Smishing ALERT: What you need to know and do
Scammers, spammers and other cyber-criminals are endlessly adaptable, switching to new attack vectors as rapidly as users catch on to old ones. Most users have raised their guards against email phishing scams, but “smishing” - a mashup of SMS and phishing - is a growing threat due to the ubiquity of mobile phones. Read on for the scoop on how to outsmart these attacks, with practical tips, fresh statistics, and examples of real-world smishing scams... |
What is Smishing?
“Smishing” stands for “SMS phishing.” It’s a social-engineering technique that relies on text messages to dupe users into taking actions that reveal their sensitive personal information, or lure them to a rogue website that will trick them into handing over a credit card, or sneakily infect their phones with malware. Scammers send these fake texts that appear to come from trusted organizations. Commonly spoofed in these attacks are banks, delivery services, and well-known tech companies.
One report I saw said that Amazon customers are targeted in about 38% of all smishing attempts, imitating that company's frequent order and shipping updates. Apple, Google, PayPal, Facebook, Walmart and major banks are among others often mentioned in smishing messages. To be clear, none of these companies are sending the offending texts.
A smishing message includes the usual elements of a scam: the false appearance of a trusted sender; a message designed to grab your attention; and an urgent call to action that promises a reward or a solution to a problem. You’ll have much bigger, real problems if you perform the suggested action. Here's how a typical smishing scam goes down.
Ding! A text message arrives unexpectedly. The action requested may be a voice phone call to “account services” at your bank. It may be a demand that you click a link apparently leading to Amazon, FedEx, or another large company that most people know and trust. A smishing text might urge you to “reset a password,” “track a missed delivery,” or “claim a prize". Messages may claim there’s an urgent tax payment needed. Less often, it’s a request for a reply that leads to a text message dialogue with a scammer, or an automated bot that seems to be a person.
Whatever the action is, it leads to subtle requests for more and more information: Social Security Numbers, addresses, credit/debit card info, login credentials, etc. These are things that no legitimate company will ever ask you to provide or “verify” via text message, email, or over the phone.
Smishing has been around for many years, but recently there has been a surge of smishing attacks that has security experts sounding the alarm more loudly. There has been a significant surge in smishing attacks this year, with reported losses to these text message scams hitting $470 million in 2024, a fivefold increase since 2020. So it’s important to be extra cautious with SMS messages.
Scammers are moving away from roboCALLing to roboTEXTing, while refining their evil craft with more aggressive and effective pitches. The U.S. Federal Communications Commission (FCC) adopted rules to address the problem of scam texting in March of 2023, requiring mobile service providers to block robotext messages that are "highly likely to be illegal". They also introduced new regulations in 2024–2025 to impede SMS-based scams. Mobile carriers are required to block texts from flagged numbers and shut down senders who violate consent rules or send illegal messages. In addition, the Do-Not-Call protections have been extended to text messages, shielding users from unsolicited outreach if they’ve opted out.
Since tightening the rules, the FCC reports a 99% drop in auto warranty scam robocalls and an 88% decrease in student loan text scams. But more needs to be done, as the number of spam texts reached 19.2 billion in August 2025, averaging over 60 spam texts per person. (I think I got my share, how about you?)
One thing you can do reduce that number is to forward a spam text message to 7726 (SPAM). After sending, you may receive a reply from your mobile carrier asking for the phone number the spam text originated from. This reporting helps your service provider investigate and block malicious senders.
Why is Smishing a Growing Concern?
The response rate of email phishing has fallen considerably, as more users become aware of the telltale signs of phishing and refuse to take the bait. But many people still trust their phones, and are unaware of the techniques that scammers can use. Another factor is that people are often distracted and on the move when they receive a text, and may respond without thinking.
A smishing message might include a warning purportedly from your bank, informing you of an unauthorized purchase, or some other company telling you that your account was frozen due to fraudulent activity. Another common one is the "You just won a prize (or gift card)" message. These scams may encourage you to call a phone number. Don't -- instead call the company (with a phone number you know is correct) and report the message to their security department. Or just chuckle, and delete it.
Bogus text messages that appear to be from FedEx include a tracking number and a request to "set up delivery preferences" for a package that's en route. Of course there's a link to click, which takes the unsuspecting to a page that (drumroll, please...) informs them that they've won a fabulous prize! All you have to do is complete a survey, and pony up your credit card to cover the shipping fee. That's where things get worse.
