Skip to main content

Text Message Scams: Smishing

The practice of sending fraudulent emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or to click on links that install malware, is called phishing.  

Smishing has the same goal but comes in the form of a text message. The scammer entices the victim by claiming a victim must provide them with a password, account number, or even social security number to stop an alleged fraudulent transaction. Once this information is provided, the scammer can gain access to the device and any personal information stored on it, including email, bank, credit card, or other types of accounts including social media.

The latest smishing scam involves an alleged delivery notification with a tracking link. The increase in online shopping and home deliveries has provided opportunities for criminals to masquerade as delivery companies. Clicking on the link will take the victim to a fake site where they will be asked to enter more details to prove identity or to pay a non-existent fee. Clicking the link could also potentially download malware on the user’s device.  

More than 20 billion text messages are sent every day in the United States. 

A growing number of texts are from criminals attempting to scam their victim. They can send millions of smishing texts at the same time. And because smartphone users are three times more likely to fall for fake text messages than computer users are to fall for fake email messages, text message scams are on the rise.

A common smishing tactic is to send a text warning about a fake problem with one of your accounts and ask follow-up questions to confirm your identity. The initial text may look like it came from your bank or credit card company, expecting you to rely on the legitimacy of the source and react quickly. Scammers know that you will do anything to protect your hard-earned money and take immediate action by responding and following instructions.

Many people receive texts claiming to be their bank’s fraud department asking them to confirm if they made suspicious charges or withdrawals by texting back a ‘yes’ or a ‘no’. After responding NO, the consumer receives a call from the alleged fraud department directing them to log in to their online account to produce the authentication PIN number from the bank which is used to reset the account password. The caller asks the consumer to provide the PIN to the caller, which will purportedly allow them to freeze the account and any suspicious activity. Once the caller has this code, they can use it to access the account, change the password, and start removing money from the account.

Funds may be transferred out of the account using a pay app, such as Zelle or Venmo. These pay apps are not regulated and provide no protection to users. And because the account holder voluntarily provides account credentials authorizing a transaction, they may be held liable as the financial institution bears no responsibility in “authorized” transactions.

What you need to know about smishing.

Federal law makes it illegal to send commercial text messages to a mobile device without first getting the consumer's permission. This ban applies even if you have not placed your mobile number on the Do Not Call Registry.  But there are two issues. First, you may unknowingly give your consent, and second, criminals don't follow the law.

Sharing the number for your device, buying apps, and using free or inexpensive ring tones or downloads puts you at more risk.  And those apps or free downloads often come with "terms of agreement," that if not read carefully, may allow your number to be shared or sold. 

  • Protect your mobile phone number.
  • Don't share your phone number unless you know the person or organization well.
  • Don't assume a text is legitimate because it comes from a familiar phone number or area code. Spammers use caller ID Spoofing to make it appear the text is from a trusted or local source.
  • Don't provide personal or financial information in response to the unsolicited text or at a website linked to the message.
  • Don't click on links in suspicious text; they could install malware on your device or take you to a site that does the same.
  • Don't reply, even if the message says you can "text STOP" to avoid more messages. That tells them your number is active and can then be sold to other bad actors.
  • Never follow a text's instructions to push a designated key to opt out of future messages.
  • Do forward all questionable texts to 7726 (SPAM), so wireless carriers can investigate and block that sender.
  • Do be aware of the fine print in user agreements for products or services that may use your phone number, like mobile apps and free ring-tone offers.
  • Do report scam texts to the Federal Communications Commission online; by phone 888-225-5322; or by mail: FCC Consumer Complaints, 445 12th Street, S.W., Washington, DC 20554.
  • Don't be a victim! The Attorney General's Consumer Protection webpage is always available as a resource for consumers to turn to.

To file a consumer complaint or get additional information, contact the Michigan Department of Attorney General:

Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
Fax: 517-241-3771
Toll free: 877-765-8388
Online complaint form