As soon as I sat down to write this, I got a text that simply said, “Hi.” In another era, I may have been intrigued by the mysterious message from an unknown number. Maybe I would’ve been curious about who wanted to say hello, and texted back. But this is not my first time playing this game.
Scam texts are a growing multibillion-dollar industry. As robocalls become less common — thanks, in part, to a 2009 law that forced phone companies to do more to stop them — complaints about text scams increased 500 percent from 2015 to 2022. While it’s hard to nail down an exact number of spam messages sent in a given day, the problem is getting worse. It’s not just that you’re getting bombarded with more text scams than ever. The texts are also starting to get really sophisticated.
Vox Technology
Dispatches from senior correspondent Adam Clark Estes about how technology is changing the world — and how it’s changing us.
I’d like to say I’ve never clicked on a link in a spam text, but I’d be lying. Maybe it was about an issue with a mysterious package or an unpaid parking ticket or some political thing — it doesn’t really matter. With so much of our personal data now appearing online and with the help of AI, text scams are getting smarter, more targeted, and more dangerous. The software we need to stop spam texts is being outpaced by the software used to generate them, which does not bode well for our ever-evolving relationship with technology.
So that’s the bad news and the worse news. The good news is that humans are, so far, smarter than the machines. With a combination of savvy and software, you can reduce your exposure to text scams or, at the very least, your likelihood of actually becoming the victim of a scam.
Robocalls don’t seem so bad in retrospect
Another text scam I got this week involved an alleged unpaid toll, with a link to pay and a friendly sign-off (“The Toll Roads team wishes you a great day!”). As it happens, I probably do owe somebody money for an unpaid toll, but it’s not “The Toll Roads team.” The link in the text, which ended in “.world”, was the biggest red flag. I did not click this link, but if the text had been more personalized — perhaps by using my name or mentioning that the toll was in the state of New York, where I live — maybe I would have.
This is where we’re heading. Common scams, like those involving unpaid fines, job recruiters, the IRS, and undelivered packages, can become exponentially more dangerous if they include your personal details, including your email and home address. And following years of data breaches, a growing amount of data about you is available for scammers to leverage. Meanwhile, generative AI makes it easy for bad actors to craft convincing, typo-free messages on a massive scale. Sometimes all you have to do is read the text to give the scammer more leverage.
Common scams, like those involving unpaid fines, job recruiters, the IRS, and undelivered packages, can become exponentially more dangerous if they include your personal details.
“Depending on what your read receipts are like, then the bad guy might know that you opened the text,” Teresa Murray, a consumer watchdog at the US PIRG Education Fund, told me. “And then, God forbid, if you click on any links or anything like that, or call the number that’s on the text, then it’s off to the races.”
There are multiple ways for scammers to win here. If you click a link, you could be tricked into giving them money or misled into giving up more personal information, which is its own currency in the fraud marketplace. Many text scams are also phishing schemes, and the links point to a webpage designed to steal your login credentials. At best, clicking the link proves to bad actors that you’re alive and willing to go along with the scheme.
The total amount of money lost to phone scammers in 2024 was over $25 billion, which works out to an average of about $450 per victim. Older adults are actually less likely to fall for certain scams, mostly because they’ve learned not to pick up their phones. The vast majority of Americans over 65 say they don’t answer if they don’t recognize the number, and 57 percent of the same group have put their names on the national Do Not Call registry — a database run by the Federal Trade Commission since 2003 — according to a recent report from the call blocking service Truecaller.
Younger Americans have it worse. The same report found that people between the ages of 18 and 44 are three times as likely as older Americans to fall for phone scams, including spam texts, and 25 percent of that group have reported being a victim more than once. Only 30 percent of them say they’re on the Do Not Call registry.
What you can and can’t do to escape text scams
Because it was designed to stop unwanted calls from telemarketers, the Do Not Call registry doesn’t do too much to cut down on spam texts. Furthermore, many of those texts come from abroad, and without an international phone police patrolling the lines, a scammer running a SIM farm in Southeast Asia can blow up your phone with alerts about undelivered packages to their heart’s content.
