Suspicious text message or smishing link? What to do next

Smishing is phishing by text message. The text is trying to make you act from your phone before you check whether the message is real: tap a link, reply, call a number, enter a code, pay a small fee, or verify an account.

The risk depends on what happened after the text arrived. A message you ignored is different from a link you opened. A link you opened is different from a form you submitted. A verification code or card number changes the situation again.

Why scam texts feel urgent on a phone

Text scams work because phones are fast, small, and personal. A short message can arrive while you are driving, working, half-awake, or waiting for a real package. The link may be shortened, the sender may look unfamiliar, and the amount may be tiny enough to feel harmless.

That is why the safest rule is simple: do not use the text itself as proof. If the message says a package is stuck, open the shopping account or carrier site yourself. If it says a bank account is locked, open the bank app yourself. If it says a toll is unpaid, search for the state toll agency yourself.

Clicking is not the same as submitting information

A common fear is that one tap on a text link means the phone was hacked. A link can be risky, and some links can lead to malware or unwanted downloads, but most scam texts are trying to push you into the next action: entering information, approving a prompt, installing something, calling a number, or paying.

After a click, slow down and separate what happened. Did the page load? Did it ask for a login, code, card number, SSN, address, or small fee? Did your phone ask to install an app, profile, file, or browser permission? Did you submit the form or only close it?

Fake delivery, toll, and bank text patterns

The details change, but smishing texts often use the same pressure points. They put a familiar task on your phone and make the fastest action look like tapping the link.

If the text asked for a code

A one-time code is not just a random number. It can approve a login, password reset, new device, account recovery change, phone-number transfer, or payment. If someone texts you asking for a code, treat the code as access to whatever service sent it.

If the text asked for payment or personal information

A small fee can be the bait. Delivery and toll smishing often ask for a few cents or a few dollars because the payment feels too small to question. The card, bank, address, date of birth, phone number, or SSN entered on that page can be more valuable than the fee itself.

• Card number: contact the issuer about replacement, pending charges, disputes, and monitoring.
• Bank login or account details: contact the bank quickly using the official app or known phone number.
• Payment app login or transfer: use the official app or support site and save transaction details.
• SSN, date of birth, ID image, or tax information: use IdentityTheft.gov when identity theft or misuse applies.
• Name, address, email, and phone only: expect more targeted texts, calls, or emails, and be careful with follow-up messages.

If the link opened something on your phone

For iPhone and Android, the most useful question is not only whether you tapped. It is whether the text led to an install, download, profile, permission, login, or payment. A blank page or closed browser tab is different from approving an app install or entering account details.

• Page did not load: close it, avoid reopening it, and report the text if useful.
• Page loaded but you entered nothing: check for downloads, prompts, redirects, or permission requests.
• App install prompt: do not install it; remove unknown apps if you already did.
• Configuration profile or calendar/profile prompt: do not approve it; remove unknown profiles or calendar subscriptions if added.
• File download: do not open it again; delete it if you know it came from the text and run trusted device checks.
• Phone acting different: look for unknown apps, profiles, browser changes, account alerts, and payment activity before assuming the worst.

Should you reply STOP?

Reply STOP only when the sender is a service you already know and trust, such as a business or organization you signed up with. If the text is from an unknown sender, looks like a scam, or asks for money or account access, replying can confirm that your number is active.

For suspicious texts, use the phone's report junk or spam option, block the sender, or forward the message to 7726 when applicable. If you already replied, stop the conversation and watch for follow-up texts, calls, or messages that build on what you said.

What not to do next

• Do not tap the same link again to test it.
• Do not call the number in the text.
• Do not share one-time codes, password reset links, or screenshots of codes.
• Do not enter card, bank, or SSN details from a text link.
• Do not install an app, profile, file, or permission because a text says it is required.
• Do not reply with private information or keep the conversation going.
• Do not pay a recovery service that promises to undo the scam.

Where to report scam texts

Reporting is still useful if you did not lose money. It helps carriers, messaging platforms, companies, and agencies identify scam campaigns.

• Forward unwanted scam texts to 7726, which spells SPAM, when your carrier supports it.
• Use the report junk or spam option in your messaging app when available.
• Report consumer fraud to the FTC at ReportFraud.ftc.gov.
• Report internet-enabled crime, toll smishing, major losses, or account compromise to IC3.gov.
• For USPS-style package texts, USPIS asks for the message body, screenshot, sender number, date, and details about whether you clicked, lost money, or shared information.
• Report unwanted calls or texts to the FCC Consumer Complaint Center when appropriate.
• Contact the bank, card issuer, payment app, carrier, platform, or impersonated organization through official channels when their account or payment system was involved.
• Contact work or school IT if a managed account, phone, or work-related login was involved.

When a scam text becomes a broader issue

A smishing page should answer the text-message problem first. After that, the issue may become account recovery, payment fraud, identity risk, device cleanup, or a platform impersonation problem. For this launch version, use the official provider or agency that matches what was exposed.

• Account issue: password, code, email, Apple ID, Google account, Microsoft account, bank login, or payment app login.
• Payment issue: card, debit, bank transfer, payment app, gift card, or crypto payment.
• Identity issue: SSN, date of birth, tax information, ID image, or full personal profile.
• Phone issue: app install, configuration profile, file download, unknown permissions, or persistent browser changes.
• Impersonation issue: USPS, a toll agency, bank, carrier, retailer, government agency, or account provider name used in the text.

Official sources used

FTC sources support the spam text, unexpected text, toll text, reporting, and 7726 guidance. USPIS supports the USPS/package smishing details. IC3 supports toll smishing reporting and internet-enabled crime reporting. FCC sources support unwanted calls/text complaints. CISA supports phishing recognition across text, email, direct message, and phone channels.

FAQ

Is smishing the same as phishing?

Smishing is a text-message version of phishing. Phishing is the broader category. Smishing focuses on SMS, iMessage, RCS, short links, replies, phone prompts, carrier reporting, and mobile behavior.

What if I clicked a scam text link but entered nothing?

Close the page and do not reopen the link. Check whether anything downloaded, whether an app/profile/permission prompt appeared, and whether the page asked for login, payment, code, or identity details. A click alone is different from submitting information.

Should I reply STOP to a suspicious text?

Only reply STOP to a sender you already know and trust. For unknown or suspicious texts, use report junk, block, or 7726 instead. Replying can confirm the number is active.

Can a scam text link hack my iPhone or Android?

Do not assume the phone is hacked from one tap. Look for the next event: a download, app install, profile, permission, login, payment, account alert, or changed settings. If those happened, check the device and affected accounts more closely.

What if the text asked for a small delivery or toll fee?

Treat the fee as a way to collect card, bank, address, or identity details. Check the real delivery, retailer, USPS, or toll account outside the text. If you entered payment details, contact the provider quickly.

What if I entered my card number from a text link?

Contact the card issuer using the number on the card, statement, official app, or official website. Ask about replacement, pending charges, disputes, recurring charges, and monitoring.

How do I report a scam text?

Use your messaging app's report junk or spam option, forward the text to 7726 when supported, report consumer fraud to ReportFraud.ftc.gov, and use IC3.gov when internet-enabled crime, account compromise, or loss is involved.

What does forwarding to 7726 do?

Forwarding a scam text to 7726, which spells SPAM, sends the message to your wireless provider so it can help identify and block similar messages. It does not replace reporting fraud, payment loss, identity exposure, or account compromise to the relevant official channel.