Have you gotten a text from a “delivery service” about a package you never ordered? Or a text that looks like it is from your bank, warning about suspicious account activity? If so, you have likely encountered one of the many text message scams flooding phones right now, also known as smishing, or SMS phishing.
In 2024, the Federal Trade Commission (FTC) reported that consumers lost $470 million to text message scams. That is five times what was lost in 2020. And the trend has not slowed down. 2025 has seen a fresh wave of scam text messages impersonating state DMVs, toll agencies such as E-ZPass, and crypto platforms such as Coinbase, according to state transportation departments and the FBI Internet Crime Complaint Center (IC3).
Table of Contents
ToggleThis guide breaks down exactly how these scams work, the newest variations to watch for, and what to do if you get one.
Book a Free Demo Call with Our People Security Expert
Enter your details
What Are Text Message Scams (Smishing)?
Text message scams, or smishing, are fraudulent SMS messages designed to appear to be from a legitimate source. A bank, a delivery carrier, a government agency, or a company you already use. Scammers use urgency and fear (“your account is locked,” “pay now or face penalties”) to push you into clicking a link or replying with personal information before you have had time to think it through.
The FBI IC3 has flagged smishing as a fast-growing threat in every annual Internet Crime Report since 2021, when fake “missed delivery” texts first surged. Today, scam text messages are far more targeted, often referencing real events (a package you are actually expecting, a toll road you actually drove on) to feel more believable.
Text Message Scams by the Numbers
Text messaging has overtaken phone calls and email as scammers preferred channel for reaching consumers, according to the FTC. Losses have grown every year:
| Year | Text Scam Losses (FTC) | Total Consumer Fraud Losses | Notes |
|---|---|---|---|
| 2020 | $90 million | $9.8 billion | Pre-pandemic baseline |
| 2022 | $326 million | $10.2 billion | Surge in smishing |
| 2024 | $470 million | $12.5 billion | Smishing among top 3 fraud types |
| 2025 | Ongoing surge | Estimated $13B+ | DMV/toll and crypto-impersonation texts flagged by 10+ state DMVs and FCC |
The FBI IC3 notes that text-based phishing scams frequently lead to identity theft, malware installation, or drained financial accounts. Simply clicking a link in a suspicious text can be enough to put you at risk.
How to Detect a Scam Text Message
A scam text message almost always shares five traits: an unfamiliar sender number, urgent language, a suspicious link, poor grammar, and a request for personal information. Legitimate businesses and government agencies never ask for sensitive information over SMS. If a text asks you to act immediately, stop and verify using a phone number or website you look up independently, not the one in the text.
Unrecognized or Spoofed Number
Legitimate companies typically use short codes or known business numbers. Scammers spoof these or send from random-looking numbers.
Sense of Urgency
“Your bank account will be locked!” “Legal action pending!” The goal is to make you panic and click before you think.
Suspicious Links
Look closely. “wellsfargo.com” is not the same as “wells-fargo-secure123.biz.” Scammers also increasingly use link shorteners and QR codes to hide the real destination.
Grammatical Errors
Misspellings, odd spacing, and awkward punctuation are common tells of a fraudulent message.
Unsolicited Requests for Personal Data
No legitimate organization asks for your password, Social Security number, or one-time login code by text.
Common Types of Text Message Scams
Scammers impersonate the brands and agencies people trust most. Four of the most-reported scam text messages right now are DMV, E-ZPass, Coinbase, and package-delivery impersonation scams.
DMV Text Message Scam
A DMV text message scam is a fake text claiming you owe an unpaid traffic ticket, toll, or registration fee, threatening license suspension or legal action if you do not pay through a link in the message. State DMVs across the country, including California, Virginia, Connecticut, West Virginia, Delaware, and Iowa, have issued public warnings about this exact scam in 2025.
A typical message reads something like: “State DMV Final Notice. Non-Payment Will Trigger Mandatory Penalties. Your traffic ticket remains outstanding. Failure to pay by [date] will result in registration suspension.” The link leads to a fake payment page designed to steal your card details and personal information.
The California DMV has stated plainly that it will never text you asking for money or personal information. Neither will any other state DMV. If you get one of these:
- Do not click the link or reply.
- Verify directly through your state DMV official phone number or website, never the contact info in the text.
- Report it by forwarding the message to 7726 (SPAM) and to reportfraud.ftc.gov.
E-ZPass Text Message Scam
An E-ZPass text message scam is a fraudulent SMS claiming you have an unpaid toll balance and urging you to click a link to “settle” the balance immediately. The FCC has received a high volume of complaints about impersonators posing as E-ZPass (used across the mid-Atlantic and Northeast) as well as FasTrak and I-PASS in other regions.
These texts spoof the sender number to make it appear it’s really coming from your toll agency, then link to a phishing page designed to look like the real E-ZPass site. Real toll agencies do not collect overdue balances by text and will not ask you to pay by gift card or wire transfer. A request for either is an instant giveaway of a scam.
If you receive one: do not click, do not reply, and check your actual toll account by logging in directly or calling a customer service number you find independently, not the one in the text.
