Smishing Text Scam Alert: FBI Warns iPhone & Android Users

The Federal Bureau of Investigation (FBI) has warned about a rising “smishing” scam targeting iPhone and Android users. Smishing, short for SMS phishing, is a cyber attack in which scammers send fraudulent text messages to trick victims into revealing sensitive personal information.

These deceptive messages often impersonate banks, delivery services, government agencies, or tech companies, urging users to click on malicious links. Once clicked, these links may lead to fake login pages, install malware, or steal personal and financial data.

With smishing attacks on the rise, the FBI advises smartphone users to stay vigilant, recognize fake texts, and take steps to protect their data from cybercriminals.

What Is Smishing and How Does It Work?

Smishing is a form of phishing where attackers use text messages instead of emails to deceive victims. These scams typically rely on social engineering, creating a sense of urgency to make people respond quickly.

Common tactics used in smishing attacks include:

  • Fake banking alerts – Messages claiming your account has been locked, or a suspicious transaction was detected, urging you to verify your details.
  • Delivery scams – Texts pretending to be from FedEx, UPS, or USPS, stating that a package delivery is pending and requires confirmation.
  • Tech support scams – Fake alerts from Apple, Google, or Microsoft, saying your device has been compromised and needs immediate action.
  • Government impersonation – Messages claiming to be from the IRS, Social Security Administration, or law enforcement demanding personal information or payments.

These messages often contain malicious links or phone numbers that lead to phishing sites, tricking users into providing login credentials, credit card numbers, or Social Security details.

FBI’s Official Warning on Smishing Scams

The FBI’s Cyber Division has reported a sharp increase in smishing attacks, mainly targeting smartphone users across the U.S. Cybercriminals are exploiting text messaging as an easy way to bypass traditional email security filters.

According to the FBI:

  • Smishing scams have increased by over 300% in the last year.
  • iPhone and Android users are equally vulnerable, despite security differences in iOS and Android.
  • Most scams impersonate banks, retailers, and government agencies, preying on fear and urgency.

The FBI urges users to verify messages before clicking links, report fraudulent texts, and avoid sharing personal information via SMS.

How Smishing Attacks Target iPhone and Android Users

Cybercriminals use smishing tactics differently depending on the operating system of the target.

iPhone Users

Smishing attacks on iPhones often rely on iMessage phishing links disguised as security alerts from Apple, iCloud, or trusted services. These messages may claim that a user’s Apple ID has been compromised, iCloud storage is full, or a login attempt was detected from an unknown device. Clicking the provided link often leads to a fake Apple login page designed to steal login credentials.

Since Apple does not allow third-party antivirus apps on iOS, users must rely solely on Apple’s built-in security settings to filter spam and block phishing attempts. However, Apple’s strict security measures also mean that when users fall for a smishing scam, attackers can gain significant control over accounts tied to their Apple ID, including payment information stored in Apple Pay or iCloud Keychain.

Outdated iOS versions also present a security risk. Devices that have not been updated with the latest security patches may be more vulnerable to exploits used by attackers in smishing campaigns. Cybercriminals often take advantage of known iOS vulnerabilities that have been patched in newer updates but remain exploitable on older devices.

Android Users

Android users experience smishing attacks more frequently due to the platform’s open-source nature, which allows a wider variety of apps and software modifications. Attackers exploit this flexibility to distribute phishing messages that appear to come from Google services, financial institutions, or popular online platforms. These messages often contain fake links, leading to malware-infected apps that can bypass Android security measures.

Compared with iPhones, Android devices are more susceptible to malicious APK installations from sources outside the Google Play Store. Clicking on a phishing link can trigger the download of spyware or keyloggers, which secretly monitor user activity and capture sensitive information such as banking credentials or passwords.

Google’s Play Protect is designed to scan and detect malware, but some phishing apps bypass security checks and get onto devices. Once such an app is installed, cybercriminals use fake app updates or hidden permissions to steal user data.

Even though Google has strengthened its Play Store security, smishing remains a significant threat because attackers can distribute malware outside official app stores through direct APK downloads or deceptive websites.

How to Identify a Smishing Scam

To avoid becoming a victim, look for these warning signs of fraudulent SMS messages:

  • Unsolicited messages from unknown senders requesting sensitive information.
  • Poor grammar, spelling errors, or unusual formatting, all of which indicate a scam.
  • Messages with urgent language such as “Act Now!” or “Immediate Action Required!”
  • Shortened or suspicious links that hide the real destination (e.g., bit.ly links).
  • Requests for banking details, Social Security numbers, or login credentials via text.

If you receive a suspicious message, never click the link or reply. Instead, verify the sender by contacting the company through their official website or customer support.
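
The warning signs above can be checked mechanically. The following is an added example, not code from the FBI or from the original article: it flags urgency wording, requests for sensitive data, shortened links, and links whose host does not belong to the brand named in the text. The phrase lists, the brand allow-list, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Illustrative phrase and domain lists (assumptions, not an FBI or vendor rule set).
URGENCY = ("act now", "immediate action required", "urgent", "locked", "suspended")
SENSITIVE = ("password", "social security", "card number", "login", "verify your")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "is.gd")
# Brand keyword -> domains the brand really uses (hypothetical allow-list).
OFFICIAL = {"fedex": ("fedex.com",), "ups": ("ups.com",), "usps": ("usps.com",),
            "apple": ("apple.com", "icloud.com")}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Return the lower-cased hostname of every link found in the message."""
    hosts = []
    for match in URL_RE.findall(text):
        url = match if "://" in match else "http://" + match
        hosts.append((urlparse(url).hostname or "").lower())
    return hosts

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def smishing_signals(text):
    """Return the set of warning signs present in one SMS body."""
    low, found = text.lower(), set()
    if any(p in low for p in URGENCY):
        found.add("urgency")
    if any(p in low for p in SENSITIVE):
        found.add("asks_for_sensitive_data")
    for host in link_hosts(text):
        if any(on_domain(host, s) for s in SHORTENERS):
            found.add("shortened_link")
        for brand, domains in OFFICIAL.items():
            named = re.search(rf"\b{brand}\b", low)
            if named and not any(on_domain(host, d) for d in domains):
                found.add("brand_link_mismatch")
    return found

# Constructed sample messages (not real scam texts).
SAMPLES = [
    "USPS: Immediate Action Required! Your package is on hold. Verify your address at http://bit.ly/3xYzAbC",
    "Apple ID locked. Sign in at https://apple.com.account-check.example/login to restore access.",
    "Your FedEx package is out for delivery today. Track it at https://www.fedex.com/track",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(smishing_signals(s)), "<-", s)
```

The second sample shows why the host check compares the end of the hostname: a link that merely begins with "apple.com" still resolves to a different domain and is flagged.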

How to Protect Your iPhone or Android from Smishing Attacks

The FBI recommends the following security measures to safeguard against smishing:

Enable Security Features on Your Phone

Activating built-in security settings can help filter out suspicious text messages before they reach your inbox. Spam filters detect and block messages from unknown or potentially fraudulent senders, reducing the chances of falling for a scam.

Enabling two-factor authentication (2FA) adds an extra layer of security to online accounts, making it harder for cybercriminals to access personal data even if login credentials are compromised.

Keeping your device software updated is also critical. Apple and Google regularly release security patches to fix vulnerabilities that attackers may exploit. If a known security flaw is left unpatched, cybercriminals can exploit it to distribute malware or bypass security protections.

Avoid Clicking on Links in Unverified Messages

A common smishing tactic is to trick users into clicking on malicious links disguised as legitimate websites. If you receive a message claiming to be from your bank, a delivery service, or a government agency, visiting the official website manually is safer than clicking the link provided. Scammers often create fake login pages resembling real banking or financial portals, aiming to steal credentials.

Another risk is downloading attachments or apps from unknown sources. Attackers may disguise malware as a security update, document, or file attachment, tricking users into installing harmful software.

To stay safe, always download apps from official stores like the App Store or Google Play and avoid sideloading applications unless absolutely necessary.

Report Suspicious Messages

If you receive a suspected smishing attempt, reporting the message can help prevent future scams from targeting other users. Both Apple and Google have built-in mechanisms to report fraudulent text messages.

  • iPhone users can report spam texts by forwarding them to 7726 (SPAM), which helps Apple improve its spam detection systems.
  • Android users can report phishing messages using the Google Messages app. This app flags suspicious SMS content and helps Google refine its security features.
  • If the scam involves financial fraud or identity theft, users should file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov to assist in cybercrime investigations.

What to Do If You Fall Victim to a Smishing Scam

If you suspect that you clicked on a fraudulent link or shared personal data, take immediate action:

  • Change your passwords for all affected accounts, especially banking and email accounts.
  • Contact your bank if financial details were compromised and ask it to block unauthorized transactions.
  • Monitor your accounts for suspicious activity and enable fraud alerts.
  • Scan your device for malware using security tools or reset your phone if necessary.
  • Report the scam to authorities, including the FBI, FTC, and your mobile carrier.

Taking quick action can minimize the damage and prevent further unauthorized access to your accounts.

The Future of SMS Security and Anti-Smishing Technologies

Tech companies and mobile carriers are actively working to combat SMS-based phishing attacks through new security technologies.

  • Apple and Google are enhancing their built-in SMS filtering and spam detection tools.
  • AI-powered security software is improving the detection of fraudulent messages.
  • Government agencies are working with telecom providers to block known phishing numbers.

Despite these advancements, human awareness remains the best defense against smishing. Staying informed and recognizing scam messages will always be the most effective way to avoid becoming a victim.

Final Thoughts

The FBI’s warning on smishing scams highlights the growing threat of SMS-based phishing attacks targeting iPhone and Android users. Cybercriminals use text messages to impersonate trusted organizations, tricking victims into revealing personal and financial information.

To stay safe, be skeptical of unexpected texts, avoid clicking suspicious links, and follow the FBI’s recommended security steps to protect your data.
