PILLAR GUIDE

Text Message Scams: The Complete Smishing Guide (2026)

Fake delivery texts, unpaid toll demands, bank fraud alerts, tax refunds, prize wins, and "wrong number" openers. One reference page covering every major smishing type, the 30-second check that catches almost all of them, and exactly how to report each one.

SB

SafeBrowz Team Security ResearchJune 6, 202611 min read

What smishing is and why it surged

Smishing is the text-message cousin of email phishing. The word blends "SMS" and "phishing." The mechanics are identical to email phishing, only the delivery channel and the screen are smaller, which works in the attacker's favor. A phone is held close, read in seconds, and usually trusted more than an inbox crowded with marketing.

The volume is not subtle. The FTC's Consumer Sentinel data for 2024 (published February 2025) again ranks text messages among the top contact methods reported in fraud, with fake-package and fake-bank texts leading the categories consumers flag. The FBI Internet Crime Complaint Center logged more than $16 billion in reported losses across all internet-enabled crime in its 2024 Annual Report, and the FBI has issued repeated public alerts on the unpaid-toll text wave specifically. The FCC maintains an active consumer advisory on robotext scams, and the GSMA, the global mobile-operator body, has documented the industry shift toward criminal "SMS blaster" hardware and bulk messaging kits.

Three things drove the surge. Phone numbers are cheap and easy to spoof or rotate. Link shorteners and throwaway domains hide the real destination until you have already tapped. And ready-made phishing kits, sold and rented in underground forums, let a low-skill operator launch a believable bank or courier page in minutes. The result is industrial-scale texting at almost no cost per message.

The 30-second universal check

Use this on any text before you tap anything. It catches the overwhelming majority of smishing without you needing to recognize the specific scam.

1. Did you expect it? An unexpected delivery fee, toll, refund, fine, or "account locked" alert is the single strongest signal. Surprise plus a link is the smishing signature.
2. Read the full link, do not tap it. Press and hold the link to preview the destination. A real courier or bank link ends in the company's own domain (usps.com, fedex.com, chase.com). A stacked or hyphenated lookalike, a random string, or a cheap top-level domain like .top, .xyz, .icu, or .cfd is hostile.
3. Check the sender. Banks and couriers use short codes or verified business numbers, not a personal mobile number, an email address texting your phone, or a number from another country.
4. Go direct instead. Do not act from the text. Open the official app, or type the company's web address into a fresh browser tab and sign in. Any real delivery, toll, refund, or account issue will be waiting there. If nothing is there, the text was fake.

That is the whole defense. Everything below is the field guide to the specific lures so you can recognize them on sight.

Fake delivery text (USPS, FedEx, DHL, UPS)

The most common smishing type worldwide. "Your package is held at our facility due to an unpaid shipping fee of $1.99. Update your address: [link]." The tiny amount is deliberate; it feels too small to argue with, and the goal is your card number on the next screen, not the $1.99. The FBI and the USPS Postal Inspection Service have warned about this pattern repeatedly.

What a fake delivery link looks like:

• usps-tracking-fee.icu
• fedex-redelivery-pay.top

The real tracking domains, for comparison, are plain: tools.usps.com, fedex.com, dhl.com, and ups.com. None of them charges a redelivery fee by text. Track a real package by opening the carrier app or typing the carrier address yourself.

Unpaid toll text (E-ZPass, FasTrak, SunPass, and clones)

The fastest-growing smishing wave of the past two years. "You have an outstanding toll of $6.99. Pay now to avoid a late fee and a report to the DMV: [link]." The FBI IC3 issued a dedicated public alert on this campaign, noting it spread across nearly every state under the names of whichever toll authority operates locally. The texts often arrive in places that have no toll roads at all, which is itself a giveaway.

The illustrative fake link reads like a toll authority but lives on a throwaway domain, for example thetollroads-pay[.]xyz or ezpass-toll-invoice[.]top. Real toll agencies use their own established sites such as ezpassva.com, thetollroads.com, and sunpass.com, and they do not collect tolls by SMS with a same-day deadline. Our deep-dive on the mechanics, the state-by-state names, and recovery steps is in the unpaid toll text scam guide.

Bank or payment fraud alert text (Zelle, Chase, Wells Fargo)

"Did you authorize a $750 Zelle payment to John D.? Reply YES or NO." You reply NO, relieved you caught it. Seconds later a "fraud department" agent calls from a spoofed bank number and walks you through "reversing" the charge, which actually moves your money out. This is the most financially dangerous category because it combines a text, a phone call, and social engineering in real time.

The lookalike sites behind the links look almost right:

• chase-fraud-verify.xyz
• wellsfargo-secure-alert.com

The real ones are simply chase.com and wellsfargo.com. The rule never changes: your bank will never ask you to move money to "keep it safe," and a real fraud alert can be confirmed by calling the number printed on the back of your card, not the number that texted or called you. Full breakdown in the Zelle fraud alert text guide.

