Your phone buzzes and an unknown number pops up on your screen. You open the text and find an urgent warning from your bank’s fraud protection department. You follow the instructions and dial the phone number in the message.

A voice asks, “Have you made a recent purchase in Chicago? No? Well, let’s shut your card down to prevent further activity. But first, we’ll verify your identity by sending another text message to your phone. Can you please share your account credentials?” Assuming text scams can’t possibly be a thing, you comply.

Boom. You just got “smished,” another name for text message scams.

“Readers must slow down and not respond immediately,” said Tim Uittenbroek, Founder of online privacy education company VPNMash. In fact, he went so far as to suggest deleting any text you receive that you can’t connect to a family member, friend, coworker, or other known acquaintance.

How text scams work

With each passing year, cybercriminals’ scams grow more sophisticated. Spotting a scam used to be as simple as looking for spelling errors and checking the sender’s email address. And though scammers still make those mistakes, they’ve elevated their game and sometimes use legitimate information to steal from their targets.

“Smishing,” as text scams are often called, is the latest iteration. It works similarly to email phishing, and the goal is the same: to collect personal data from unsuspecting victims. In many ways, it’s worse because of the amount of sensitive data you have stored on your phone. Online banking, credit card apps, and password managers—this information gives a cybercriminal all the information they need to at least make fraudulent transactions or at worst, steal your identity.

CERT-In Finds Multiple Vulnerabilities in Android, Advises Users to Update

According to Uittenbroek, smishing scams nearly always have hyperlinks or “reactivation codes.” They also frequently impart a sense of urgency that encourages the reader to respond quickly or use an 11-digit number.

A typical text scam might look like any of the following:

Urgent notice from your bank or credit card company. The fraud department at your bank noticed unusual activity and your account has been suspended. It’s only after you supply your security credentials and your PIN that you realize your information has been stolen.

The urgent notice from a relative or friend traveling overseas. This is a repurposed email phishing scam. Always assume a request like this is fraudulent until you speak to your family member or friend.

The urgent notice that announces you’ve won a raffle you didn’t enter. And all you have to do is click on the link and buy credits to claim it!

The urgent notice from the IRS or another government agency. The IRS and other government agencies won’t send you a text message announcing you owe them money, period.

The urgent refund notice. In this one, you’re accused of racking up charges on a legitimate account and the text will prompt you to click on a link for a refund. Except there weren’t any extra charges.

Notable text message scams

There are some well-known instances of sophisticated text message scams ensnaring unsuspecting mobile users.

The Wells Fargo text scam

In this one, the cybercriminal pretends to be from Wells Fargo. The message delivers news that the reader’s bank account has been disabled. Many who receive this text scam don’t even have a Wells Fargo account, but that doesn’t matter, because all the scammer needs are a few victims to click the link and enter sensitive personal data. This complicates matters for Wells Fargo customers since the bank does sometimes reach out over text. This is a classic “urgent attention needed” message.

FBI Recovers 7,000 LockBit Keys, Offers Lifeline to Ransomware Victims
Buy Me A Coffee

The Uber code text scam

Uber is another company that cyberthieves mimic. You may have been one of the thousands of mobile phone users who mysteriously received Uber text codes similar to what’s received when a customer orders a car. But in this case, the messages are from bots trying to open an account using your phone number.

How to spot text scams

Hints that indicate your phone is being attacked by a cybercriminal include:

  • The text contains incorrect spelling and grammar.
  • You receive a text about a service you didn’t order (like Uber), an account you don’t have (like Wells Fargo) or a raffle you didn’t enter.
  • You go to the company’s website but you cannot verify the text’s claims.
  • The text wants you to reveal logins, passwords, your PIN or other private information.
  • You don’t recognize the number the text came from.
  • You’re asked to respond to a survey or told that you’re a “number neighbor”—in these cases, the scammer just wants to find out if there’s a person on the other end of the number dialed by the bot.

Here’s what to do—and what not to do—if you think you’ve received a smishing message:

Don’t: click any link or dial any number in the text message. That could result in malware being planted on your phone, or you could accidentally reveal private information.

Do: verify a text message’s claims on the company website. A real issue, such as a shutdown bank account, will also appear on the website.

Chinese Hackers Breach Over 20,000 FortiGate Systems Worldwide in Extensive Cyber Espionage Campaign

Don’t: respond to any message you suspect is a text scam. That only verifies your number is real and active and could subject you to more smishing attempts.

Do report smishing attempts. You can do this by forwarding the text to 7726 (SPAM). These texts will not count against your text plan. You can also file complaints with the Federal Trade Commission and the Federal Communications Commission. Both websites offer a wealth of information and tips on how to stay safe online.

Don’t: let yourself be rushed. Your bank, the IRS, your credit card company and other legitimate organizations won’t insist that you do important, time-sensitive business over text.

“Readers can protect themselves by not answering texts from unknown numbers,” said Colin Ma, a security consultant and software developer. “If it’s important, the sender will provide identifying information.”

Every new technology brings new scams

Cybercriminals may create new ways to take advantage of people every year, but the basics remain the same. Use common sense, never reveal personal data when you don’t have to, verify all claims with the company itself and look for spelling and grammar errors. A reverse phone number search may also reveal more information about the potential scammer.

“Remember how your mother used to tell you not to take candies from strangers on the road? That applies to this as well,” said cybersecurity expert Abdul Rehman of “Don’t trust strangers on the internet.”

New York Times Source Code Stolen Using Exposed GitHub Token

This article is republished with permission from Melan Villafuerte, the Content Specialist at This article originally appeared on

Disclaimer: The above is solely intended for informational purposes and in no way constitutes legal advice or specific recommendations.