It shows up on your phone like any other message — a short alert, maybe a company name, maybe just a number. “Your package could not be delivered. Click here to reschedule.” Or: “Your account has been locked. Verify your information immediately.”
For a moment, it seems reasonable. You were expecting a package. You do have a bank account. So you tap the link.
This is smishing — a form of text message scam that has exploded in recent years. The word combines “SMS” (text messaging) and “phishing,” and it works by creating just enough urgency to get you to act before you think. Here’s how to spot it before you tap.
What Is Smishing?
Smishing is when a scammer sends a text message designed to look like it’s from a legitimate source — UPS, FedEx, your bank, the IRS, Medicare, or even a government agency. The goal is to get you to click a link that leads to a fake website, where they’ll ask for personal information: your Social Security number, your credit card, your login credentials.
Some scammers don’t even need a website. Just replying to the message can confirm your number is active, opening the door to more targeted scams.
Red Flag #1: You Weren’t Expecting It
Legitimate delivery companies only send text alerts if you signed up for them — and usually only after you’ve given them your number. If you get a delivery notification and you’re not expecting a package, or you didn’t sign up for tracking texts, be skeptical.
Red Flag #2: There’s Pressure to Act Quickly
“Your account will be closed in 24 hours.” “Respond before midnight or your delivery will be returned.” Urgency is a scammer’s most reliable tool. It pushes you to react instead of stopping to verify. Legitimate companies almost never threaten immediate consequences over a text.
Red Flag #3: The Link Doesn’t Look Right
Before you tap any link in a text message, look at it carefully. Real company links go to official domains. Scam links often use misspellings, random strings of letters and numbers, or URL shorteners that hide where they actually go. When in doubt, don’t tap — go directly to the company’s website by typing the address yourself.
Red Flag #4: They’re Asking for Information a Text Should Never Need
If a text asks for your Social Security number, Medicare ID, bank account information, or password, stop. No legitimate company will ask for sensitive information over a text message. This is always a scam.
Red Flag #5: The Number Doesn’t Match the Company
Scammers can “spoof” phone numbers to make them look like they’re coming from a real business. But many smishing messages come from ordinary 10-digit numbers or even overseas numbers with unusual country codes. If you get a text from a bank or government agency, call the number on the back of your card or on their official website to verify.
What to Do If You Receive a Suspicious Text
Don’t reply. Don’t tap any links. If you’re curious whether the alert is real, go directly to the company’s website or call their official customer service number.
You can report smishing texts by forwarding them to 7726 (SPAM) — this is a free reporting service supported by most major carriers and helps protect others.
If you already clicked a link or entered information, change your passwords immediately and monitor your accounts for unusual activity. Contact your bank if financial information was involved.
How LurkAlert Helps
Text message scams are often just the first step. Once a scammer has your login credentials or personal information, the next phase usually involves your computer — remote access attempts, account takeovers, or unauthorized transfers. LurkAlert monitors for exactly those kinds of follow-on threats, so even if a scam starts on your phone, you have a safety net protecting your computer in the background.
Because one click shouldn’t put everything at risk. We’re here to make sure it doesn’t.
