Smishing Statistics 2024: The Latest Trends and Numbers in SMS Phishing

In 2024, SMS phishing threats continue to evolve. Smishing leverages the widespread use of smartphones and people's trust in text messaging as a communication tool. The latest smishing statistics for 2024 reveal alarming trends and numbers, indicating a significant increase in SMS phishing attacks. This article explores the current state of smishing and reveals the latest smishing statistics, trends, and the evolving tactics cybercriminals use.

Smishing is not just a technological threat but a sophisticated psychological attack that leverages the trust and immediacy associated with text messaging. As mobile users continue to rely heavily on SMS for communication, it's important to be aware of smishing and its potential dangers. Recognizing the signs and being cautious can make all the difference in safeguarding one's personal and financial well-being.

Key Smishing Statistics 2024

• Awareness Level: Only 23% of users over 55 can correctly define smishing, while 34% of millennials know the term.
• Financial Impact: In 2020, the IC3 reported over 240,000 victims of phishing, smishing, vishing, and pharming, costing over $54 million in losses. The average financial damage from smishing is $800 per individual globally.
• Rising Trend: Smishing attacks surged 328% in 2020. In just one year, 76% of businesses were targeted by smishing attacks.
• COVID-19 Exploitation: 44% of US Americans noticed an uptick in scam phone calls and text messages during the initial two weeks of the nationwide quarantine.
• 2FA Vulnerability: The National Institute for Standards and Technology (NIST) advises against using SMS-based 2FA due to vulnerabilities.
• Local Deception: Hackers often use local numbers, making their messages appear more authentic.
• Mobile Threat: 17% of enterprise users encountered phishing links on their mobile devices.
• Tax Scams: In the UK, 846,000 people reported tax scams involving fake notifications from HMRC in 2020.
• Fake Delivery Notifications: With the rise of e-commerce, fake delivery notifications have become a prevalent smishing method..
• Messaging App Vulnerabilities: An international hacking agency, "Dark Caracal", exploited apps like WhatsApp and Signal to send phishing links.
• Reporting Mechanism: Major US mobile carriers support a fraud text reporting service, where suspicious messages can be forwarded to the number 7726 (SPAM).
• Smishing in the UK: Smishing incidents in the UK increased by 700% in the first six months of 2021.
• Lloyds TSB Study: Only 18% of participants could correctly identify fake emails and texts.
• US Consumers: In 2019, US consumers lost over $86 million due to SMS phishing.
• Awareness by Country: France had the highest awareness of smishing, while only 36% of surveyed participants in the US knew what smishing was.
• Smishing Trend: The prevalence of smishing attacks increased from 75% in 2021 to 76% in 2022.
• Organizational Training: Only 32% of organizations offer smishing simulations, but 79% offer formal training for phishing attacks.
• Generational Awareness: Millennials and Gen X were more aware of smishing in 2019 than other generations.
• Smishing by Country: Spain faced the highest risk of smishing attacks in 2019 at 100%.
• FBI Reports: The FBI's 2020 Internet Crime Report revealed that losses due to smishing amounted to over $54.2 million in 2019.
• Malware: Malware and malicious websites are often used in smishing attacks.
• COVID-19 Smishing: Cybercriminals exploited the COVID-19 pandemic, sending scam texts related to the virus and vaccines.
• Smishing Frequency: In 2021, 58% of Americans reported receiving more spam texts and calls than in 2020.
• Demographics: In 2022, the Hispanic demographic received fewer spam texts than the White or Black communities.
• Cybersecurity Awareness against Smishing: With targeted training, organizations can increase in employees' ability to recognize and report SMS phishing incidents by 87% within three months.
• Tax Scams as a Primary Tactic: Among the diverse strategies employed in smishing campaigns, tax scams stand out for their frequency and effectiveness. These scams exploit the general public's concerns and obligations related to tax filings, making them particularly convincing and dangerous.
• The Surge of Spam Texts in America: It has been revealed that, on average, Americans are inundated with nearly 41 spam texts per person each month. This smishing statistic underscores the widespread nature of unsolicited communications, highlighting the scale at which individuals are targeted by potentially malicious actors.

SMS phishing statistics emphasize the growing threat of smishing and the importance of security awareness training and protective measures against cybercrime.

SMS Phishing (Smishing) Real-Life Examples

The following detailed real life smishing examples from recent years illustrate tactics used by Smishers. It also shows the wide range of smishing scenarios in which individuals and institutions have been targeted. By revealing these real-life smishing incidents, you can increase security awareness to strengthen defenses against smishing.

