

How many text (Short Message Service, or SMS) messages do you receive on your smartphone in a given week? What used to be simply a way to stay in touch with friends and family has evolved into a vital tool for people and organizations to deliver information. Today, messages from retailers, educational institutions, healthcare providers and countless other organizations fill our inboxes.
This constant barrage of legitimate text messages can lead to a false sense of security. When a text message comes in purportedly from your favorite retailer or your doctor, the natural inclination is to click it. Stop and think before you click! Threat actors and scammers rely on our willingness to quickly interact with a text and not think carefully before clicking links or replying. These criminals will pose as legitimate organizations, sending “SMS phishing” or “smishing” messages to trick you into taking actions that will give them access to your financial and private data.
Smishing scams are especially dangerous and effective, since anyone can send a text message. The ability to spot the differences between a regular text and a smishing message is crucial to staying safe online.
These deceptive messages use social engineering tactics to create a sense of urgency, dread, greed or curiosity to trick you into clicking a link that takes you to a malicious site where criminals will collect your personal or financial information. Follow the tips below so you can fight back against threat actors and educate those around you to avoid these scams.
Learn the Types of Smishing Attacks
Prize or Lottery Scams
- These texts claim that you won a large sum of money and urge you to click a link to claim the prize.
- The message may require you to pay a fee in order to receive your supposed winnings.
Account Verification Scam
- This message warns you that your account information has been exposed in a data breach, directing you to click on a fraudulent link in order to reset your password.
- The sender may claim that multiple unauthorized login attempts have been observed, and prompt you to “secure” your account immediately through a fraudulent link in the message.
Tech Support Scam
- Scammers will impersonate technical support representatives by claiming there is a problem with your device.
- They will often ask for your login information to “fix” the issue.
- Once you start conversing with them, the scammers aim to fool you into purchasing fake services or downloading malicious software that they claim will repair issues with your device.
Bank Fraud Alerts
- Scammers will pose as a financial institution and will notify you of a suspicious or unauthorized transaction, urging you to take immediate action by following a fraudulent link.
- Cybercriminals may claim large sums of money have been sent from your account to a person or company you are not familiar with. They may provide a fake number to call or a suspicious link to follow.
Tax Scams
- Scammers pose as tax advisors or government officials in an attempt to gain access to your information.
- Scammers might also try to use your information in order to pose as you and claim your tax returns.
- Read the ITS newsletter for more information on tax smishing and other tax-based scams.
Service Cancellation
- This text claims a service you may (or may not) use will be canceled unless you update your payment details via the provided link.
- The message may mimic legitimate promotions or service renewal notifications.
- If you believe a message may actually be from your service provider, take the time to call them at a phone number you obtain from their official website.
Malicious App Download
- This scam attempts to trick you into downloading an app that appears legitimate but will contain ransomware or viruses.
- Some apps may appear harmless, and may even look like something you have used in the past, but once downloaded to your device they can steal your information.
- Always download apps from an official app store, not from a link or text message.
Learn How to Recognize Smishing Scam Messages
- Texts from cybercriminals often refer to recent actions you may have actually taken (e.g., package shipping, recent purchases, appointments, etc.).
- Scam texts create a sense of urgency by setting fake deadlines or using intimidating language to instill fear. Scammers rely on this anxiety to drive you to click a link.
- These messages will often mention large sums of money, either due to you or owed by you. Both tactics are meant to catch your eye and trick you into clicking the malicious link.
- All smishing messages will include either a link to click or a phone number to call; sometimes they include both!
- Once you call a number or click a link, the bad actor will attempt to get you to enter information.
The following examples are taken from actual smishing messages
Fraudulent Department of Motor Vehicles (DMV) Message (Service Scam)
“Your toll payment for E-ZPass Lane must be settled by Apr 19, 2025. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.”
This text included a malicious link, mimicking the payment gateway for E-ZPass.
Fraudulent Local Financial Institution Message (Bank Smishing Message)
“Your payment of $1.750.20 to “[NAME]” was approved,if this wasn’t you? Visit here”
This text also included a malicious link. Within smishing texts such as this one, note grammar issues and unusual formatting, which can be as simple as incorrect spacing or punctuation. The large sum of money in the text is meant to panic the user so they click the link quickly, without thinking about the action.
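The recognition tips and the two sample messages above can be turned into a simple rule-based check. The following is an added example, not part of the original newsletter: the word lists and patterns are illustrative assumptions, and the links appended to the sample texts are constructed placeholders, since the original links are not reproduced here.

```python
import re

# Indicator patterns based on the recognition tips above. The word lists are
# illustrative assumptions, not a vetted ruleset.
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URGENCY = re.compile(
    r"\b(?:immediately|urgent|must be settled|due date|avoid fines|"
    r"suspen\w+|final notice)\b", re.I)
DEADLINE = re.compile(r"\bby\s+[A-Z][a-z]{2,8}\.?\s+\d{1,2}\b")
MONEY = re.compile(r"[$€£]\s?\d[\d.,]*")
# Formatting slips: no space after punctuation ("approved,if") or an amount
# written with two decimal points ("$1.750.20").
NO_SPACE = re.compile(r"[a-z][,;?!][A-Za-z]")
ODD_AMOUNT = re.compile(r"\d\.\d{3}\.\d{2}\b")

def triage(text):
    """Return the sorted names of the indicators that fire for one SMS body."""
    hits = set()
    if LINK.search(text):
        hits.add("link")
    if PHONE.search(text):
        hits.add("phone")
    body = LINK.sub(" ", text)  # keep URL punctuation out of the text checks
    if URGENCY.search(body) or DEADLINE.search(body):
        hits.add("urgency")
    if MONEY.search(body):
        hits.add("money")
    if NO_SPACE.search(body) or ODD_AMOUNT.search(body):
        hits.add("formatting")
    return sorted(hits)

def is_suspicious(text):
    """Flag a text that has a link or call-back number plus one more indicator."""
    hits = set(triage(text))
    return bool(hits & {"link", "phone"}) and len(hits) >= 2

# Message bodies quoted from the examples above; the URLs are constructed.
TOLL = ("Your toll payment for E-ZPass Lane must be settled by Apr 19, 2025. "
        "To avoid fines and the suspension of your driving privileges, kindly "
        "pay by the due date. https://example.invalid/pay")
BANK = ('Your payment of $1.750.20 to "[NAME]" was approved,if this wasn\'t '
        'you? Visit here https://example.invalid/r')
BENIGN = "Reminder: your dental cleaning is Tuesday at 3 PM. Reply C to confirm."  # constructed

if __name__ == "__main__":
    for name, msg in (("toll", TOLL), ("bank", BANK), ("benign", BENIGN)):
        print(name, triage(msg), is_suspicious(msg))
```

Legitimate notifications can trip the same rules, so a flag is a reason to verify through the organization's official channels rather than proof of fraud.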
Protect Yourself from Smishing Attacks.
- Use your phone’s settings or apps to filter and block suspicious text messages.
- Never respond to, click on or open links in text messages you suspect are smishing attempts.
- Utilize multifactor authentication (MFA) on all services that support it for added protection.
- Reread messages and check for incorrect or unusual grammar/tone that could indicate fraud.
- If you believe a message may be legitimate, contact the organization directly using verified channels from their official website. Go to the organization in person if at all possible.
- Keep all devices and apps updated with the latest software and security patches.
- Report spam or phishing texts to the Federal Trade Commission (FTC).
Already Clicked a Malicious Link? Take These Steps Immediately.
- Report the scam to the FTC at ReportFraud.ftc.gov and forward text scams to 7726 (SPAM).
- Monitor the targeted account for any suspicious activity.
- Update and change account passwords, especially for linked accounts.
- Report the smishing attempt to the company that was impersonated.
Smishing scams are constantly evolving, making them difficult to detect, especially as scammers increase the sophistication of the messaging used. But by learning to recognize common patterns and practicing proactive prevention, you can better defend yourself against these threats.
Cyber Habit of the Month
Scammers utilize a variety of methods when crafting a convincing email. While phishing email scams remain a constant and persistent threat, they can be effectively countered by staying alert and following key safety practices.
Quishing (QR Code Phishing)
Quishing scams use malicious code embedded in a QR code to redirect users to phishing sites, steal credentials or install malware. With QR codes being used in a variety of places, from marketing materials to restaurant menus, hackers can exploit quick-scan habits. Before scanning a code, verify the source. Never scan a QR code sent to you in an email unless you’re confident of the sender.
Embedded Malware in Images
Scammers are now able to embed malicious code within images in emails. These can activate just by opening the message, without any additional interaction! Be cautious with emails from unknown senders, even if they contain images that appear harmless, like a company’s logo or an inoffensive picture.