Last Updated: April 2026 | Reading time: ~10 minutes
You already know not to click suspicious links in email. Smishing, phishing delivered by text message, now accounts for 35% of all phishing attempts and grew 40% year-over-year in 2025. (SentinelOne 2026; Keepnet 2025)
Email spam filters have gotten sharper, but your text inbox is wide open. Text messages carry a 98% delivery rate, and smishing click-through rates reach as high as 36%, nearly three times the average for email phishing. (Keepnet Labs 2026)
This guide explains exactly how smishing works in 2026, what the newest attack types look like, how to spot one before you click, and what your business should do about it.
Table of Contents
- What Is Smishing?
- Why Smishing Works So Well
- Smishing by the Numbers (2025-2026)
- The Most Common Types of Smishing Attacks
- How AI Is Making Smishing More Dangerous
- Real-World Smishing: The Toll Scam Surge
- How to Recognize a Smishing Text
- How to Protect Yourself and Your Employees
- How to Report a Smishing Attempt
- Frequently Asked Questions
What Is Smishing?
Smishing, short for SMS phishing, is a cyberattack delivered by text message. Rather than targeting your email inbox, criminals send fraudulent texts designed to trick you into clicking a malicious link, revealing personal information, downloading malware, or authorizing a fraudulent payment.
The word combines “SMS” (the protocol that powers text messaging) and “phishing” (the practice of baiting victims into handing over sensitive data). At its core, it uses the same manipulation as email phishing, just on a channel where most people’s guard is lower and spam filters are weaker.
Most smishing messages impersonate someone you trust: your bank, the IRS, a package carrier, your employer, or a government agency. Attackers create urgency, then give you one easy action to take, usually a link to click or a number to call.
Why Smishing Works So Well
Smishing exploits a simple psychological truth: most people trust text messages more than email. When a text arrives from what looks like your bank or your delivery carrier, the instinct is to treat it as legitimate and respond quickly.
Three structural advantages make smishing especially effective:
- Minimal spam filtering. Email providers run billions of messages through threat-detection pipelines every day. Carrier-side SMS filtering is far thinner, so most messages land directly and unfiltered.
- Small screens hide red flags. On a mobile screen, URLs get truncated. A link to bankofamerica-secure-login.xin may appear as nothing more than a short string, and the visual cues that tip people off on desktops become invisible on phones. According to Zimperium’s 2024 research, 83% of phishing websites are now designed specifically for mobile screens.
- The channel feels personal. Email inboxes are crowded with marketing and spam. A text from a recognizable sender name, whether your bank, your employer’s payroll provider, or the IRS, arrives in a space normally reserved for people you actually know. That familiarity compresses the time between reading and acting.
Only 36% of Americans can correctly define what smishing is, according to Proofpoint data. Nearly two out of three people don’t know the threat exists by name, let alone know how to identify it.
Smishing by the Numbers (2025-2026)
| Statistic | Source |
|---|---|
| Smishing accounts for 35% of all phishing attacks | SentinelOne, 2026 |
| SMS-originated scams grew 40% from 2024 to 2025 | Barclays / Keepnet, 2025 |
| 19% of breaches now originate from smishing or vishing combined | Verizon DBIR, 2025 |
| Smishing click-through rates reach up to 36% | Keepnet Labs, 2026 |
| Americans lost $470 million to text scams in 2024, a fivefold increase from 2020 | FTC, 2025 |
| FBI IC3 received 59,271 toll-related smishing complaints in 2024 alone | FBI IC3, 2025 |
| 83% of phishing websites are now designed for mobile screens | Zimperium, 2024 |
| Smishing attacks grew to 39% of mobile threats in 2026 | Keepnet, 2026 |
| Average financial loss per smishing victim: ~$800 | Keepnet / industry average |
The trajectory is clear. Smishing is no longer a niche threat. It is a primary attack vector, and it is growing faster than most organizations’ defenses.
The Most Common Types of Smishing Attacks
1. Credential-Stealing Texts
A message arrives claiming your bank account is locked, your PayPal password needs resetting, or your employer’s HR portal requires immediate verification. The link leads to a fake login page that looks nearly identical to the real thing. Once you enter your credentials, attackers capture them instantly, often in real time, with automated tools that relay stolen information to a live operator.
Workplace accounts are frequent targets. A smishing message disguised as an IT security alert or payroll notification can hand an attacker access to company systems before anyone realizes what happened.
2. Delivery and Package Notification Scams
One of the most persistent smishing formats involves a text claiming USPS, FedEx, or UPS has a package requiring your attention. You’re asked to “confirm your address” or “pay a small customs fee,” and the link harvests your payment details and personal information. These scams are especially effective because most people have packages in transit at any given time.
3. Toll and Government Agency Impersonation
Since late 2024, a Chinese cybercriminal network known as the “Smishing Triad” has executed one of the largest organized smishing campaigns ever documented, impersonating E-ZPass, SunPass, FasTrak, and state DMVs across at least eight states. More detail on this is in the section below.
4. MFA Bypass Attacks
Multi-factor authentication was supposed to stop credential theft; attackers adapted. In a real-time relay attack, the criminal enters the stolen username and password on the real site, which sends a one-time code to the victim’s phone. A smishing message or fake login page then asks the victim to “confirm” that code, and the victim types it in without realizing they have just handed over the final factor. Because the code itself carries no information about where it was typed, the relay works against SMS codes and authenticator-app codes alike. According to Proofpoint, at least 55% of suspected smishing messages contain malicious URLs, many designed for exactly this purpose.
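The relay above, and the reason a hardware security key or passkey is not vulnerable to it, can be shown in a small simulation. The following is an added illustration, not code from this guide or from any vendor it mentions: the bank, the attacker’s relay and the victim’s device are plain Python objects, HMAC with a shared key stands in for the public-key signature a real FIDO2 authenticator produces, and both domain names (bank.example, bank-secure-login.xin) are hypothetical. Real WebAuthn goes one step further than this model, in that the browser refuses to use the credential at all when the relying-party ID does not match the page’s origin; the model compresses that into the server’s signature check.

```python
"""Toy model of the real-time MFA relay described above, and of why an
origin-bound second factor (FIDO2 security key or passkey) defeats it.
Added illustration, not code from the article: bank, relay and device are
plain Python objects, HMAC with a shared key stands in for the real
public-key signature, and both domain names are hypothetical."""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"             # hypothetical real site
PHISH_ORIGIN = "https://bank-secure-login.xin"   # hypothetical look-alike


class BankSite:
    """Relying party with two second factors: an SMS code, and an assertion
    from a key registered at enrolment that is bound to the site's origin."""

    def __init__(self, username: str, password: str, device_key: bytes):
        self._user = username
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._device_key = device_key
        self._pending_otp = None
        self._pending_challenge = None

    def check_password(self, username: str, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return username == self._user and hmac.compare_digest(digest, self._pw_hash)

    # Factor A: six-digit code texted to the user. The code says nothing about
    # where it was typed, so whoever obtains it can replay it.
    def send_sms_code(self) -> str:
        self._pending_otp = f"{secrets.randbelow(10**6):06d}"
        return self._pending_otp                 # what the carrier delivers

    def verify_sms_code(self, code: str) -> bool:
        ok = self._pending_otp is not None and hmac.compare_digest(code, self._pending_otp)
        self._pending_otp = None
        return ok

    # Factor B: the device signs (challenge || origin the browser is on) and
    # the server recomputes over the origin it knows is its own.
    def new_challenge(self) -> bytes:
        self._pending_challenge = secrets.token_bytes(16)
        return self._pending_challenge

    def verify_assertion(self, signature: bytes) -> bool:
        if self._pending_challenge is None:
            return False
        expected = hmac.new(self._device_key,
                            self._pending_challenge + BANK_ORIGIN.encode(),
                            hashlib.sha256).digest()
        self._pending_challenge = None
        return hmac.compare_digest(signature, expected)


class VictimDevice:
    """Security key / passkey: signs whatever origin the browser reports,
    which is the phishing site when that is where the victim is."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, challenge: bytes, origin_in_browser: str) -> bytes:
        return hmac.new(self._key, challenge + origin_in_browser.encode(),
                        hashlib.sha256).digest()


def relay_against_sms_code(bank: BankSite, user: str, pw: str) -> bool:
    """Attacker logs in with stolen credentials; the bank texts the victim a
    code; the smishing page asks the victim to 'confirm' it; attacker relays."""
    if not bank.check_password(user, pw):
        return False
    code_on_victims_phone = bank.send_sms_code()
    code_typed_into_phish = code_on_victims_phone        # victim hands it over
    return bank.verify_sms_code(code_typed_into_phish)   # attacker is in


def relay_against_origin_bound_key(bank: BankSite, device: VictimDevice,
                                   user: str, pw: str) -> bool:
    """Same relay against the origin-bound factor: the device signs the
    attacker's origin, so the bank rejects the relayed assertion."""
    if not bank.check_password(user, pw):
        return False
    challenge = bank.new_challenge()                     # attacker forwards it
    signature = device.sign(challenge, PHISH_ORIGIN)     # victim is on the phish
    return bank.verify_assertion(signature)


def legitimate_origin_bound_login(bank: BankSite, device: VictimDevice,
                                  user: str, pw: str) -> bool:
    """Control: the real user on the real origin still gets in."""
    if not bank.check_password(user, pw):
        return False
    return bank.verify_assertion(device.sign(bank.new_challenge(), BANK_ORIGIN))


def demo() -> tuple:
    """Returns (sms_relay_succeeded, key_relay_succeeded, legit_login_succeeded)."""
    key = secrets.token_bytes(32)                        # registered at enrolment
    bank = BankSite("alice", "correct-horse-battery", key)
    device = VictimDevice(key)
    creds = ("alice", "correct-horse-battery")
    return (relay_against_sms_code(bank, *creds),
            relay_against_origin_bound_key(bank, device, *creds),
            legitimate_origin_bound_login(bank, device, *creds))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The first result is the attack the section describes: the relayed SMS code opens the attacker’s session. The second fails because the victim’s device signed the phishing origin, not the bank’s, and the third confirms the same key still works for the genuine user. An app-generated TOTP code would behave exactly like the SMS code here, which is why only origin-bound factors count as phishing-resistant.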
5. “Call-Back” Smishing
Rather than a link, some messages contain only a phone number. The person who answers is a trained social engineer who references real details about your bank, a recent transaction, or your employer to build trust before requesting sensitive information. Because no link is involved, many people don’t recognize this format as a smishing attack at all.
6. Fake Job Offer and HR Texts
Texts impersonating HR departments, payroll providers, or recruiters are increasingly common, particularly targeting employees who’ve recently changed jobs or are listed on professional networking sites. Attackers use these messages to request direct deposit information, Social Security numbers, or benefit enrollment data.
How AI Is Making Smishing More Dangerous
For years, smishing was relatively easy to spot: awkward phrasing, generic lures, obvious typos. Generative AI has erased most of those tells.
Attackers now use AI tools to accomplish four things they couldn’t do effectively before:
- Personalize at scale. Public data, including LinkedIn profiles, company websites, and data breach databases, is fed into AI systems that generate customized messages referencing your employer, your role, your name, and even recent company news. A text reading “Hi [Name], this is [Company] payroll. We need you to verify your direct deposit account before Friday’s run” is far harder to dismiss than a generic lure.
- Remove linguistic red flags. AI-generated smishing messages are grammatically clean, contextually accurate, and tonally appropriate. The old advice of “look for bad grammar” no longer applies reliably.
- Automate RCS and iMessage delivery. RCS (Rich Communication Services) is replacing SMS as the standard protocol for Android messaging, and Chinese smishing operations have already integrated RCS into their delivery infrastructure. RCS messages can include sender branding, images, and interactive buttons, making fake bank or employer notifications significantly more convincing.
- Combine smishing with vishing. AI voice cloning tools can replicate a person’s voice from just three seconds of audio. Coordinated campaigns now use a smishing text to prime the victim, then follow up with a spoofed voice call from a “known” person, a manager or bank representative, to deliver the actual ask. Vishing surged 442% between the first and second half of 2024 (CrowdStrike, 2025).
Commercial anti-smishing tools blocked only 25-35% of threats in 2025, while AI-powered detection reached 96.2%, a gap that shows how much ground conventional defenses still have to make up. (Keepnet, 2026)
Real-World Smishing: The Toll Scam Surge
Starting in late 2024, the FBI, FTC, and state cybersecurity agencies began issuing warnings about an unprecedented wave of smishing attacks impersonating U.S. toll collection agencies. By the end of 2024, the FBI’s Internet Crime Complaint Center had received 59,271 complaints tied specifically to toll-related smishing, and the FTC reported Americans lost $470 million to text scams that year overall, a fivefold increase from 2020.
The scam follows a consistent pattern. A text arrives claiming you have a small unpaid toll, often just $3 to $5, from E-ZPass, SunPass, FasTrak, or your state’s tolling authority. The message warns of escalating fines or license suspension if you don’t pay immediately, and the link leads to a convincing fake payment page that collects your name, address, and payment card information.
The operation behind these texts, tracked by researchers as the “Smishing Triad,” registered over 60,000 fraudulent domain names, many ending in “.xin,” and has been linked to phishing kits marketed under names like “Lighthouse” and “Darcula.” Sold on criminal forums and Telegram channels, these kits enable even low-skill attackers to run large-scale campaigns. Confirmed targets include residents of Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, among others.
This is not a fringe operation. It’s a professional criminal supply chain targeting everyday text messages to millions of Americans at once.
Key takeaway for employees and employers: Government agencies, toll operators, courts, and law enforcement do not demand payment through a link sent by text message. If you receive one of these texts, do not click. Report it and delete it.
How to Recognize a Smishing Text
Run through these five questions before responding to any unexpected text:
1. Did I initiate this?
Legitimate authentication codes, delivery updates, and account alerts are triggered by something you did first, such as logging in, placing an order, or requesting a password reset. Any text that arrives without a preceding action on your part deserves skepticism.
2. Is there urgency or a threat?
Attackers manufacture pressure: “Your account will be closed,” “Final notice,” “Respond within 24 hours.” Legitimate organizations rarely communicate via text when immediate action is required. Official apps, secure portals, and verified phone calls are the standard channels for urgent account matters.
3. Does the link match the sender?
Before clicking, press and hold the link (don’t tap) to preview the destination URL. A message claiming to be from your bank that links to secure-update-bankofamerica.xin or any unrecognized domain is a smishing attempt. Even plausible-looking URLs can be spoofed, so when in doubt, go directly to the official website by typing it yourself.
4. Is it asking for information the sender should already have?
Your bank already has your account number. Your employer already has your direct deposit details. Your delivery carrier already has your address. Any text requesting information the sender should already possess is a red flag worth taking seriously.
5. Does it ask you to reply to make a link clickable?
Some smishing campaigns instruct victims to reply with “YES”, “Y” or “STOP” to activate a link. Apple’s Messages app shows links from unknown senders as plain, non-tappable text until you reply, so the reply is what makes the link live. Never reply to unknown senders, not even to opt out.
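The five questions above, together with the toll-scam and lookalike-domain patterns described earlier, can be turned into a first-pass triage rule set, for example in a help-desk intake script or an SMS gateway. The following is an added example, not part of this guide or of any product it names. The brand allow-list, the TLD watch-list, the weights and thresholds, and the five sample messages are all constructed for illustration, and the domain parsing is deliberately simplified: a production filter should use the Public Suffix List and a proper lookalike detector, since exact label matching will not catch “paypa1”-style substitutions.

```python
"""Rule-based triage of text messages using the five questions above.
Added example, not from the article or any vendor product: the brand table,
TLD watch-list, weights and sample texts are constructed for illustration,
and registrable_domain() is a simplification of Public Suffix List handling."""
import re
from dataclasses import dataclass, field

# Brands smishers impersonate, mapped to registrable domains that really belong
# to them. Constructed allow-list; extend it for your own environment.
BRAND_DOMAINS = {
    "bankofamerica": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "irs": {"irs.gov"},
    # Toll operators differ by state; with no entry, any link carrying the
    # brand is flagged until you add your operator's real domain.
    "ezpass": set(),
}
SUSPICIOUS_TLDS = {"xin", "top", "vip", "icu", "cfd"}       # constructed watch-list
URGENCY = ("immediately", "within 24 hours", "final notice", "suspen",
           "will be closed", "urgent", "action required", "last chance")
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}           # tiny PSL stand-in

URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
SENSITIVE_RE = re.compile(r"\b(social security|ssn|direct deposit|card number|"
                          r"password|pin)\b", re.I)
REPLY_TO_UNLOCK_RE = re.compile(r"\breply\s+(?:y|yes|stop)\b", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the suffix is a known two-part one."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Triage:
    score: int = 0
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "block" if self.score >= 5 else "review" if self.score >= 2 else "pass"

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.findings.append(why)


def triage(text: str) -> Triage:
    t = Triage()
    lower = text.lower()
    for m in URL_RE.finditer(text):                    # Question 3: link vs sender
        host = m.group(1).lower()
        reg = registrable_domain(host)
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            t.add(2, f"link on watch-listed TLD .{tld} ({host})")
        for label in re.split(r"[.-]", host):
            if label in BRAND_DOMAINS and reg not in BRAND_DOMAINS[label]:
                t.add(3, f"'{label}' in hostname but registrable domain is {reg}")
    if any(p in lower for p in URGENCY):               # Question 2: urgency / threat
        t.add(1, "urgency or threat language")
    if SENSITIVE_RE.search(text):                      # Question 4: data they already hold
        t.add(2, "asks for data the sender should already have")
    if REPLY_TO_UNLOCK_RE.search(text):                # Question 5: reply to unlock
        t.add(2, "asks for a reply, which unlocks links from unknown senders")
    return t


SAMPLE_TEXTS = {   # constructed for this example, not captured messages
    "toll": "E-ZPass: you have an unpaid toll of $4.15. To avoid late fees and "
            "license suspension pay immediately at https://ezpass-toll-services.xin/pay",
    "bank": "Bank of America: unusual sign-in detected. Verify at "
            "bankofamerica-secure-login.xin or your account will be closed. "
            "Reply Y to activate link.",
    "payroll": "Hi Alice, this is Acme payroll. We need you to verify your direct "
               "deposit account before Friday's run: https://acme-payroll-update.com/verify",
    "tracking": "USPS: your package is out for delivery today. Track at usps.com/track",
    "otp": "Your verification code is 482913. It expires in 10 minutes. Do not share it.",
}


def run_samples() -> dict:
    """Verdict per sample: toll/bank block, payroll review, tracking/otp pass."""
    return {name: triage(text).verdict for name, text in SAMPLE_TEXTS.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_TEXTS.items():
        result = triage(text)
        print(f"{name:9} {result.verdict:7} score={result.score} {result.findings}")
```

The two scam samples score on every axis at once (brand name in a hostname that is not the brand’s domain, a watch-listed TLD, urgency, and in one case a reply-to-unlock instruction), the payroll text lands in “review” purely because it asks for direct deposit details the employer already holds, and the genuine tracking and one-time-code texts pass because their link, if any, resolves to an allow-listed domain and they make no demand. Question 1 (“did I initiate this?”) is context the message itself cannot answer, so it stays with the human reviewer.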
How to Protect Yourself and Your Employees
For Individuals
- Never click links in unexpected texts. Go directly to the official website or app instead.
- Avoid replying to unknown senders. Even a one-word reply confirms your number is active and increases future targeting.
- Verify independently. If a text claims to be from your bank, call the number on the back of your card, not any number provided in the message.
- Enable spam text filtering. Both iOS and Android offer built-in filters, and most carriers provide free blocking tools as well.
- Use phishing-resistant MFA. Hardware security keys and passkeys (FIDO2/WebAuthn) bind the login to the real site’s domain, so a code or approval relayed through a phishing page is useless. Authenticator-app codes are better than SMS codes, but they can still be relayed in real time the same way.
- Report suspicious texts. Forward smishing messages to 7726 (SPAM), a free service most carriers support, and file a complaint at reportfraud.ftc.gov or ic3.gov.
For Employers and HR Teams
- Train employees on smishing specifically, not just email phishing. Most security awareness programs overlook SMS as an attack channel, and that gap is increasingly costly.
- Run smishing simulations. Behavioral training using realistic fake texts outperforms lectures. Employees who’ve been tested respond better when a real attempt arrives.
- Establish a verification protocol for financial requests. Any text requesting a wire transfer, direct deposit change, or payroll action should require verbal confirmation through a known phone number, no exceptions.
- Audit which employees have work credentials tied to personal phone numbers. MFA codes sent to personal devices are a bypass risk if that device is compromised through a smishing attack.
- Offer identity theft protection as an employee benefit. When smishing succeeds, and sometimes it does even against trained employees, recovery speed matters. Employees with access to live restoration advocates can contain damage significantly faster than those navigating the process alone.
How to Report a Smishing Attempt
Reporting helps authorities track campaigns, take down fraudulent domains, and warn others. Here’s where to go:
- Forward the text to 7726 (SPAM), supported by most major U.S. carriers and free to use.
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI’s IC3 at ic3.gov, particularly important for toll scams and financial fraud.
- Notify your mobile carrier directly if you’re receiving repeated attacks from the same number or domain.
- If you clicked a link or shared information, visit IdentityTheft.gov for step-by-step recovery guidance.
Frequently Asked Questions About Smishing
What is the difference between smishing and phishing?
Phishing is a broad term for social engineering attacks that trick victims into revealing sensitive information. Smishing is specifically phishing delivered via SMS or text message. Both rely on manipulation and deception, but smishing exploits the higher trust and weaker defenses associated with text messaging. Email phishing has the advantage of volume; smishing has the advantage of immediacy and a personal feel. The two are increasingly combined in coordinated multi-channel attacks.
Can smishing attacks install malware on my phone?
Yes. Some smishing messages contain links leading to sites designed to download malicious apps or exploit browser vulnerabilities. On Android devices in particular, attackers may direct victims to sideload APK files, apps installed from outside the official app store, which request permissions granting access to contacts, messages, and stored credentials. iOS devices are harder to compromise through malware downloads, but smishing remains effective as a credential-harvesting and social engineering tool regardless of device type.
Why are smishing attacks increasing so fast?
Several factors are converging at once. AI tools lower the cost and effort of creating personalized, convincing messages. Phishing kits sold on criminal forums enable low-skill attackers to run large-scale campaigns. RCS and iMessage deliver richer, more believable messages than traditional SMS. On top of that, most people still don’t recognize smishing as a category of threat. The explosive growth of mobile-first communication combined with the relative weakness of carrier spam filtering has created conditions that are nearly ideal for attackers.
How do attackers get my phone number?
Smishing campaigns draw from multiple sources: data breaches that exposed phone numbers (major breaches in 2024 and 2025 collectively exposed hundreds of millions of records), scraped social media profiles, purchased marketing lists, randomly generated number ranges targeted by automated dialers, and numbers leaked through third-party apps. Your number can end up in an attacker’s database without you having done anything wrong.
What should I do if I already clicked a smishing link?
Act immediately. If you entered credentials, change your passwords on the affected account and any account sharing the same password, enable MFA if it wasn’t already active, and alert your bank or employer depending on what information was involved. If you entered payment card data, contact your card issuer to freeze the card and dispute any fraudulent charges. In both cases, run a security scan on your device, monitor your accounts closely for the next 30 days, and file a report at IdentityTheft.gov. If a workplace account or work-related credentials were involved, notify your IT or security team right away because time matters for containing a potential breach.
Do smishing attacks target businesses specifically?
Yes, and with increasing sophistication. Business-targeted smishing includes payroll redirect fraud, W-2 and HR data theft, wire transfer authorization scams impersonating executives, and credential theft targeting employees with access to company systems. Verizon’s 2025 Data Breach Investigations Report found that 19% of breaches now involve smishing or vishing as an entry vector. Small businesses face particular exposure because they’re less likely to have formal verification protocols for financial and credential requests.
Is there software that protects against smishing?
Yes, though no tool provides complete protection. Mobile threat defense (MTD) solutions can detect malicious links before they load. Carrier-level filtering blocks many known smishing domains, and email and communication security platforms increasingly include SMS monitoring for enterprise deployments. Commercial solutions achieved 25-35% blocking rates in 2025, while AI-powered tools reached 96.2%, but that still means a meaningful percentage of attacks get through. Technology reduces risk; awareness and verification habits close the gap the tools leave.