The Federal Bureau of Investigation (FBI) has sounded the alarm on a sharp rise in smishing scams, warning that millions of Americans are being targeted through deceptive text messages. These fraudulent messages, designed to trick recipients into disclosing personal and financial details, are leading to widespread financial losses and identity theft.
📌 What is Smishing and How Does It Differ from Phishing?
Smishing is a blend of “SMS” (text messaging) and “phishing” (fraudulent communication)—a scam technique that specifically exploits text messages to deceive users.
While phishing is a broader term that includes fraudulent emails, fake websites, and phone-based scams (vishing), smishing relies on the immediacy and trust people place in text messages. As a result, victims are often more likely to engage with malicious texts than suspicious emails.
🔍 How Smishing Attacks Work
Cybersecurity analysts at Palo Alto Networks' Unit 42 have discovered that cybercriminals have created over 10,000 fake domains to target smartphone users across both Android and iOS platforms. These scams commonly take the form of:
- Fake Toll Payment Notices – Messages claiming unpaid toll fees, directing victims to fraudulent payment websites.
- Phony Delivery Alerts – Scammers impersonating shipping services like FedEx or DHL, urging users to click on malicious links.
- Bogus Bank Security Warnings – Fraudsters posing as banks, requesting users to verify their account information due to alleged suspicious activity.
- Lottery or Giveaway Scams – Messages promising cash prizes or rewards, requiring victims to submit personal details.
One notable tactic scammers are using to bypass security filters—such as Apple’s iMessage spam detection—is instructing users to manually copy and paste links instead of clicking them directly.
🌐 Common Malicious Domains Used in Smishing Scams
Many smishing scams originate from Chinese-registered domains (.xin), which are often disguised as legitimate services. Some examples include:
🚚 dhl.com-new[.]xin (Fake DHL)
📦 fedex.com-fedexl[.]xin (Fake FedEx)
🚗 e-zpassny.com-ticketd[.]xin (Fake E-ZPass)
🛣 sunpass.com-ticketap[.]xin (Fake SunPass)
The Federal Trade Commission (FTC) warns that legitimate U.S. services never use foreign domains to redirect customers.
📍 U.S. Cities Most Targeted by Smishing
According to a McAfee cybersecurity report, smishing attacks are especially rampant in the following cities:
- Dallas, TX
- Atlanta, GA
- Los Angeles, CA
- Chicago, IL
- Orlando, FL
Other heavily impacted areas include Miami, Houston, Denver, Phoenix, and Seattle, where authorities report a fourfold increase in smishing cases since early this year.
🚨 Real-World Victims: No One Is Safe
Even high-profile individuals have been targeted. Louisiana Attorney General Liz Murrill recently shared that she received a smishing attempt, emphasizing that anyone can fall victim. She strongly advises never to click on suspicious links or respond to unknown texts.
In Detroit, a local news investigation uncovered a case where victims were repeatedly asked to enter credit card details on fraudulent toll payment websites. Many were tricked into multiple payments after receiving fake “declined” messages—exposing their financial accounts to severe fraud.
🚨 Phishing Attack Simulation: No One Is Safe
This video will show a simulated Phishing attack on M365 tenent. It all starts with one deceptive email or text and quickly escalates into encryption. In this simulation, we will find mailbox encryption, SharePoint tampering, and OneDrive file manipulation and its recovery.
This simulation is a stark reminder of how easy it is to fall victim to phishing—and why robust security measures are non-negotiable.
🛡️ How to Protect Yourself from Smishing Scams
The FBI and FTC urge the public to follow these steps to safeguard against SMS-based cyber threats:
✅ Delete suspicious messages immediately—don’t engage with them.
🚫 Never click on links or respond to unsolicited texts requesting sensitive information.
🔎 Verify messages by contacting the company directly through official channels.
📲 Report scam texts by forwarding them to 7726 (SPAM).
📝 File a complaint via the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
🔐 Secure compromised accounts by changing passwords and monitoring financial activity closely.
📊 The Future of Mobile Cyber Attacks
Cybersecurity firm Zimperium warns that cybercriminals are shifting to a mobile-first attack strategy, exploiting the trust people place in SMS-based communications. Unlike phishing emails, which users often approach with skepticism, text messages create a false sense of urgency, making them more effective at deceiving victims.
By staying informed, cautious, and proactive, you can protect yourself from falling prey to smishing scams, ensuring the safety of your personal and financial information.
Omar S. Rao
Omar has over 25 years of expertise in the technology field, specifically in Cybersecurity and Data Resilence. He currently serves as a Senior Systems Engineer at Veeam, where he is tasked with delivering datacenter availability solutions to organizations to ensure the uninterrupted operation and quick recovery of their critical IT workloads and applications.
