In 2024, consumers reported losses of $470 million from SMS-initiated scams—more than five times the 2020 total—even as the overall number of reports declined (ftc.gov). Roughly half of these reported losses can be traced to five core schemes: “wrong number” investment lures, package-tracking frauds, bank-alert phishing, SMS multifactor-authentication bypass attacks, and fake government or promotional relief offers. By preying on recipients’ trust and sense of urgency—whether through a friendly misdirected text, an unpaid delivery notice, or a too-good-to-be-true rebate—each scam convinces victims to click malicious links, divulge sensitive credentials, or authorize fraudulent transactions.
Now that we’ve established the scale and ingenuity of these SMS-based schemes—ranging from feigned delivery alerts to counterfeit relief offers—let’s examine the first and perhaps most insidious variant: the “Wrong Number” investment scam, which begins with an innocuous misdirected text and evolves into a persuasive, romance-tinged lure toward fake trading platforms (ftc.gov).
1. “Wrong Number” Investment Scams
The scam begins with a benign text message (“Hey, is dinner still on for tonight?”) that prompts a polite reply. Once the recipient engages, scammers feign rapport, often with romantic undertones, then pivot to bogus investment pitches and steer victims toward fraudulent trading platforms (ftc.gov, themerrimack.com).
- How it works: Scammers strike up a “wrong-number” chat, build trust, then “recommend” a high-return opportunity and share a link.
- Impact: In 2024 these romance-style scams, sometimes called “pig butchering,” netted criminals millions; one FBI-linked operation funneled over $300 million globally (nypost.com).
- Red flags: Unexpected friendly SMS from unknown numbers; rapid intimacy or investment talk; links promising quick profits.
- Protection: Never invest via unsolicited texts. Independently verify any opportunity, research the platform, and consult a trusted advisor before transferring funds.
Now that we’ve seen how a simple “wrong number” text can spiral into an elaborate investment scam, the next tactic trades on our reliance on shipment alerts—masking malware and credential phishing as urgent delivery notices in what’s known as package-tracking smishing.
2. Package-Tracking (“Smishing”) Scams
Texts purporting to be from USPS, FedEx, or DHL notify you of “undelivered” packages or unpaid postage and urge you to click a link to reschedule delivery (consumer.ftc.gov). The link installs malware or harvests login and payment details.
- How it works: You click a URL to “resolve” a delivery issue. The site captures credentials or pushes malicious software.
- Impact: FTC data show these smishing scams rank among the top sources of SMS-fraud losses (ftc.gov).
- Red flags: Links in texts for deliveries you didn’t order; requests for personal information; misspellings or non-branded URLs.
- Protection: Don’t click links—track shipments via official carrier websites or apps. If in doubt, call the carrier’s verified customer-service number.
While package-tracking smishing capitalizes on delivery anxieties, the next wave of SMS fraud preys on banking fears—spoofed “bank alerts” prompt you to call fake hotlines or click malicious links, then harvest your account numbers, PINs, and one-time codes.
3. Bank-Alert and Account-Verification Phishing
Fraudulent texts mimic your bank’s alerts about “suspicious transactions” and instruct you to call a provided number or click a link to “verify” your identity. The fake hotline or website then prompts for account numbers, PINs, and OTPs (thesun.ie).
- How it works: Urgent language (“Your card was just used at…”) pressures you to act without thinking, leading to credential theft.
- Impact: Banks worldwide report surges in SMS-phishing; Bank of Ireland shut down over 20 fake phone lines in April 2025 alone (thesun.ie).
- Red flags: Sender numbers that don’t match your bank; requests for your full account number or password; links to non-bank domains.
- Protection: Independently verify by logging into your bank’s official app or calling the number on your card—not the one in the text.
Building on these credential-harvesting schemes, attackers have shifted their focus upstream in the authentication process—exploiting the very safeguards designed to protect us. By intercepting SMS one-time passcodes or bombarding users with repeated MFA prompts until they relent (“MFA fatigue”), they bypass SMS-based multi-factor authentication altogether.
4. SMS MFA-Bypass and “MFA Fatigue” Attacks
Attackers steal or intercept one-time passcodes (OTPs) sent via SMS, or repeatedly trigger MFA prompts until victims approve them out of annoyance (“MFA fatigue”) (blog.1password.com, csa.gov.sg). Once they have your OTP, they can breach accounts, transfer funds, or reset passwords.
- How it works: Phishing pages request your OTP, or attackers bombard you with MFA push notifications until you accept.
- Impact: In December 2024, the FBI and CISA warned against SMS-based 2FA, citing interception risks and urging stronger alternatives like authenticator apps (blog.1password.com).
- Red flags: Unexpected MFA prompts when you’re not logging in; texts asking “Is this you?” with a code.
- Protection: Switch from SMS OTPs to app-based or hardware-key authenticators (e.g., Google Authenticator, YubiKey). Never share codes, even if prompted by someone claiming to be support.
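For teams that operate push-based MFA, the "MFA fatigue" pattern described above can be detected from authentication logs. The following is an added example, not part of the original article; the log format, event names (`push_denied`, `push_timeout`, `push_approved`), window and threshold are all assumptions to adapt to your identity provider.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that is abnormal

def parse(line):
    """Split a 'timestamp user event' line (hypothetical log format)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event

def detect_fatigue(lines):
    """Return (user, timestamp, kind) alerts from time-ordered MFA log lines."""
    recent = defaultdict(deque)  # user -> times of recent denied/ignored prompts
    alerts = []
    for ts, user, event in map(parse, lines):
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop prompts older than the window
            q.popleft()
        if event in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) == THRESHOLD:       # alert once when the burst is reached
                alerts.append((user, ts.isoformat(), "prompt_burst"))
        elif event == "push_approved":
            if len(q) >= THRESHOLD:       # approval right after a burst: likely fatigue
                alerts.append((user, ts.isoformat(), "approved_after_burst"))
            q.clear()
    return alerts

# Constructed sample log: alice is bombarded and finally approves; bob mistaps once.
LOG = [
    "2025-01-10T02:14:05 alice push_denied",
    "2025-01-10T02:14:40 alice push_timeout",
    "2025-01-10T02:15:10 bob push_denied",
    "2025-01-10T02:15:12 alice push_denied",
    "2025-01-10T02:15:30 bob push_approved",
    "2025-01-10T02:15:55 alice push_timeout",
    "2025-01-10T02:16:20 alice push_denied",
    "2025-01-10T02:17:02 alice push_approved",
]

if __name__ == "__main__":
    for alert in detect_fatigue(LOG):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: revoke the session and reset the user's credentials, since the approval probably did not come from a genuine login.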
With multi-factor safeguards now under attack, scammers have shifted tactics to prey on economic anxieties—posing as government agencies or major brands to promise “tariff relief” credits, tax rebates, or gift cards in exchange for personal data or payments.
5. Fake Government Relief and Promotional Offers
Scammers pose as government agencies or popular brands, offering “tariff relief” credits, tax rebates, or gift cards via SMS-linked surveys or quizzes (washingtonpost.com). The final step asks for personal data or payment to “unlock” funds.
- How it works: A sponsored ad or text promotes a too-good-to-be-true benefit (e.g., $750 import-tax refund) that requires filling out personal or banking details.
- Impact: Meta removed dozens of such ads in early 2025, but losses mount as these schemes adapt with quiz-style engagements (washingtonpost.com).
- Red flags: SMS linking to non-governmental domains; requests for Social Security, banking, or credit-card numbers; urgent deadlines.
- Protection: Never provide sensitive information for unsolicited offers. Confirm any government program on official websites (e.g., .gov domains) and avoid sponsored-post engagements.
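The "non-branded URL", "non-bank domain" and "non-governmental domain" red flags from sections 2, 3 and 5 can be checked mechanically by comparing the host a link really points to with the sender the text claims to be. This is an added example, not part of the original article; the allowlist, keyword list and sample messages are assumptions, and a bank's own domain could be added to the allowlist in the same way.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration: brand named in the text -> domains it really uses.
OFFICIAL = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "dhl": {"dhl.com"}}
GOV_WORDS = re.compile(r"\b(tariff|tax|rebate|irs|government)\b", re.I)
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Hostname the link really goes to (text before '@' is userinfo, not the host)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_sms(text):
    """Return (host, reason) pairs for links that contradict who the text claims to be."""
    findings = []
    brands = [b for b in OFFICIAL if re.search(rf"\b{b}\b", text, re.I)]
    for m in URL_RE.finditer(text):
        host = host_of(m.group(0).rstrip(".,;:!?)"))
        for brand in brands:
            if not any(matches(host, d) for d in OFFICIAL[brand]):
                findings.append((host, f"names {brand} but link is not on its domain"))
        if GOV_WORDS.search(text) and not host.endswith(".gov"):
            findings.append((host, "government-style offer on a non-.gov host"))
    return findings

# Constructed sample messages; the .example hosts and the paths are placeholders.
SAMPLES = [
    "USPS: your package is on hold. Reschedule at https://usps.com.track-redelivery.example/pay",
    "USPS tracking update: https://tools.usps.com/track",
    "FedEx delivery failed: https://fedex.com@redeliver.example/x",
    "Tariff relief: claim your $750 import-tax refund at http://relief-refund.example/quiz",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(check_sms(sms) or "no mismatch found", "<-", sms)
```

A clean result only means the link is on the expected domain; it says nothing about a message that carries no link at all, such as a "call this number" bank alert.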
Stay Vigilant and Protected
By remaining aware of these five SMS-based scams—wrong-number investment lures, delivery-tracking smishing, bank-alert phishing, MFA-bypass schemes, and fake relief offers—you can dramatically reduce your exposure to fraud and identity theft. Always pause before clicking on any link or sharing personal information, verify requests through official channels, and strengthen your security with app-based or hardware authenticators wherever possible.
Take control of your inbox and your security—because the best defense against SMS scams is informed vigilance.