
Protect yourself from online scams

Smishing - text message scams

Smishing (SMS + phishing) has exploded in recent years, with success rates far exceeding email phishing. In this chapter, you’ll learn why text message scams are so effective and how to protect yourself.

The Smishing Threat Landscape

The statistics are alarming:

  • 22% increase in smishing attacks in Q3 2024 alone
  • 18% global increase in smishing incidents in 2024
  • 19-36% click-through rate for smishing (vs. 2-4% for email)
  • 27.6% of mobile users tapped on 6+ smishing links
  • 76% of businesses hit by smishing attacks
  • 174% increase in delivery service smishing scams
  • Average loss: $8,199 per person for tax-related smishing

Why Smishing Is More Effective Than Email

Higher Trust Factor

  • Text messages feel more personal
  • Less spam than email (historically)
  • Mobile notifications create urgency
  • Shorter format seems less suspicious

Mobile Behavior Patterns

  • People check phones 96+ times daily
  • Respond quickly to texts
  • Harder to verify on small screens
  • More likely to click on mobile

Reduced Visibility

  • Can’t hover over links on mobile (easily)
  • Sender spoofing is common
  • Shortened URLs hide destination
  • Limited context/information visible

Platform Evolution

Smishing has shifted from traditional SMS:

  • Q2 2024: 39.6% via KakaoTalk, only 1.5% via traditional SMS
  • WhatsApp, Telegram, Signal increasingly targeted
  • Harder to filter on messaging apps
  • Perceived as more secure platforms

Common Smishing Tactics

1. Fake Delivery Notifications

The #1 smishing tactic - 174% increase in 2024.

Example texts:

“USPS: Your package is awaiting delivery. Confirm address: [link]”

“FedEx: Package held due to incomplete address. Update here: [link]”

“Amazon: Your order #12345 couldn’t be delivered. Reschedule: [link]”

Why it works:

  • Everyone expects packages
  • Creates urgency (package waiting)
  • Timed with holidays/shopping seasons
  • Links to realistic fake websites

Red flags:

  • Unexpected delivery notifications
  • Requests to click links
  • Claims of fees ($1.99 redelivery)
  • Urgent action required
  • Shortened URLs (bit.ly, tinyurl)

Verification:

  • Check official app for tracking
  • Type carrier website manually
  • Verify with retailer directly
  • Don’t click text links

2. Bank Security Alerts

Example texts:

“Bank Alert: Unusual activity detected on account ending in 4567. Verify now: [link]”

“Your card has been locked due to suspicious activity. Call 888-555-0123 to unlock.”

“Fraud alert: $500 transaction declined. Confirm it was you: [link]”

Why it works:

  • Banking security is critical
  • Creates immediate concern
  • Appears official with account details
  • Time-sensitive nature

Red flags:

  • Links to “verify” account
  • Phone numbers to call (not from your card)
  • Requests for PIN or password
  • Generic account info (last 4 digits could be guessed)

What real banks do:

  • Use official app notifications
  • Call from known bank numbers
  • Never ask for PIN/password via text
  • Provide ways to verify in-app

3. “Verify Your Account” Messages

Example texts:

“PayPal: Your account has been limited. Verify identity: [link]”

“Apple: Your iCloud account requires verification within 24 hours.”

“Netflix: Payment method failed. Update billing info: [link]”

Why it works:

  • Account suspension is concerning
  • Urgent timeframes
  • Familiar services everyone uses

Red flags:

  • Account services you use sending texts unexpectedly
  • Links to “verify” or “update”
  • Threats of suspension
  • 24-48 hour deadlines

Verification:

  • Log into account directly (app or browser)
  • Check for actual notifications there
  • Contact company via official channels
  • Never click text message links

4. Toll Road and Traffic Scams

Example texts:

“E-ZPass: You have an unpaid toll of $12.51. Pay now to avoid $50 fine: [link]”

“Tollway Notice: Outstanding balance of $3.75. Pay within 72 hours: [link]”

Why it works:

  • Specific to your geographic region
  • Realistic amounts ($3-15)
  • Threat of escalating fines
  • Many people use toll roads

Red flags:

  • Texts about tolls (most use mail)
  • Immediate payment demands
  • Links to pay
  • “Fines” for small amounts

Verification:

  • Log into official toll account
  • Check statements there
  • Toll agencies send mail first
  • Never pay via text link

5. Two-Factor Authentication Scams

Example texts:

“Your verification code is 123456. Never share this code.”

Followed by phishing call:

“This is [Bank] security. We need that code you just received to verify it’s you.”

Why it works:

  • Legitimate codes look the same
  • Creates confusion
  • Urgent phone call adds pressure
  • Exploits security features

Red flags:

  • Unsolicited 2FA codes (you didn’t request)
  • Anyone asking for your 2FA code
  • Phone calls about codes
  • Multiple codes in short period

What to do:

  • Never share 2FA codes
  • Ignore unsolicited codes
  • Hang up if asked for codes
  • Change passwords if receiving unexpected codes

6. COVID-19 and Health Scams

While declining, still prevalent:

Example texts:

“You’ve been exposed to COVID-19. Schedule free test: [link]”

“Vaccine appointment available. Confirm within 2 hours: [link]”

Why it works:

  • Health concerns override caution
  • Government/health authority impersonation
  • Urgent medical nature

Red flags:

  • Unexpected health notifications via text
  • Links to schedule appointments
  • Requests for insurance info
  • Payment for “free” services

7. Prize and Gift Card Scams

Example texts:

“Congratulations! You’ve won a $500 Walmart gift card. Claim here: [link]”

“You’ve been selected for Amazon rewards program. Click to redeem: [link]”

Why it works:

  • Everyone likes free money
  • Appears randomly selected
  • Quick claim process
  • No obvious harm in checking

Red flags:

  • Winning contests you never entered
  • Free money offers
  • Links to “claim”
  • Time-limited offers

Shortened URLs: The Smishing Weapon

Why Scammers Use Them

  • Hide actual destination
  • Look less suspicious
  • Bypass some filters
  • Can track clicks

Common URL shorteners:

  • bit.ly
  • tinyurl.com
  • goo.gl
  • t.co
  • ow.ly

How to check shortened URLs:

  1. Use URL expander services (getlinkinfo.com, urlex.org)
  2. Never click first - expand first
  3. Look for the actual destination domain
  4. If suspicious, don’t click at all
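
The "expand first" step above can also be done without a browser. The following is an added example, not part of the original chapter: it follows a short link's redirects with HEAD requests only, so no page content is downloaded or rendered, and returns the full chain. The function names and the `link-expander-example` User-Agent string are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def head_once(url, timeout=5):
    """Send one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-expander-example"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_once, max_hops=10):
    """Follow redirects hop by hop; return every URL visited, in order."""
    if "://" not in url:
        url = "https://" + url          # texts often omit the scheme
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain                # reached a non-redirect response
        nxt = urljoin(chain[-1], location)   # resolves relative Location values
        if urlsplit(nxt).scheme not in ("http", "https") or nxt in chain:
            return chain                # refuse non-web schemes and loops
        chain.append(nxt)
    return chain                        # hop limit reached; treat as suspicious

def final_host(chain):
    """The domain to compare against the company the text claims to be from."""
    return urlsplit(chain[-1]).hostname

if __name__ == "__main__":
    import sys
    for hop in expand(sys.argv[1]):
        print(hop)
```

Even a HEAD request is logged by the shortener as a click and reveals your IP address, which is why the expander services listed above are the safer choice on a personal device. Redirects performed by JavaScript or meta-refresh tags are not followed, so a harmless-looking final host is not proof the link is safe.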

Geographic Targeting

Smishing campaigns often target specific regions:

Regional toll road scams:

  • E-ZPass (Northeast US)
  • FasTrak (California)
  • SunPass (Florida)
  • TxTag (Texas)

Local government impersonation:

  • State DMV messages
  • Local utility companies
  • Regional delivery services

Why geographic targeting works:

  • More believable (services you actually use)
  • Realistic context
  • Harder to fact-check quickly

Platform-Specific Smishing

Traditional SMS

  • Direct carrier messages
  • Can spoof sender names
  • Harder to block at scale

WhatsApp/Telegram/Signal

  • Appear more trustworthy
  • Group message scams
  • Forwarded message chains
  • Fake business accounts

iMessage

  • Difficult to spoof from iPhone users
  • Green bubble (SMS) vs. blue (iMessage) confusion
  • FaceTime phishing attempts

Mobile-Specific Vulnerabilities

Why Mobile Makes You Vulnerable

Limited screen space:

  • Can’t see full URLs
  • Less context visible
  • Harder to spot details

Tap-to-action mentality:

  • Designed for quick interactions
  • Less deliberate decision-making
  • Muscle memory clicking

Notification urgency:

  • Push alerts create pressure
  • Fear of missing something
  • React before thinking

Harder verification:

  • Switching apps cumbersome
  • Can’t hover over links
  • Copy-pasting URLs difficult

Verification Procedures for Text Messages

Instead:

  1. Open official app - For the service mentioned
  2. Type URL manually - In your browser
  3. Call official number - From company website/card
  4. Visit in person - For local services

Before Any Action:

Ask yourself:

  • Was I expecting this message?
  • Does this company text me normally?
  • Is there urgency/threat language?
  • Am I being asked to click a link?
  • Does the number look official?

If the answer to any red-flag question is “yes”: Don’t click. Verify through official channels.

Safe Practices for Mobile Security

Enable Security Features

iOS:

  • Enable “Filter Unknown Senders”
  • Turn on “Silence Unknown Callers”
  • Report Junk messages

Android:

  • Enable spam protection
  • Block unknown numbers
  • Use Google Messages filtering

Carrier-Level Protection

  • Enable spam blocking through carrier
  • AT&T Call Protect
  • Verizon Call Filter
  • T-Mobile Scam Shield

Be Cautious With Your Number

  • Don’t share unnecessarily
  • Use alternative numbers for sign-ups
  • Register with Do Not Call Registry
  • Opt out of marketing

Enable Two-Factor Authentication

  • But never share 2FA codes
  • Use app-based 2FA when possible
  • Biometric authentication preferred

Red Flag Checklist for Text Messages

Immediate red flags:

  • Unexpected messages with links
  • Requests to verify accounts
  • Payment demands via text
  • Prize/gift card notifications
  • Unsolicited 2FA codes
  • Packages you didn’t order
  • Account suspension threats

Suspicious patterns:

  • Shortened URLs (bit.ly, etc.)
  • Misspelled company names
  • Generic greetings
  • Poor grammar
  • Urgent deadlines (hours/days)
  • Requests for personal information
  • “Click here” language

Safer indicators (but still verify):

  • Expected messages (you initiated)
  • No links, just information
  • Matches official communication style
  • Can be verified in official app
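
The checklist above can be turned into a simple triage filter. This is an added example, not part of the original chapter: it scores a message against the red flags listed here, including the shortener domains named earlier and a check that any link actually belongs to the brand the text claims to be from. The rule names, the brand-to-domain map and the `.example` links in the samples are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Shortener domains listed on this page.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Assumption: a small illustrative brand -> official domain map, not a complete list.
OFFICIAL = {"usps": "usps.com", "irs": "irs.gov", "fedex": "fedex.com",
            "paypal": "paypal.com", "netflix": "netflix.com"}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# Red flags from the checklist above, as hypothetical rule names -> patterns.
RULES = {
    "urgent_deadline": r"\bwithin \d+ (?:hours?|days?)\b|\bnow\b",
    "payment_demand": r"\bpay\b|\bfee\b|\bfine\b|\bunpaid\b",
    "verify_request": r"\bverify\b|\bconfirm\b|\bupdate\b",
    "free_money_offer": r"\bwon\b|\bgift card\b|\bunclaimed\b|\bclaim\b",
    "account_threat": r"\blocked\b|\blimited\b|\bsuspen",
}

def link_hosts(text):
    """Return the lowercase host of every URL-like token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        host = urlparse(raw if "://" in raw else "http://" + raw).hostname
        hosts.append(host.lower().removeprefix("www."))
    return hosts

def red_flags(text):
    """Return the sorted list of red flags a message trips."""
    flags = {name for name, pat in RULES.items() if re.search(pat, text, re.I)}
    hosts = link_hosts(text)
    if hosts:
        flags.add("contains_link")
    claimed = [dom for brand, dom in OFFICIAL.items()
               if re.search(rf"\b{brand}\b", text, re.I)]
    for host in hosts:
        if host in SHORTENERS:
            flags.add("shortened_url")  # destination hidden until expanded
        elif claimed and not any(host == d or host.endswith("." + d) for d in claimed):
            flags.add("brand_domain_mismatch")  # e.g. usps.com.track-pkg.example
    return sorted(flags)

# Constructed samples based on the example texts in this chapter.
SAMPLES = [
    "USPS: Package delivery failed. Pay $1.99 redelivery fee: bit.ly/usps-1234",
    "IRS NOTICE: You have unclaimed refund of $1,247. Claim within 48 hours: irs-refund.example/c",
    "USPS: confirm address at usps.com.track-pkg.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(red_flags(s), "<-", s)
```

These are keyword heuristics: an empty result does not mean a message is safe, so the verification steps in this chapter still apply.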

Real-World Smishing Examples

Example 1: USPS Delivery

Text received:

USPS: Package delivery failed.
Pay $1.99 redelivery fee:
bit.ly/usps-1234

Analysis:

  • USPS doesn’t text for redelivery fees
  • Shortened URL hides destination
  • Small fee makes it seem legitimate
  • Creates urgency (package waiting)

Correct action:

  • Check USPS.com with tracking number
  • Or check retailer’s shipping info
  • Don’t click link
  • Report to USPS ([email protected])

Example 2: Bank Alert

Text received:

Bank Alert: Suspicious $500
transaction on card ending 4567.
Reply Y to confirm or N to block.
www.secure-bankverify.com

Analysis:

  • Banks don’t verify via text reply
  • Wrong domain (not actual bank)
  • Last 4 digits could be guessed
  • Designed to get quick response

Correct action:

  • Call bank using number on your card
  • Check account via official app
  • Don’t reply or click
  • Report to bank’s fraud department

Example 3: Tax/IRS Scam

Text received:

IRS NOTICE: You have unclaimed
refund of $1,247. Claim within
48 hours: [link]
Ref #IRS-2024-78945

Analysis:

  • IRS never initiates contact via text
  • Refund amounts vary to seem personal
  • 48-hour urgency
  • Reference number adds false legitimacy

Correct action:

  • IRS only contacts via mail
  • Check IRS.gov for actual refund status
  • Never click IRS-related texts
  • Report to [email protected]

Immediate actions:

  1. Don’t enter information - Close browser
  2. Disconnect internet - Turn off WiFi/data
  3. Don’t download anything - If prompted
  4. Screenshot the text - For reporting
  5. Run security scan - Mobile antivirus

Within hours:

  1. Change passwords - For accounts on that device
  2. Enable 2FA - If not already active
  3. Monitor accounts - Check for unauthorized activity
  4. Contact bank - If you entered financial info
  5. Report it - Carrier, FTC, affected company

Follow-up:

  1. Watch statements - For several months
  2. Monitor credit - Consider freeze
  3. Update security - On all devices
  4. Learn the lesson - To spot future attempts

Key Takeaways

  • Smishing has 19-36% click-through rate (vs. 2-4% for email)
  • 174% increase in delivery scams in 2024
  • Never click links in unexpected texts
  • Verify through official apps instead
  • Enable spam filtering on phone and carrier
  • Shortened URLs hide destination - expand before clicking
  • Banks never verify via text reply
  • IRS never initiates contact via text
  • 2FA codes should never be shared
  • When in doubt, don’t click - verify independently

Remember: Your phone feels personal and trustworthy, which is exactly why smishing is so effective. Always pause before clicking, and verify through official channels. A few extra seconds can save you thousands of dollars.

Next chapter: We’ll explore social media scams - how attackers exploit Facebook, Instagram, LinkedIn, and other platforms to target victims.

Author: How To Use Internet
Last updated: 11/30/2025