Tax refund text (IRS, HMRC, CRA, ATO)

"You are eligible for a tax refund of $482.30. Confirm your bank details to receive it: [link]." Tax authorities are blunt about this: the IRS does not initiate contact by text or email to request personal or financial information, and the same holds for HMRC in the UK, the CRA in Canada, and the ATO in Australia. A refund text with a link is always a scam.

An illustrative lure such as irs-refund-claim.top impersonates the agency on a cheap domain. The real one is irs.gov, and refunds are handled inside your existing tax account, never through a texted link. More region detail in the tax refund text scam guide.

Prize, giveaway, and "you have won" text

"Congratulations! Your number was selected for a $1,000 Amazon gift card. Claim within 24 hours: [link]." You did not enter anything. The claim page asks for a card number to "cover shipping" or a small "release fee," which is the entire point. A real prize never requires a payment to receive it.

A fake claim page like amazon-prize-winner.top impersonates a trusted brand to lower your guard. The real retailer is amazon.com, and genuine Amazon promotions live inside your account, not behind a texted countdown.

"Is this you in this photo?" text

"OMG is this you in this video?? [link]" or "Someone posted a photo of you, look 😳 [link]." Curiosity and a flash of social anxiety do the work here. The link leads to a fake social-media or cloud-storage login that harvests your password, or to a page that prompts a malicious app install. The image is always just bait; there is no photo. If a friend's account sends this, their account was likely already compromised the same way. Do not tap. Message the friend through a separate channel to warn them.

Account-locked and verification text

"Your Apple ID has been locked due to unusual activity. Verify now to restore access: [link]." or the same for a Netflix, PayPal, or bank account. The link opens a pixel-perfect login page that captures your credentials and, often, the one-time code you type next. Treat every "account locked, verify now" text as hostile. Open the app or type the service address yourself; a genuine lock shows up there. For the broader pattern of one-time-code theft and account takeover, see our SIM swap fraud guide.

Family-emergency and "Hi Mom" text

"Hi Mom, I dropped my phone in the toilet, this is my temporary number. I need help paying a bill, can you send it to this account?" No link, just urgency and a new number. The attacker plays the role of a child, grandchild, or close relative in trouble. The fix is simple and old-fashioned: call the family member on their known number before sending anything. The AARP Fraud Watch Network has tracked this "wrong number relative" variant closely because it targets older parents and grandparents.

Wrong-number opener (the pig-butchering on-ramp)

"Hi David, are we still on for golf Saturday?" You reply that they have the wrong number. They apologize warmly, the conversation stays friendly, and over days or weeks it drifts toward a "great crypto investment" the new friend is making. This is the opening move of pig butchering, a long-con romance-and-investment fraud documented by the UN Office on Drugs and Crime and on-chain investigators like ZachXBT, often run from organized scam compounds in Southeast Asia. The tell is that an innocent wrong number turns chatty instead of ending. A real wrong number says sorry and disappears. We cover the full arc in the pig butchering scam explainer.

Red flags that apply to every scam text

• You did not expect it. An unsolicited fee, fine, refund, prize, or alert is the strongest single signal.
• A link to "fix" something. Real companies route you to their app or site, not a tap-through in a text.
• Urgency and a deadline. "Within 24 hours," "final notice," "to avoid a fine." Pressure is engineered to stop you from checking.
• A tiny, plausible amount. $1.99 shipping, $6.99 toll. Small enough to wave through, and the real prize is your card details.
• A lookalike or junk domain. Hyphenated brand names, stacked subdomains, or cheap TLDs (.top, .xyz, .icu, .cfd).
• Wrong sender. A personal mobile number, an email texting your phone, or an unfamiliar country code instead of a business short code.
• A request for a code or password. No legitimate company asks you to read back a one-time code sent to your phone.
• An odd reply prompt. "Reply Y to confirm." Replying anything confirms your number is live and invites more.

What to do if you tapped the link or replied

Tapping a link by itself rarely causes harm. The damage starts when you enter information or install something. Work through these in order.

1. Stop entering anything. Close the page. Do not type a password, card number, or one-time code. If the page is asking for those, it is the phishing site.
2. If you entered a password, change it now on the real site, and change it anywhere you reused it. Turn on two-factor authentication, preferably an authenticator app or hardware key rather than SMS.
3. If you entered card or bank details, call your bank using the number on the back of your card. Ask them to watch for or block the card and reverse any unauthorized charge.
4. If you sent money, act fast. Contact your bank or the payment app immediately; some transfers can still be stopped within a short window.
5. If you installed an app or profile, remove it and run your phone's built-in security check. When in doubt, a factory reset after backing up clean data is the safe option.
6. Then report it using the channels in the next section so the number and domain can be taken down faster.

