What is Smishing?

Last reviewed by Moderation API

Smishing is phishing delivered over SMS. Attackers send text messages impersonating a bank, delivery service, toll authority, or government agency to trick the recipient into clicking a malicious link or handing over credentials.

The compressed format of text messages strips away most of the visual cues that let users detect a traditional phishing email. There is no sender domain, no signature, no hover-to-preview on the link. That is a large part of why SMS became one of the most effective fraud delivery channels of the 2020s.

Etymology and the rise of SMS fraud

The word smishing is a portmanteau of SMS and phishing, coined in the mid-2000s but largely dormant until smartphones normalized clicking links inside text messages.

Between 2022 and 2025 smishing grew into the dominant consumer fraud channel in the United States. The FTC's Consumer Sentinel Network has repeatedly ranked text message scams among the top reported fraud categories, and the FCC has flagged billions of suspected scam texts detected by carriers annually. The FCC's 2023 order extending robocall-style blocking obligations to SMS was an explicit acknowledgment that text messaging had become the frontier of mass-market fraud.

Common lures and the toll scam era

Smishing campaigns cluster around a small set of high-trust impersonation targets. The most prolific lures include:

  • Package delivery failures impersonating USPS, FedEx, UPS, and DHL, asking the recipient to pay a small reshipment fee.
  • Unpaid toll notices impersonating E-ZPass, SunPass, FasTrak, and other regional toll authorities. This variant dominated 2024 and 2025 to the point where the FBI IC3 issued a dedicated public service announcement in April 2024 warning of a nationwide toll smishing campaign.
  • Bank and Zelle fraud alerts claiming a suspicious transfer needs immediate confirmation.
  • IRS refund or tax debt messages, Apple ID or iCloud suspension notices, and political fundraising lures around election cycles.

Researchers at Resecurity and Silent Push have traced much of this activity to a Chinese-language phishing-as-a-service operation widely known as the Smishing Triad, which sells prebuilt kits targeting postal services and tolling agencies across dozens of countries.

Why SMS is structurally exploitable

SMS has no reputation infrastructure comparable to email.

There is no SPF, DKIM, or DMARC equivalent that lets a receiving device verify that a message claiming to come from "USPS" actually originated from the postal service. Sender IDs can be spoofed, short codes can be rented, and attackers rotate through throwaway domains and URL shorteners faster than blocklists can keep up. MMS and RCS have added image and attachment vectors on top of the original plaintext channel. Click-farm operations in parts of Southeast Asia and West Africa provide the human labor for manual cash-outs once credentials are captured.

Defenses and the role of content moderation

Consumer defenses operate at three layers. On the device, iOS and Android now offer built-in filtering for messages from unknown senders. At the carrier, AT&T ActiveArmor, T-Mobile Scam Shield, and Verizon Call Filter block or flag suspected scam texts before delivery. At the user level, the FCC and CTIA encourage forwarding suspicious messages to 7726 (the keypad letters for SPAM), which feeds a shared industry reporting pipeline, and to the FTC at ReportFraud.ftc.gov.

For platforms that host user-generated text or outbound messaging, automated content moderation is increasingly used to catch smishing patterns, lookalike domains, and scam lure templates before they reach recipients. That closes a gap that carrier-only filtering will always leave open, since the carriers see only the messages routed through their own networks.
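One way such a check could look, added here as an illustration and not Moderation API's own code: it flags a link whose host does not match the brand the message claims to be, links through URL shorteners, and lure wording paired with a link. The allowlist, keyword list, reason codes, and sample messages are constructed assumptions.

```python
import re

# Assumption: illustrative allowlist of official domains; maintain your own in practice.
OFFICIAL = {"usps": {"usps.com"}, "fedex": {"fedex.com"},
            "ups": {"ups.com"}, "dhl": {"dhl.com"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Assumption: lure wording drawn from the lure types listed earlier on this page.
URGENCY = re.compile(
    r"\b(unpaid|suspended|final notice|immediately|reshipment fee|failed delivery)\b",
    re.I)
# Matches a hostname with or without a scheme, since SMS links often omit it.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def is_official(host, domains):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_sms(text):
    """Return reason codes for a message; an empty list means nothing flagged."""
    reasons = []
    lowered = text.lower()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    named_in_text = {b for b in OFFICIAL if re.search(rf"\b{b}\b", lowered)}
    for host in hosts:
        if host in SHORTENERS:
            reasons.append(f"shortener:{host}")
        # Split on dots and hyphens so "usps-redelivery" yields the label "usps".
        labels = set(re.split(r"[^a-z0-9]+", host))
        for brand, domains in OFFICIAL.items():
            claimed = brand in named_in_text or brand in labels
            if claimed and not is_official(host, domains):
                reasons.append(f"brand-mismatch:{brand}:{host}")
    if hosts and URGENCY.search(text):
        reasons.append("urgency-with-link")
    return reasons


# Constructed sample messages (not real traffic); .example is a reserved TLD.
SAMPLES = [
    "USPS: your package arrives today. Track at https://tools.usps.com/go/Track",
    "USPS: failed delivery. Pay the reshipment fee at https://usps-redelivery.example/pay",
    "Final notice: unpaid toll balance. Settle now: bit.ly/EXAMPLE",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(analyze_sms(sms) or ["clean"], "<-", sms)
```

Reason codes like these are signals to combine with sender reputation and volume data, not a verdict on their own; a brand mentioned in passing next to an unrelated link will also trip the mismatch rule.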