Do not use the link, phone number, reply thread, or payment page in the text to verify the message. Open the official app or website yourself, use a saved bookmark, or call a known number from a card, statement, bill, or official site.
The risk depends on what happened after the text arrived. Only receiving a scam text is different from tapping a link, entering a password, sharing a code, paying a fee, installing something, or seeing account changes.
Scroll sideways to see all columns.
| What happened | Do first | Check next |
|---|---|---|
| You only received the text | Do not reply, tap, or call | Report junk/spam, forward to 7726 if supported, then delete |
| You tapped the link but entered nothing | Close the page and do not reopen it | Check for downloads, app/profile prompts, permissions, or account alerts |
| You replied | Stop the conversation | Block/report; treat any private details you sent as shared |
| You entered a password or code | Open the real account and change the password | Review sign-ins, recovery settings, devices, and security alerts |
| You entered card, bank, or payment details | Contact the provider through the official app/site/number | Ask about replacement, disputes, pending charges, and monitoring |
| You paid a fee or sent money | Save the receipt and contact the payment provider quickly | Recovery depends on method, timing, and provider rules |
| You entered SSN, ID, tax, or full identity details | Save the text and use IdentityTheft.gov if misuse applies | Watch for targeted follow-up texts, calls, or emails |
| You installed an app, profile, file, or permission | Remove unknown installs and review phone settings | If it involved work or school, contact IT before cleanup |
Verify outside the text
A real-looking logo, familiar company name, short code, or urgent fee does not make the text safe. Check the claim somewhere else.
Use the official app, a saved bookmark, the number on your card or statement, or the official website you type in yourself. For a package, check the retailer, carrier, or USPS site directly. For a toll, use the state toll agency's real site or known phone number. For a bank alert, open the bank app or call the number on the card.
Clicking is different from submitting information
A common fear is that one tap means the phone was hacked. A link can be risky, and some links can lead to harmful downloads, fake login pages, or unwanted prompts. Most scam texts still try to push a next action: enter a password, share a code, pay a fee, call a fake number, or install something.
After a click, ask:
- Did a page load?
- Did you type or submit anything?
- Did your phone ask to install an app, profile, file, or permission?
- Did a password manager fill anything?
- Did you see a bank, card, payment, or account alert afterward?
Common smishing patterns
Scroll sideways to see all columns.
| Text pattern | What it asks for | Safer check |
|---|---|---|
| Package delivery problem | Address, redelivery fee, card details | Open the retailer, carrier, or USPS site yourself |
| Unpaid toll | Small fee, card, bank, driver's license details | Use the state toll agency's official site |
| Bank or card alert | Login, code, callback, card details | Open the bank app or call the card number |
| Account locked | Password, Apple ID, Google, Microsoft, or email login | Open the real account directly |
| Fake invoice or failed payment | Card, payment app login, fake support call | Check real account history |
| Verification code request | Code for login, reset, device, or payment | Do not share it; review the account |
| Wrong-number text | Friendly reply that moves into trust or investment | Stop replying if it becomes personal, financial, or secretive |
These are patterns, not exact scripts. A familiar company name does not make the text safe.
If the text asked for a code or password
A one-time code can approve a login, password reset, new device, recovery change, phone-number transfer, or payment.
- Stop sharing codes, screenshots, reset links, or passwords.
- Open the real account yourself.
- Change the exposed password.
- Change the same password anywhere else you reused it.
- Review recent sign-ins, devices, recovery email, recovery phone, and security alerts.
- Contact the provider if the account shows unknown activity.
Prioritize email, banking, payment apps, Apple ID, Google, Microsoft, phone carrier, and workplace accounts.
If you entered payment or personal information
A small delivery or toll fee can be bait. The larger risk may be the card, bank, address, date of birth, phone number, or SSN entered on the page.
- Save the text, URL, screenshots, amount, date, and transaction ID.
- Contact the card issuer, bank, payment app, or provider through the official app, site, card, or statement.
- Ask about card replacement, pending charges, disputes, account monitoring, and recurring charges.
