Smishing Attacks: Text Message Scams and How to Block Them

Why smishing matters right now

Smishing (SMS phishing) uses text messages to trick you into clicking links, revealing passwords or codes, or calling fraudulent numbers. Losses to text message scams rose sharply: U.S. consumers reported $470 million in losses to text‑message scams in 2024, underscoring that these attacks are growing in scale and sophistication.

Federal agencies and law‑enforcement bodies have issued warnings about large waves of smishing that impersonate delivery services, toll agencies, banks, and government offices. These campaigns often send thousands of messages at once, trying to generate even a small percentage of victims. If you receive an unexpected message demanding payment or asking you to confirm personal information, stop and verify it independently before doing anything.

This guide shows realistic examples of the texts scammers send, the red flags to watch for, and practical steps to change your phone and carrier settings to reduce the risk of getting smished.

Realistic smishing message examples (what to watch for)

Below are typical templates scammers use. These examples are representative — scammers constantly change wording, but the tactics are the same: urgency, fear, or the promise of a reward to prompt a fast reaction.

• Delivery scam — “Your package (tracking # 123456) could not be delivered. Pay $2.99 to reschedule: http://example‑link”

• Toll/fine scam — “Unpaid toll fee. Pay now to avoid license suspension: http://example‑pay”

• Bank alert fake — “We detected a suspicious charge of $1,250. Reply "STOP" to cancel or click: http://fakebank”

• Account verification / code grab — “Use this 6‑digit code to verify your account: 834219. If you did not request this, call 1‑800‑XXX‑XXXX”

Common red flags:

• Unexpected sense of urgency or threats (pay now, verify now).
• Poor grammar, strange punctuation or odd formatting.
• Links with unfamiliar domains or shorteners; the displayed sender name doesn’t match the link target.
• Requests for one‑time codes, login credentials, or payment via gift cards/crypto.
• Asking you to reply or call an unknown number — replying confirms your number is active and may invite follow‑ups.

Official consumer and state guidance emphasizes: don’t click links, don’t reply, and verify suspicious texts using known contact information. Forward spam texts to your carrier (see reporting steps below) and report scams to the FTC.

How to configure phone and carrier settings to block smishing

There’s no perfect defense, but a combination of phone settings, carrier tools, and safe habits drastically reduces risk. Follow these platform‑specific steps and reporting actions.

Quick actions every user should take

• Never reply to suspicious texts or click links in unexpected messages.
• Enable multi‑factor authentication (MFA) on important accounts — preferably using an authenticator app or hardware key rather than SMS when possible.
• Forward spam texts to your carrier by sending them to 7726 (SPAM); this is supported by major U.S. carriers and helps block bulk senders.

iPhone (iOS) — built‑in filters and reporting

1. Open Settings > Messages.
2. Turn on Filter Unknown Senders to move messages from people not in your contacts into a separate list (silences notifications for those senders).
3. When you see a suspicious iMessage, use Report Junk (tap the message and follow prompts) or forward the message to 7726. Do not reply to the sender.

Note: Apple continues expanding automated filtering and categories for messages; keep iOS updated and check the Messages settings after major updates.

Android (Google Messages and others)

1. Open your Messages app (Google Messages is common) > Settings > Spam protection and turn on Enable spam protection. This allows the app to identify suspected spam and flag it.
2. Use Block & report spam when you get an unwanted message; this sends data to Google and your carrier to improve filtering.
3. Google has introduced AI‑powered scam detection in Messages to warn users about suspicious texts—keep Google Messages updated to receive the latest protections.

Carrier and third‑party options

• Many carriers offer enhanced spam filtering and the ability to block messages that originate from the internet (a common vector for smishing). Check your carrier’s fraud/spam settings in your account or carrier app.
• Consider reputable third‑party apps (Hiya, Robokiller, etc.) if your device’s built‑in filters are insufficient; compare privacy and permission requirements before installing.

When a smishing attempt succeeds

• If you clicked a link or gave credentials, immediately change passwords for affected accounts and enable MFA (use an authenticator app if possible).
• If you shared financial data or paid money, contact your bank or card issuer to dispute charges and freeze accounts if necessary.
• Report the incident to the FTC at ReportFraud.ftc.gov and file a complaint with your carrier; if you lost money, consider filing a police report and contacting local law enforcement.

Bottom line: Smishing is rising, but simple precautions — don’t click, don’t reply, forward spam to 7726, enable device filters, and use MFA — block most attempts. Stay current with your phone’s security updates and periodically review your messaging settings to take advantage of new protections.