Guides

Scam Texts and Calls: How to Spot Smishing and Vishing

Heads up: this article contains affiliate links. If you buy through them we may earn a commission at no cost to you. We only recommend tools we trust — see our disclosure.

If your phone buzzes more than it used to with weird texts about packages you never ordered or calls from numbers you don't recognize, you're not imagining things. Scammers have largely moved off email and onto your phone, because that little device in your pocket feels personal and urgent in a way email never did.

The good news is that almost every one of these scams follows the same handful of scripts. Once you learn the patterns, you'll spot them in seconds and feel a quiet little flicker of satisfaction instead of panic. Let's walk through it together, the way a friend would over coffee.

Why scammers moved to texts and calls

For years, email was the scammer's playground. But spam filters got smart, people got cautious, and a sketchy email started looking obviously sketchy. So the bad guys followed us to where we actually pay attention: our phones.

Two fancy words describe this shift. Smishing is phishing by SMS, that is, scam text messages. Vishing is phishing by voice, meaning scam phone calls. They're the same old con tricks, just delivered through a channel you trust more and check more often.

Texts feel intimate. We read them within minutes, usually without thinking hard. Phone calls add a live human voice that can pressure you in real time, adjust to your hesitation, and keep you from stopping to think. That immediacy is exactly what scammers want, because their whole game depends on you reacting before you reason.

The scam texts you'll actually see

Smishing messages recycle a small set of themes. Here are the ones that land in real inboxes constantly, so you'll recognize them on sight.

The fake package delivery

"USPS: Your package is held due to an incomplete address. Update here: [link]." It works because most of us have something on the way most of the time. Real carriers don't text random links demanding you "update" anything, and they certainly don't hold a package hostage over a missing apartment number.

The unpaid toll

"You have an outstanding toll of $6.99. Pay now to avoid a late fee: [link]." These exploded in the last couple of years. The small dollar amount is deliberate, it feels too trivial to argue with, so you just pay. Real toll agencies bill through accounts you already set up, not surprise texts.

The bank or card alert

"Did you authorize a $480 charge at Best Buy? Reply YES or NO." Reply anything and a "fraud agent" calls you back to "secure your account," which means handing over your login or a verification code. Your bank already has an app and a number on the back of your card for this.

The "is this you?" message

"Hey, is this you in this photo? [link]" or "I can't believe you posted this." Curiosity is a powerful hook. The link leads to a fake login page designed to harvest your password.

The IRS or government threat

"Final notice: your Social Security number has been suspended due to suspicious activity." The IRS and Social Security Administration do not text you, and your SSN cannot be "suspended." Any message claiming otherwise is a scam, full stop.

The prize or refund

"You've been selected for a $100 reward" or "Your refund of $94.20 is ready, confirm your details." Free money is the oldest bait there is. The "details" they want are your card number or login.

The wrong number that turns into romance

"Hi Jessica, are we still on for lunch?" You reply that they have the wrong number. They're friendly, apologetic, chatty, and over days or weeks a warm conversation builds, eventually steering toward a "can't-miss" crypto investment. This long con is sometimes called "pig butchering," and it's one of the most financially devastating scams out there. The tell is simple: a stranger who texted the wrong number should not become a daily pen pal.

The scam calls you'll actually hear

Voice scams use the same emotional levers with a live person on the line. Knowing the cast of characters helps you hang up faster.

Fake tech support

A caller (or a scary pop-up that gives you a number to call) claims to be from Microsoft, Apple, or your internet provider, warning that your computer is infected. They want remote access to your machine or a payment to "fix" a problem that never existed. No legitimate tech company calls you out of the blue about a virus.

The bank fraud department

"This is the fraud department. We've detected suspicious activity and need to verify your identity." They sound calm and official, then ask for your password, full card number, or the one-time code you just received by text. Real fraud departments never ask for your password or codes, because they don't need them.

Government or police threats

"This is Officer Daniels with the county sheriff. There's a warrant for your arrest, but you can resolve it today by paying a fine." Real law enforcement does not call demanding payment over the phone, and certainly not in gift cards or cryptocurrency. Threats of immediate arrest are pure theater.

The grandparent or family emergency

"Grandma? I'm in trouble, I got in an accident and I'm in jail, please don't tell Mom, I need bail money." The voice may sound shaky, and increasingly, scammers use AI to clone a relative's voice from social media clips. The urgency plus secrecy plus money is the giveaway.

Robocalls and the car warranty classic

"We've been trying to reach you about your car's extended warranty." A recorded voice, often nudging you to "press 1." Pressing anything just confirms your number is live and invites more calls. The safest move is to not engage at all.