Both FedEx and UPS do offer customers the option to sign up for text message alerts about packages they have sent or received. That's why this particular smishing scam has credibility at first glance. Recently I've gotten a couple of texts purporting to alert me to high-dollar purchases on Amazon, and advising me to click a link to confirm. It was easy enough to check my Amazon account to see that no such purchase was made.
There's also the "long con" smish to be aware of. Recently I've been getting unexpected texts from numbers I don't recognize that say something like "Hey, how are you?" or "I missed your call." After doing some research, I learned that responding to these messages will lead you down a path where the sender attempts to befriend you and over the course of days or week, the scam unfolds. It often takes the form of a romantic interest developing, followed by sad stories, requests for money, excuses for not meeting in person, etc. Don't engage with texts from unknown senders.
The cost of sending smishing messages is virtually zero, allowing more bad actors to get into the smishing game with ever-higher volumes of bogus messages. Some bad guys run SMS servers that they rent out to other bad guys, making smishing attacks as easy as writing a bogus message and clicking on a few options. These scam-as-a-service operators even provide bogus websites that look very much like those of familiar banks and other trusted companies.
There are no apps that detect smishing messages effectively. Verizon, AT&T and other mobile providers have the big-data advantage of seeing this flood of robotexts at the network level. With a bit of AI magic, it should be reasonably easy to identify and block the majority of them. Until that happens, it’s incumbent upon you to know the telltale signs of a scam and just refuse to go along with it. Never call a phone number in a text that purports to be your bank’s. Never click on a shortened URL in a text message; you have no idea where it will lead. Keep your mental guard up at all times.
If you're not sure who the sender of a text message is, my advice is to delete it and move on. Have you ever gotten a suspicious text message, or one that was just spam? Your thoughts on this topic are welcome. Post a comment or question below...
This article was posted by Bob Rankin on 15 Sep 2025
For Fun: Buy Bob a Snickers. |
![]() |
Prev Article: A Second Line for Your Smartphone |
![]() The Top Twenty |
Next Article: What is the Worst Place to Buy a Smartphone? |
![]() |
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Smishing ALERT: What you need to know and do (Posted: 15 Sep 2025)
Source: https://askbobrankin.com/smishing_alert_what_you_need_to_know_and_do.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Smishing ALERT: What you need to know and do"
Posted by:
Fred
15 Sep 2025
Making this even worse is Microsoft's phone link.
So these messages pop up on your pc as well.
Posted by:
Steve
15 Sep 2025
Like many others I have received unwanted texts to "Dad" from "my child" who has of course lost his phone & wants me to use his "new" phone number. I generally just block them but I used to ask them " Oh, which child are you ? Answer came there none !
Posted by:
Charley
15 Sep 2025
I have used YouMail on my phone for years. It was (and still is) a better voicemail service than the carriers provide. And they also do a pretty good job of blocking or at least warning you about scam calls and texts. There is a free plan. I use the plus plan which has a few more features for $5.99/month.
Posted by:
Wild Bill 99
16 Sep 2025
Glad the scammers are moving to txt. I don't use txt and maybe I will get my land line back. Seriously, the only real defense is observational integrity.
Posted by:
Wolf
16 Sep 2025
Another great article! Referring back to your article about spam email, I'm glad that I have been receiving very little of that.
On the other hand, I have been getting a lot of text spam messages. Some of those messages come from banks that I don't do business with. I receive fake FedEx messages, and, since I don't have any pending shipping orders, I just delete those. I have received quite a few fake messages that "inform" me that I have fines to pay. I even received a couple of text messages stating that there is a warrant out for my arrest. Then there are the messages involving fake job offers. Once, I received a text message telling me that they detected a virus on my computer. Oh! Really! I laughed at that one! It gets even funnier, when I received a text message from someone claiming to be a psychic. Here is an example of this type of fraud: https://www.youtube.com/watch?v=wvqgbf6iL-c
My practice has been to use the option to delete and report junk. I'm glad you included additional information on reporting such text spam, by sending the junk message to 7726 (SPAM).
Thank you, Bob, for another interesting article!
Posted by:
Citellus
16 Sep 2025
Just like email, when I get a text that looks possibly legitimate and asks me to call my bank or some company, I do call. Only I use the number that I have, not the one they offer. But they have to look fairly legitimate to bother the bank.