How to report a scam text

Reporting is quick and it genuinely helps shut down the infrastructure behind these campaigns.

• Forward to 7726 (SPAM). In the United States, the UK, and many other countries, forwarding the text to the short code 7726 sends it to your mobile carrier's spam team for free. On most phones you can also long-press the message and choose "Report Junk" or "Report Spam."
• FTC. File a report at reportfraud.ftc.gov. This feeds the Consumer Sentinel database used by law enforcement.
• FBI IC3. For financial loss or a serious scam, file at ic3.gov, the FBI Internet Crime Complaint Center.
• Your carrier and the impersonated brand. Major carriers and companies like banks, USPS, and Amazon run abuse inboxes; the impersonated brand's official site lists where to report fraud.
• Outside the US: Action Fraud (UK) at actionfraud.police.uk, the Canadian Anti-Fraud Centre, and Scamwatch (Australia) take the equivalent reports.

How to prevent scam texts

• Never tap links in unexpected texts. Go to the app or type the address yourself. This one habit defeats most smishing.
• Turn on carrier spam filtering and your phone's built-in junk-message filtering (both iPhone and Android offer it).
• Never share one-time codes. No real company will ask you to read one back.
• Use unique passwords and an authenticator app so a single stolen password cannot unlock everything.
• Run a link checker before you trust a URL. A browser extension that screens links the moment you tap stops the page from loading at all.
• Keep your number off public listings where bulk-texting tools harvest it, and treat any "reply STOP to unsubscribe" from an unknown sender as confirmation bait, not a real opt-out.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection engine: Local + APIs + AI. The extension cannot read your text messages. It activates the instant you tap a link from any text and a phishing page tries to load in your browser, then it judges the destination before the page can ask for a card number or a login.

• Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (with Cyrillic and Punycode homograph detection) and community whitelist/blacklist, all running inside the extension before the page renders. Catches usps-tracking-fee.{tld}, fedex-redelivery-pay.{tld}, chase-fraud-verify.{tld}, and irs-refund-claim.{tld} families instantly.
• Layer 2 - API checks: aggregates threat-intelligence feeds (Google Safe Browsing, PhishTank, URLhaus) plus 30+ scam-TLD heuristics for known malicious domains.
• Layer 3 - AI deep scan (Premium): content analysis in 100+ languages identifies the impersonated brand and the scam pattern on a freshly registered domain that no blocklist has seen yet, which is exactly how smishing domains behave.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Frequently asked questions

What is smishing in plain terms?

Smishing is phishing sent by text message instead of email. A scam text uses a small fear (a held package, an unpaid toll, a locked account) or a small reward (a refund or a prize) to push you toward tapping a link and entering a card number, a password, or a one-time code. The defense is the same for every variant: do not act from the text, open the official app or type the company's address yourself.

Is it dangerous to just open a scam text or tap the link?

Opening the text is safe. Tapping the link is usually safe by itself too; the harm starts when you enter information or install something on the linked page. The risk is that a convincing fake login or payment page captures your credentials or card details. If you only tapped and then closed the page without typing anything, you are almost certainly fine. Do not enter anything, and report the message.

How do I report a scam text message?

Forward the text to the short code 7726, which spells SPAM, to send it to your mobile carrier for free. File a report at reportfraud.ftc.gov, and for financial loss or a serious scam file at ic3.gov, the FBI Internet Crime Complaint Center. Outside the US, use Action Fraud (UK), the Canadian Anti-Fraud Centre, or Scamwatch (Australia). You can also long-press the message and choose Report Junk or Report Spam.

Why am I getting toll texts when I have not used a toll road?

Because the campaign is sent in bulk to enormous lists of numbers, many of which belong to people in areas with no toll roads at all. The FBI IC3 has flagged this nationwide. A toll text that arrives where you have not driven a toll road is one of the clearest signs the message is a scam. Real toll agencies do not collect payments by SMS with a same-day deadline.

Should I reply STOP to make the scam texts stop?

No. Replying anything, including STOP, only confirms to the sender that your number is active and being read, which usually leads to more messages. Do not reply at all. Forward the text to 7726 and delete it. A real STOP opt-out only works with companies you actually signed up with.

How does SafeBrowz protect me from text-message scams?

SafeBrowz does not read your messages. It activates when you tap a link and a page tries to load. A 3-layer engine (Local URL patterns plus threat-intelligence APIs plus AI content analysis) judges the destination before it can show a fake login or payment form. The brand database covers 550+ companies, including the couriers, banks, and retailers most often impersonated in smishing, plus their typosquat and homograph variants. Free on Chrome, Firefox, and Edge.