- If SSN, ID image, tax information, or full identity details were entered, use IdentityTheft.gov if identity theft or misuse applies. ScamClarity's information exposure page can help sort lower-risk contact details from higher-risk identity details.
- Watch for follow-up messages that use the same topic to ask for more information.
Do not pay anyone who contacts you claiming they can fix the scam for a fee.
If the phone or account looks different
Do not assume every battery drain, slow page, or spam message means the phone is hacked. Look for specific changes:
- unknown app install
- iPhone configuration profile
- Android APK or new permission
- browser notification permission
- calendar/profile change
- unfamiliar account sign-in
- changed recovery details
- new payment or password-reset alert
If those happened, treat it as a phone/account issue and check the affected account from the real app or website. Use ScamClarity's phone or account change checks if the issue goes beyond the text itself.
Should you reply STOP?
Reply STOP only when you recognize the sender and trust that you signed up for the messages. For an unknown or suspicious text, do not reply. Use report junk/spam, block, or 7726 instead.
Replying does not by itself prove someone controls your phone, but it can confirm the number is active and invite follow-up messages.
What to save before reporting
Save:
- screenshot of the text
- sender number or short code
- date and time
- full link or domain, if visible
- what you clicked or typed
- payment receipt or transaction ID
- account alerts
- delivery, toll, bank, or invoice claim
- any follow-up messages or calls
Do not post full card numbers, SSNs, codes, passwords, or private screenshots in public forums.
Where to report or get help
Use the path that matches what happened:
- Forward scam texts to 7726 when your carrier supports it. CTIA explains 7726 reporting for wireless providers.
- Use report junk or spam in Apple Messages or Google Messages when available.
- Report consumer fraud to FTC ReportFraud.
- Report internet-enabled crime, toll smishing, major loss, or account compromise to IC3.
- Report USPS-style package texts to USPIS.
- File an FCC complaint for unwanted calls or texts when appropriate.
- Contact the bank, card issuer, payment app, carrier, platform, or impersonated company through official channels.
- Use IdentityTheft.gov if SSN, ID, tax, or identity misuse is involved.
- Contact work or school IT if a managed phone, account, or login was involved.
Sources checked
Sources checked May 27, 2026.
- FTC spam text guidance: spam text recognition, personal-information risk, 7726, app reporting, and FTC reporting.
- FTC top text scams data spotlight: current text-scam patterns and reporting recommendations.
- FTC toll text scam alert: toll text verification and reporting guidance.
- USPIS package smishing guidance: USPS/package text reporting details and evidence to include.
- IC3 toll smishing PSA: road-toll smishing details and IC3 report information to include.
- FBI IC3: internet-enabled crime reports.
- FCC Consumer Complaints Center: unwanted call and text complaint options.
- Apple Messages spam reporting: iPhone reporting, blocking, and report-after-reply limitation.
- Google Messages spam reporting: Android reporting, blocking, and carrier-copy behavior.
- CTIA spam text reporting: 7726 carrier reporting context.
- CISA phishing guidance: phishing recognition and reporting across message types.
- IdentityTheft.gov: identity theft recovery plans when identity misuse applies.
FAQ
Is smishing the same as phishing?
Smishing is phishing by text message. The broader phishing page is better when the issue involves email, QR codes, fake login pages, attachments, or non-text messages.
What if I clicked a scam text link but entered nothing?
Close it and do not reopen it. Check for downloads, app/profile prompts, permissions, and account alerts. A click is different from entering a password, card number, bank login, SSN, or code.
Should I reply STOP to a scam text?
Only if you trust the sender and know you signed up for the messages. For unknown or suspicious texts, report, block, or forward to 7726 when supported.
Can a scam text link hack my iPhone or Android?
Do not assume the phone is hacked from one tap. Look for a next event: app install, profile, permission, file download, login, payment, account alert, or changed settings.
What if I entered my card number from a text link?
Contact the card issuer using the number on the card, statement, official app, or official website. Ask about replacement, pending charges, disputes, recurring charges, and monitoring.