What to do after a bank text message scam
A bank text message scam can expose login credentials, card numbers, and one-time passcodes in minutes.
Knowing how to protect your account after a bank text message scam helps you respond quickly, limit financial damage, and prevent repeat attacks.
These scams often use SMS phishing, also called smishing, to impersonate a financial institution, a payment app, or a fraud department.
The sooner you act, the more likely you are to block transfers, reset access, and preserve evidence for your bank and law enforcement.
Understand what the scam may have exposed
Before you start changing settings, identify what information you may have shared.
The response depends on whether you clicked a link, entered a password, approved a login, or gave away personal data such as your Social Security number or debit card PIN.
- Clicked a link only: Your device may still be at risk if the site installed tracking or prompted a download.
- Entered online banking credentials: Treat your username and password as compromised immediately.
- Shared a one-time code: An attacker may have used it to bypass multifactor authentication.
- Provided card or identity details: Watch for card fraud, new account fraud, and identity theft.
Contact your bank immediately
Call the number on the back of your debit or credit card, or use the official banking app or website you already trust.
Do not reply to the scam text or use any phone number included in the message, since it may route to the fraudster.
Ask the bank to do the following:
- Freeze or lock online banking access if needed.
- Review recent transactions for unauthorized activity.
- Block or replace compromised debit and credit cards.
- Reset telephone banking and mobile banking credentials.
- Place a note on the account for fraud monitoring.
If money has already moved, ask whether the bank can initiate a recall, dispute, or fraud claim.
Time matters because wire transfers, peer-to-peer payments, and ACH debits each have different recovery windows.
Change passwords and revoke access
If the scam involved your banking login, change that password right away from a secure device.
Use a unique, long password that you have never used for email, shopping, or other financial accounts.
Focus on the accounts that can unlock banking access:
- Email accounts, especially the one tied to financial alerts
- Banking and credit card logins
- Payment apps such as Venmo, PayPal, or Cash App
- Password manager accounts if they were accessible on the same device
Review your account security settings and sign out of all other sessions.
Many banks and email providers let you log out of every active device, which can stop an attacker who is already inside.
Enable stronger multifactor authentication
Multifactor authentication, or MFA, adds a second layer of protection, but not every method is equally secure.
If possible, switch from SMS codes to an authenticator app, hardware security key, or push-based approval with number matching.
SMS is still better than no second factor, but it can be intercepted through SIM swap fraud, port-out fraud, or social engineering.
If your bank supports it, choose:
- Authenticator apps such as Microsoft Authenticator, Google Authenticator, or Authy
- Passkeys, which use device-based cryptography instead of passwords
- Hardware security keys based on FIDO2 or WebAuthn
Also protect your mobile carrier account with a port freeze or number lock.
That makes it harder for criminals to hijack your phone number and intercept banking codes.
Check all bank and credit activity
Review every account linked to your finances, not just the one mentioned in the text.
Fraudsters often test small charges first, then escalate to larger transfers or online purchases.
Look for these warning signs:
- Unknown card transactions, even small ones
- New payees or beneficiaries in bill pay
- ATM withdrawals you did not make
- Unfamiliar device logins or IP addresses
- Password reset emails you did not request
If you see suspicious activity, report it through the bank’s fraud department and ask for a case number.
Save screenshots, timestamps, transaction IDs, and the scam text itself.
Protect against identity theft
If the text scam asked for personal information, move beyond account security and address identity theft risk.
Criminals may use stolen data to open credit cards, file fraudulent tax returns, or take over existing accounts.
Consider taking these actions promptly:
- Place a fraud alert with one of the major credit bureaus: Equifax, Experian, or TransUnion.
- Freeze your credit if you want to prevent new accounts from being opened.
- Monitor your credit reports for unfamiliar inquiries or accounts.
- Watch for mail about loans, cards, or address changes you did not request.
In the United States, you can review your credit reports at AnnualCreditReport.com.
If the scam included a Social Security number, government ID, or full birth date, stronger monitoring is especially important.
Secure your phone and email
Your phone and email are often the recovery paths for banking accounts, so they deserve immediate attention.
Delete the scam text, but keep a screenshot first if you may need evidence.
Then do the following:
- Remove suspicious apps and browser extensions.
- Update your operating system and security patches.
- Run a reputable mobile security scan if available on your device.
- Check email forwarding rules, recovery addresses, and phone numbers.
- Turn on alerts for new logins, password changes, and recovery attempts.
If you clicked a link and entered information on a website, clear your browser sessions and cookies, then change passwords from a clean device.
This reduces the chance that an attacker can reuse an active session.
Report the scam to the right places
Reporting helps protect both your account and other potential victims.
Banks use fraud reports to strengthen defenses, while government agencies collect patterns that identify large-scale smishing campaigns.
In the United States, common reporting options include:
- The bank or card issuer’s fraud department
- The Federal Trade Commission at ReportFraud.ftc.gov
- The FBI’s Internet Crime Complaint Center, or IC3
- Your mobile carrier, especially for spoofed numbers or SIM-swap concerns
Also forward the scam text to your carrier using the recommended short code, if available.
This can help providers block malicious numbers and message patterns.
Watch for follow-up scams
After one bank text message scam, you may receive calls or emails claiming to be from fraud recovery, tech support, or account verification teams.
These follow-up attacks often use information from the original scam to sound legitimate.
Be cautious if anyone asks you to:
- Move money to a “safe account”
- Read back a verification code
- Install remote access software
- Share a password reset link or recovery code
- Confirm card details over the phone
Legitimate banks rarely ask customers to transfer money to protect it.
When in doubt, hang up and call the institution using a trusted number from your card, statement, or official website.
Build stronger habits for the future
The best defense against smishing is a layered security routine.
Even after you recover, keep your accounts hardened so a new text message is less likely to succeed.
- Use unique passwords for every financial account.
- Turn on account alerts for logins, transfers, and card-not-present activity.
- Prefer app-based or hardware-based MFA over SMS when possible.
- Keep your phone number protected with a carrier port freeze.
- Verify bank messages by opening the official app instead of tapping links.
If a text says your account is locked, a card is declined, or a transfer is pending, verify the claim through the institution’s app or website you navigate to yourself.
That simple habit blocks many phishing attempts before they begin.
When should you take extra action?
Take stronger steps immediately if the scam involved any of the following: shared passwords, one-time codes, debit card numbers, Social Security numbers, or a successful login to your bank or email.
Those situations create a higher risk of account takeover and identity theft.
If you are unsure what was exposed, assume the attacker gained more access than you intended.
Acting early on passwords, MFA, credit monitoring, and bank alerts can limit damage even when the full scope is unclear.