The job offer that's too easy

"We saw your resume and want to offer you a remote position, $35/hour, flexible hours, reply to start onboarding." Real employers don't hire over a cold text without an interview. These "jobs" eventually ask you to deposit a check (which bounces), buy equipment through their "vendor," or hand over your bank details for "direct deposit." If a job lands in your texts unsolicited and sounds wonderful, it's almost always a setup.

The two-factor code request

Sometimes the scam is just: "Reply with the 6-digit code we just sent to verify it's you." A scammer who already has your password triggers a real login, which sends a real code to your phone, and then tries to trick you into handing it over. Never, ever share a verification code with anyone who contacts you. Those codes exist precisely so that even someone with your password can't get in, unless you give it away.

The psychology they're exploiting

Every scam, text or call, pulls the same four levers. Naming them out loud strips away their power.

  • Urgency. "Act now," "final notice," "your account will be closed in 24 hours." Pressure stops you from pausing to think, which is the only thing that protects you.
  • Authority. They borrow the badge of a bank, the government, a big tech brand. We're trained to comply with authority, so they fake it.
  • Fear. Arrest, a drained account, a relative in danger. Frightened people make fast, bad decisions.
  • Reward. A refund, a prize, a hot investment. Excitement clouds judgment just as effectively as fear.

Here's the reassuring part: real organizations almost never operate this way. Your actual bank gives you time. The IRS sends letters. Your grandkid can wait two minutes while you call their parents. When something demands that you act right now, that pressure itself is the red flag.

There's a fifth lever worth naming, too: familiarity. Scammers work hard to feel like someone you already trust, a brand you use, an agency you've heard of, even a relative's cloned voice. The whole con rests on borrowed trust. So a useful mental reframe is this: trust the relationship, not the message. You trust your bank, yes, but a random text claiming to be your bank hasn't earned that trust, it's just wearing the costume. Separating the two in your mind is most of the battle.

Scammers also lean on a quirk of human nature called commitment. Once you've answered "yes" to a small question, you feel a subtle pull to keep cooperating. That's why so many scams open with a harmless-sounding hook, a "wrong number" hello, a quick yes/no about a charge. Each tiny reply makes the next, bigger ask feel more natural. Knowing this lets you cut it off at the very first message instead of getting drawn in one inch at a time.

The universal red flags

You don't need to memorize every scam variant. You just need to recognize the warning signs that show up across all of them.

  • It arrived unexpectedly and pushes you to act immediately.
  • It contains a link you didn't ask for, or a number to call that you can't independently verify.
  • It asks for a password, a one-time verification code, your full card number, or your SSN.
  • It wants payment in gift cards, wire transfer, cryptocurrency, or a payment app like Zelle or Cash App.
  • It insists on secrecy ("don't tell anyone," "don't hang up").
  • The greeting is generic, or the details are vague where a real institution would be specific.

Hit two or more of these and you can be confident it's a scam. If you want to sharpen this instinct in a low-stakes way, our phishing quiz is a quick, friendly way to practice spotting fakes.

Exactly what to do when one arrives

Let's make this concrete. Here's the simple playbook for the moment a suspicious text or call hits.

  1. Don't tap the link. Not even to "see what it is." Some links can load malicious pages or confirm your number is active. Just don't.
  2. Don't call the number they gave you. A scammer's whole setup, including the callback number, leads back to the scammer. The number in the message is part of the trap.
  3. Hang up on the call. You owe a cold caller nothing, not even politeness. Just hang up. You can't be argued out of a scam if you're not on the line.
  4. Verify independently through official channels. If a message claims to be your bank, open the bank's app or call the number printed on the back of your card. If it claims to be a delivery, go to the carrier's website directly and check your tracking. You contact them, on a number you looked up yourself, never the other way around.
  5. Slow down. Genuine emergencies survive a five-minute pause to verify. Scams do not.

That habit, "I'll verify this myself, on my own terms," is the single most powerful one you can build. It defeats nearly every version of these scams at once.

What if you already clicked or replied?

First, take a breath, this happens to plenty of careful people and it's usually fixable. If you only tapped a link but entered nothing, you're very likely fine; just close the page and avoid typing anything into it. If you entered a password, change that password right away on the real site, and change it anywhere else you reused it. If you shared a card number, call your bank using the number on your card and ask them to watch for or block fraudulent charges.

If you handed over a one-time code or gave someone remote access to your computer, treat it as urgent: contact the affected company directly, turn on two-factor authentication, and if a stranger had access to your machine, disconnect it from the internet and run a security scan. Acting quickly limits the damage, and there's no shame in it. The people who recover best are the ones who tell someone fast instead of hiding it.

