In December 2025, the FBI issued a stark public warning: delete suspicious text messages immediately. The advisory specifically called out a wave of smishing texts — SMS-based phishing attacks — targeting Americans with fake toll road notices, package delivery scams, and fraudulent financial alerts. The bureau's Internet Crime Complaint Center (IC3) had already logged over 800,000 phishing and smishing complaints in its 2024 annual report, with losses exceeding $12.5 billion. That FBI warning on smishing texts wasn't hypothetical. It was a direct response to a massive, coordinated campaign that hit users in every U.S. state.
If you're here searching for details on that warning, here's the short version: threat actors are sending billions of text messages designed to steal your credentials, install malware, or trick you into sending money. And the problem is accelerating in 2026. This post breaks down exactly how these attacks work, why your phone is now the primary attack surface, and what specific steps you and your organization need to take right now.
What the FBI Warning on Smishing Texts Actually Said
The FBI's advisory, coordinated with CISA, warned that a specific threat actor group had registered over 10,000 domains to support smishing campaigns. These weren't sloppy, typo-filled messages. They impersonated toll authorities like E-ZPass, delivery services like USPS and UPS, and major financial institutions.
The messages followed a consistent pattern: create urgency, provide a link, harvest credentials. A typical text read something like, "Your toll balance of $12.51 is overdue. Failure to pay will result in a $50 late fee. Pay now:" followed by a convincing but malicious URL.
The FBI specifically recommended that recipients not click any links, not respond to the messages, and report them to the IC3. They also urged people to delete the texts entirely, since even accidentally tapping a link on a mobile device can initiate a redirect chain that captures device information or triggers a malicious download.
Why Smishing Exploded in 2025 — And Keeps Growing
The SMS Trust Problem
People trust text messages more than email. Research has consistently shown SMS open rates above 90%, compared to roughly 20% for email. Threat actors know this. They've shifted significant resources away from email-based phishing and toward smishing because the return on investment is dramatically higher.
Your employees might be trained to spot a suspicious email. But how many of them scrutinize a text message with the same level of skepticism? In my experience, almost none. The small screen, the lack of visible URL detail, and the implied urgency of SMS all work in the attacker's favor.
Cheap Infrastructure, Massive Scale
Smishing kits are now sold as turnkey services on dark web marketplaces. A threat actor can purchase a phishing kit, register domains in bulk, and send hundreds of thousands of messages through compromised SMS gateways or SIM farms — all for a few hundred dollars. The barrier to entry has essentially disappeared.
The Verizon 2024 Data Breach Investigations Report noted that social engineering attacks, including smishing, remained one of the top three attack patterns across all industries. The human element was involved in 68% of breaches. Smishing exploits that human element on the device people trust most — their phone.
AI-Generated Messages Are Harder to Detect
In 2026, we're seeing smishing texts that are grammatically perfect, contextually relevant, and sometimes even personalized using data from prior breaches. Generative AI tools allow attackers to craft messages at scale that feel authentic. The days of spotting a scam text by its broken English are largely over.
Anatomy of a Smishing Attack: How It Actually Works
Understanding the mechanics helps you defend against them. Here's the typical kill chain:
- Reconnaissance: Attackers harvest phone numbers from data breaches, public records, social media, or purchased lists. Your number is almost certainly on multiple lists already.
- Message Delivery: The smishing text arrives via SMS or iMessage/RCS, often spoofing a legitimate sender ID. It contains a short, urgent message and a link.
- Credential Harvesting Page: The link leads to a convincing replica of a legitimate website — a bank login, a toll payment portal, a delivery tracking page. The victim enters credentials, payment card data, or personal information.
- Account Takeover or Fraud: Stolen credentials are used immediately. Attackers log into bank accounts, corporate VPNs, email accounts, or sell the credentials on the dark web within minutes.
- Secondary Attacks: Compromised accounts become launchpads for further phishing, ransomware deployment, or business email compromise schemes.
The entire process — from text received to credential stolen — often takes less than 60 seconds. That speed is what makes smishing so dangerous.
What Is Smishing? A Quick Definition
Smishing is a form of social engineering attack where cybercriminals send fraudulent text messages (SMS) to trick recipients into clicking malicious links, revealing sensitive information, or downloading malware. The term combines "SMS" and "phishing." The FBI has specifically warned that smishing texts impersonating government agencies, toll authorities, and financial institutions are a major and growing threat in the United States.
The $4.88M Lesson: Why Organizations Can't Ignore This
According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. Phishing and social engineering — including smishing — were among the most common initial attack vectors. For small and midsize businesses, a single compromised credential from a smishing attack can cascade into a full-blown data breach.
I've seen organizations where a single employee clicked a smishing link, entered their corporate email credentials, and within four hours the attacker had pivoted through the email account to reset passwords on financial systems. The total loss was north of $200,000 — not including the incident response and legal costs.
This isn't a consumer-only problem. Your employees carry company email, Slack, and VPN access on the same phone that receives these smishing texts. The boundary between personal and corporate mobile use barely exists anymore.
Seven Specific Steps to Defend Against Smishing Texts
1. Implement Security Awareness Training — Immediately
Your employees need to know what smishing looks like in 2026, not what it looked like three years ago. Training must include real-world smishing examples, not just email phishing scenarios. A comprehensive cybersecurity awareness training program should cover SMS-based threats alongside email, voice, and QR code phishing.
2. Run Phishing Simulations That Include SMS
Most organizations only simulate email phishing. That's a blind spot. Incorporate smishing scenarios into your testing. Platforms that offer phishing awareness training for organizations can help you measure how your team responds to SMS-based social engineering and identify who needs additional coaching.
3. Deploy Multi-Factor Authentication Everywhere
Even if an attacker harvests a password via a smishing link, multi-factor authentication (MFA) can stop the account takeover. Use phishing-resistant MFA methods — hardware security keys or app-based authenticators — not SMS-based codes. Ironic as it sounds, SMS-based MFA is itself vulnerable to SIM-swapping attacks.
4. Adopt a Zero Trust Architecture
Zero trust assumes every access request is potentially malicious, regardless of whether it originates from inside or outside your network. This matters for smishing because a compromised mobile credential shouldn't automatically grant access to your entire environment. Segment access. Verify continuously. CISA's Zero Trust Maturity Model provides a practical framework to get started.
5. Enable Built-In Message Filtering
Both iOS and Android now offer built-in spam and smishing detection. Make sure it's enabled on corporate-managed devices. It won't catch everything, but it adds a useful first layer. On Android, Google Messages flags suspected spam. On iOS, the "Filter Unknown Senders" option separates messages from people not in your contacts.
6. Establish a Clear Reporting Process
Your employees need a fast, frictionless way to report suspicious texts. If reporting takes more than 30 seconds or requires filling out a form, people won't do it. A dedicated Slack channel, a forwarding number, or a simple email alias works. The FBI also recommends forwarding suspicious texts to 7726 (SPAM) and filing reports with the IC3.
7. Never Click, Always Verify Independently
This is the single most effective behavioral change you can drive. If someone receives a text claiming to be from their bank, their toll authority, or their employer — they should never tap the link. Instead, open a browser, type the organization's known URL directly, and check the account from there. This one habit neutralizes the vast majority of smishing attacks.
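As an added example (not code from this post or from any vendor), here is a small triage script for the reporting alias in step 6: it scores each forwarded text on the pattern described earlier in the post, urgency language, a dollar amount, a link, and a named brand whose real domain the link does not use, which is the check step 7 asks people to do by hand. The brand allowlist and the sample texts are constructed for the example; usps.com and ups.com are real domains, while toll-authority.example is a placeholder to replace with your own state's authority.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains each impersonated brand really uses. usps.com and
# ups.com are real; toll-authority.example is a placeholder. Example code, not an FBI tool.
BRAND_DOMAINS = {"usps": {"usps.com"}, "ups": {"ups.com"},
                 "toll": {"toll-authority.example"}, "e-zpass": {"toll-authority.example"}}
URGENCY = re.compile(r"\b(overdue|immediately|suspended|late fee|final notice|"
                     r"within 24 hours|pay now|act now)\b", re.I)
AMOUNT = re.compile(r"\$\d+(?:\.\d{2})?")
LINK = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_domains(text):
    """Hostnames of every link in the text; bare domains without a scheme count too."""
    hosts = set()
    for match in LINK.finditer(text):
        raw = match.group(0)
        host = urlparse(raw if "://" in raw else "http://" + raw).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def score_sms(text):
    """Score one reported text: urgency, amount, link, and brand/domain mismatch."""
    domains = link_domains(text)
    score, reasons = 0, []
    for hit, label in ((URGENCY.search(text), "urgency language"),
                       (AMOUNT.search(text), "dollar amount"),
                       (domains, "contains link")):
        if hit:
            score += 1
            reasons.append(label)
    for brand, allowed in BRAND_DOMAINS.items():
        if domains and re.search(rf"\b{re.escape(brand)}\b", text, re.I):
            if not any(d == a or d.endswith("." + a) for d in domains for a in allowed):
                score += 3  # impersonation is the strongest single signal
                reasons.append(f"'{brand}' named but link is off-brand: {sorted(domains)}")
            break  # the first brand named decides
    verdict = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "benign"
    return score, verdict, reasons

SAMPLE_REPORTS = [  # constructed texts modelled on the pattern the post describes
    "Your toll balance of $12.51 is overdue. Failure to pay will result in a "
    "$50 late fee. Pay now: http://pay-tolls-now.example/bill",
    "USPS: your package is on hold. Confirm your address within 24 hours: "
    "usps-redelivery.example/confirm",
    "USPS: your package will arrive today. Track it at https://usps.com/track",
    "Still on for dinner at 7?",
]
```

Run it over whatever lands in the reporting channel; anything scored "likely smishing" is a candidate for the 7726 forward and the IC3 report, while "suspicious" texts get a human look before anyone taps a link.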
The Toll Road Scam: A Case Study in Scale
The FBI warning on smishing texts in late 2025 focused heavily on fake toll road notifications. This campaign was traced back to a Chinese-language smishing kit called "Lighthouse" (also known in some reporting as part of the broader "Smishing Triad" operation). The kit was designed to impersonate toll authorities in multiple states simultaneously.
Victims received texts claiming they owed small toll amounts — typically between $3 and $15. The low dollar amount was deliberate. People are more likely to quickly pay a small charge than to investigate it. Once victims entered their payment card information on the fake portal, the attackers used the data for larger fraudulent transactions or sold the card details in bulk.
The FBI reported that thousands of Americans fell victim. Several state transportation agencies — including those in Texas, Florida, and Pennsylvania — issued their own warnings. The campaign demonstrated that smishing is no longer a niche threat. It's industrialized social engineering operating at national scale.
What's Coming Next: Smishing Trends for 2026
Here's what I'm watching this year:
- RCS-based phishing: As Rich Communication Services replace traditional SMS on Android, attackers will exploit the richer formatting and read receipts to build more convincing scams.
- Deepfake voicemail + smishing combos: Expect paired attacks — a smishing text followed by an AI-generated voicemail that reinforces the urgency. Multi-channel social engineering is the next frontier.
- Targeting corporate mobile devices: With BYOD policies widespread, threat actors are specifically targeting corporate users through personal phone numbers to bypass enterprise email security.
- Credential theft for ransomware staging: Smishing is increasingly used as the initial access vector for ransomware attacks. A stolen VPN credential from a smishing link can give attackers the foothold they need to deploy ransomware across an entire network.
Your Phone Is the New Perimeter
The FBI warning on smishing texts was significant not because it was new information to security professionals — but because it signaled that the threat has reached a scale that demands public awareness. Your organization's attack surface now includes every personal and corporate mobile device your employees carry.
Training is the most cost-effective defense. Technical controls like MFA and zero trust are essential, but the human layer is where smishing succeeds or fails. Invest in ongoing cybersecurity awareness training that evolves with the threat landscape. Run realistic phishing simulations that include SMS scenarios. Build a culture where reporting a suspicious text is second nature, not an afterthought.
Every smishing text your employee ignores or reports is a data breach that didn't happen. That's the math that matters.