10,000 Malicious Domains and Counting

In early 2025, the FBI issued a stark public warning about a massive smishing campaign — fraudulent SMS text messages — targeting Americans across all 50 states. The FBI warning on smishing texts wasn't routine. It described a coordinated operation leveraging more than 10,000 malicious domains designed to steal personal information, financial credentials, and toll payment data. The campaign impersonated state toll agencies, delivery services, and government bodies, tricking recipients into tapping links and handing over sensitive data.

If you think this doesn't affect your organization, you're wrong. I've watched smishing evolve from a nuisance into a primary attack vector — one that bypasses email filters entirely and lands directly in your employees' pockets. This post breaks down what the FBI actually warned about, why smishing is surging, and the specific steps you need to take right now.

What the FBI Warning on Smishing Texts Actually Said

The FBI, working alongside the Federal Trade Commission and state agencies, alerted the public that threat actors were registering thousands of domains mimicking legitimate organizations. The texts typically claimed the recipient owed a small toll fee or had a package delivery issue. The goal was simple: get you to click a link and enter payment card details or personal information on a convincing fake website.

The Internet Crime Complaint Center (IC3) — the FBI's central hub for cybercrime reporting — has tracked a sharp increase in SMS-based fraud. According to the FBI's IC3 2023 Annual Report, phishing and its variants (including smishing and vishing) were the number one reported cybercrime type, with over 298,000 complaints filed that year alone. The 2024 and ongoing 2025–2026 trends suggest those numbers have only grown.

What made this particular campaign alarming was its scale and sophistication. The fake domains used HTTPS certificates, mimicked real agency branding pixel-for-pixel, and rotated rapidly to avoid takedowns. This wasn't a teenager in a basement. This was organized cybercrime infrastructure.

Why Smishing Is Exploding in 2026

Your Phone Trusts Text Messages More Than You Should

Email security has improved dramatically. Spam filters, DMARC policies, and sandboxing catch a significant percentage of phishing emails before they reach inboxes. But SMS? There's no equivalent filtering layer for most mobile users. Messages arrive directly, with no spam score, no banner warning, and no IT team reviewing them first.

I've seen organizations invest six figures in email security while completely ignoring the SMS channel. Threat actors noticed that gap years ago.

Smishing Kits Are Cheap and Scalable

Underground markets sell smishing kits — prebuilt packages with fake landing pages, domain registration tools, and bulk SMS delivery — for a few hundred dollars. The barrier to entry is almost nonexistent. A single operator can target millions of phone numbers in a weekend.

The Verizon 2024 Data Breach Investigations Report (DBIR) found that the human element was involved in 68% of breaches. Smishing exploits exactly that — the instinct to respond quickly to a short, urgent text message.

The Toll Scam Was Just the Beginning

The FBI warning on smishing texts focused heavily on toll payment fraud, but the same infrastructure is being repurposed constantly. I've tracked campaigns impersonating the IRS, major banks, healthcare providers, and even corporate HR departments sending fake benefits enrollment links. If a threat actor can make you believe a text is legitimate for just five seconds, they win.

Let's walk through the attack chain, because understanding it makes you harder to fool.

Step 1: The Hook. You receive a text that appears to come from a known entity. It creates urgency — an unpaid toll, a suspended account, a missed delivery. The message is short, just like a real notification.

Step 2: The Landing Page. You tap the link and land on a page that looks identical to the real organization's website. The URL might be something like ezpass-payment-secure.com — close enough to seem real on a small phone screen.

Step 3: Credential Theft. You enter your name, address, credit card number, or login credentials. Some advanced campaigns also capture multi-factor authentication codes in real time using adversary-in-the-middle (AiTM) techniques.

Step 4: Monetization. Your stolen data is either used immediately for fraudulent purchases, sold on dark web markets, or leveraged for further social engineering attacks against you or your employer.

The entire process takes under 60 seconds. That's why training matters more than any technical control for this specific threat.

How Smishing Leads to Corporate Data Breaches

Here's where it gets dangerous for organizations. An employee receives a smishing text on their personal phone. They tap the link and enter credentials — maybe the same password they use for your corporate VPN or SaaS applications. Now the threat actor has a foothold.

Credential reuse is rampant. Despite years of awareness campaigns, people still use the same password across multiple accounts. One successful smishing attack on a personal device can become a full-blown corporate data breach within hours.

