The Two-Question Gut Check
While most of these smishing attempts are novel, some might be downright heinous—claiming your car will be towed for a traffic violation or you’ll lose access to a utility unless you act. In moments like this, don’t rush or panic. Ask yourself:
- Did I start this? If they started it, I’m cautious.
- Are they rushing me? “Act now,” “final notice,” “verify in 10 mins.” If it’s urgent and unexpected, I slow down.
If either answer feels off, don’t tap.
What These Texts Look Like (in the wild)
Here are some variations of what these messages might look like to you:
- Package drama: “Your parcel is held. Pay $1.50 to release:
bit.ly/...” - Money panic: “Fraud alert: reply YES to approve/NO to block.” (Replying tells scammers your number is active.)
- Account lock: “Reset your password here:
secure-paypaI.com” (that’s a capital I, not a lowercase L). - Code grab: “If this wasn’t you, reply with the code to secure your account.” No legitimate organization asks for your MFA code in a text reply.
What I Do (and you can too)
These are the methods I use to keep myself safe:
- I open the app myself. Bank, delivery, payroll—no link-tapping from texts. I type the site or use a saved bookmark.
- I use authenticator apps. Like Duo for Fordham, and Google Authenticator elsewhere, to add 2FA. Read more on 2FA here.
- I let my password manager be the bouncer. If it won’t autofill, the site’s probably fake.
- I report and block in 20 seconds. Forward the text to 7726 (SPAM), then block the sender.
- I keep filters on:
- iPhone → Settings → Messages → Filter Unknown Senders (on)
- Android (Google Messages) → ⋮ → Settings → Spam protection (on)
If You Already Clicked
If instinct took over, here’s what to do next:
- Close it. If you installed anything, turn on Airplane Mode.
- Change the password for any account you typed into, and sign out of other sessions.
- Re-do MFA (new codes, re-enroll authenticators).
- Scan your phone and delete sketchy apps or “profiles.”
- Bank info involved? Call the number on the back of your card.
- Tell us. If university data might be affected, report to Information Security & Assurance. More info here.
Quick ways to say “Nope”
- “Didn’t order anything, deleting.”
- “I’ll check the official app instead.”
- “Nice try, scammer.” (…or just forward to 7726 and block.)
Red Flags I Watch For
- Weird sender or email-to-text address
- Tiny typos and almost-right links
- “Keep this secret” or “resolve in minutes” vibes
- Requests for gift cards, wire transfers, or your MFA code
Bottom line: if a text creates the crisis, it isn’t the cure. Take ten seconds to breathe, open the real app yourself, and move on—and if you do get snagged, report it so the next person doesn’t.
Sources & further reading
- Federal Trade Commission — How to recognize and report spam text messages (Consumer Advice)
- CTIA — How to report spam texts to 7726 (CTIA)
- Apple Support — Filter/Screen unknown senders; report & block texts (Apple Support)
- Google Support — Spam protection and reporting in Google Messages (Google Help)
- FBI IC3 PSA — Recent smishing/vishing campaigns (IC3)