Here are some real smishing attack incidents in recent years:

2018: Fifth Third Bank Smishing and ATM Fraud

• Incident Description: Customers of Fifth Third Bank received deceptive SMS messages claiming their accounts were locked.
• Scammers' Tactics: The messages included a fraudulent link, redirecting victims to a website mimicking the official bank site to "unlock" their accounts.
• Victim Impact: Approximately 125 customers disclosed their banking credentials.
• Financial Damage: Scammers withdrew $68,000 from 17 ATMs around Cincinnati using the stolen information.

2020: Operation Genmaicha: Large-Scale Smishing

• Law Enforcement Action: Australian Federal Police discovered SIM boxes used in widespread smishing attacks, impersonating banks and telecom companies.
• Operational Scale: Over 10,000 smishing messages were sent in a two-week period, illustrating the extensive reach of these operations.
• Customer Impact: One bank reported 45 phished customers, with losses including more than $30,000 stolen from a single individual.

2021: Amazon Impersonation Scam

• Incident Description: U.S. consumers received fake texts posing as Amazon, alerting them of suspicious account activity or delayed packages.
• Scammers' Tactics: These texts often prompted recipients to click on malicious links under the guise of resolving the issue.
• Financial Impact: Contributed to U.S. consumers losing approximately $5.8 billion to fraud in 2021, with a notable portion from imposter scams.

2021: Singapore Bank's Multi-Million Dollar Smishing Loss

• Incident Overview: A smishing attack targeted a bank in Singapore, leading to S$13.7 million lost across 790 victims.
• Average Loss Per Victim: Approximately S$17,300 (around $12,800 USD), highlighting the significant per-victim financial impact.
• Broader Context: The scam underscores the costly nature of smishing, not just in immediate losses but also in reputational damage and potential customer attrition.

2021: The Royal Mail Scam

• Incident Description: Fraudulent messages, claiming to be from Royal Mail, demanded additional payment to release parcels supposedly held up.
• Scammers' Tactics: The scam directed victims to enter payment details on a fake website, leading to unauthorized bank withdrawals or purchases.
• Incident Scale: There was a reported 1,077% increase in Royal Mail-related scam incidents in 2020.

2022: OCBC Bank SMS Phishing

• Incident Description: Nearly 470 OCBC Bank customers lost at least $8.5 million to SMS phishing, where scammers impersonated the bank in text messages.
• Scammers' Tactics: The messages contained links to phishing sites designed to steal banking credentials.
• Financial Impact: Significant losses indicating the high level of sophistication in the scam operations.
• Bank's Response: OCBC may have issued warnings and potentially reimbursed affected customers, emphasizing the importance of skepticism toward unsolicited banking texts.

2022: BNZ Text Scam Victimizing a Queenstown Woman

• Incident Description: Savannah Jackson believed she received an SMS from BNZ, prompting her to log in and verify a new device added to her account.
• Immediate Consequence: Upon entering her bank login details through the link provided, she witnessed unauthorized money transfers, totaling a loss of $42,000.
• Scammers' Tactics: Utilizing a sense of urgency and legitimacy by mimicking bank alerts.

2022: FTC Scam Report Highlights

• Report Findings: A sharp increase in victims of text-messaging scams, with losses reaching $330 million, significantly up from $131 million in 2021.
• Average Loss: The median loss reported by victims was $1,000, doubling the amount from the previous year.

2022: Scammers' Urgency Tactic at JFK Airport

• Victim's Experience: Alex Nemirovsky lost $49,000 after responding to an urgent scam text about his bank card needing attention before his flight.
• Scammers' Approach: They crafted a convincing fake banking site complete with the Citibank logo to collect his credentials.
• Aftermath: Nemirovsky discovered the fraud upon returning, highlighting the dangers of acting on unsolicited texts without verification.

2022: The UPS Text Scam

• Scam Operation: Fraudulent SMS messages claimed to be from UPS, notifying recipients of package deliveries and requesting action through a provided link.
• Wider Impact: This scam was part of a larger trend contributing to the $330 million lost to fraudulent texts in 2022, as reported by the FTC.

2023: HMRC Tax Fraud Warning

• Government Alert: HMRC issued a warning about scam texts and emails targeting Self Assessment customers with fraudulent tax refund offers.
• Reported Incidents: Over 130,000 reports of tax fraud in the year leading up to September 2023, with a significant focus on fake refunds.