The 2022 Uber breach is a textbook example. A threat actor used social engineering via SMS to convince an Uber contractor to approve a multi-factor authentication push notification. That single action gave the attacker access to internal systems, including the company's vulnerability reports. The attack didn't start with a sophisticated zero-day exploit. It started with a text message.

What Is Smishing and How Does It Differ From Phishing?

Smishing is phishing delivered via SMS or text message instead of email. The term combines "SMS" and "phishing." While the delivery channel differs, the goal is identical: trick the recipient into revealing sensitive information, clicking a malicious link, or installing malware.

Key differences from email phishing include:

  • No spam filter: Most SMS messages bypass any security screening.
  • Higher open rates: Text messages have a 98% open rate compared to roughly 20% for email.
  • Smaller screen: Mobile devices make it harder to inspect URLs or sender details.
  • Perceived trust: People inherently trust text messages more than email.

These factors make smishing particularly effective as a social engineering technique, which is exactly why threat actors have shifted resources toward it.

7 Concrete Steps to Protect Yourself and Your Organization

If you receive a text about a toll, package, or account issue, go directly to the organization's official website by typing the URL into your browser. Don't use the link in the message. Ever.

2. Report Smishing Texts to the FBI

Forward suspicious texts to 7726 (SPAM) and report them to the FBI's Internet Crime Complaint Center. Every report helps law enforcement track and disrupt campaigns.

3. Enable Multi-Factor Authentication Everywhere

MFA won't stop every smishing attack — especially AiTM techniques — but it dramatically raises the bar for attackers. Use app-based authenticators or hardware security keys instead of SMS-based MFA when possible. If the attacker steals your password but can't bypass MFA, your account stays protected.

4. Adopt a Zero Trust Mindset

Zero trust isn't just a network architecture philosophy. It's a personal security mindset. Don't trust any message — email, text, or voice call — just because it appears to come from a known source. Verify independently before acting.

5. Train Your Employees With Realistic Scenarios

Generic security awareness slides don't change behavior. Your employees need exposure to realistic smishing and phishing simulation exercises that mimic actual attacks. Our phishing awareness training for organizations includes SMS-based scenarios modeled after the exact campaigns the FBI warned about.

6. Implement Mobile Device Management (MDM)

If employees access corporate resources from personal devices, your organization needs MDM policies. At minimum, enforce screen locks, remote wipe capability, and separation between personal and work data.

7. Build a Reporting Culture

Employees who receive suspicious texts should feel safe reporting them without fear of punishment — even if they already tapped the link. Speed of detection matters more than blame. The faster your security team knows about a compromised credential, the faster they can contain the damage.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Social engineering attacks — including smishing — were among the most common initial attack vectors. The report also found that organizations with comprehensive security awareness training programs experienced significantly lower breach costs and faster containment times.

You can spend that money reacting to a breach, or you can invest a fraction of it in prevention. I've built incident response plans for organizations that wished they'd prioritized training six months earlier. Don't be one of them.

If you're looking for a starting point, our cybersecurity awareness training program covers smishing, phishing, ransomware, credential theft, and the social engineering techniques threat actors actually use today. It's built for real people, not security professionals.

What CISA Recommends Right Now

The Cybersecurity and Infrastructure Security Agency (CISA) has echoed the FBI's warnings and published specific guidance on mobile phishing threats. Their Secure Our World initiative emphasizes four core actions: enabling MFA, using strong unique passwords, recognizing and reporting phishing, and keeping software updated.

CISA's guidance aligns with what I've been telling organizations for years: technical controls alone can't stop smishing. You need informed, skeptical humans as your first line of defense.

The Threat Isn't Slowing Down

The FBI warning on smishing texts wasn't a one-time alert. It was a signal that SMS-based attacks have reached a scale that demands immediate action. The domains get registered faster than they get taken down. The campaigns get more convincing with every iteration. And your employees' phone numbers are already in multiple data broker databases, ready for targeting.

I've spent years watching organizations treat mobile security as an afterthought. In 2026, that's a risk you cannot afford. Start with awareness. Train your people with realistic phishing simulations. Implement zero trust principles. And the next time a text message asks you to pay a $4.35 toll fee through a link you didn't expect — delete it.

Your security posture is only as strong as the least-trained person on your team. Make sure that person knows what a smishing text looks like before a threat actor teaches them the hard way.