money, it offers to protect money you already have. A text says your account shows suspicious activity and tells you to call a number or reply YES or NO to confirm a charge. Reply or call, and you’re routed to a fake fraud department that walks you through handing over exactly what they need.
Texts impersonating banks have climbed sharply over the last several years. A few years back the FTC put the median loss on this type in the low thousands of dollars, and the pattern hasn’t softened. The defense is one sentence, and it comes straight from the Consumer Financial Protection Bureau: your bank does not ask you to verify account information by text. If a message asks you to do that, you already have your answer. Don’t reply, don’t call the number in the text, and don’t tap the link. Open your bank’s app, or call the number on the back of your card.
The wrong number that wants to keep talking
A text arrives that looks like a mistake. “Hi, are we still on for Thursday?” “Sorry, is this Dr. Lee’s office?” You write back to correct them, because that’s the polite thing to do, and now you’re in a conversation. That was the whole goal.
The FTC has flagged these for a while. The misdial is a pretext. A reply tells the sender the number is real and that the person behind it answers strangers. From there it turns into friendly chat, sometimes with a romantic edge, and eventually a nudge toward a too-good investment or a crypto platform that doesn’t exist. The content of your reply doesn’t matter. The fact that you replied does.
The tells that actually matter
Most advice about spotting scam texts fixates on tone and grammar, and that advice is half useless now. Plenty of these messages are well written. Plenty borrow a real brand name, because impersonating a name people trust is the entire strategy. Good spelling proves nothing.
The reliable tells are about process, not polish. Here’s what to watch for.
- It showed up unsolicited, about something you didn’t start.
- It pushes you to act fast, with a deadline or a threat attached.
- It wants you to click a link or call a number printed in the message itself.
- It asks for a password, an account number, a card number, or a verification code.
- It doesn’t match how that company actually reaches you.
Any one of those is reason to stop. More than one, and there’s no real question left.
The deeper tell people miss: engagement itself is the trap.
The FCC notes that some scam texts exist only to confirm your number is live, so it can be sold or targeted again. A YES, a NO, a polite “wrong number,” a tap that loads a blank page, any of it tells the sender something useful. On a phone, where the keyboard pops up and a reply takes two seconds, that small act of responding is often the whole win. The safest reply is none.
What to do if you already tapped
First, breathe. A tap by itself is usually less serious than the panic suggests. Loading a scam page doesn’t empty your account. What matters is what came after the tap.
If you only opened the page and entered nothing, you’re most likely fine. Close it, delete the text, and don’t go back.
If you typed something in, a login, a card number, a verification code, move quickly. Don’t use any contact information from the text. Call your bank using the number on your card, or open the app you already trust, and tell them what happened. If you reused that password anywhere else, change it there too, because a password entered on a fake site is a password the scammer now has. For anything financial, watch the account closely and dispute charges you don’t recognize.
If you tapped a toll or delivery link and gave up information, IC3 is the right place to report it, and securing your accounts comes before the report. For a USPS-themed text, the Postal Inspection Service runs its own reporting path.
For the texts you didn’t fall for, there’s a quick civic move that actually helps. Forward the message to 7726, which spells SPAM, and your carrier uses it to spot and block similar messages. Apple Messages and Google Messages both have a built-in report option too. It takes ten seconds and makes the next one a little less likely to land in someone else’s inbox.
The honest bottom line
Smishing isn’t a writing problem. It’s an interface problem. The delivery text, the toll text, the bank alert, and the wrong-number opener are four different stories told for one reason. Your phone reads fast, hides the cues you’d use to check, and rewards the quick tap. The message is the lure. The mobile screen is the leverage.
So the fix isn’t learning to spot every variation, because the variations are endless and the next one will look a little different. The fix is one habit. Treat every text as a notification to verify somewhere else, never as an instruction to act inside the thread. Bank app, not the link. Number on the card, not the number in the message. The toll site you’ve used before, not the one you were just handed. Build that reflex and the cleverness of any single text stops mattering.
If you already tapped something and want to know exactly what a click can and can’t do to your phone, I walked through that in a separate guide on what actually happens after you click a phishing link. And if the text leaned on authority instead of urgency, someone claiming to be from a government agency or a fake support line, those run the same playbook from a different angle. I covered both in the pieces on government impersonation scams and tech support scams.
Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.
Recommended resources:
- How to Recognize and Report Spam Text Messages (FTC): official guidance, including the 7726 reporting step
- IC3.gov: the FBI’s Internet Crime Complaint Center, the reporting path for toll and delivery smishing
- USPS-related text scams (U.S. Postal Inspection Service): how to report fake delivery texts