16,000 Complaints and Counting: Why the FBI Is Sounding the Alarm

In February 2021, the FBI's Internet Crime Complaint Center (IC3) began tracking a dramatic spike in smishing — phishing attacks delivered via SMS text messages. The FBI warning on smishing texts wasn't hypothetical. It came because the IC3 received over 240,000 phishing, smishing, and vishing complaints in 2020 alone, with reported losses exceeding $54 million. And 2021 is shaping up to be worse.

If you manage IT security for any organization, or if you simply own a smartphone, this post is for you. I'm going to break down exactly what the FBI is warning about, why smishing is exploding right now, and the specific steps you can take to protect yourself and your employees starting today.

What Exactly Is Smishing — and Why Is It Working?

Smishing is SMS phishing. A threat actor sends a text message designed to trick you into clicking a malicious link, calling a spoofed number, or handing over credentials. That's it. Simple concept, devastating execution.

Here's what actually makes smishing more dangerous than email phishing: people trust their text messages. In my experience, employees who would never click a suspicious email link will tap an SMS link without a second thought. Commonly cited industry figures put SMS open rates near 98%, against roughly 20% for email. Attackers know this.

The typical smishing text impersonates a bank, a shipping company, a government agency, or — increasingly — an employer. The message creates urgency. "Your account has been locked." "Your package could not be delivered." "Verify your identity immediately." The link leads to a credential theft page that looks pixel-perfect.

The COVID-19 Accelerant

The pandemic supercharged smishing. With millions of people working remotely in 2020 and 2021, personal devices became work devices. The FBI and CISA both noted that threat actors exploited pandemic-related themes — stimulus checks, vaccine appointments, contact tracing notifications — to craft convincing smishing lures.

The FBI IC3 2020 Internet Crime Report documented this surge explicitly. Phishing in all its forms (email, SMS, and voice) was again the single most reported crime type, with more victims than any other category. Smishing's share of that total is growing fast.

The FBI Warning on Smishing Texts: What It Actually Says

The FBI has issued multiple public service announcements and alerts through IC3 about smishing. The core message is straightforward: do not click links in unsolicited text messages, do not provide personal or financial information via text, and verify any request by contacting the organization directly through an official channel.

But here's the part most people miss. The FBI isn't just warning consumers. They're warning businesses. The reason? Smishing is now a primary initial access vector for social engineering campaigns that lead to business email compromise, ransomware deployment, and full network intrusion.

I've seen organizations that invested heavily in email security get blindsided by an SMS-based attack on a single employee's phone. The employee clicked a link, entered their corporate credentials on a spoofed Microsoft 365 login page, and within hours the attacker had pivoted into the company's cloud environment. No malware needed. Just stolen credentials and the absence of multi-factor authentication.

Real Attacks, Real Damage: Smishing in the Wild

The USPS Smishing Wave

Throughout late 2020 and into 2021, the U.S. Postal Inspection Service documented a massive wave of smishing texts impersonating USPS. The messages claimed a package was undeliverable and directed recipients to a fake USPS site that harvested personal data. USPS published advisories warning that these texts were not legitimate and that USPS does not send unsolicited texts with tracking links.

The scale was staggering. Security researchers reported thousands of domain registrations mimicking USPS URLs. Each domain had a short lifespan — sometimes just hours — making traditional blocklists nearly useless.

The Okta and Twilio-Style Social Engineering Playbook

By mid-2021, security researchers were documenting a pattern: threat actors sending smishing texts to employees impersonating their own IT departments. The text would say something like, "Your VPN session has expired. Re-authenticate here." The link led to a cloned login portal. Credentials captured. Access gained.

This playbook works because it exploits trust in internal communications and the urgency of maintaining access to work systems. It's social engineering at its most refined — no exploit kits, no zero-days, just human psychology weaponized through a text message.

Why Email Security Alone Won't Save You

Most organizations have spent years building email defenses: spam filters, DMARC, sandboxing, phishing simulation programs. That's necessary work. But smishing bypasses all of it.

SMS messages don't pass through your email gateway. Your secure email gateway can't inspect them. Your DMARC policy is irrelevant. The message arrives on a device you probably don't fully control, especially in BYOD environments.

This is exactly why a zero trust approach matters. You cannot assume that any authentication request is legitimate just because it came from an employee's device. Every access request needs verification, every session needs validation, and every credential needs a second factor.

The $4.24M Lesson: What a Data Breach Actually Costs

According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach hit $4.24 million — the highest in 17 years of the report. Phishing was the second most common initial attack vector, and breaches caused by phishing (including smishing) cost an average of $4.65 million.

For small and mid-sized businesses, the math is existential. A single smishing text that captures one employee's credentials can cascade into a ransomware event, regulatory penalties, customer notification costs, and reputational damage that takes years to recover from.

How to Protect Your Organization from Smishing Attacks

Here's the practical playbook I recommend to every organization I work with. No single control will stop smishing. You need layers.

1. Train Your People — Including on SMS Threats

Most security awareness training programs focus almost exclusively on email. That's a gap. Your employees need to understand that phishing doesn't just arrive in their inbox. It arrives in their text messages, their voice calls, and their messaging apps.

If you don't have a structured cybersecurity awareness training program in place, start with the cybersecurity awareness training at computersecurity.us. It covers the full spectrum of social engineering threats, not just email.

For organizations that want to go deeper on phishing-specific education, including smishing scenarios, the phishing awareness training for organizations at phishing.computersecurity.us is built specifically for that purpose.

2. Deploy Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is your most critical safety net. If an employee's credentials are stolen through a smishing attack, MFA can prevent the attacker from using them. Hardware security keys (FIDO2/WebAuthn) are the gold standard because the credential is bound to the site's origin and cannot be replayed from a lookalike domain. App-based authenticators are a strong second choice, with one caveat: a one-time code or push approval can still be relayed in real time by a phishing page that proxies the victim's session to the real login portal, so treat them as a speed bump rather than a wall. SMS-based OTP codes are the weakest form, and ironically so in this context, since the smishing message itself may be engineered to collect them.

Prioritize MFA on email, VPN, cloud applications, and any system with access to sensitive data. No exceptions for executives. No exceptions for "convenience."
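To make the phishing-resistance point concrete, here is an added Python illustration (not code from the original post or from any vendor). It implements RFC 6238 TOTP with the standard library, shows that a code the victim types into a proxy page still verifies at the real service a few seconds later, and then models the relying-party checks on a WebAuthn assertion, where the browser writes the page's real origin into clientDataJSON and the server rejects anything signed from a lookalike origin. The authenticator's signature is stood in for by an HMAC because the standard library has no ECDSA; the RP ID, origins, keys and timestamps are assumed for the example.

```python
"""Added illustration: why a relayed TOTP code is accepted but a relayed
WebAuthn assertion is not. Standard library only; keys, origins and
timestamps below are made up for the example."""
import base64
import hashlib
import hmac
import json
import struct


# ---- TOTP (RFC 6238 / RFC 4226): what an authenticator app generates ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def totp_verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours, as most servers do."""
    return any(hmac.compare_digest(code, totp(secret, at + k * 30))
               for k in range(-window, window + 1))


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the code into the phishing
    page and the proxy submits it to the real service a few seconds later.
    Nothing in the code ties it to the site it was typed into, so it verifies."""
    code_typed_into_phishing_page = totp(secret, now)
    return totp_verify(secret, code_typed_into_phishing_page, now + 5)


# ---- WebAuthn-style assertion: the origin is bound into the signed data ----
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(authenticator_key: bytes, rp_id: str, challenge: bytes,
                   browser_origin: str) -> dict:
    """The browser, not the page's JavaScript, writes the origin it is really
    showing into clientDataJSON, and the authenticator signs over its hash.
    (A real browser would refuse outright when rp_id does not match the page's
    origin; this models the server-side check that would reject it anyway.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": browser_origin}, separators=(",", ":")).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP set) || 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the authenticator's ECDSA signature (stdlib has no ECDSA).
    signature = hmac.new(authenticator_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def rp_verify(authenticator_key: bytes, rp_id: str, expected_origin: str,
              issued_challenge: bytes, assertion: dict) -> str:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"            # the phishing case ends here
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(authenticator_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def demo() -> dict:
    secret = b"12345678901234567890"          # RFC 6238 test seed
    now = 1_700_000_000                       # assumed "current" Unix time
    key = b"authenticator-private-key-stand-in"
    rp_id, origin = "login.example.com", "https://login.example.com"
    challenge = hashlib.sha256(b"server-nonce-for-this-login").digest()
    legit = make_assertion(key, rp_id, challenge, origin)
    phished = make_assertion(key, rp_id, challenge,
                             "https://login-example-com.session-verify.example")
    return {
        "totp_relayed_accepted": relay_totp_attack(secret, now),
        "webauthn_legit": rp_verify(key, rp_id, origin, challenge, legit),
        "webauthn_phished": rp_verify(key, rp_id, origin, challenge, phished),
    }


if __name__ == "__main__":
    print(demo())
```

The relayed TOTP code is accepted because nothing in a six-digit code says where it was typed; the WebAuthn assertion fails at the origin check before the signature is even examined. That is the whole difference between "MFA" and "phishing-resistant MFA", and it is why the smishing lure that asks you to "re-authenticate here" is defeated by a security key but not by a code-based app.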

3. Implement Mobile Device Management

If employees access corporate resources on their phones, you need Mobile Device Management (MDM) or at minimum a Mobile Application Management (MAM) solution. MDM gives you visibility into device posture, the ability to enforce security policies, and the option to remotely wipe corporate data if a device is compromised.

4. Establish a Reporting Channel

Make it effortless for employees to report suspicious texts: a dedicated Slack channel, a dedicated email alias for security reports, or a button in your MDM app. The faster your security team hears about a smishing campaign targeting your organization, the faster you can warn everyone else.

The FBI also encourages individuals to report smishing directly to IC3.gov and to forward suspicious texts to 7726 (SPAM), which alerts wireless carriers.

5. Adopt Zero Trust Principles

A zero trust architecture assumes that no device, user, or network is inherently trusted. Every access request is verified based on identity, device health, location, and behavior. This dramatically limits what an attacker can do even if they steal a single set of credentials through smishing.

NIST Special Publication 800-207 provides the foundational framework for zero trust architecture. If you haven't reviewed it, put it on your reading list this week.

How Do I Know If a Text Message Is a Smishing Attempt?

Look for these red flags in any text message:

  • Unsolicited messages from banks, government agencies, or shipping companies — especially ones you don't have accounts with.
  • Urgency language: "Act now," "Your account will be closed," "Immediate action required."
  • Shortened or suspicious URLs that don't match the official domain of the organization claiming to contact you.
  • Requests for personal information like Social Security numbers, passwords, PINs, or credit card numbers. Legitimate organizations do not request this via text.
  • Misspellings and odd formatting, though increasingly sophisticated campaigns avoid these tells.

When in doubt, do not tap the link. Open your browser, navigate to the organization's official website directly, and log in from there. Call the organization using a number from their official site — not a number provided in the text.
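As an added example (not from the original post, and not an FBI or USPS tool), here is a Python first-pass triage that applies these red flags to texts reported through your reporting channel. It pulls the link hosts out of each message, treats any brand-bearing host that is not one of the brand's official registrable domains as a lookalike (which also catches the short-lived throwaway domains from the USPS wave and the "re-authenticate here" IT-impersonation lure described above), and scores shorteners, urgency phrases and requests for credentials. The brand table, the made-up Example Bank and ExampleCorp domains, and the sample messages are constructed for the example; usps.com is USPS's real domain.

```python
"""Added illustration: first-pass triage of reported SMS messages against the
red flags above. The brand/domain table and sample messages are constructed
for the example (usps.com is real; the other two brands are made up)."""
import re
from urllib.parse import urlsplit

# Registrable domains each brand actually uses. Anything else carrying the
# brand name is treated as a lookalike, which also catches the short-lived
# throwaway domains that defeat blocklists.
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "example bank": {"examplebank.com"},      # hypothetical brand
    "examplecorp": {"examplecorp.com"},       # hypothetical employer
}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URGENCY_RE = re.compile(r"\b(act now|immediately|within \d+ (?:hours?|minutes?)|has been locked"
                        r"|will be closed|could not be delivered|has expired)\b")
PII_RE = re.compile(r"\b(verify your identity|social security|ssn|password|pin|card number)\b")
# Matches http(s) URLs and bare hosts such as bit.ly/abc. Only the host is used,
# so trailing path punctuation does not matter.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def extract_hosts(message: str) -> list:
    hosts = []
    for match in URL_RE.finditer(message):
        url = match.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url            # let urlsplit parse scheme-less links
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_official(host: str, domains: set) -> bool:
    # Naive suffix match; a production check should use the Public Suffix List.
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(message: str) -> dict:
    text = message.lower()
    hosts = extract_hosts(message)
    score, reasons = 0, []
    for brand, domains in OFFICIAL_DOMAINS.items():
        brand_in_host = any(brand.replace(" ", "") in h for h in hosts)
        if brand not in text and not brand_in_host:
            continue
        for host in hosts:
            if not is_official(host, domains):
                score += 3
                reasons.append(f"{brand} impersonated: link host {host} is not an official domain")
    for host in hosts:
        if host in URL_SHORTENERS:
            score += 2
            reasons.append(f"shortened URL via {host} hides the destination")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency language")
    if PII_RE.search(text):
        score += 2
        reasons.append("asks for credentials or personal data")
    if score >= 3:
        verdict = "smishing"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "no strong indicator"
    return {"verdict": verdict, "score": score, "reasons": reasons, "hosts": hosts}


# Constructed sample reports: two brand lures, a benign OTP, a benign tracking
# text, and the IT-department VPN lure.
SAMPLE_MESSAGES = [
    "USPS: Your package could not be delivered. Confirm your address within 12 hours: "
    "https://usps-redelivery-center.com/track",
    "Example Bank alert: your account has been locked. Verify your identity now at bit.ly/3xAmPl3",
    "Your verification code is 482913. Do not share it with anyone.",
    "USPS: Expected delivery by Tuesday. Track your package at "
    "https://tools.usps.com/go/TrackConfirmAction?tLabels=9400100000000000000001",
    "ExampleCorp IT Helpdesk: Your VPN session has expired. Re-authenticate within 15 minutes: "
    "https://examplecorp-sso.com/login",
]


def triage_samples() -> list:
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for message, result in zip(SAMPLE_MESSAGES, triage_samples()):
        print(f"{result['verdict']:>19} ({result['score']}) {message[:60]}")
        for reason in result["reasons"]:
            print(f"{'':>24}- {reason}")
```

Use this as a triage aid behind the reporting channel, not as a blocker: the scoring is deliberately simple, the suffix match ignores the Public Suffix List, and a lure that names no brand and uses a fresh domain will only score on wording. Its value is that the brand-versus-official-domain check does not depend on having seen the attacker's domain before, which is exactly where blocklists fail against hours-old registrations.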

The FBI Warning on Smishing Texts Is a Wake-Up Call

The FBI warning on smishing texts isn't just another advisory to file away. It reflects a measurable, accelerating shift in how threat actors operate. SMS is the new frontier for social engineering, and most organizations are not prepared.

I've watched companies recover from email phishing incidents because they had the training and controls in place. I've watched other companies suffer catastrophic losses from smishing because they assumed their employees would "just know" not to click. They didn't.

Your employees are targeted every day. Their phones are in their hands more than they're at their desks. The attack surface has moved, and your defenses need to move with it.

Start by training your people with programs that address the full threat landscape — not just email. Build layers of defense with MFA, MDM, zero trust, and a culture where reporting suspicious messages is rewarded, not stigmatized.

The FBI has told you what's coming. Now it's on you to act.