Bank-impersonation texts are the single most reported type of text message scam, according to a Federal Trade Commission analysis of consumer-reported messages. Reported fraud losses across all categories hit $12.5 billion in 2024, and a growing share of those losses trace back to messages designed to look like urgent alerts from a financial institution. For anyone who has ever received a text warning of suspicious activity on an account, the difference between spotting the fake and tapping the link can mean the difference between a minor annoyance and an emptied bank account.
Why bank-impersonation texts are surging right now
The pattern is consistent and well documented. The FTC analyzed a sample of consumer-reported text messages and found that fraudulent bank alerts topped every other scam category. These messages typically claim unauthorized charges have appeared on an account or that a login attempt needs immediate verification. The goal is to provoke a fast, emotional response before the recipient has time to think.
The FBI uses the term “smishing” to describe this SMS-based form of phishing. A clicked link routes the target to a spoofed website built to harvest login credentials, and the FBI has issued a specific alert on account takeover fraud via impersonation of financial institution support. Once credentials are captured, attackers can drain accounts, change contact information, and lock the real account holder out entirely.
What makes these messages effective is the combination of trust signals and artificial urgency. Scam texts and fake bank websites often display “Member FDIC” branding or mimic a bank’s color scheme to appear legitimate, yet that seal alone proves nothing about the sender. Pair a familiar logo with a one-hour deadline to “secure your account,” and the pressure to act fast can override skepticism. No publicly available controlled experiment has measured the exact click-rate increase when a bank logo and a tight deadline appear together versus either element alone, but the pattern of combining authority cues with time pressure is a consistent feature of the most-reported scam texts in FTC data.
Scammers also adapt quickly to news cycles and seasonal patterns. When a major bank suffers a public outage, fake texts may reference “system upgrades” or “restored access.” During tax season, messages may claim a refund has been deposited and ask the recipient to “confirm” account details. The underlying script is the same: create a believable pretext, insist that immediate action is required, and funnel the victim toward a link or phone number controlled by the fraudster.
Red flags regulators have identified in fake bank texts
Federal regulators have drawn a clear line that consumers can use as a first filter. The Consumer Financial Protection Bureau states that banks and credit unions do not ask customers to verify account information via email or text. Any message requesting login details, Social Security numbers, or PINs through a reply or a link is, by that standard, not from the bank. That single rule eliminates most scam texts on contact.
Beyond direct requests for sensitive data, wording and formatting offer additional clues. Messages that start with a generic greeting like “Dear customer” instead of a name, contain obvious spelling errors, or come from random ten-digit numbers instead of the bank’s usual short code are all warning signs. Even when a message appears in the same text thread as legitimate alerts, consumers should remember that phone numbers can be spoofed and that message-thread placement is not proof of authenticity.
NIST and other security standards bodies highlight cues that apply directly to bank-impersonation messages: unexpected requests to click links, language that creates urgency, and demands for credentials. The Federal Reserve and other regulators echo this guidance, advising consumers to treat any unsolicited message claiming to come from a financial institution with skepticism and to verify by calling the institution directly using a number printed on a card or statement, not the number in the text.
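The cues described above can be expressed as a simple triage filter. This is an added illustration, not part of the original article or any regulator's tooling; the regular expressions, labels, and sample messages are assumptions constructed for the example.

```python
import re

# Cues come from the red flags listed above; the regexes and labels are
# assumptions made for this example, not a regulator-published ruleset.
CUES = {
    "asks_for_credentials": re.compile(
        r"\b(verify|confirm|enter|provide|update|reply with)\b[^.?!]*"
        r"\b(password|pin|login|ssn|social security|code|"
        r"account (details|information|number))\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|urgent|act now|suspended|locked|"
        r"within \d+ (hours?|minutes?))\b", re.I),
    "contains_link": re.compile(r"(https?://|www\.)\S+", re.I),
    "generic_greeting": re.compile(r"^\s*dear (customer|member|user)\b", re.I),
}

def red_flags(sender, body):
    """Return the names of every cue found in one message."""
    flags = [name for name, rx in CUES.items() if rx.search(body)]
    # A full-length phone number (10+ digits) instead of a short code.
    if len(re.sub(r"\D", "", sender)) >= 10:
        flags.append("long_number_sender")
    return flags

def triage(sender, body):
    flags = red_flags(sender, body)
    if "asks_for_credentials" in flags:
        verdict = "treat as scam"         # banks do not ask for this by text
    elif flags:
        verdict = "verify independently"  # use the number printed on the card
    else:
        # Sender IDs can be spoofed, so a clean result is not proof.
        verdict = "no cues found"
    return verdict, flags

# Constructed sample messages (not real reports).
SAMPLES = [
    ("+1 555 010 0199", "Dear customer, unusual activity on your account. "
     "Verify your password within 1 hour: http://bank.example.test/secure"),
    ("24273", "Your monthly statement is ready. Open the mobile app to view it."),
    ("24273", "A login attempt was blocked. Call this number immediately "
     "to restore access."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```

A "no cues found" result only means none of these patterns matched; it does not authenticate the sender.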
The FTC’s practical checklist for handling suspicious texts adds a reporting step. Rather than tapping a link or replying, consumers should forward the message to 7726, the universal spam-reporting short code used by wireless carriers. They can also file a report at reportfraud.ftc.gov. These reports feed the datasets that regulators use to identify new scam patterns and issue public warnings, including the FTC’s data spotlight on the top text scams of 2024 published in April 2025.
For anyone who has already tapped a link or entered information, the FTC directs them to identitytheft.gov for a personalized recovery plan. Speed matters here: changing passwords, contacting the real bank, and placing fraud alerts on credit reports within hours can limit the damage from a compromised credential. If an attacker has already initiated transfers, documenting the timeline and preserving screenshots of the text messages can help banks and law enforcement investigate.
Gaps in the data that leave consumers guessing
The regulatory guidance is direct, but several gaps in the public record make it harder to measure the full scope of the problem. Neither the FTC nor the FBI has published click-through or conversion rates for bank-impersonation texts, so there is no official benchmark showing how often people who receive these messages actually tap the link or enter credentials. The $12.5 billion in total reported fraud losses in 2024 covers all fraud types, not just smishing, and no public breakdown shows precisely what share stems from text-based bank impersonation.
Underreporting further clouds the picture. Many victims never file complaints, either because they are embarrassed, believe the loss is too small, or assume their bank’s reimbursement resolves the matter. Others may not realize that a fraudulent charge traces back to a text they tapped days or weeks earlier. As a result, the figures regulators publish are best understood as a floor, not a ceiling.
There are also gaps around demographic and geographic patterns. While regulators have highlighted that younger adults report losing money to fraud at higher rates than older adults in some categories, the publicly available summaries do not isolate bank-impersonation texts by age group or region. Without that detail, it is difficult to target education campaigns to the communities most at risk or to understand whether certain areas are being hit harder by particular smishing crews.
Technical details are similarly sparse. Public advisories explain that spoofed links and cloned websites are common, but they rarely quantify how often multi-factor authentication stops an attack or how frequently criminals bypass those defenses by prompting victims to share one-time codes. That missing information matters for consumers trying to decide which security steps deliver the most protection for the effort involved.
What consumers can do right now
Even with those blind spots, the core protective steps are clear. First, treat any unexpected text about your bank account as suspicious by default, especially if it contains a link or a request for information. Do not reply, tap links, or call numbers listed in the message. Instead, open your bank’s official app, type the institution’s web address directly into a browser, or call the number printed on the back of your card.
Second, enable multi-factor authentication on every financial account that offers it, using app-based codes or hardware keys where possible. While not foolproof, these additional layers make it harder for an attacker with only a password to gain control. Setting up account alerts inside the bank’s own app or website, rather than relying on messages that arrive from unknown numbers, can also provide early warning of unauthorized activity.
Finally, build the habit of reporting. Forwarding scam texts to 7726 and submitting complaints to the FTC takes only a minute, but those small actions help regulators track evolving tactics and warn others before they are hit. Until more detailed data is available, those individual reports remain one of the strongest tools for understanding and combating bank-impersonation smishing at scale.
*This article was researched with the help of AI, with human editors creating the final content.