Decode suspicious texts from USPS, Amazon, banks, or strangers. Learn smishing red flags & what to do if you clicked.
Take these steps immediately:
7726 (SPAM)

Good news: Simply clicking usually doesn't compromise your phone unless you also entered info or downloaded something. Still, take precautions.
Smishing = SMS + Phishing
It's a cyberattack where scammers send fake text messages pretending to be from trusted sources—your bank, Amazon, USPS, the IRS, or even a friend—to trick you into:
98% of text messages are opened (compared to 20% of emails), and 60% of people click links in texts without verifying the source. Scammers exploit this trust because:
Result: Smishing attacks are up 328% since 2020.
What it looks like:
The scam: There is no package. The link leads to a fake page that steals your credit card or installs malware.
Why it works: Everyone's expecting deliveries. Creating fake urgency bypasses critical thinking.
How to verify: Open the USPS/FedEx/Amazon app or website directly (don't click the text link). Check your account for real tracking info.
What it looks like:
The scam: Your bank never texts links for "fraud alerts." The fake site harvests your login credentials.
Red flag: Real fraud alerts say "Call the number on the BACK of your card"—they never provide a number in the text.
What it looks like:
The scam: This is the start of a long-con romance/investment scam. The "wrong number" is intentional. They build trust over weeks, then pitch crypto investments or ask for money.
Warning: These texts often come with profile pictures of an attractive person. They'll quickly suggest moving to WhatsApp or Telegram.
What it looks like:
The scam: "Too good to be true" jobs that either: 1) Steal your SSN/bank info during "onboarding," or 2) Send you a fake check to buy "equipment," then you owe the bank when it bounces.
What it looks like:
The scam: The "prize" requires you to pay "processing fees" or complete endless surveys that harvest your data.
Truth: Legitimate sweepstakes never require payment or sensitive info to claim prizes.
What it looks like:
The scam: They want you to enter your real login credentials on a fake site. Then they hijack your actual account.
How to check: Log in to the service DIRECTLY (not through the text link). Check for real alerts.
What it looks like:
Critical fact: The IRS, SSA, and DMV NEVER text, call, or email first. All official communication is by physical mail.
What it looks like:
The scam: A hacker already has your password and is trying to log in. They need YOUR 2FA code to complete access. If you receive unexpected codes:
What it looks like:
The scam: They impersonate your child/family member to exploit parental anxiety for quick money.
Protection: ALWAYS verify by calling your family member's KNOWN number. Ask a question only they would know.
What it looks like:
The scam: Creates panic about fines. The link steals your credit card.
How to verify: Log into your E-ZPass/ParkMobile account directly. Real violations appear there first.
Scam texts share common patterns. If you spot 2 or more of these, it's almost certainly fake:
Scam: bit.ly/abc123, tinyurl.com/xyz, or misspelled domains (anazon.com, paypa1.com)
Legit: Full official domains (usps.com, amazon.com, chase.com)
Why scammers do this: Shortened links hide the real destination. Hover over links on desktop to see the real URL.
Common phrases:
Why: Urgency bypasses logic. Legitimate companies give you time to respond.
Real companies NEVER text asking for:
If a text asks for these, it's 100% a scam.
Example: Sender shows as "noreply@service.txt" or "alerts@domain.email"
Why it's suspicious: Legitimate businesses text from:
Email-to-SMS is almost exclusively used by scammers to evade carrier filters.
Examples:
Real companies have professional copywriters and QA teams. Typos = red flag.
If you receive 2FA codes, password reset links, or verification texts that you didn't request:
⚠️ Someone is trying to hack you RIGHT NOW. Change your passwords immediately and enable 2FA.
Examples:
Rule: If you didn't enter a contest or apply for something, you didn't win it.
Paste the URL into these free services:
On iPhone: Long-press the link (don't tap). A preview window shows the full URL.
On Android: Long-press the link and select "Copy Link" - paste into Notes to see the full URL.
What to look for:
| 🚫 FAKE/SCAM | ✅ LEGITIMATE |
|---|---|
| anazon.com, paypa1.com, usps-tracking.net | amazon.com, paypal.com, usps.com |
| bit.ly/xyz, tinyurl.com/abc; short, random URLs | chase.com/fraud-alert, fedex.com/tracking; full, readable paths |
| http:// (no 's'); IP addresses (192.168...); random subdomains | https:// (secure); clean, official domains; recognizable company name |
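The link checks in the table can be automated for a mail or SMS filter. The sketch below is an added example, not code from this page: the `OFFICIAL` and `SHORTENERS` lists are assumptions seeded from the domains named above, and the last-two-labels domain split is a simplification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed lists for this example, seeded from the domains named on this page.
OFFICIAL = {"amazon.com", "paypal.com", "usps.com", "chase.com", "fedex.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_red_flags(url):
    """Return the red flags from the table that this link trips."""
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "//" + url)
    host = (parts.hostname or "").lower()
    flags = ["no-https"] if has_scheme and parts.scheme.lower() == "http" else []
    try:
        ipaddress.ip_address(host)
        return flags + ["ip-address-host"]
    except ValueError:
        pass  # not an IP literal, so treat it as a domain name
    # Naive registrable domain (last two labels); production code should
    # consult the Public Suffix List instead.
    domain = ".".join(host.split(".")[-2:])
    if domain in SHORTENERS:
        flags.append("shortened-link")
    elif domain not in OFFICIAL:
        tokens = set(re.split(r"[.-]", host))
        for good in sorted(OFFICIAL):
            if edit_distance(domain, good) == 1:
                flags.append("lookalike-of-" + good)
            elif good.split(".")[0] in tokens:
                flags.append("brand-outside-" + good)
    return flags
```

The allowlist has to contain every sender you actually deal with: with the list above, ups.com is one edit away from usps.com and would be flagged as a lookalike.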
Copy the exact text of the message and Google it in quotes:
If it's a known scam, you'll find Reddit threads, FTC complaints, and news articles about it.
Don't panic. The damage depends on what you did AFTER clicking:
Good news: Simply visiting a malicious page rarely installs malware on modern smartphones.
What to do:
You're probably fine. Stay alert for the next few days.
What to do:
Act within the hour to minimize risk.
URGENT ACTIONS (Do in order):
iPhone: Settings → Messages → Filter Unknown Senders (ON)
Android: Messages app → Menu → Spam protection (ON)
This separates texts from non-contacts into a separate "Unknown Senders" tab.
Instead: Open the company's official app or website DIRECTLY. Check for alerts there.
Google the phone number or short code sending the text. Legitimate company codes are publicly listed.
Use a password manager (Bitwarden, 1Password, LastPass) to generate and store unique passwords. If one is compromised, the rest remain safe.
Even if scammers steal your password, they can't log in without the second factor (authentication app, SMS code, hardware key).
Text: 7726 (spells SPAM)
Steps:
Visit reportfraud.ftc.gov and select "Text Message" as the contact method.