Why do we fall for text scams 40% more often than email phishing?
Think back to when text messaging first became a part of daily life. It was a simple, text-only medium. You exchanged quick messages with family, coordinated plans with friends, or sent a fast update to a coworker. Because there were no formatting options, no attachments, and no embedded web links, texting was inherently safe. The worst-case scenario was sending a message to the wrong phone number.
Fast forward to today, and that safe haven is completely gone. Texting has transformed into one of the highest-risk communication channels we use—even outpacing email when it comes to the success rate of modern scams.
Phones make it harder to “Hover” over a link, but it is still possible (see the Quick Guide below), but what are we looking for when we do “Hover”?
Note, that when we refer to “hovering” on a phone in this article, we are referring to the phone equivalent to show the *real* link instead of the displayed link. It’s not actually “hovering”, but since that’s the process and name we are used to on computers, we are using the same term here.
When “hovering” on a phone, look at the domain name—specifically the words right before the .com, .org, or .net.
LEGITIMATE:
What the link shows: https://www.amazon.com/order-status
What “Hovering” shows the *real* link to be: https://www.amazon.com/order-status
NOTE: The word right before .com is “Amazon”
SCAM:
What the link in the text shows: https://amazon.security-login-update.com
What “Hovering” shows the *real* link to be: https://amazon.security-login-update.com
NOTE: The word right before .com is actually “security-login-update”. This is a fake site designed to look like Amazon.
More information about the difference between the displayed link and the *real* link is available in this previous article.
Why the Danger Shifted to Your Phone
If we look strictly at the sheer volume of attacks, email is still the favorite tool of hackers worldwide. Cybercriminals send billions of phishing emails every day. However, security filters on corporate and personal email inboxes have become incredibly smart, blocking the vast majority of scams before you ever see them.
Because email defense got tougher, scammers changed tactics. They shifted to text messaging (a tactic called “smishing”) because they know our psychological guard is down when we look at our phones.
But the danger isn’t just that scammers are texting us; it’s that a phone makes it significantly harder to defend yourself.
The Mobile Blindspot: Why Texts are Harder to Verify
When you are sitting at a computer looking at an email, you have a wealth of security tools at your disposal. If an email looks suspicious, you can easily hover your mouse pointer over the link to see the actual website address hidden underneath. You can inspect the full email header to see if the sender is legitimate.
On a smartphone, those safety nets vanish:
- Less Intuitive “Hover” Feature: On a mobile screen, you can’t hover to verify a link before clicking it. Mobile layouts naturally compress and truncate text, making a malicious URL like login-microsoft-security-verify.com look completely legitimate to a passing glance.
- The Trap of the Phone Number: Modern text scams don’t just use links; they frequently instruct you to call a number immediately (e.g., “Fraud alert: Call our security desk at 1-800-XXX-XXXX immediately to stop this charge”). On a phone, it takes one accidental tap to dial a number that connects you directly to a professional scammer masquerading as your bank, Amazon, or a vendor.
- The “On-the-Go” Distraction: We look at our phones while walking, cooking, or waiting in line. When you are distracted, a sudden text claiming your package is delayed or your account is locked triggers a knee-jerk reaction to tap first and ask questions later.
Because of these mobile limitations, cybersecurity data shows that people click on malicious links in text messages about 40% more often than they do in standard emails.
How to Navigate the New Reality
Since texting is no longer inherently safe, we have to change how we interact with our phones. Whether you are using a corporate device for business or your personal phone at home, adopt these three rules:
✅ 1. Never Click the Link to “Fix” a Problem
If a text warns you about a problem with UPS, your bank, or a streaming service, do not tap the link. Open your mobile browser, go to the official website yourself, log in securely, and check for alerts there.
✅ 2. Don’t Call the Number in the Text
If a message instructs you to call a number to stop a fraudulent transaction, ignore it. Flip your credit card over or look up the organization’s official customer service line and dial that instead.
✅ 3. Verify Work Requests via a Second Channel
If a coworker or boss texts you out of the blue asking for an urgent favor—like buying gift cards, changing an invoice, or texting back a login code—stop. Call them directly or message them on your internal chat app to verify it is actually them.
🛡️ Quick Guide: How to “Hover” Over a Link on Your Phone
Since you don’t have a mouse pointer on your smartphone, you can’t hover to check a web link before clicking it. Instead, you have to use the mobile equivalent: the long-press.
Here is how to safely inspect a link on your device before you tap it:
Apple’s Messages app allows you to safely inspect a link using a feature called Contextual Menus.
- Press and Hold: Tap and hold your finger down on the web link inside the text message for 1 to 2 seconds. Do not just tap it quickly, or it will open the page.
- Look at the Preview Box: A pop-up window will appear showing a small visual preview of the website, with the full web address (URL) listed at the top of the box.
- Inspect the Domain: Look closely at the text. If a text claims to be from “UPS” but the URL at the top of the preview box says ups.shipping-update-412.com or a random string of characters, it is a scam.
- Close Safely: Tap anywhere outside the pop-up box to close the preview without opening the link.
Important iPhone Tip: If users want to be extra safe and completely disable visual previews (which can sometimes inadvertently trigger tracking pixels), they can go to Settings > Messages and turn off Show Previews. This will force the phone to display just the raw text of the link.
Because Android is used by many manufacturers (Samsung, Google Pixel, Motorola, etc.), the exact behavior depends on whether your phone uses the default Google Messages app or a brand-specific app like Samsung Messages. Follow these steps for Google Messages & Most Android Apps:
- Press and Hold: Press and hold your finger on the link for 1 to 2 seconds.
- Look for the Action Menu: Instead of a visual web preview, Android will typically pop up a small text menu with options like Copy, Share link, or Open.
- Check the Top of the Menu: The menu will list the full, exact destination URL right at the top.
- Inspect the Domain: Carefully read the domain name before deciding to copy or open it.
Close Safely: Tap a blank area of the screen to dismiss the menu.
Some older text applications or specific manufacturer skins will automatically open the link if you press and hold it. To prevent this, users should use the Copy/Paste method:
- Press and hold the entire text message (not just the link) to bring up the message options.
- Select Copy Text.
- Open a safe, neutral app like Notes or the search bar of a browser, and paste it. This allows them to safely look at the exact spelling of the web address without any risk of opening it.
Important Tip: If you are still using one of these older phones, you may consider getting a new one. The steps required to view the web address is more cumbersome than on newer phones, which may lead you to “just click the link” and expose yourself to the dangers lurking inside it.
Final Thought
Your phone’s text inbox is no longer just for trusted conversations. Treat every unexpected text containing a link or a phone number with the same high level of caution you reserve for a sketchy email. Stay safe, pause before you tap, and protect your digital space!
If you have questions about this, please let us know and we will be happy to assist you.
Take care,
