Smishing Statistics 2024: The Latest Trends and Numbers in SMS Phishing
The 2024 Smishing Statistics highlight a troubling rise in SMS phishing targeting both individuals and organizations. Discover insights into attack trends, tactics, and global impact. This essential data equips organizations with strategies to strengthen defenses against SMS phishing threats.
2024-01-26
In 2024, SMS phishing threats continue to evolve. Smishing leverages the widespread use of smartphones and people's trust in text messaging as a communication tool. The latest smishing statistics for 2024 reveal alarming trends and numbers, indicating a significant increase in SMS phishing attacks. This article explores the current state of smishing and reveals the latest smishing statistics, trends, and the evolving tactics cybercriminals use.
Smishing is not just a technological threat but a sophisticated psychological attack that leverages the trust and immediacy associated with text messaging. As mobile users continue to rely heavily on SMS for communication, it's important to be aware of smishing and its potential dangers. Recognizing the signs and being cautious can make all the difference in safeguarding one's personal and financial well-being.
Key Smishing Statistics 2024
- Rising Trend: Smishing attacks surged 328% in 2020. In just one year, 76% of businesses were targeted by smishing attacks.
- COVID-19 Exploitation: 44% of Americans noticed an uptick in scam phone calls and text messages during the initial two weeks of the nationwide quarantine.
- 2FA Vulnerability: The National Institute for Standards and Technology (NIST) advises against using SMS-based 2FA due to vulnerabilities.
- Local Deception: Hackers often use local numbers, making their messages appear more authentic.
- Mobile Threat: 17% of enterprise users encountered phishing links on their mobile devices.
- Tax Scams: In the UK, 846,000 people reported tax scams involving fake notifications from HMRC in 2020.
- Fake Delivery Notifications: With the rise of e-commerce, fake delivery notifications have become a prevalent smishing method.
- Messaging App Vulnerabilities: An international hacking agency, "Dark Caracal", exploited apps like WhatsApp and Signal to send phishing links.
- Reporting Mechanism: Major US mobile carriers support a fraud text reporting service, where suspicious messages can be forwarded to the number 7726 (SPAM).
- Smishing in the UK: Smishing incidents in the UK increased by 700% in the first six months of 2021.
- Lloyds TSB Study: Only 18% of participants could correctly identify fake emails and texts.
- US Consumers: In 2019, US consumers lost over $86 million due to SMS phishing.
- Awareness by Country: France had the highest awareness of smishing, while only 36% of surveyed participants in the US knew what smishing was.
- Smishing Trend: The prevalence of smishing attacks increased from 75% in 2021 to 76% in 2022.
- Organizational Training: Only 32% of organizations offer smishing simulations, but 79% offer formal training for phishing attacks.
- Generational Awareness: Millennials and Gen X were more aware of smishing in 2019 than other generations.
- Smishing by Country: Spain faced the highest risk of smishing attacks in 2019 at 100%.
- FBI Reports: The FBI's 2020 Internet Crime Report revealed that losses due to smishing amounted to over $54.2 million in 2019.
- Malware: Malware and malicious websites are often used in smishing attacks.
- COVID-19 Smishing: Cybercriminals exploited the COVID-19 pandemic, sending scam texts related to the virus and vaccines.
- Smishing Frequency: In 2021, 58% of Americans reported receiving more spam texts and calls than in 2020.
- Demographics: In 2022, the Hispanic demographic received fewer spam texts than the White or Black communities.
- Cybersecurity Awareness against Smishing: With targeted training, organizations can increase employees' ability to recognize and report SMS phishing incidents by 87% within three months.
- Tax Scams as a Primary Tactic: Among the diverse strategies employed in smishing campaigns, tax scams stand out for their frequency and effectiveness. These scams exploit the general public's concerns and obligations related to tax filings, making them particularly convincing and dangerous.