2023: Apple ID Recovery Scam

• Scam Mechanism: Fraudulent texts alerted recipients to unauthorized access of their iCloud accounts, urging password changes through a fake link.
• Targeted Information: Aimed to harvest personal and financial information by exploiting fears of account compromise.

How to Protect Yourself from Smishing Attacks

Protecting oneself from smishing attacks is not just about being cautious; it's about being informed and proactive.

Here are some important tips to consider:

1. Stay Informed: Knowledge is your first line of defense. Regularly educate yourself about the latest smishing tactics and trends. Many organizations and cybersecurity firms publish updates and warnings about new smishing schemes. Also, conduct smishing simulations to help employees understand different smishing attack vectors, monitor their behaviors, and provide the best training for their specific behavior.
2. Verify the Source: Always be skeptical of unsolicited messages, especially those that ask for personal or financial information. If you receive a message from a bank or any other institution, call the official number on their website (not the one provided in the text) to verify its authenticity.
3. Avoid Clicking on Suspicious Links: Cybercriminals often use shortened URLs to hide the actual web address in smishing texts. Before clicking on any link, hover over it to see the full URL. If it looks suspicious, do not click.
4. Use Two-Factor Authentication (2FA): While SMS-based 2FA has vulnerabilities, using app-based 2FA or hardware security keys can add an extra layer of security to your accounts.
5. Install Antivirus Apps: Just as computers need antivirus software, so do mobile devices. Several reputable antivirus apps are designed for mobile devices, offering protection against malware, phishing sites, and other threats.
6. Regularly Update Your Device: Ensure your mobile device's operating system and apps are always updated. Manufacturers and app developers frequently release security patches to fix vulnerabilities.
7. Be Wary of Caller ID Spoofing: Scammers can make it appear like they're calling or texting from a trusted organization. Remember that caller ID can be spoofed, so always verify the sender's identity.
8. Report Suspicious Messages: If you receive a smishing text, report it to your telecom provider. In the US, for instance, you can forward the text to 7726 (SPAM). Reporting helps telecom companies track and block these malicious numbers.

Keepnet Labs' Pioneering Role in Tackling Smishing Threats

In the fight against smishing, proactive measures are as significant as reactive ones. This is where Keepnet Labs' Smishing Simulator comes into play, offering a comprehensive solution to tackle smishing threats effectively. The platform is designed to address several key areas:

• Amplified Threat Awareness: Keepnet's Smishing Simulator uses real-world scenarios to train employees across various locations in detecting smishing threats. This hands-on approach ensures that staff are not just theoretically informed but practically prepared to identify and respond to smishing attempts.
• Streamlined Reporting: One of the most significant challenges in combating smishing is the lack of a streamlined reporting mechanism. Keepnet's security awareness training educates staff about the nuances of smishing threats and provides a unified platform for reporting suspicious activities. This is particularly beneficial for large organizations like hotel chains, where a centralized reporting system is important.
• Minimized Human Error: Human error is often the weakest link in cybersecurity. By exposing employees to simulated smishing attacks, Keepnet helps reduce the error margin. The simulations are designed to mimic real-world scenarios, making the training as realistic as possible.
• Fostering Security Culture: Cybersecurity is not just an IT issue; it's an organizational one. Keepnet's regular training sessions aim to create a proactive security culture. Employees become active participants in the cybersecurity strategy, making the system more robust.
• Regulatory Compliance: With the increasing number of cybersecurity regulations, compliance has become a significant concern for organizations. Keepnet's frequent simulations ensure the organization adheres to various cybersecurity regulations, thereby minimizing legal risks.
• Efficient Risk Management: Managing human risk is complex, especially for organizations across multiple locations. Keepnet's platform provides a centralized system for managing this risk, offering real-time monitoring and feedback. This ensures continuous improvement and helps in identifying potential areas of concern.
• Real-time Monitoring: The Smishing Simulator doesn't just stop at training; it goes further by tracking employee behavior during simulations. This real-time monitoring helps identify weaknesses and determine training needs across all locations. The collected data is invaluable for refining future training programs and enhancing the organization's cybersecurity posture.

Next Steps

Don't leave your organization's security to chance. Equip your team with the tools and knowledge they need to combat smishing and other cyber threats effectively.

👉 Start Your Free Trial Today!

Also, watch our YouTube video to discover how our smishing simulator offers robust protection against SMS phishing threats. This tool not only educates but also empowers you to recognize and respond to smishing attempts proactively. Learn the functionalities and benefits of our simulator, designed to enhance your cybersecurity defenses in a practical, engaging way.

Editor's note: This blog was originally published in 2023 but was updated in March 2024.