Skip to main content

How a Simple Text Message Can Lead to Fraud

By Diane Amato

Published March 8, 2024 • 6 Min Read

You receive a text message from what looks like a delivery company, your bank, or a friend. You open it and click the link, not realizing that the message is a fake. What happens next? Discover how a fraudulent message can lead to stolen data and money – and how to avoid becoming a victim.

Phishing attacks – where a cybercriminal sends a deceptive message designed to fool the recipient into giving up sensitive data – continue to be on the rise. As people have become more wary of fake emails in recent years, fraudsters have shifted their attacks to mobile communications, sending fake texts in their attempts to steal money and information.

Phishing attempts sent by text – also known as “smishing” – are successful for a few reasons. For one, people generally trust texts, and they have an open rate of 95 per cent to 99 per cent. And, fraudsters send texts that are highly convincing, using current events and everyday scenarios that are very believable.

Here are some common fake texts that trick people into clicking the link:

Fake delivery notifications:

Package and delivery scams are highly effective spam texts. Scammers will pose as Amazon, FedEx, Canada Post or USPS and ask people over text for their personal information about their package or order. 

For example, a text might include a link for you to “update your delivery preferences” for a package en route. Others may claim there was a failed delivery attempt on an expensive item. The link you click to try to rectify the situation – which often asks you to pay to secure a later delivery or confirm your address and other details – will give fraudsters personal data about yourself and/or access to your device.

Suspicious login attempts:

If you get an SMS notification about suspicious activity on one of your bank or credit card accounts, the tendency is to act quickly to protect your money. The thing is, scammers use your fear of getting hacked to their advantage. 

Fake text messages about suspicious log-in attempts are designed to get you to click on a link and “update” your password – when really, you’re giving a fraudster your private login credentials.  

Lottery and giveaway scams:

“Congratulations, your IP address has been chosen as this week’s winner of a new iPhone!” Scammers know that it often takes the promise of a great prize to get you to click on a link. Because some of the more common scams claim to be from companies you know and trust, like Walmart, Amazon, or Apple, it’s easy to be drawn in and click the link to claim your prize. 

Fake bills:

In this kind of scam, you may get a text telling you that you missed the payment – and if you don’t pay in the next week, your plan will be disconnected. Even if you recently paid your bill, the threat of disconnection may cause you to act quickly and send money without doing a double check.

What happens when you click

When you click on the link in a fake text, one of two things can happen:

  1. The link directs you to a fake website

  2. Malicious files or viruses will begin automatically downloading to your device

Here’s what can happen next:

Path 1: You’re directed to a fake website

Once you land on the website, you may be asked for personal details such as your login credentials or your credit card information. Any information you enter on this page will get into the hands of the fraudster behind the attack and can ultimately lead to identity theft and financial fraud.

Path 2: Malicious software is automatically downloaded to your device

If the link you click begins to download malicious files or viruses onto your device, your machines and systems become compromised. What does this mean? There are a few outcomes. Hackers can:

  • Steal data directly from your system

  • Take control of your devices

  • Gain access to business data, which can lead to theft of business funds, client information or employee data – or all of the above

How to spot a phishing text

While fake texts tend to look real – and appear to be from companies you know and trust – there are a few tell-tale signs to watch for. Here’s how you can spot a fake:

  • The text comes from an unusually long phone number (10 or 11 digits) with an area code you don’t recognize.

  • The text includes a link that is shorter than usual or in a strange format.

  • The text is written with a sense of urgency or even includes threatening language – i.e., you must act to avoid being charged, arrested, or disconnected.  

  • The text contains grammar or spelling mistakes.

  • It promises a reward or prize if you respond or click a link.

  • The text claims to be from a company you use but weren’t expecting to hear from – such as a courier company when you have nothing out for delivery.

  • It claims to be from a colleague, family member, or friend but doesn’t sound like them.

How to protect yourself

To avoid falling for a text scam, the best piece of advice is to do nothing:

  • Do not open a suspicious text message

  • Do not click on a link within that text

  • Do not send any personal information to unknown parties

  • Delete the email or text message immediately

Here are other ways to guard against a smishing attack:

  • Take 6 seconds. If you receive an urgent message to take action in some way, take 6 seconds to ask yourself if it seems suspicious.

  • Call the “sender” directly. Confirm any requests received by text by calling the organization’s official number (i.e., one on their website, not the number in the text message).

  • Remember that legitimate companies and financial institutions don’t ask for account updates or login information via text.

  • Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.

  • Avoid storing banking information on your phone. If an attacker installs malware on your device, your information could be compromised.

It is critical that we all become more Cyber Aware and safeguard our online activities. Visit Be Cyber Aware for more tips.

Stay informed about any new or ongoing scams by checking RBC Current Scam Alerts.

This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.

Share This Article


Cyber Crime Cyber Security