Can Someone Hack Your iPhone Through a Text Message?

Short answer: yes, in rare cases, someone can hack your iPhone through a text message without you tapping anything. These attacks are called zero-click exploits, and they have been documented against journalists, activists, executives, and government officials. For the average iPhone user, the more realistic threat is smishing, a text-based phishing scam that tricks you into clicking a malicious link or handing over credentials.

This guide is written for journalists protecting sources, executives handling sensitive deals, lawyers safeguarding privileged communications, and anyone who has heard the name Pegasus and wondered if their iPhone is actually at risk. The goal is to separate real text-based attack vectors from the hype, walk through what to check on your iPhone, and explain when software updates stop being enough.

For broader context on device-level threats, the Spy-Fy privacy case collection is built around a simple principle: some risks can only be solved with hardware, not software patches.

Can someone hack my iPhone through text messages? The direct answer

There are three distinct text-based attack categories, and conflating them is why this question gets such confusing answers online.

• Smishing (SMS phishing): A scam text with a malicious link. You have to tap the link and usually enter information for the attack to work. This is by far the most common threat to ordinary users.
• Zero-click exploits: Sophisticated malware delivered through iMessage or MMS that compromises your phone with no interaction required. Pegasus by NSO Group and Operation Triangulation are the documented examples. These are rare, expensive, and almost exclusively used against high-value targets.
• Attachment-based exploits: Malicious images, PDFs, or other files that trigger vulnerabilities when iOS processes them. The FORCEDENTRY exploit used a malicious PDF disguised as a GIF.

If you are a regular consumer, your real risk is category one. If you are a journalist covering authoritarian regimes, a dissident, a senior executive at a Fortune 500 company, or a government employee with clearance, categories two and three are credible threats.

Smishing iPhone scams: the everyday text threat

Smishing is the volume threat. The FBI's Internet Crime Complaint Center receives hundreds of thousands of phishing-related complaints annually, with text-based scams accounting for a growing share. Can iPhone be hacked through text alone, without tapping anything in a smishing message? No. The text itself is harmless until you act on it. Common patterns include:

• Fake delivery notifications ("USPS: package undeliverable, confirm address at [link]")
• Fake bank fraud alerts ("Wells Fargo: suspicious charge, verify at [link]")
• Fake Apple ID warnings ("Your Apple ID has been locked, sign in at [link]")
• IRS or tax refund scams
• Toll road payment scams

The danger starts when you tap the link. The fake page either harvests your credentials (Apple ID, banking login) or prompts you to install a configuration profile that gives an attacker partial control of your device. Always check Settings, General, VPN & Device Management. If there is a profile there you did not install yourself, delete it.

If you have already tapped a suspicious link, the walkthrough on 7 indicators someone is hacking your iPhone covers the specific signals to look for next.

iMessage hack methods: Pegasus and Operation Triangulation

Zero-click attacks are the reason this question exists at all. They are real, they have hit iPhones, and they require no user interaction.

Pegasus and FORCEDENTRY

Pegasus is commercial spyware developed by Israeli firm NSO Group. In 2021, Citizen Lab researchers identified an exploit called FORCEDENTRY that used a malicious file sent through iMessage to compromise iPhones running iOS 14.6 and earlier. No tap, no preview, no warning. Apple patched it in iOS 14.8 and later filed suit against NSO Group. Confirmed Pegasus targets have included journalists at major outlets, human rights lawyers, and political dissidents in over a dozen countries.

Operation Triangulation

Disclosed in 2023 by Kaspersky researchers, Operation Triangulation used a chain of four zero-day vulnerabilities to compromise iPhones through invisible iMessage attachments. The malware harvested microphone recordings, photos, geolocation, and keychain data. Apple patched the vulnerabilities across iOS 15.7.8, 16.5.1, and 16.6.

