CASE FILE // PC-2026-04
Status: Open
Filing: 02.05.00
Field: 27 APR 2026
Classification: Public

Smishing: the SMS-channel phishing economy in 2026

Average per-incident loss: $870K. APWG 2025 tracks ~40% year-on-year volume growth. USPS-style consumer lures dominate the volume picture; corporate-banking-portal MFA-relay attacks dominate the enterprise loss profile.

Exhibit A

Smishing as a category


Smishing (SMS phishing) is the text-message variant of phishing. The category has grown at approximately 40 percent year-on-year through 2024-2025, driven by three structural factors. First, the SMS channel has no equivalent of the email-filtering layer that has matured around inbox spam; carrier-edge filtering catches 30 to 50 percent but the rest reaches the handset. Second, the handset display surface is small enough that the typical anti-phishing signals (full sender address, hover-to-preview URL) are not available. Third, the lure-to-conversion timeline is short because the victim is reading the message on a mobile device away from the corporate IT context that would normally flag suspicious behaviour.

The per-event cost figure of $870K is the median across the 2026 smishing cohort. The distribution skews bimodal: consumer-targeted credential-harvest events land in the $50K to $200K band (typically aggregated card-data loss across multiple victims), and corporate-banking-portal MFA-relay events land in the $400K to $2M band. The median reflects the corporate-pivot variant dominating the IC3 dollar-loss totals.[IBM 2025 + APWG 2025 + IC3 2024 SMS category]

Exhibit B

The USPS lure: why the same template keeps working

The dominant consumer smishing lure across 2023-2025 has been the USPS package-delivery template. The pattern is consistent: a short SMS from an unfamiliar number with a plausible-looking tracking-style identifier, claiming a package cannot be delivered without an address update or a small redelivery fee. The destination URL leads to a credential-harvest or payment-card-collection page styled to match USPS visual identity. The pattern repeats across UK Royal Mail, Canada Post, German DHL, French La Poste, and most other national postal-carrier brands.

The template works because of three converging psychological factors. The victim has no way to verify whether they are expecting a package, because most consumers buy from multiple e-commerce sources and lose track of delivery state. The lure includes a plausible tracking-style identifier that mimics the visual format of real carrier tracking numbers. The financial ask is small enough (typically $1.99 to $3.99) that the victim does not apply the scrutiny a larger payment would attract; the actual loss is the card data harvested, not the small payment itself, and that loss surfaces weeks later when the card is sold on the underground market and used elsewhere.

USPS has run a public-awareness campaign through 2024 noting that the real USPS never sends SMS requesting payment for redelivery. The campaign has limited measurable impact because the victims most exposed (older consumers, infrequent package recipients) are also the least likely to encounter the awareness messaging. The defender-side picture is that the consumer-trust restoration cost falls heavily on USPS itself, not on the actual victims, with knock-on customer-support cost for the impersonated brand.[USPS public statements 2024 + APWG 2025 lure-pattern analysis]

Exhibit C

The corporate-banking-portal MFA-relay variant

HIGH IMPACT

The enterprise loss profile in smishing is dominated by the corporate-banking-portal MFA-relay attack. The pattern works as follows. The attacker sends an SMS to a finance-team employee impersonating the corporate bank with a security-alert message claiming suspicious activity and requiring the recipient to verify identity. The destination URL is a real-time relay (AitM-style) that proxies the victim's input directly into the real banking portal, harvesting the username, password, and one-time MFA code in sequence. Within seconds the attacker is inside the corporate account and initiating outbound wires before the victim's session has timed out.

The variant landed sustained losses through 2024 because corporate banking portals were slow to deploy phishing-resistant MFA. The remediation surface is closing: most major US banks now support hardware-key authentication for high-value corporate accounts, and the FFIEC supervisory guidance updated in late 2024 effectively requires phishing-resistant authentication for accounts above certain transaction thresholds. The loss curve is expected to bend through 2025-2026 as the bank-side controls deploy.[FFIEC 2024 supervisory guidance + IC3 2024 corporate-banking category]
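Why the FIDO2 control breaks the relay chain, as an added walk-through that is not part of the case file. The relay succeeds against one-time codes because a code carries no information about where it was typed; a WebAuthn assertion, by contrast, is signed over clientDataJSON, into which the browser (not the page) writes the origin the user is actually on, and the relying party rejects any origin other than its own. The origins, relying-party id, and credential key below are constructed; HMAC-SHA256 stands in for the ECDSA signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed origins for the walk-through; none of these hosts is real.
BANK_ORIGIN = "https://bank.example"                  # the genuine corporate banking portal
BANK_RP_ID = "bank.example"                           # relying-party id the bank's keys were registered under
RELAY_ORIGIN = "https://bank-example-verify.example"  # the page a smish link would actually land on


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, credential_key: bytes) -> Assertion:
    """Simulates navigator.credentials.get() plus the authenticator.

    The browser writes the page's origin into clientDataJSON; page script cannot
    override it. The authenticator then signs authenticatorData || SHA-256(clientDataJSON).
    HMAC over a shared key stands in for the real ECDSA signature; the binding is the same.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                        # UP (user present) bit
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(credential_key, to_sign, hashlib.sha256).digest()
    return Assertion(client_data, auth_data, sig)


def rp_verify(a: Assertion, expected_origin: str, rp_id: str, expected_challenge: str, credential_key: bytes):
    """Relying-party side: the checks the WebAuthn spec requires, in order."""
    cd = json.loads(a.client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a.authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = a.authenticator_data + hashlib.sha256(a.client_data_json).digest()
    expected_sig = hmac.new(credential_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, a.signature):
        return False, "signature invalid"
    return True, "ok"


CREDENTIAL_KEY = b"constructed-credential-key"  # stands in for the registered key pair


def legitimate_webauthn_login():
    """Victim is on the real portal: origin in clientDataJSON is the bank's own."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(BANK_ORIGIN, BANK_RP_ID, challenge, CREDENTIAL_KEY)
    return rp_verify(assertion, BANK_ORIGIN, BANK_RP_ID, challenge, CREDENTIAL_KEY)


def relayed_webauthn_login():
    """The relay forwards the bank's challenge unchanged, but the victim's browser is on
    RELAY_ORIGIN, so that is the origin the signed clientDataJSON carries."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(RELAY_ORIGIN, BANK_RP_ID, challenge, CREDENTIAL_KEY)
    return rp_verify(assertion, BANK_ORIGIN, BANK_RP_ID, challenge, CREDENTIAL_KEY)


def relayed_otp_login() -> bool:
    """Contrast: a one-time code says nothing about where it was typed, so a code
    forwarded from the relay page verifies exactly like one typed on the real portal."""
    code_typed_on_relay_page = "482913"   # constructed
    code_bank_expects = "482913"
    return hmac.compare_digest(code_typed_on_relay_page, code_bank_expects)


if __name__ == "__main__":
    print("legitimate WebAuthn:", legitimate_webauthn_login())
    print("relayed WebAuthn:   ", relayed_webauthn_login())
    print("relayed OTP:        ", relayed_otp_login())
```

In a real browser the relay page would fail one step earlier: the browser refuses to use an rpId that is not a registrable suffix of the page's own host, so the relay cannot even request an assertion scoped to the bank's credential. The origin check shown here is the relying-party-side backstop that holds even if the browser-side check were somehow bypassed, and it is the step at which "breaks the relay chain at the MFA step regardless of credential theft" becomes concrete.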

Exhibit D

Cost-line build-up against the $870K median


Cost line | Share of $870K | Dollar figure | Note
Direct wire / card-fraud loss | 38% | $331K | Bank-portal variant dominant
Customer-support burden (impersonated brand) | 17% | $148K | Allocated to the impersonated party
Incident response + forensics | 14% | $122K | Lower than email-vector events
Credential-reset + MFA re-enrolment | 10% | $87K | Per affected user
Notification + monitoring | 9% | $78K | If card-data totals trigger PCI scope
Legal + class-action exposure | 7% | $61K | Generally lower than email vectors
Carrier and shortcode-reputation rebuild | 5% | $44K | For impersonated brands

Cost composition reflects the bimodal distribution: consumer lures dominate volume but enterprise corporate-banking events drive the median upward. The customer-support-burden line is unusual versus other phishing vectors because the consumer-lure pattern shifts cost to the impersonated brand even when no direct customer of that brand was actually harmed.[IBM 2025 SMS cohort + APWG 2025 attribution analysis]

Exhibit E

Carrier and platform-side controls


The smishing control surface is unusual because the most-leveraged controls operate outside the victim organisation. US carriers block 30 to 50 percent of suspected smishing at the network edge through SPAM Activity Reporting Service (SARS), shortcode-reputation lookups, and machine-learning content classification on the SMSC. The remaining volume reaches the handset. Apple iOS and Google Android both ship spam-detection and unknown-sender filtering at the OS layer, which catches another 20 to 30 percent of the volume that reaches the device. The residual that lands in the primary message stream is the volume that drives the loss exposure tracked in IC3 data.
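The content-classification and shortcode-reputation layers described above, and the USPS lure features described in Exhibit B (tracking-style identifier, small fee, brand impersonation), can be made concrete with a small rule-based scorer. The following is an added example, not the case file's own material and not any carrier's filter: the brand-domain registry, the registered-shortcode table, the weights, and all four sample messages are constructed, and the two lures are modelled on the patterns the case file already describes.

```python
import re
from dataclasses import dataclass, field

# Constructed brand registry: registrable domains each brand legitimately links to.
# A deployed filter would draw this from a maintained source; these values are illustrative.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "irs": {"irs.gov"},
    "examplebank": {"examplebank.com"},   # fictitious bank used by the samples below
}
# Constructed: shortcodes the carrier has on record as verified senders for a brand.
REGISTERED_SHORTCODES = {"28777": "usps", "46339": "fedex", "22395": "examplebank"}

URL_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?")
# Tracking-style identifiers: a 12-22 digit run, or the letters-digits-letters barcode shape.
# Matches the visual shape only; it does not validate any carrier's check digit.
TRACKING_RE = re.compile(r"\b(?:\d{12,22}|[A-Z]{2}\d{9}[A-Z]{2})\b")
PAYMENT_RE = re.compile(r"(?i)(\$\s?\d+(?:\.\d{2})?|redelivery fee|small fee|\bpay(?:ment)?\b)")
URGENCY_RE = re.compile(r"(?i)(within \d+ hours|immediately|suspended|will be returned|final notice|verify your identity)")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    def label(self) -> str:
        return "suspected smish" if self.score >= 5 else "pass"


def registrable_domain(host: str) -> str:
    """Last two labels of a host (naive eTLD+1; sufficient for the sample data)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def score_sms(sender: str, body: str) -> Verdict:
    v = Verdict()
    text = body.lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text)]
    hosts = [h.lower() for h in URL_RE.findall(body)]
    sender_brand = REGISTERED_SHORTCODES.get(sender)

    # A brand is named, but the sender is not that brand's registered shortcode.
    if brands and sender_brand not in brands:
        v.add(2, f"names {brands} but sent from unregistered sender {sender}")
    # A brand is named and the link leads to a domain the brand does not own (lookalike host).
    for b in brands:
        for h in hosts:
            if registrable_domain(h) not in BRAND_DOMAINS[b]:
                v.add(3, f"link host {h} is not a {b} domain")
    # Any link at all from a sender the carrier has no record of.
    if hosts and sender_brand is None:
        v.add(1, "link from unregistered sender")
    if TRACKING_RE.search(body):
        v.add(1, "tracking-style identifier")
    if PAYMENT_RE.search(body):
        v.add(2, "payment ask")
    if URGENCY_RE.search(body):
        v.add(1, "urgency language")
    return v


# Constructed sample traffic: two lures modelled on the patterns the case file describes,
# and two legitimate messages that must not be flagged.
SAMPLE_MESSAGES = {
    "usps_lure": ("+15555550123",
        "USPS: Your package 9400111899223100012345 could not be delivered. "
        "Pay a $1.99 redelivery fee within 24 hours at https://usps-redelivery-fee.top/track"),
    "bank_lure": ("+15555550199",
        "ExampleBank Alert: suspicious activity detected. Verify your identity immediately "
        "at https://examplebank-secure-verify.com/login or your account will be suspended."),
    "legit_usps": ("28777",
        "USPS: Your package 9405511899223197428490 is scheduled for delivery Tuesday. "
        "Track at https://tools.usps.com/go/TrackConfirmAction"),
    "legit_otp": ("22395",
        "Your ExampleBank verification code is 482913. It expires in 10 minutes."),
}


def score_all() -> dict:
    return {name: score_sms(sender, body) for name, (sender, body) in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, v in score_all().items():
        print(f"{name:12} {v.label():16} score={v.score:2}  {'; '.join(v.reasons)}")
```

The heaviest weight sits on the brand-versus-link-domain mismatch, because that is the one signal the lure cannot remove without abandoning the impersonation; the sender-registration check is what a branded-SMS program turns from a heuristic into a hard rule. A generic lure that names no brand and uses no payment or urgency phrasing scores low here, which is the residual the case file says still reaches the primary message stream.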

The enterprise control surface is correspondingly narrow. Most enterprise SMS-defence spending goes on user-awareness training and on phishing-resistant MFA enforcement at the destinations the smish lure typically targets (corporate banking, single-sign-on portals, payroll systems). The most-leveraged enterprise control is phishing-resistant MFA on the corporate-banking portal, which breaks the MFA-relay attack chain entirely. Cost: $50 per finance-team key plus banking-portal integration. Reduction in modelled loss: approximately 90 percent of the corporate-banking variant.

Branded-SMS programs (where the sender ID is verified by the carrier and the lure cannot impersonate the brand) are deploying through 2025-2026 in the US under industry-led initiatives. The deployment is uneven: some major brands (Amazon, USPS, several large banks) are participating; many regional brands and government agencies are not. The defender expectation is that branded SMS will close the consumer-lure attack surface materially over 2026-2028 but will not fully eliminate it before 2030.[CTIA carrier-spam-reporting + industry branded-SMS deployment status 2025]

Exhibit F

The seasonal pattern: tax, holiday-delivery, IRS-deadline waves


Smishing volume follows a strong seasonal cycle that defenders should plan against. Q4 holiday-delivery lures spike from early November through mid-January, with peak volume in the second week of December. Q1 tax-season lures spike from late January through mid-April, with peak volume in the first week of April. Q2-Q3 baseline volume runs roughly 40 percent below peak. The seasonal pattern is a useful planning anchor for finance-team awareness training, helpdesk staffing, and customer-support capacity in impersonated-brand sectors.

Season | Lure cluster | Volume vs annual baseline | Defender prep window
Q4 holiday delivery | USPS / FedEx / UPS / Amazon | +85% | October training refresh
Q1 tax season | IRS / TurboTax / state DoR | +60% | January helpdesk staffing
Q1-Q2 banking-fraud | Major US banks | +30% | February finance-team drill
Q3 back-to-school | FAFSA / loan-servicer | +20% | August student-staff training
Q2 baseline | Generic credential-harvest | baseline | Lowest-risk window

Exhibit G

Frequently filed questions

ON RECORD

What is the average cost of a smishing incident?

$870K median per successful event. Range $50K (consumer card-fraud aggregation) to $2M (corporate-banking MFA-relay).

Is smishing growing?

Yes. APWG 2025 tracks approximately 40% year-on-year volume growth, driven by carrier-filtering gaps and handset-display limitations.

Why is USPS impersonated so often?

Recipients cannot easily verify whether they are expecting a package, the lure mimics real tracking-number format, and the small redelivery-fee ask sets a low friction bar.

Will STIR/SHAKEN stop smishing?

No. STIR/SHAKEN is voice-only. The SMS channel does not have a deployed equivalent yet; branded-SMS programs are rolling out 2025-2028.

What stops the corporate-banking MFA-relay variant?

Phishing-resistant MFA (FIDO2 hardware key) on the banking portal. Breaks the relay chain at the MFA step regardless of credential theft.

Are consumers more exposed than enterprises?

By volume yes, by per-event dollar loss no. Consumers are hit far more often; enterprises absorb the larger per-event losses through corporate-banking variants.

How does the seasonal pattern affect planning?

Q4 holiday delivery and Q1 tax season together account for ~70% of annual smishing volume. Awareness training and finance-team drills should land in October and January respectively.

Updated 2026-04-27