
Texts From Your Own Number and Other Smishing Scams Worth Knowing About

Your phone buzzes mid-morning. It's a text from what looks like your own number, with a link and no explanation. Odd enough that you almost tap it just to find out what it is. That moment of confusion is exactly what the scammer is banking on.

Text message scams - known as smishing, which is phishing carried out by SMS - have grown sharply over the past few years. The timing is not accidental. As more businesses started using texts for appointment reminders, delivery updates, and payment notices, people got used to acting on them quickly. Scammers noticed. They moved in behind legitimate business texts, imitating the same format and the same sense of urgency.

SMS scams are effective because the usual checks do not apply. You cannot hover over a link on a phone screen the way you can on a desktop. You cannot inspect a sender's email address. Shortened URLs hide the real destination. And most people have no idea what a legitimate text from NZ Post, their pharmacy, or their bank actually looks like. That uncertainty is the gap scammers exploit. Understanding the ways hackers get into business accounts can help your team recognise these tactics before they cause damage.

The text-from-yourself scam works because scammers can spoof the sender ID using internet-based calling tools, making it appear the message came from your own number. If you see this, delete it without tapping anything. Some carriers allow you to report it at the same time, which is worth doing.

Other common formats include fake delivery holds - a text claiming a parcel cannot be delivered until you confirm details or pay a small fee - and vague "thank you for your payment, here is your gift" messages that rely on the fact that most people have paid some kind of bill recently and might assume the text is from someone they know. There are also scams that impersonate a local service provider following a neighbourhood installation or promotion, asking residents to reply with personal information to book an appointment. Most breaches like these are entirely preventable with the right precautions in place.
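For whoever triages the suspicious texts staff forward, the indicators described above (a sender that matches the recipient's own number, a shortened link, and the three lure formats) can be checked automatically. The following is an added example, not ITstuffed tooling; the shortener list, lure wording, phone numbers and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed starter list of link-shortener hosts; extend it from your own filter logs.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# One pattern per lure format described in the article (exact wording is an assumption).
LURES = {
    "delivery-hold-lure": re.compile(r"\b(parcel|package|delivery)\b.*\b(fee|pay|confirm)\b", re.S),
    "payment-gift-lure": re.compile(r"thank you for your payment.*\b(gift|reward)\b", re.S),
    "personal-info-request": re.compile(r"\breply\b.*\b(name|address|date of birth|details)\b", re.S),
}
URL_RE = re.compile(r"https?://\S+", re.I)


def normalise(number):
    """Reduce a number to digits, mapping NZ national format (0...) to 64..."""
    digits = re.sub(r"\D", "", number)
    return "64" + digits[1:] if digits.startswith("0") else digits


def triage(sender, recipient, body):
    """Return the smishing indicators found in one reported text message."""
    flags = []
    own = normalise(recipient)
    if own and normalise(sender) == own:
        flags.append("sender-is-own-number")  # sender ID spoofed to match the recipient
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in SHORTENERS:
            flags.append("shortened-link")  # real destination is hidden
            break
    text = body.lower()
    flags += [name for name, rx in LURES.items() if rx.search(text)]
    return flags


# Constructed sample reports: (sender, recipient, body).
SAMPLES = [
    ("+64 21 555 0100", "021 555 0100", "https://bit.ly/EXAMPLE"),
    ("NZPost", "021 555 0100", "Your parcel is on hold. Pay a $2.50 redelivery fee at https://nzpost-redeliver.example/pay"),
    ("3456", "021 555 0100", "Reminder: your appointment is at 2pm tomorrow. Reply YES to confirm."),
]

if __name__ == "__main__":
    for sender, recipient, body in SAMPLES:
        print(sender, triage(sender, recipient, body) or "no indicators")
```

Links written without `http://` or `https://` are not picked up by this sketch, and an empty result only means none of these specific indicators matched.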

For a practice handling sensitive client or patient information, good protection means having a layer that does not rely solely on staff spotting the scam in time. Mobile device management, DNS filtering on business phones, and clear staff guidance on what to do when something looks wrong all reduce the risk. The goal is to make it harder for a single lapse in judgement to turn into a breach. For healthcare and legal practices in particular, where a compromised device can expose confidential records, this is not a minor consideration. CERT NZ at cert.govt.nz is the right place to report suspicious messages or incidents if something does get through.

The practical step is to make sure the mobile devices your team uses for work - whether business-owned or personal - have appropriate security settings in place and that your staff know smishing exists. Most people still do not. A short conversation at the next team meeting, paired with a review of your current device security settings, goes a long way. Security awareness training is the cyber defence most NZ businesses overlook, and it is often the most cost-effective place to start. If you are not sure what is currently in place, that is worth finding out. You can read more about how ITstuffed approaches cybersecurity for Canterbury businesses if you want a sense of what a sensible baseline looks like.

ITstuffed works with professional services businesses across Canterbury to make sure the basics are covered. If you want a quick read on where your setup currently stands, book a 15-minute IT Fit Check at /booking.