Home Advice & How-ToSafety 6 Smishing Scams to Watch Out for in 2025
Home Advice & How-ToSafety 6 Smishing Scams to Watch Out for in 2025
Safety

6 Smishing Scams to Watch Out for in 2025

by Dan Ketchum
by Dan Ketchum 3647 views
FacebookTwitterLinkedinEmailCopy to clipboard

“Smishing” might sound like the latest Fortnite dance, but it’s no game.  In reality, it’s a variation of phishing – where scammers under the guise of reputable organizations “fish” for personal data – except the bogus message comes in the form of text messages rather than emails.  Short Message Service, or SMS, is the tech that powers many texts; so mash phishing up with SMS and you get smishing.  

Unfortunately, people have a tendency to be a little more trusting of texts, which means that scammers have a higher success rate with text-based rackets – and that in turn makes smishing rather popular.  There’s plenty of smish in the sea, but here are six to watch for in 2025. 

Spokeo logo

Who's Calling Me?

Search any phone number to learn more about the owner!

1. Bogus Delivery Messages

Ever since COVID hit, online shopping and delivery services have been in a boom period – even here in 2025, data from UPS indicates that same-day delivery demand is expected to grow by more than 20%.  What was once thought to be a pandemic trend might just end up being a “new normal” staple.  Likewise for the type of smishing that increased delivery demand has inspired:  bogus “delivery failure” notifications. 

You’ll get a text saying that your package couldn’t be delivered, asking you to click a link (or sometimes, call a number) to sort it out.  The message may appear to come from the delivery company or the seller (often Amazon), but it’s often a trap.  Clicking the link may take you to a fake retail or shipping page where you’ll be prompted to log in – thus providing smishers with your account credentials – or perhaps be asked to verify your payment information.  The sketchy site might even skip all that and jump straight to loading malware onto your devices.  In any case, it’s no bueno. 

Similarly, scammers have taken advantage of all that online shopping to send texts that appear to look like shipping updates from USPS, but are in fact smishing attacks. You can check out our full guide to spotting fake USPS text here. 

2. The Toll Scam 

Wake up, babe, new scam just dropped:  it’s the smishing toll scam.  In some cities, if you hop on a speedier toll road, your municipality will automatically send you a bill for the service, based on info tied to your license plate.  In the toll scam, con artists pretend to be your local toll service, and you’ll get a text prompting you to click a link to pay your “outstanding balance.”  Pay that phony bill and, bingo, smishers now have your payment info on file.      

Just in the first quarter of the year, the FBI’s Internet Crime Complaint Center received more than 2,000 complaints on this one, so be sure to keep your eyes peeled.  In particular, the FBI warns that truck drivers are popular targets of the toll scam.

understanding 2FA smishing scams

3. 2FA Shams

Ironically, another popular smishing technique works precisely because people are wising up to very real security concerns.  The truth is, usernames and passwords are inexpensive to purchase via shady online black markets, and once they’re in the hands of criminals, they can be used to take over accounts through a technique called “credential stuffing.” 

To counter this, more and more apps and sites now require or offer a login option called two-factor authentication (2FA) or multi-factor authentication (MFA).  You know that thing where you enter your username and password, but then need to enter another code texted to your phone?  That’s 2FA – the first “factor” is your login info, and the second is the verifying text code.  The 2FA scam works by sending you an authentication code that says someone is attempting to log in to one of your accounts.  There will also be a “helpful” login link to tap, so you can log in to sort it all out.  If only. 

Of course, when you click that link to put a stop to whoever’s trying to scam you, you’ve actually played right into the hands of the scammers themselves.  


4. Tax-Related Smishing 

Just like death and taxes, this smishing scam is perennial.  Whether it’s by phone, email, or text, tax-adjacent fraud is a total catnip to scammers worldwide.  You can especially expect tax-related smishing attacks in the US to peak every year in spring when tax time rolls around.  But that doesn’t mean tax-related smishing is exclusive to April, by any means. 

Scammers typically pretend to be from the IRS, and the messages often inform you (in no uncertain and often threatening terms) that you’ve messed up on your taxes, that you owe them money, and that you’ll be in a world of hurt if you don’t settle up post-haste.  Like most smishing and phishing scams, there are plenty of variations on the theme, including some with (phony) links to dispute resolution sites or a warning that your myIRS account may have been compromised – and that, of course, you’ll need to click a link “to verify the information on file.”  Emphasis on those quotation marks.

It’s wild that this kind of attack has been so successful for so long, given that the IRS just plain doesn’t contact taxpayers by text message.  Ever.  We’re pretty sure the IRS doesn’t even know what a text message is yet.  

man receiving suspicious smishing text message

5. Faux Surveys, Giveaways, and “Special Offers”

Another evergreen scam that’s still paying those smishing bills in 2025?  The survey, giveaway, or “special offer” shakedown.  The thing is, it’s totally true that legit companies do work hard to build engagement with customers with exactly this kind of communication – and that’s what makes it so easy for scammers to hitch a ride on their coattails with this smishing variant. 

You know the drill:  you get a text inviting you to offer your feedback or enticing you with swag or discounts, and all you need to do is click a link to get there.  If that link doesn’t infect your device with malware off the bat, you’ll surely have to exchange some tasty personal info in exchange for your prize.

If it’s a brand or retailer you’re actually familiar with, there’s an even better chance of falling victim.  That’s why bad actors most often impersonate popular brands, with names like Microsoft, Adobe, DHL and Google topping the list.  Expect these scams to peak during strategic shopping seasons, like Black Friday/Cyber Monday and the holidays, but stay vigilant year-round. 

