76,000 Victims and Counting — The FBI's Smishing Alert Is Serious
In early 2024, the FBI and FTC issued urgent warnings about a massive smishing campaign impersonating toll collection agencies and delivery services across all 50 states. By late 2025, the IC3 had cataloged tens of thousands of complaints tied to fraudulent SMS messages — and the wave hasn't slowed heading into 2026. The FBI warning on smishing texts isn't theoretical. It's backed by real losses, real victims, and a threat actor infrastructure that's scaling fast.
If you've received a text about an unpaid toll, a package delivery failure, or a suspicious bank alert you didn't expect — congratulations, you've been targeted. This post breaks down exactly what the FBI is flagging, how these smishing attacks work under the hood, and the specific steps you and your organization need to take right now.
What Exactly Is Smishing — And Why the FBI Cares
Smishing Defined in 30 Seconds
Smishing is phishing delivered via SMS or iMessage instead of email. A threat actor sends a text message designed to trick you into clicking a malicious link, surrendering credentials, or installing malware. That's it. Simple concept, devastating execution.
The FBI cares because smishing bypasses most of the security controls organizations have spent years building around email. Your spam filter doesn't touch it. Your email gateway never sees it. Your employees' personal phones sit completely outside your corporate security perimeter.
The Toll Road Scam That Went Nationwide
The specific campaign the FBI flagged involved texts claiming recipients owed small toll amounts — usually under $10. The messages included links to convincing fake payment portals that harvested credit card numbers, personal information, and login credentials. The FBI's Internet Crime Complaint Center (IC3) reported receiving over 2,000 complaints from just three states in the initial wave, with the campaign quickly spreading to all 50 states.
The brilliance of this social engineering attack is its simplicity. A $6.99 toll feels too small to question and too annoying to ignore. Victims entered payment details without a second thought. By the time they realized the charge was fraudulent, their card data was already being sold on dark web marketplaces or used for larger purchases.
Inside the FBI Warning on Smishing Texts: Key Details
The FBI's public service announcement was unusually specific. Here's what they highlighted:
- Over 10,000 domains registered specifically for this smishing campaign, rotating constantly to evade blocklists
- Threat actors used a commercial phishing kit widely available on underground forums, making the attack trivially reproducible
- Messages impersonated legitimate services including USPS, state toll agencies, and major banks
- The campaign targeted both Android and iOS users — no platform was safe
The FBI recommended that anyone who received these texts delete them immediately, avoid clicking any links, and report the messages to the IC3 at ic3.gov. If you already clicked and entered information, the FBI advised contacting your bank, monitoring your credit reports, and changing compromised passwords immediately.
Why Smishing Is Exploding in 2026
Your Phone Is Your Weakest Link
I've spent years training organizations on email phishing, and here's the uncomfortable truth: most of that training doesn't translate to mobile. People process text messages differently. They read them faster, trust them more, and act on them with less scrutiny.
According to the 2024 Verizon Data Breach Investigations Report, the median time for a user to click a phishing link is under 60 seconds. On mobile, I'd argue it's even faster. There's no hovering over links to inspect URLs. There's no visible sender domain to evaluate. Just a short message and a shortened link.
AI-Generated Messages Are Getting Better
Threat actors in 2026 are using generative AI to craft smishing messages that are grammatically perfect, contextually relevant, and localized. Gone are the days of obvious typos being your red flag. These messages read exactly like legitimate notifications from services you actually use.
The Zero Trust Gap on Personal Devices
Most organizations have made progress implementing zero trust architectures on corporate networks. But personal mobile devices — the ones receiving these smishing texts — often fall outside that framework entirely. Your employees use the same phone to check corporate email and click on fraudulent toll texts. That's a data breach waiting to happen.
How Smishing Leads to Ransomware and Data Breaches
Smishing isn't just about stealing a credit card number. Sophisticated threat actors use smishing as the initial entry point for much larger attacks. Here's the kill chain I've seen repeatedly:
- Step 1: Employee receives smishing text impersonating IT helpdesk or corporate SSO portal
- Step 2: Employee enters corporate credentials on fake login page
- Step 3: Attacker uses harvested credentials to access corporate VPN or cloud services
- Step 4: Attacker escalates privileges, deploys ransomware, or exfiltrates data
The MGM Resorts breach in 2023 started with social engineering — a phone call, not an email. Smishing operates on the same principle: exploit human trust on a channel where defenses are weakest. Credential theft via smishing feeds directly into the broader ransomware ecosystem.
What the FBI Actually Recommends You Do
The FBI's guidance is straightforward, but most people and organizations only follow half of it. Here's the full list:
- Delete suspicious texts immediately. Don't reply, don't click, don't forward.
- Never enter personal information through a link received via text message. Navigate to the official website directly.
- Enable multi-factor authentication on every account that supports it. Even if credentials are stolen, MFA stops the attacker from logging in.
- Report smishing attempts to the FBI's IC3 at ic3.gov and forward suspicious texts to 7726 (SPAM).
- Keep your phone's operating system updated. Patches close vulnerabilities that malicious links exploit.
I'd add one more that the FBI doesn't emphasize enough: train your people. Technical controls matter, but the human is the target. If your employees can't recognize a smishing text, no firewall in the world will save you.
The $4.88M Lesson: Why Security Awareness Training Matters
IBM's 2024 Cost of a Data Breach Report pegged the global average cost at $4.88 million per incident. Phishing and social engineering remain the top initial attack vectors year after year. Yet most organizations still treat security awareness as an annual checkbox exercise — a 30-minute video in January and nothing else until next year.
That approach doesn't work against smishing because the threat evolves weekly. Your training needs to be continuous, practical, and specific to the attacks your employees actually face. That means covering SMS-based phishing explicitly, not just email.
If you're looking to build a real security culture, start with a solid foundation of cybersecurity awareness training that covers today's threat landscape. Then layer in hands-on phishing awareness training with realistic simulations that include smishing scenarios your employees will encounter in the real world.
Practical Smishing Defense Checklist for Organizations
Here's what I recommend to every CISO and IT leader I work with:
- Add smishing to your phishing simulation program. If you're only simulating email attacks, you're training for yesterday's threat.
- Implement mobile device management (MDM) to enforce security policies on devices that access corporate resources.
- Deploy DNS-level filtering that blocks known malicious domains — including the thousands rotating through smishing campaigns.
- Create a simple reporting mechanism. If employees can't report a suspicious text in under 10 seconds, they won't bother.
- Brief leadership quarterly on smishing trends. The CISA threat advisories page is a reliable source for current campaigns.
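To make the reporting mechanism and the DNS-filtering item above concrete, here is an added example (not from the original post, and not an FBI or CISA tool) of a small Python triage scorer that ranks employee-reported texts against the indicators this post describes: toll, delivery, bank or helpdesk impersonation, a small dollar amount, a shortened or non-allowlisted link domain, and urgency wording. The allowlist, shortener set and sample messages are constructed for the example and would be maintained by your own team in practice.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains this organization treats as legitimate senders
# (constructed for the example; a real deployment maintains its own list).
TRUSTED_DOMAINS = {"usps.com", "example-toll.gov", "example-bank.com"}
# Common public shorteners, treated as a risk indicator because they hide the real host.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_WORDS = ("toll", "usps", "delivery", "bank", "helpdesk", "sso")
URGENCY_WORDS = ("immediately", "within 24 hours", "final notice", "suspended")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$(\d+(?:\.\d{2})?)")


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL host, e.g. pay-toll.evil.xyz -> evil.xyz."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_sms(text: str):
    """Count smishing indicators in one message and return (score, reasons)."""
    low = text.lower()
    reasons = []
    if any(word in low for word in BRAND_WORDS):
        reasons.append("impersonates toll/delivery/bank/IT service")
    if any(float(m.group(1)) < 10 for m in AMOUNT_RE.finditer(text)):
        reasons.append("small amount under $10 (low-friction payment lure)")
    for url in URL_RE.findall(text):
        domain = registrable_domain(url)
        if domain in SHORTENERS:
            reasons.append(f"shortened link via {domain}")
        elif domain not in TRUSTED_DOMAINS:
            reasons.append(f"link domain {domain} not on allowlist")
    if any(word in low for word in URGENCY_WORDS):
        reasons.append("urgency cue")
    return len(reasons), reasons


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is the assumed escalation threshold."""
    return score_sms(text)[0] >= threshold


if __name__ == "__main__":
    samples = [  # constructed messages, not real campaign text
        "Toll Services: unpaid toll of $6.99. Pay at https://pay-toll.example-portal.xyz/ immediately",
        "USPS: your package arrives today. Track at https://usps.com/track",
    ]
    for msg in samples:
        print(is_suspicious(msg), score_sms(msg))
```

A legitimate tracking text mentions a brand but links to an allowlisted domain, so it stays below the threshold, while the fake toll text trips several independent indicators at once.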
This Isn't Slowing Down
The FBI warning on smishing texts reflected a threat that was already massive and growing. The phishing kits behind these campaigns are cheap, effective, and constantly updated. Threat actors are registering new domains faster than they can be taken down. AI is making the messages more convincing every month.
Your email security stack won't catch these. Your employees' gut instincts, trained through repetition and realistic scenarios, are your actual defense. Invest in that defense now — before a $6.99 fake toll charge becomes a multi-million dollar data breach on your watch.