What a zero click attack on iPhone means for you

If you are not a high-value intelligence target, the probability of being hit by a Pegasus-grade exploit is extremely low. These tools cost six to seven figures per deployment and are deliberately rationed by the operators who buy them. That said, the existence of these attacks proves an uncomfortable truth: software-only privacy is not absolute. Apple's own response to this category of threat is Lockdown Mode, an opt-in setting that aggressively restricts iMessage attachments, web technologies, and connections from unknown contacts. For at-risk users, enable it under Settings, Privacy & Security, Lockdown Mode.

Warning signs your iPhone has been compromised

Hack indicators on iPhone are subtle. Look for several signs together rather than any single symptom.

• Unusual battery drain: Spyware running in the background consumes power. Check Settings, Battery for apps using disproportionate energy.
• Device runs hot when idle: Background processes should not heat up an idle phone.
• Spikes in cellular data usage: Surveillance software exfiltrates data. Check Settings, Cellular for unexpected consumption.
• Unknown configuration profiles: Settings, General, VPN & Device Management. Anything you did not install yourself is suspicious.
• iMessages you did not send, or messages disappearing from your sent folder.
• Camera or microphone indicator dots lighting up unexpectedly: iOS shows a green dot for camera and orange for microphone in the status bar.
• Apps you do not remember installing.

For a deeper diagnostic walkthrough, the guide on how to know if someone is hacking your iPhone camera covers the camera-specific signals in detail.

What to do if you suspect a text-based hack

If you have tapped a smishing link or believe you have been targeted, take these steps in order:

1. Disconnect from Wi-Fi and cellular data to prevent further exfiltration. Enable Airplane Mode.
2. Change your Apple ID password from a different trusted device. Enable two-factor authentication if you have not already.
3. Check for unknown profiles under Settings, General, VPN & Device Management and delete anything unfamiliar.
4. Update to the latest iOS version. Apple security patches close exploited vulnerabilities, often within days of disclosure.
5. Review installed apps and remove anything you do not recognize.
6. For high-risk users, enable Lockdown Mode and consider a factory reset followed by setting up the device as new rather than restoring from backup.
7. Report the smishing text by forwarding to 7726 (SPAM) in the US, then delete it.

Why software hygiene is not the whole answer

iOS updates patch known exploits. They cannot patch unknown ones. Every zero-click attack documented to date was a zero-day at the moment of use, meaning Apple did not know about it until researchers or victims surfaced the evidence. Between exploit deployment and patch release, vulnerable iPhones stay vulnerable.

This is the gap that hardware-level privacy fills. A malicious app that gains microphone access cannot record audio that does not reach the microphone. A compromised iPhone with a physical camera cover cannot capture images of your surroundings, your documents, or the people you meet with. Software permissions can be tricked. A physical shutter cannot.

This is why the iPhone 17 privacy cases include sliding covers over both front and rear cameras. Face ID still works when the front cover is open, and the rear flashlight remains usable when the rear cover is closed.

Stalkerware: the threat people overlook

One category gets lost in the Pegasus conversation: spyware installed by someone you know. Ex-partners, controlling family members, and business rivals do not need zero-day exploits. They need five minutes alone with your unlocked phone. Commercial stalkerware apps can be installed quickly and then hidden, sending your location, messages, and calls to whoever set them up.

Signs of stalkerware overlap with the indicators above, but with one addition: ask yourself whether anyone else has had physical access to your iPhone and knows your passcode. If yes, the threat model shifts. A factory reset is the most reliable removal step, combined with changing your passcode and Apple ID password. For owners of older devices, the iPhone 16 privacy case adds the same physical camera protection while you tighten up your software hygiene.

The takeaway

Can someone hack your iPhone through a text message? In rare, targeted cases involving state-grade spyware, yes, with no clicks required. In everyday life, the threat is smishing, and the defense is not tapping suspicious links. Keep iOS updated, audit your installed profiles, enable Lockdown Mode if you are a high-risk user, and treat every unexpected text from an unknown sender as guilty until proven otherwise.

For the threats that no software patch can fully solve, hardware is the answer. Explore the full Spy-Fy privacy case collection to add a physical layer of camera privacy that works whether your iPhone is patched, compromised, or somewhere in between.