6. “Your Account Has Been Locked”

This one is another evergreen favorite, and its longstanding success tells you that it’s insidiously effective.  Think of this one as the opposite of a “special offer” scam:  Instead of acting quickly to make something good happen, you’re urged to act quickly in order to prevent something bad from happening. 

Here, a text will typically tell you that your account has been locked for one reason or another (i.e. “suspected fraud” or a payment failure, occasionally even “violation of our terms of service”).  To set things straight, you’ll need to – say it with us, now – click the embedded link.  The beauty of this scheme, at least from the scammer’s perspective, is that if you fall for the setup, they’ve got a plausible reason to ask you for your personal and payment information. 

More Hits from 2024

Grifters love to play the hits, but just like phishing, smishing messages are virtually limitless in terms of themes and variety.  We’d be here till 2026 to list them all, but here are a few more trends from the trenches to take note of:

  • Customer support smishing.  A text claims to offer a refund or a reward from a customer loyalty program (retailers and wireless providers are common guises, here).
  • Bank account text scams.  People tend to heed messages from their banks, and criminals know this well.  According to the Federal Trade Commission, 10 percent of all smishing scams involve bank impersonation. 
  • Free apps.  As if you don’t already have enough apps to deal with, some smishing texts offer yet another app to download.  Problem is, these apps do more than just take up space on your phone; they’re vectors for malware or ransomware, and convenient locations for you to input valuable data. 
  • Wrong number hoaxes.  A much more long-form variety of smishing, these texts start with a simple “wrong number” situation, which turns into a friendly convo, which can then turn into a weeks or months-long catfishing deception.  Once a certain level of long-distance trust is there, the scammer comes for your personal info.

Know Smishing When You See It

As wide-ranging as smishing may be, there are a few consistent traits that can help you spot potential attacks.  Watch out for these red flags in 2025 and beyond: 

  • Messages that come from unknown phone numbers, or numbers that appear off-kilter (bear in mind that phone numbers and emails can also be “spoofed” or imitated, so they may not look unfamiliar).  Your phone’s automatic caller ID and spam detection features can help cut through at least some of this noise. 
  • Messages that create urgency and emphasize the need to act immediately, whether through fear (tax scams, account-locked scams) or the promise of rewards (giveaways, bogus deliveries).
  • Messages containing incorrect or inappropriate language, or grammatical and spelling errors (Amazon or your bank won’t call you “Dear Customer,” and genuine marketing messages from major retailers seldom contain misspellings).
  • Where payment is demanded, scammers will usually specify offbeat payment methods such as gift cards, wire transfers, or cryptocurrency.  Why?  Because each one is tough to trace, or to reverse once sent.
  • When info is demanded – usually because a link has taken you to a sham site –  smishing scams often ask for information a legitimate organization would either already have, or never ask for (your SSN or banking information, for instance).

Generally speaking, legit companies or agencies seldom if ever embed links in a text message, precisely because they’re susceptible to smishing and similar types of abuse.  On the flip side, a lot of smishing messages will even take a second shot at reeling you in by including multiple links, often to “unsubscribe” or “stop receiving messages.” 

The bottom line, as with any form of phishing, remains the same:  Don’t.  Tap.  That.  Link.

Smishing vs. Phishing 

Speaking of phishing, a lot of these rules of thumb apply to that side of the scummy pond, too.  So what’s the difference, if any? 

Like we said upfront, it’s all about the delivery method.  Both phishing and smishing involve baddies posing as real-life companies or institutions in order to get a hold of your valuable private data, commonly including bank account information, passwords, social security numbers, credit card numbers, PINs, and the like.  Phishing scams even commonly use lots of the same themes or hooks as smishing scams, and both usually encourage victims to click sketchy links.  Phishing uses emails and smishing uses text messages to engage potential victims – which means they target different age groups and demographics, with smishing skewing younger – but the red flags remain the same.       

Oh, and here’s a bonus:  vishing, which is the same deal, but lures in its targets via a phone call or voice mail instead.

What To Do if You Suspect a Smishing Attack

If you receive a sus message, the simplest thing to do is to block the number ASAP.  If there’s any question in your mind as to the text’s legitimacy, though, there are some ways you can verify it: 

  • Call the company or agency directly at its listed, public number and ask for the customer service or fraud prevention department.  If there’s any legitimate issue with your account, or if the offer is for real, they’ll know.  Alternatively, you could screenshot the message and send it to the company’s customer service email address for vetting. 
  • Check the originating phone number or email address using Spokeo’s search tools.  If they don’t belong to the company or person that supposedly sent the message, that’s one more scam avoided.  Even if it’s a legitimate number, check the included reputation score on the reverse phone number lookup.  A spate of recent complaints about that number may indicate that the number has been successfully “spoofed” by criminals. 
  • Search the number or the text of the message itself on Google.  If others were scammed by the same message, there’s a good chance it’ll show up online. 

If you’re sure you’ve got a smishing message on your hands, consider reporting it to the FBI’s Internet Crime Complaint Center (IC3) or the FTC’s Report Fraud website.  In the case of a tax-related scam, report it to the IRS as well. 

Smishing is every bit as irritating as it sounds, and it won’t likely go away any sooner than text messaging will.  Stay informed, hit Spokeo, and always remember:  Block, report, and above all else, don’t tap that fishy link!

As a freelance writer, small business owner, and consultant with more than a decade of experience, Dan has been fortunate enough to collaborate with leading brands including Microsoft, Fortune, Verizon, Discover, Office Depot, The Motley Fool, and more. He currently resides in Dallas, TX.