In early 2022, the FBI issued a stark warning: cybercriminals were registering over 10,000 malicious domains specifically designed to support SMS phishing — or "smishing" — campaigns targeting American consumers. These weren't sloppy, typo-filled messages from a decade ago. They were polished, urgent, and devastatingly effective. The FBI warning on smishing texts wasn't just a routine advisory. It signaled that threat actors had fundamentally shifted their primary attack channel from email to the device sitting in your pocket right now.

I've spent years watching phishing evolve, and 2022 has been the year smishing went from nuisance to national security concern. If you're responsible for your organization's security — or even just your own — this is the guide that breaks down what the FBI is actually telling us, what these attacks look like in the wild, and exactly what to do about them.

What the FBI Warning on Smishing Texts Actually Says

In March 2022, the FBI's Internet Crime Complaint Center (IC3) warned that criminals were sending SMS messages impersonating toll collection services, delivery companies, and financial institutions. The messages directed victims to fake websites that harvested personal information, login credentials, and financial data. The FBI specifically noted that the domains involved were designed to mimic legitimate organizations with alarming accuracy.

This wasn't a theoretical threat. The IC3 received over 800,000 complaints in 2021 with losses exceeding $6.9 billion — and phishing, including smishing and vishing, was the number one reported crime type by volume. You can review the full 2021 FBI IC3 Internet Crime Report for the breakdown.

What made this warning different from past advisories was the scale. Researchers identified over 10,000 domains registered for a single smishing campaign targeting toll road users across multiple states. That level of infrastructure investment tells you everything about how profitable these attacks have become for threat actors.

Why Smishing Is Exploding in 2022

We Trust Our Phones More Than Our Inboxes

Here's what I've seen in every organization I've worked with: people who would never click a suspicious email link will tap an SMS link without hesitation. SMS messages have a 98% open rate compared to roughly 20% for email. Threat actors know this. They've followed the attention.

Most corporate email goes through spam filters, DMARC checks, and URL sandboxing. Your text messages? Almost none of that. Carrier-level filtering is improving, but it's nowhere close to enterprise email security. The gap between SMS and email security is where smishing thrives.

The Pandemic Accelerated Everything

COVID-19 created a perfect environment for smishing. Package delivery notifications became constant. Government agencies communicated via text about stimulus payments, vaccination appointments, and health alerts. People were conditioned to expect — and act on — important text messages from unfamiliar numbers. Threat actors exploited that conditioning ruthlessly.

Credential Theft Fuels the Entire Ecosystem

Most smishing attacks aren't trying to install malware directly. They're after credentials. A fake bank login page, a spoofed Microsoft 365 portal, a counterfeit delivery tracking site — they all serve the same purpose: harvest usernames and passwords. Those stolen credentials then get sold on dark web marketplaces or used immediately for account takeover, business email compromise, and ransomware deployment.

According to the 2022 Verizon Data Breach Investigations Report, stolen credentials were involved in nearly 50% of all breaches analyzed. Smishing is now one of the fastest-growing pipelines feeding that credential theft economy.

What These Smishing Attacks Look Like Right Now

Forget the obvious scam texts with broken English and Nigerian prince promises. Modern smishing is sophisticated social engineering. Here are the most common formats I'm seeing in 2022:

  • Toll road payment notices: "Your toll balance is past due. Pay now to avoid a $50 late fee." Includes a link to a convincing replica of a state toll authority website.
  • Bank fraud alerts: "Unusual activity detected on your account. Verify your identity immediately." Links to a pixel-perfect clone of your bank's login page.
  • Delivery notifications: "Your USPS package cannot be delivered. Update your address here." Exploits the fact that most people are expecting a delivery at any given time.
  • IRS and government impersonation: "Your tax refund of $1,248.00 is pending. Confirm your information to receive payment."
  • Multi-factor authentication bypass: "Your verification code is 482951. If you didn't request this, click here to secure your account." This one is particularly dangerous because it preys on people who understand MFA — and weaponizes that understanding against them.

Each of these messages creates urgency. Each targets a moment when you're likely to act before thinking. That's the entire playbook of social engineering compressed into 160 characters.

How to Identify a Smishing Text in Under 10 Seconds

This is the question I get asked most, and the answer is simpler than people expect.

Does the text ask you to tap a link or call a number you didn't initiate? If yes, treat it as suspicious — full stop. Legitimate organizations rarely send unsolicited texts demanding immediate action via an embedded link. Your bank already has your information. The IRS doesn't text you. USPS doesn't need you to click a link to deliver your package.

Here's a quick checklist:

  • Check the sender: Is it a 10-digit number or a short code you don't recognize? Many smishing texts come from spoofed or disposable numbers.
  • Inspect the URL without clicking: On most phones, you can press and hold a link to preview it. Look for misspellings, extra subdomains, or domains that don't match the supposed sender (e.g., "usps-delivery-update.com" instead of "usps.com").
  • Question the urgency: Real emergencies from your bank trigger account locks automatically. They don't send you a text and hope you click a link.
  • Verify independently: If a text claims to be from your bank, open your banking app directly or call the number on the back of your card. Never use contact information provided in the suspicious message.
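The checklist above (link present, lookalike or mismatched domain, extra subdomains, urgency language) can be turned into a small triage script that a helpdesk or SOC analyst runs over reported texts before anyone taps anything. The following Python is an added example written for this article, not code from the original post or from any vendor; the brand-to-domain allowlist, the urgency phrase list and the four sample messages are all constructed assumptions for illustration, and the registrable-domain logic deliberately ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for the example: brand keyword -> domains that brand
# legitimately uses. This is an assumption for illustration, not an
# authoritative list; a real deployment would maintain its own.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "irs": {"irs.gov"},
    "fedex": {"fedex.com"},
}

# Pressure phrases drawn from the message patterns discussed in the article.
URGENCY_TERMS = (
    "immediately", "past due", "verify", "confirm", "suspended",
    "unusual activity", "cannot be delivered", "late fee", "pending",
)

# Matches a bare or schemed URL; the lookbehind stops tokens such as "e.g."
# from matching mid-word.
URL_RE = re.compile(
    r"(?<![\w.])(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I
)


def hostname(url: str) -> str:
    """Hostname of a URL, adding a scheme so urlparse treats it as a URL."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'usps-delivery-update.com'.
    Simplification: multi-label public suffixes (co.uk) are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_sms(text: str) -> dict:
    """Score one SMS body and explain the score."""
    lowered = text.lower()
    findings = []
    score = 0

    urls = [m.group(0) for m in URL_RE.finditer(text)]
    if urls:
        score += 1
        findings.append("asks the recipient to follow a link")

    for url in urls:
        host = hostname(url)
        dom = registrable_domain(host)
        # Three or more dots means at least two labels sit in front of the
        # registrable domain: the "extra subdomains" pattern from the checklist.
        if host.count(".") >= 3:
            score += 1
            findings.append(f"long subdomain chain: {host}")
        # Brand named anywhere in the text (including inside the domain)
        # while the link goes somewhere that brand does not own.
        for brand, legit in BRAND_DOMAINS.items():
            if re.search(rf"\b{brand}\b", lowered) and dom not in legit:
                score += 3
                findings.append(f"mentions '{brand}' but links to {dom}")

    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        score += min(len(hits), 2)
        findings.append("urgency language: " + ", ".join(hits))

    if score >= 4:
        verdict = "suspicious"
    elif score >= 2:
        verdict = "caution"
    else:
        verdict = "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages invented for this example.
SAMPLES = [
    "USPS: Your package cannot be delivered. Update your address at "
    "http://usps-delivery-update.com/track",
    "Unusual activity detected on your account. Verify your identity "
    "immediately: https://secure.login.account-alerts.example.net/verify",
    "Reminder: your appointment is tomorrow at 9am. Details: "
    "https://portal.example-clinic.com/appt",
    "Your one-time code is 482951. It expires in 10 minutes.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = analyze_sms(msg)
        print(f"[{result['verdict']:>10}] score={result['score']} :: {msg[:60]}")
        for finding in result["findings"]:
            print("    -", finding)
```

The scoring is intentionally crude: a link alone only reaches "low", because plenty of legitimate appointment and shipping texts carry one, while a brand name paired with a domain that brand does not own is weighted heavily, since that single signal is the core of the "usps-delivery-update.com" pattern the checklist describes. The findings list is what an analyst should read, not the number.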

The $4.88M Lesson Most Organizations Learn Too Late

The average cost of a data breach in 2022 reached $4.35 million according to IBM's Cost of a Data Breach Report. But here's what that number hides: breaches that started with phishing or social engineering — including smishing — cost even more because they typically grant threat actors legitimate credentials, making detection slower and dwell time longer.

I've seen organizations with robust email security get blindsided by smishing because they never trained employees on mobile threats. Your security awareness program probably covers email phishing. Does it cover the text message your CFO received at 7 PM on a Friday asking them to "verify" a wire transfer?

If your organization hasn't addressed smishing specifically, the phishing awareness training for organizations at phishing.computersecurity.us covers SMS-based attacks alongside email phishing, vishing, and other social engineering tactics. It's built around real-world scenarios — including the exact smishing patterns the FBI flagged this year.

Five Steps to Protect Yourself and Your Organization

1. Report Smishing Texts Immediately

Forward suspicious texts to 7726 (SPAM) — this alerts your carrier. File a report with the FBI's IC3 at ic3.gov. Reporting matters because it helps federal investigators identify and dismantle the infrastructure behind these campaigns. The FBI warning on smishing texts specifically asked Americans to report these messages.

2. Enable Multi-Factor Authentication Everywhere

Even if a smishing attack captures your password, multi-factor authentication adds a critical second barrier. Use app-based authenticators (like Microsoft Authenticator or Google Authenticator) rather than SMS-based codes when possible — since SMS codes themselves can be intercepted through SIM swapping attacks.

3. Adopt a Zero Trust Mindset

Zero trust isn't just a network architecture concept. It's a personal security philosophy. Don't trust any unsolicited communication — text, email, phone call, or otherwise — until you've verified it through an independent channel. This single habit would eliminate the vast majority of smishing successes.

4. Train Your People on Mobile-Specific Threats

Phishing simulation programs that only test email miss half the picture. Your employees carry their phones everywhere and frequently use them for work, especially in BYOD environments. The cybersecurity awareness training at computersecurity.us includes modules on smishing, vishing, and mobile security that go beyond basic email phishing scenarios.

5. Keep Devices Updated

Mobile operating system updates frequently patch vulnerabilities that smishing campaigns exploit. Both Apple and Google pushed critical security updates throughout 2022 that addressed SMS handling vulnerabilities. Delayed updates are open doors.

What CISA Recommends for Mobile Users

The Cybersecurity and Infrastructure Security Agency (CISA) echoes the FBI's guidance and adds several practical steps. Their guidance on avoiding social engineering and phishing attacks recommends that individuals and organizations treat unexpected text messages with the same suspicion they'd give an unexpected email attachment.

CISA specifically advises against responding to suspicious texts — even with "STOP" — because a response confirms to the threat actor that your number is active and monitored. Delete the message after reporting it. Don't engage.

The Bigger Picture: Smishing Is Just One Front

The FBI warning on smishing texts is a snapshot of a broader trend. Threat actors are diversifying their attack channels because defenders have gotten better at blocking email-based phishing. Smishing, vishing (voice phishing), QR code phishing ("quishing"), and even phishing through collaboration platforms like Slack and Teams are all growing rapidly.

In my experience, the organizations that survive this landscape are the ones that build security awareness as a continuous culture — not a once-a-year compliance checkbox. They run regular phishing simulations across multiple channels. They make reporting easy and blame-proof. They treat every employee as a sensor, not a liability.

The FBI gave us the warning. The data backs it up. The attacks are already hitting your employees' phones. The only question left is whether you've prepared them for it — or whether you're waiting for the breach notification to force the conversation.