10,000 Fake Domains and Counting
In early 2024, the FBI issued a stark warning on smishing texts targeting Americans in every state. The attack campaign involved over 10,000 newly registered domains impersonating toll collection agencies, delivery services, and government agencies. Victims received text messages claiming they owed unpaid tolls or had missed packages — and the links led straight to credential theft pages designed to harvest personal and financial data.
This wasn't a theoretical threat. The FBI's Internet Crime Complaint Center (IC3) received thousands of complaints about these smishing campaigns, and the bureau urged Americans to delete the messages immediately and report them. If you or your organization ignored this warning, you may already be compromised.
I've spent years tracking how threat actors evolve their phishing tactics, and smishing — SMS phishing — represents one of the fastest-growing attack vectors I've seen. This post breaks down exactly what the FBI warned about, why smishing is so effective, and the specific steps you need to take to protect yourself and your organization right now.
What the FBI Warning on Smishing Texts Actually Said
In April 2024, the FBI and the Federal Trade Commission both issued public alerts about a massive smishing campaign impersonating state toll agencies. The messages typically read something like: "You have an outstanding toll balance of $12.51. Failure to pay by [date] will result in late fees. Pay here: [malicious link]."
The FBI specifically warned that these texts were being sent to people regardless of whether they even owned a vehicle or used toll roads. That's a hallmark of bulk smishing — threat actors blast millions of numbers and rely on sheer volume to catch victims.
According to the FBI IC3, the malicious domains were designed to look identical to legitimate toll agency websites. Once a victim clicked the link and entered their payment card information or personal details, attackers had everything they needed for financial fraud and identity theft.
Why This Campaign Was Different
Smishing isn't new. But the scale and sophistication of this campaign stood out. Researchers traced the infrastructure to a Chinese-language smishing kit that was being sold and shared among cybercriminal groups. The kit made it trivially easy to spin up convincing fake domains, generate location-specific messages, and harvest data at industrial scale.
The FBI warning on smishing texts also highlighted that attackers were registering new domains faster than they could be taken down. By the time one domain was flagged and blocked, five more had replaced it. This cat-and-mouse dynamic is why technical controls alone won't save you.
Smishing by the Numbers: The Threat Is Exploding
The 2024 Verizon Data Breach Investigations Report found that the human element was involved in 68% of breaches. Phishing and pretexting — which include smishing — remain dominant initial access vectors. And mobile-based attacks are growing faster than email-based ones for a simple reason: people trust their phones more than their inboxes.
The FTC reported that consumers lost over $10 billion to fraud in 2023, with text message scams being one of the top contact methods. That number is only climbing. The FTC's consumer protection data shows that impersonation scams — exactly the kind the FBI warned about — were the single largest fraud category.
Here's what makes smishing so dangerous compared to email phishing:
- Higher open rates. People read 98% of text messages, usually within minutes. Email open rates hover around 20%.
- Smaller screens. On a phone, it's harder to inspect URLs, verify sender identities, or notice red flags.
- Implied urgency. Text messages feel personal and immediate. A toll notice or delivery alert triggers action before analysis.
- Fewer filters. Email spam filters are mature. SMS filtering is still catching up, and many smishing messages reach their targets unblocked.
How Smishing Attacks Actually Work
Step 1: Mass Distribution
Threat actors obtain phone numbers from data breaches, public records, or number-generation algorithms. They use bulk SMS services, often routed through compromised accounts or overseas gateways, to send millions of messages simultaneously. The cost per message is negligible.
Step 2: Social Engineering the Click
The message exploits a known psychological trigger — fear of a fine, excitement about a package, urgency about a bank alert. The social engineering is deliberately simple. A short message with a short deadline and a short link.
Step 3: Credential Harvesting
The link leads to a phishing page that mirrors a legitimate website. Victims enter their name, address, credit card number, Social Security number, or login credentials. Some advanced kits even capture multi-factor authentication codes in real time using adversary-in-the-middle techniques.
Step 4: Monetization
Stolen data gets used immediately or sold on dark web marketplaces. Credit cards are charged. Identities are used to open new accounts. In organizational contexts, stolen credentials become the entry point for ransomware deployment or deeper network compromise.
What Is Smishing and How Does It Differ from Phishing?
Smishing is phishing delivered via SMS or text message instead of email. The goal is identical: trick the recipient into clicking a malicious link, revealing sensitive information, or downloading malware. The difference is the delivery channel — and that channel matters because people interact with text messages differently than they interact with email.
While email phishing often involves attachments, longer pretexts, and corporate impersonation, smishing relies on brevity and urgency. A smishing message is typically one or two sentences. That simplicity is a feature, not a limitation — it leaves less room for grammatical errors or obvious red flags that might tip off a cautious reader.
What You Should Do Right Now
If You Received a Suspicious Text
- Do not click any links. Period. If you think the message might be legitimate, go directly to the organization's official website by typing the URL into your browser.
- Do not reply. Even replying "STOP" confirms your number is active and monitored.
- Report it. Forward the message to 7726 (SPAM), which routes it to your carrier. File a complaint with the FBI IC3 if the message impersonates a government entity.
- Delete the message. Don't leave it sitting in your inbox where you might accidentally tap the link later.
If You Already Clicked
- Change your passwords immediately — especially if you entered login credentials on the phishing site.
- Enable multi-factor authentication on every account that supports it. Use an authenticator app, not SMS-based codes.
- Monitor your financial accounts for unauthorized charges. Place a fraud alert or credit freeze with the major credit bureaus.
- Run a security scan on your device. Some smishing links install malware or spyware.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing — including smishing — was among the most common initial attack vectors. And the breaches that started with stolen credentials took the longest to identify and contain.
If you're running an organization of any size, the FBI warning on smishing texts isn't just a consumer issue. Your employees carry their phones everywhere. They use personal devices for work. They receive smishing messages on the same phones that have access to corporate email, Slack, VPNs, and cloud platforms.
One tap on one malicious link by one employee can give a threat actor a foothold in your network. From there, it's lateral movement, privilege escalation, and — increasingly — ransomware.
Training Is Your First and Best Defense
Technical controls matter. Mobile device management, zero trust architecture, DNS filtering — all essential. But none of them work if your people don't recognize the threat in the first place.
I've seen organizations invest millions in security tools while spending nothing on training. That's like buying the best lock on the market and leaving the key under the doormat. Your employees need to know what smishing looks like, why it works, and what to do when they receive a suspicious message.
Start with structured cybersecurity awareness training that covers smishing, email phishing, voice phishing, and social engineering tactics. Make it ongoing, not annual. The threat landscape changes monthly — your training cadence should reflect that.
Then layer in practical testing. Phishing awareness training for organizations that includes phishing simulations gives your team real-world practice identifying and reporting suspicious messages before a real attack hits. Simulations build muscle memory. They turn security awareness from a concept into a reflex.
Why Zero Trust Matters for Mobile Threats
The zero trust security model assumes that no device, user, or connection should be automatically trusted — even inside the network perimeter. This is especially relevant for smishing because the attack originates on a device your organization may not fully control.
Implementing zero trust means:
- Verifying identity continuously, not just at login. Session-based authentication with short token lifetimes limits the damage from stolen credentials.
- Segmenting access. Even if an attacker compromises one account, they shouldn't be able to reach sensitive systems without additional verification.
- Monitoring behavior. Anomalous login locations, unusual data access patterns, and impossible travel alerts can catch compromised accounts before the damage spreads.
NIST's Zero Trust Architecture publication (SP 800-207) provides a comprehensive framework for organizations looking to implement these principles.
Five Signs a Text Message Is a Smishing Attempt
Share this list with your team, your family, and anyone who uses a phone — which is everyone.
- Unsolicited urgency. "Pay now or face penalties." "Your account will be suspended in 24 hours." Legitimate organizations rarely threaten you via text with immediate deadlines.
- Unfamiliar or suspicious links. Look for misspelled domains, unusual top-level domains (.xyz, .top, .buzz), or shortened URLs that obscure the real destination.
- Requests for personal information. No legitimate company will ask you to text back your Social Security number, credit card details, or passwords.
- Generic greetings. "Dear Customer" instead of your actual name. Bulk smishing doesn't personalize — it sprays and prays.
- Too-good-to-be-true offers. You didn't win a gift card. You didn't get selected for a special refund. If it sounds like bait, it is bait.
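For teams that triage reported texts, the five signs can be turned into a simple scoring check. This is an added example, not part of the original post; the keyword patterns, the shortener list, and the `statetoll.example` official domain are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed lists for illustration; tune them to your own environment.
RISKY_TLDS = {"xyz", "top", "buzz"}                  # TLDs named in the list above
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
OFFICIAL = {"statetoll": "statetoll.example"}        # hypothetical brand -> real domain
URGENCY = re.compile(r"\b(pay now|failure to pay|late fees?|suspended|final notice)\b", re.I)
PII = re.compile(r"\b(social security|ssn|card (?:number|details)|passwords?)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|client|member)\b", re.I)
BAIT = re.compile(r"\b(you(?:'ve| have) won|gift card|special refund|selected for)\b", re.I)
URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_flags(text):
    """Return one reason per suspicious property of each link in the text."""
    flags = []
    for raw in URL.findall(text):
        host = urlparse(raw if "//" in raw else "//" + raw).hostname or ""
        if host in SHORTENERS:
            flags.append(f"shortened URL ({host})")
        if host.rsplit(".", 1)[-1] in RISKY_TLDS:
            flags.append(f"unusual TLD ({host})")
        for brand, official in OFFICIAL.items():
            # Brand name appears, but the host is neither the official domain nor under it.
            if brand in host and host != official and not host.endswith("." + official):
                flags.append(f"lookalike of {official} ({host})")
    return flags

def triage(text):
    """Score one reported SMS against the five signs; return (score, reasons)."""
    reasons = ["unsolicited urgency"] if URGENCY.search(text) else []
    reasons += link_flags(text)
    if PII.search(text):
        reasons.append("request for personal information")
    if GENERIC.search(text):
        reasons.append("generic greeting")
    if BAIT.search(text):
        reasons.append("too-good-to-be-true offer")
    return len(reasons), reasons

# Constructed sample messages (not real campaign data).
SAMPLES = [
    "You have an outstanding toll balance of $12.51. Failure to pay by 05/01 "
    "will result in late fees. Pay here: https://statetoll-pay.xyz/bill",
    "Dear Customer, you have won a gift card! Claim: bit.ly/3xAmPle",
    "Your statement is ready: https://pay.statetoll.example/account",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg))
```

A score of zero does not make a message safe. Keyword rules like these help sort a reporting queue; they do not replace verifying through official channels.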
The FBI Warning Is a Wake-Up Call, Not a Headline
Every time the FBI issues a public warning about a specific attack technique, it means the problem has already reached a critical threshold. By the time a government agency tells the public to watch out, the threat actors have been operating for months — sometimes years.
The FBI warning on smishing texts isn't something to read and forget. It's a signal that this attack vector has matured to the point where it's affecting millions of people and costing billions of dollars. The infrastructure behind these campaigns is getting cheaper, more accessible, and more automated.
Your best defense is a combination of skepticism, technical controls, and ongoing training. Don't trust unexpected texts. Verify everything through official channels. Make sure your organization's security awareness program covers mobile threats — not just email.
And if you haven't started training your team yet, start today. The threat actors already have a head start.