SIM farms, also known as phone farms or SIM banks, are systems equipped with multiple SIM cards that can send large numbers of texts or place calls simultaneously, and cost just a few hundred dollars to set up. It’s virtually free for scammers to acquire phone numbers, and unlike robocalls, which happen in real-time, spam texts get sent in big batches in a split second. If a number gets blocked, the scammer can just start using a new number and keep spamming. Now, they can also use generative AI to craft more convincing, personalized messages.
Meanwhile, phone companies face fewer regulatory requirements to protect their customers from these spam texts. The TRACED Act, which was implemented in 2021, gave the Federal Communications Commission (FCC) tools to prevent robocalls, including a caller ID verification framework called STIR/SHAKEN. But it wasn’t until 2024 that the FCC enacted its first rule specifically targeting spam texts.
You’d think that stopping spam texts should be as easy as using a spam filter, like email providers have been doing for decades. But text messages are not nearly as sophisticated as email technology. The basic technology — SMS, or Short Message Service — dates back to the 1980s and is hardly secure.
“SMS lacks built-in security controls, such as email authentication protocols” Adam Meyers, head of counter adversary operations at the cybersecurity firm CrowdStrike, explained in an email. “While phone carriers and software makers implement filters and blocking mechanisms, adversaries constantly evolve their tactics.”
The challenge is to filter out the unwanted messages, without blocking legitimate ones. That means distinguishing texts from your friends, your bank, your DoorDash driver, or your new friend who’s not yet in your contacts list from spam texts.
Many companies and organizations also do send legitimate messages in bulk, using short codes — five- or six-digit numbers that must be registered with the CTIA, the wireless industry’s trade association, which also governs how people can interact with these texts.
Pro tip: Don’t delete trusted messages
You probably get tons of automated messages from trusted sources, like your pharmacy, bank, or food delivery service. That also includes verification codes if you use your phone number for two-factor authentication as well as texts from short codes, including political campaigns.
Don’t delete these messages right away. This way, if you get a new message from a trusted source, it will likely show up in the same thread and spare you the stress of wondering if it’s the real deal. “Even better: Go ahead and put a label on it, put it in your contacts,” said PIRG’s Teresa Murray. “And then if you get what looks like a verification code from XYZ bank, but it’s not coming from the saved contact, then that could be a red flag for you.”
Unfortunately, scammers don’t care much for laws or rules, and phone companies will only do so much to combat the never-ending torrent of spam texts. It costs money to build filters that can attempt to keep up with the scammers’ methods, and some carriers include those tools in the cost of their service. Others charge for better tools. Verizon, for instance, offers basic filters for free, and “plus” filters for an extra $4 a month.
“It’s real work to do this. There’s a significant amount of analysis,” Alex Quilici, CEO of the call-blocking service YouMail, told me. “I’m sympathetic, but carriers have a fairly hard problem.”
When it comes to avoiding text scams, you have options. In addition to whatever your carrier offers, there are apps like Truecaller, TextKiller, RoboKiller, and Hiya.
I’ve never paid for one of these services, so I can’t say how well they work. I can say that not answering your phone continues to be a solid way to avoid robocallers — and a great way to miss a call from your doctor’s office. Caller ID can be easily spoofed, so don’t pick up if you’re not expecting a call. If in doubt, skip the call, and call the legitimate number back.
You can also report scammers to the FCC by forwarding the message to 7726, which spells SPAM, or file a complaint on the agency’s website. You can report all kinds of fraud to the FTC or to your state’s attorney general.
The most important thing to do is not engage with scammers. Even if they’re saying “Hi” and seem friendly, responding to or even reading a spam text just tells the bad actor that you’re a real human and a target. For now, know that you’re smarter than the AI, and ignore it.
A version of this story was also published in the Vox Technology newsletter. Sign up here so you don’t miss the next one!