Coinbase Text Message Scam
A Coinbase text message scam is a fake SMS pretending to be a Coinbase security alert, usually claiming “unusual login detected” or “account locked”, designed to steal your login credentials, 2FA code, or seed phrase. Coinbase security team confirms it does send legitimate one-time 2FA codes by SMS during an active login, but it does not send account-lockout warnings, security alerts, or “verify now” links by text.
Because cryptocurrency transactions cannot be reversed once confirmed, this scam is especially costly. Scammers only need one clicked link and one entered 2FA code to drain a wallet. Red flags Coinbase itself calls out:
- Any link asking you to “log in” or “verify” your account
- Any request for your password, 2FA code, or recovery or seed phrase
- Urgent or threatening language pushing you to act immediately
- A sender number that is not Coinbase official short code (and even that can be spoofed)
If you get a suspicious message, do not click, do not reply, and report it to [email protected] in addition to forwarding it to 7726.
Other Widely Reported Scam Texts
- Fake Package Delivery Notifications: “Your item failed delivery. Click here to reschedule.”
- Banking Notifications: “There is suspicious activity on your account. Verify now.”
- Government Impersonation: “This is the IRS. Your refund has been suspended. Update your information here.”
- Prize or Lottery Scams: “Congratulations. You have won a $1,000 gift card. Claim it now.”
- Subscription Renewal Scams: “Your Netflix subscription has expired. Click here to update your billing details.”
Tactics that are underrated but growing:
- QR-code smishing: scammers embed QR codes in texts that, when scanned, lead to spoofed websites. This bypasses link-based spam filters entirely.
- Group text spam: sending to a recipient inside a larger group thread can slip past individual spam filtering.
- SIM swap scams: scammers submit a fraudulent request to your carrier to take over your phone number, giving them control of your calls, texts, and any SMS-based 2FA codes.
What Happens If You Open a Text from a Scammer?
Simply opening a text does not put you at risk. Acting on it does. If you follow a link, you typically land on a fake website built to steal whatever credentials you enter or to install malware on your device. The FBI notes this can lead to financial account theft, identity theft, or a scammer gaining remote access to your device.
Replying to a scam text confirms your number is active, which usually means more spam and scam attempts in the future. Even a “STOP” reply can confirm activity to some operations.
Can a Scammer Hack My Phone If I Reply to a Text?
Replying itself will not install malware, but many scam text messages include links that download malicious software the moment you tap them, or redirect you to a harmful site. The FBI Cyber Division has tracked a rise in scammers using malware delivered this way to hijack devices, steal personal data, or gain access to banking and email apps. See our breakdown of scareware attacks for how this plays out in practice.
Separately, some scams work toward a SIM swap. Tricking your carrier into transferring your number to a SIM card the scammer controls. This usually requires the scammer to already have some of your personal information, and it is not a direct result of simply replying to a text. Setting a PIN or password on your carrier account is one of the most effective ways to block this.
What to Do If a Scammer Keeps Texting You
Blocking and reporting a scam text also helps protect other potential targets. Your mobile carrier can trace the source and take action, and the FTC uses these reports to pursue fraudsters. Many phones also have a built-in spam-detection feature worth turning on.
Steps to take:
- Do not engage with or reply to the message.
- Block the number on your phone.
- Forward the message to 7726 (SPAM) so your carrier can act on it.
- Report it at reportfraud.ftc.gov.
- Use a spam-filtering or phishing URL checker to verify any suspicious link before you ever click it.
Recommendations from the FTC and FBI
FTC:
- Always report smishing at reportfraud.ftc.gov.
- Never respond to a scam text message.
- Use spam filters and keep security software updated.
FBI (IC3):
- Keep software and firmware up to date.
- Treat unexpected links with suspicion by default.
- Report suspicious texts even if you did not lose money. The pattern data helps investigators.
Conclusion
The best defense against text message scams is vigilance. Scammers rely on getting you distracted and rushed, whether the message claims to be from your state DMV, E-ZPass, Coinbase, or your bank. Slow down, verify through channels you look up yourself, and report every suspicious text to your carrier and the FTC. And if you are responsible for protecting a workforce from these tactics, look into smishing awareness and simulation training to build that vigilance at scale.
FAQs
What is a text message scam?
A text message scam (smishing) is a fraudulent SMS that impersonates a trusted sender, a bank, delivery service, government agency, or company, to trick you into clicking a malicious link or sharing personal information.
How do I know if a text message is a scam?
Look for an unfamiliar sender number, urgent or threatening language, a link that does not match the real company domain, poor grammar, and any request for personal or financial information. Legitimate organizations do not ask for that by text.
Is the DMV text about unpaid tolls or tickets real?
No. State DMVs, including California, Virginia, and Connecticut, have confirmed they never send text messages demanding payment for tickets, tolls, or registration fees. Any text that does is a scam.
What should I do if I clicked a link in a scam text?
Do not enter any information on the page. If you already did, change your passwords immediately, enable two-factor authentication through an authenticator app, and monitor your accounts for unauthorized activity.
