Date: 2025-03-14

Smishing is a type of phishing scam that works through text messages.

The name comes from a mix of "SMS" and "phishing," since scammers use fake messages to trick people into giving away personal information. It’s been around for a while, but lately, it’s gotten so bad that even the FBI and several U.S. cities have started warning people.

Hackers have set up over 10,000 fake websites to keep these scams going, targeting both iPhone and Android users with texts designed to steal their personal and financial information.

What you need to know

Cities across the United States are warning residents about an ongoing mobile phishing campaign in which scammers impersonate parking violation departments. The fraudulent text messages claim recipients have unpaid parking invoices and threaten a $35 daily fine if left unpaid. As reported by cybersecurity publication BleepingComputer, the latest wave of phishing texts has prompted alerts from multiple cities, including Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego and San Francisco.

The campaign, which began in December, remains active. The smishing texts claim to be from a government authority and instruct recipients to click a link to pay an alleged overdue fine.

"This is a final reminder from the City of New York regarding the unpaid parking invoice. A $35 daily overdue fee will be charged if payment is not made today," one fraudulent message says.

The same phishing template has been observed in similar scams targeting residents of other cities. The FBI has also raised concerns about a broader smishing campaign affecting U.S. residents. In a recent alert, the agency warned that scammers have expanded beyond parking fines and are now impersonating road toll collection services.

"Since early March 2024, the FBI Internet Crime Complaint Center (IC3) has received over 2,000 complaints reporting smishing texts representing road toll collection services from at least three states," the agency stated. "IC3 complaint information indicates the scam may be moving from state to state."

Smishing scams are evolving

A new report from cybersecurity firm Palo Alto Networks’ Unit 42, the company’s division specializing in threat intelligence and incident response, has found that these scams are designed to steal sensitive information, including credit card and bank account details.

What started as a scheme involving fraudulent toll payment notifications has now expanded to include fake delivery service alerts, tricking users into clicking malicious links.

The scam appears to be operated by local cybercriminals using a toolkit developed by Chinese hacking groups. Notably, research from Unit 42 shows that many of the scam's root domains and fully qualified domain names use the Chinese .XIN top-level domain (TLD).
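
As an added illustration (not code from Unit 42, the FBI or this article's author), the Python example below scores a text message using only the indicators described above: a link under the .XIN TLD, a parking, toll or delivery lure, and fee pressure. The sample messages, the example.xin and example.com placeholder hosts, the term lists and the threshold of 3 are assumptions made for the example.

```python
import re

# Indicators named in the article: the .XIN TLD, the lure themes and fee pressure.
SUSPECT_TLDS = {"xin"}
LURE_TERMS = ("parking", "toll", "delivery", "invoice")
PRESSURE_TERMS = ("final reminder", "overdue", "daily", "today")
THRESHOLD = 3  # assumption: a suspect-TLD link (2) plus one text signal (1)

# Group 1 captures the hostname of a URL or bare domain, scheme optional.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

# Constructed sample messages; example.xin / example.com are placeholders.
SAMPLES = [
    "This is a final reminder regarding the unpaid parking invoice. A $35 daily "
    "overdue fee will be charged if payment is not made today: "
    "https://city-parking.example.xin/pay",
    "Your toll balance is overdue. Settle it at tolls.example.xin",
    "Hi, your table is booked for 7pm. Menu: https://restaurant.example.com/menu",
    "Your delivery arrives today.",
]


def extract_hosts(text):
    """Return the lower-cased hostname of every URL-like token in the text."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def triage_sms(text):
    """Score one SMS body and return the score, verdict and reasons."""
    lowered, score, reasons = text.lower(), 0, []
    for host in extract_hosts(text):
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:  # the TLD is the last label
            score += 2
            reasons.append(f"link host {host} is under a suspect TLD")
    for label, terms in (("lure theme", LURE_TERMS), ("fee pressure", PRESSURE_TERMS)):
        if any(term in lowered for term in terms):
            score += 1
            reasons.append(label)
    return {"score": score, "suspicious": score >= THRESHOLD, "reasons": reasons}


if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

Because the research says many, not all, of the domains use .XIN, a message with the same lure and a link under another TLD scores below the threshold here and still needs the manual verification described in the tips that follow.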

6 ways you can protect yourself from smishing scams

1. Verify before you trust: Treat unsolicited texts with caution. If a message claims to be from a government agency or company, don’t click any links or act immediately. Instead, verify the claim by contacting the organization directly using an official phone number or checking their verified website.

2. Avoid clicking suspicious links and use strong antivirus software: Scammers use links to direct you to fake websites that can steal your personal or financial information. Instead of clicking on any link in an unexpected text, manually type the known URL into your browser or search for the organization’s official website.

The best way to safeguard yourself from malicious links that install malware and could expose your private information is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

3. Keep your devices secure: Regularly update your devices’ operating systems and apps to ensure you have the latest security patches. Consider installing reputable security software that can help detect phishing attempts and warn you about potentially dangerous websites or messages.

4. Use a password manager: A trusted password manager can help protect your sensitive information by automatically filling in credentials only on verified sites. This minimizes the risk of entering details on fraudulent websites and can alert you if a site doesn’t match what’s expected. Get more details about my best expert-reviewed Password Managers of 2025 here.

5. Report suspicious activity: If you receive a text that seems off, report it immediately to your mobile carrier, local law enforcement or the FBI’s Internet Crime Complaint Center (IC3). Reporting helps authorities track down scammers and prevent further attacks.

6. Consider using a personal data removal service: Personal data removal services can help reduce your exposure to smishing attacks by removing your sensitive information — like phone numbers, addresses and email details — from data broker websites. Scammers often rely on these publicly available databases to target victims with personalized phishing texts. These services aren’t foolproof, but they can make it harder for cybercriminals to find and exploit your information. While no service promises to remove all your data from the internet, a removal service is useful if you want to monitor and automate the removal of your information from hundreds of sites over a longer period of time. Check out my top picks for data removal services here.

Kurt’s key takeaways

I've been tracking these smishing scams, and it's clear they're evolving fast, from fake parking fines to bogus toll notifications. With the FBI and cities like New York, San Francisco and others sounding the alarm, I'm stepping up my own security game. As a general rule, if you receive a text from an unknown number or email address that's an out-of-the-blue greeting, asks you to click a link, pay a bill or respond in any way, just block it and report the number. It's better to be safe than sorry when it comes to protecting your personal information.

