Smishing now accounts for 35% of all phishing attacks, according to SentinelOne’s 2026 analysis, and grew 40% year over year according to Barclays’ 2025 scam report. The scale of the problem has outpaced consumer awareness.
Scammers target text messages simply because we expect to get important updates there, like shipping alerts, bills, or bank notifications. While corporate email accounts have strong filters to block scams, standard mobile networks leave your text inbox wide open.
That lack of protection leads to high success rates. Between 19% and 36% of people click links in scam texts, compared to just 2% to 4% for email phishing. Small phone screens and urgent wording make it easy to tap a link before checking the sender.
Data from Proofpoint indicates that 55% of smishing messages contain malicious URLs. The most common lures impersonate package delivery notifications, toll payment systems, banking alerts, and government communications. These categories exploit routine habits, triggering an immediate reflex to resolve a pending issue.
This fraud is rarely the work of independent hackers. Networks like the Smishing Triad run like corporations, using more than 200,000 fake web domains and advanced hacking tools to compromise up to 115 million payment card accounts. They flood mobile networks with millions of automated texts at the same time.
The Anti-Phishing Working Group (APWG) recorded 30% to 40% quarter-over-quarter growth in SMS based fraud detections in late 2025. Verizon’s 2025 Data Breach Investigations Report found that 19% of all data breaches originate from a combination of smishing and vishing (voice phishing). The financial losses are substantial; victims of tax related text scams lost an average of $8,199 in 2024.
The newest tactic combines text messages with AI voice cloning. Scammers send an initial text about a fake emergency, like a frozen account or a missed delivery, to set the trap. Moments later, they call using an AI generated clone of a bank employee’s or family member’s voice.
Research shows that 77% of AI voice clone scam victims lost money during the interaction. Combining a written notification with a matching voice removes two of the primary indicators people use to detect fraud.
Defending against these attacks relies on strict verification steps. Do not click links in unsolicited text messages, regardless of how official they appear. If a message claims an emergency exists with a service or bank account, close the message and contact the organization directly using a phone number from their official website. Legitimate organizations do not request passwords, card details, or one-time passcodes via text.
The FBI and FTC advise reporting suspected smishing attempts and deleting the message without interacting with it. In the US and UK, users can forward suspicious texts to 7726. In France, the number is 33700. Many banks also allow direct reporting through their mobile applications.
If a text message demands immediate action, treat it as a red flag

source