The package delivery notification looks legitimate. So does the bank alert about unusual activity, the toll road bill, and the message from your boss asking for a quick favor. Text scams, known formally as smishing, have become the fastest-growing fraud category in most developed countries, and the people falling for them are not who you might expect.
The format works because it bypasses defenses we built for email and weaponizes habits the phone trained us to have.
Why texts beat email at the scammer’s job
Email filters have spent two decades learning to recognize phishing. Major providers now block billions of suspicious messages a day before they reach an inbox. SMS infrastructure has nothing comparable. Carriers run basic spam detection, but the sheer volume of legitimate transactional texts, from delivery codes to two-factor authentication, makes filtering harder without breaking the texts users actually want.
Texts also exploit a different psychology. People treat their phones as personal in a way they no longer treat email. A message that reaches the lock screen feels closer, more urgent, and more trusted than the same message in a Gmail tab. The format is short, which removes the awkward grammar and overly formal salutations that used to flag classic email scams. Shortened links, common in legitimate texting, neutralize the URL-inspection habits security training built up over years.
The scam categories that actually work
The dominant smishing playbook is dull and effective. Fake delivery notifications, supposedly from USPS, FedEx, or Amazon, ask users to click a link to “reschedule” or “confirm” a package. The link leads to a credential or payment-card harvest site. Toll road scams have surged in the United States, with messages claiming unpaid balances on agencies like E-ZPass or SunPass and threatening fees for non-payment.
Bank fraud alerts are another favorite, often using urgency and the recipient’s actual bank name pulled from data breaches. Romance and pig-butchering scams begin with seemingly innocent wrong-number texts that escalate over weeks into investment fraud. Job offer scams, IRS impersonation, and family-emergency messages round out the top categories. Each one is engineered to provoke a single tap before the brain catches up, which is the entire game.
Defenses that actually help
The single most effective habit is to never click links inside a text message, regardless of the sender. If a message claims to be from your bank, your delivery service, or a government agency, open the official app or website manually and check there. Legitimate institutions will repeat any genuine alert through verified channels.
Reporting helps. In the US, forwarding suspicious texts to 7726 (SPAM) feeds carrier-level filters. Major mobile operating systems now include built-in spam reporting that meaningfully improves detection. Treating any urgent text from a number you do not recognize as guilty until proven innocent is a low-cost mental rule that catches most attacks. Two-factor authentication using an authenticator app, rather than SMS, removes one of the highest-value targets from your phone entirely.
The takeaway
Smishing works because it slips past habits we never built. Build them now. Skepticism, manual app checks, and reporting are unglamorous but consistently outperform every fancy security app on the market.
Leave a Reply