How to spot a fake bank text in 30 seconds (and what to do next)

A fake bank text is built to make you move before you think. It often hits when you’re busy, tired, or in a checkout line. One moment you’re reading “Fraud alert,” the next you’re one tap away from handing over your login.

Here’s the good news: most scam texts fall apart in under 30 seconds if you follow a simple routine. The goal isn’t to “investigate” the message. The goal is to verify your account without using anything inside the text.

The 30-second test: verify without clicking, calling, or replying

Treat every unexpected bank text like a fire alarm. It might be real, but you don’t run toward the smoke. You check safely.

Step 1 (10 seconds): scan for the “trap”

If the text includes any of these, assume it’s hostile until proven otherwise:

• A link (even if it “looks” like your bank)
• A phone number to call
• A request to reply (even “Y” or “STOP”)
• A one-time code (OTP) and a request to read it back
• Pressure language like “locked,” “final notice,” or “within 10 minutes”

Scammers want you inside their channel because they control it.

Step 2 (10 seconds): open a trusted path you control

Do one of these instead:

• Open your bank’s app from your home screen (not from the text).
• Type your bank’s website address manually (or use a saved bookmark you created earlier).
• Call the number on the back of your card, or on a statement you already have.

If the alert is real, it will usually appear inside your account messages or notifications after you log in the normal way.

Step 3 (10 seconds): ask one simple question

Ask: “Is there a matching problem in my account right now?”

If your app shows no alert and your recent transactions look normal, the text is almost always a scam. If you’re unsure, call the number on your card and ask, “Did you send this message?”

For more official warning signs, compare your message to the red flags listed in the BBB guide to phony text messages.

Red flags scammers can’t hide (even when the sender looks real)

Modern scammers don’t always send sloppy messages. Some are clean, short, and scary. A few even arrive in the same text thread as real bank alerts because criminals can spoof sender IDs.

Here are the tells that still show up:

A problem that requires you to act through the text. Real banks may notify you by text, but they don’t need you to log in through a surprise link to “fix” a crisis.

A request for a one-time code. A text that says “Your verification code is 123456” can be real, but the follow-up call or text asking you to read it out is the scam. That code is often the key to your account.

A push to move money fast. If the message tries to steer you to Zelle, wire, gift cards, crypto, or “safe accounts,” stop. That’s a classic take-your-money-now pattern.

Odd instructions that make no sense for a bank. Examples: “Reply YES to confirm,” “Remove hold now,” “Install this security app,” or “Text back your full name and DOB.”

It turns into a conversation. Many bank impersonation scams start with one text, then shift into back-and-forth chat or a call. Recent reporting shows these scams keep growing, and impersonation texts are a major driver. The FTC has highlighted bank impersonation as a leading text scam category in its own analysis, and you can see context in its post on bank impersonation text scams.

If you want a plain-English overview of how “smishing” works, the National Cybersecurity Alliance explanation of smishing is a solid reference.

What to do next, based on what happened (pick your situation)

Speed matters, but calm beats panic. Start with the scenario that matches you.

If you only received the message (no clicks, no replies)

1. Do not tap links, call numbers, or reply.
2. Open your bank app and check recent activity.
3. Forward the message to 7726 (SPAM) to report it to your mobile carrier.
4. Block the sender, then delete the message.
5. If the text used your bank’s name, call the number on your card and tell them you received a bank impersonation text.

If you clicked the link (but didn’t enter anything)

1. Close the page immediately.
2. Turn on airplane mode for 10 seconds, then turn it off (this breaks some live tracking).
3. Open your bank app (separately) and check activity and alerts.
4. Run a security scan on your phone if you have built-in tools (iPhone and Android both include basic protections).
5. Keep an eye out for follow-up calls. Scammers often call right after a click.

If you entered your username and password

1. Change your bank password now using the bank app or a manually typed website.
2. Change the password anywhere else you reused it (email first, then financial sites).
3. Sign out of other sessions if your bank offers a “log out of all devices” option.
4. Call the number on your card and ask for a fraud review. Request notes be added to your profile.

If you shared a one-time code (OTP) or approved a push prompt

1. Call your bank’s fraud line from a trusted number (card or statement).
2. Tell them you shared a one-time code and ask them to lock account access and review recent sign-ins.
3. Reset your multi-factor method (new codes, new device approvals, new trusted phone).
4. Review transfers and payees. Ask the bank to remove any new recipients.

If you installed an app or “security tool”

1. Put your phone in airplane mode.
2. Delete the app you installed.
3. On Android, check Device Admin apps and Accessibility permissions, then remove anything you don’t recognize.
4. On iPhone, check for unknown profiles or VPNs in settings, and remove them.
5. From a different device if possible, change your bank password and email password.
6. Call the bank and tell them you installed an app after a bank text.

If you’re looking for the FTC’s latest consumer guidance on text scams and what to report, use the FTC article on unexpected text scams and follow its reporting prompts.

Report it, then lock things down (a quick checklist and a template)

Reporting helps carriers and agencies block large campaigns, and it creates a trail if money moves later.

Where to report a fake bank text in the US

• Your mobile carrier: forward the text to 7726 (SPAM).
• FTC: file a report through the FTC’s fraud reporting flow (you can start from FTC consumer alerts, including the one linked above).
• FBI IC3: submit a complaint with the Internet Crime Complaint Center (search “IC3 complaint” to reach the official site).
• Your bank: call the number on the back of your card or inside the official app.

Examples of published fraud contacts (examples only, verify in the bank’s app or official site before calling):

• City National: 800-557-4264, phishing@cnb.com
• Citizens: 800-922-9999
• Wells Fargo: 866-867-5568

Short template you can copy into a report

Subject: Bank impersonation text (possible smishing)
Message: “I received a text claiming to be from my bank. I did not use any link/number in the text. Sender: [number or short code]. Date/time: [ ]. The message said: [paste exact text]. Link shown: [paste]. Actions taken: [none, clicked link, entered login, shared code, installed app]. Please investigate and advise next steps.”

Account security checklist (use what applies)

• Change passwords (bank, then email, then any reused logins).
• Reset multi-factor authentication and remove unknown devices.
• Turn on transaction alerts for withdrawals, transfers, and new payees.
• Review the last 30 days of transactions and dispute anything you didn’t do.
• Consider a credit freeze if personal info was entered, and add a fraud alert if you suspect identity theft.
• Watch for follow-up calls using fake “bank staff” voices. If you get one, hang up and call your bank from your card.

Conclusion

A fake bank text wins when it controls the channel and your emotions. The fix is simple: don’t use anything inside the message. Open your bank app, type the website yourself, or call the number on your card.

If you already interacted, act fast and be blunt with your bank about what happened. The sooner you report and lock things down, the better your odds of stopping damage before it spreads.