A note on screenshots and evidence

Before you delete a scam message, it's worth taking a quick screenshot, especially if you lost money or shared information. That record helps when you report to your bank, your carrier, or the authorities, and it helps you remember the details accurately. It's a small step that costs nothing and occasionally matters a lot.

Why caller ID and sender names lie

Here's something a lot of people don't realize: the name or number you see on an incoming text or call can be completely fake. Scammers use a trick called spoofing, which lets them make a call or text appear to come from any number or name they choose.

That means a call really can show "Bank of America" or your local police department's actual number on your screen while a scammer is on the other end. A text can drop into the same thread as legitimate messages from a company because the sender ID was faked. So when you see a trusted name, treat it as a claim, not proof. The only reliable way to know who you're really dealing with is to reach out to them yourself through a channel you trust.

The SIM-swap risk and protecting your number

Your phone number is more valuable than it feels, because so many accounts use text messages to send login codes. In a SIM swap, a scammer convinces your mobile carrier to move your number to a phone they control. Suddenly your texts and calls, including those security codes, go to them, and they can break into your accounts.

Here's how to lock your number down:

  • Add a PIN or passcode to your carrier account. Every major carrier offers this, and it's the main defense against a SIM swap. Call your carrier or check your account settings and set one today.
  • Move away from text-message codes where you can. Use an authenticator app or a physical security key like a YubiKey for two-factor authentication on important accounts. These don't rely on your phone number, so a SIM swap can't touch them.
  • Don't post your phone number publicly, and be stingy about which apps and sites you give it to.

If your phone suddenly loses all service for no reason, take it seriously, that can be a sign your number was swapped. Contact your carrier immediately from another phone.

How to report scam texts and calls

Reporting takes seconds and genuinely helps shut these operations down and protect other people.

  • Forward scam texts to 7726 (which spells "SPAM" on the keypad). This is a free service that sends the message to your carrier's spam-fighting team. On most phones you can long-press the message, choose to forward it, and send it to 7726.
  • Report to the FTC at ReportFraud.ftc.gov for any scam, text or call. It's quick and helps regulators track trends.
  • Use your phone's built-in tools. Both iPhone and Android let you report and block junk messages and calls right from the message or recent-calls screen.
  • Use your carrier's spam tools. The major carriers offer free apps and settings that label or block likely-scam calls.

You don't have to report everything. But forwarding a clear scam to 7726 is an easy good deed that costs you nothing.

Helping older or less-techy relatives without nagging

It's tempting to fire off warnings to your parents or grandparents, but lectures rarely stick and can feel patronizing. A warmer approach works better and lasts longer.

  • Lead with a story, not a rule. "Mom, I almost got got by a fake toll text the other day, here's what tipped me off." Sharing your own near-miss makes it feel collaborative instead of corrective.
  • Give them one simple rule. The single most protective habit is: "If anyone calls or texts asking for money, codes, or passwords, hang up and call me first." One rule beats ten.
  • Offer to be the verification line. Tell them you're always happy to be the person they check with, no judgment, no eye-rolling. Knowing they have a safe person to ask prevents a lot of panicked decisions.
  • Set up the easy protections together. Add a carrier PIN, turn on spam filtering, and walk through a couple of example scams side by side. Doing it together is far kinder than sending a link and hoping.
  • Normalize being fooled. Make it clear that smart people fall for these every day, so if it ever happens, they should tell you right away rather than hide it in embarrassment. Early disclosure limits the damage.

If you want a gentle, structured starting point to go through with them, our start here guide and our training walk through the basics at a comfortable pace.

The quick version

Scammers moved to texts (smishing) and calls (vishing) because phones feel personal and urgent. Almost every scam recycles a few scripts: fake deliveries, unpaid tolls, bank alerts, government threats, prizes, tech support, family emergencies, and the slow "wrong number" romance con.

They all pull the same four levers, urgency, authority, fear, and reward, and they all share red flags: unexpected contact, pressure to act now, requests for passwords or codes, and demands for gift cards or crypto. When one arrives, don't tap the link, don't call their number, hang up, and verify independently through a channel you look up yourself.

Remember that caller ID and sender names are easily faked, so a trusted name is a claim, not proof. Protect your phone number with a carrier PIN and move important accounts off text-message codes to an authenticator or a YubiKey. Report scams by forwarding texts to 7726 and filing with the FTC. And help your relatives with warmth, not nagging, by giving them one simple rule and being their safe person to call. Practice your instincts anytime with our phishing quiz, and you'll find these messages lose their power fast.

Liked this?

Get one short, useful security email when we publish something new.

More in Guides

Get the plain-English security newsletter

One short email when we publish something useful. No spam, no fearmongering. Unsubscribe anytime.