- The Surge of Spam Texts in America: It has been revealed that, on average, Americans are inundated with nearly 41 spam texts per person each month. This smishing statistic underscores the widespread nature of unsolicited communications, highlighting the scale at which individuals are targeted by potentially malicious actors.
- Rise in Spam Texts During Quarantine: During the first two weeks of quarantine in the US, there was a noticeable increase in the frequency of spam text messages and calls.
- Global Scale of Smishing and Financial Losses: In 2019, victims of smishing attacks in the US alone lost $86 million. The global losses from smishing and related phishing attacks totaled more than $54 million.
- Demographic Specifics: Black and white communities in America were targeted more with smishing than Hispanic communities. The age group most aware of smishing risks is those aged 55 and above.
- Frequency of Phishing SMS in America 2023: Daily fraudulent texts in the US average 415,172,654. Weekly, the total climbs to 2,906,208,576 malicious SMS. On weekends alone, the volume is about 665,100,057 texts.
- Rise of Non-SMS Channels: Smishing attacks through KakaoTalk now constitute 39.6% of all attacks, highlighting the shift towards popular messaging platforms.
- Security Awareness Level: Only 23% of users over 55 can correctly define smishing, while 34% of millennials know the term.
- Financial Impact: In 2020, the IC3 reported over 240,000 victims of phishing, smishing, vishing, and pharming, costing over $54 million in losses. The average financial damage from smishing is $800 per individual globally.
- Specific Scams Identified: SMS phishing scams using the guise of public offerings and short-term & part-time work are prominent, making up 31.8% and 18.3% of attacks respectively.
- Diverse Tactics by Industry: Smishing attacks impersonating public institutions are the most common in the industry, making up 23.0% of all such attacks.
- Financial Institutions Targeted: Specific financial institutions such as Shinhan Card (10.3%), Samsung Card (9.5%), and Kookmin Card (8.0%) are frequently impersonated in SMS phishing attacks.
- Government and Public Service Impersonations: Significant impersonation of the Korea Environment Corporation (50.9%), Korea Customs Service (27.4%), and National Police Agency (15.5%) indicates targeted SMS phishing attacks against trusted public entities.
- Detailed Breakdown of Scams by Type: The breakdown includes detailed percentages of various smishing scams, such as those masquerading as credit card companies (11.6%) and government subsidies (8.6%).
- Distribution by Delivery Services: Analysis shows significant impersonation of delivery services like CJ Logistics (45.4%), Coupang (11.8%), and Logen (11.2%).
- Smishing Attacks on the EU: 80% of global smishing attacks targeted EU citizens.
- Tax-Related Smishing Scams in 2024: Average loss of $8,199 per victim; 1 in 4 Americans affected.
- Mobile Phishing Threats in 2024: Smishing accounted for 39% of mobile threats.
- Smishing Campaigns in Australia 2024: Arrests linked to 300 million fraudulent SMS messages.
- Holiday Season Scams (2024): Nearly half of UK adults reported fake parcel delivery texts as the fastest-growing scam.
- Use of AI in Smishing: Introduction of deepfake audio and automated phishing systems to create convincing messages.
- Delivery Service Exploitation in 2024: A 174% increase in smishing incidents targeting delivery services like Evri.
- Global Smishing Volume Increase: Analysts predict that smishing volumes will double year-over-year by the end of 2024.
- Daily Smishing Texts: Mobile users are expected to receive an estimated 147 million smishing texts per day in 2023, representing a 20% increase over the previous year.
- Financial Impact on Organizations: The average cost of a successful smishing attack on an organization exceeded $9.5 million in 2022.
- Finance and Insurance: 33% of businesses experienced smishing attempts.
- Healthcare: 27% of organizations were targeted.
- Government: 23% reported smishing incidents.
- Retail/E-commerce: 19% faced smishing attacks.
- Energy: 17% encountered smishing threats.
- Top Brands Impersonated in Smishing Attacks: Amazon: 38% of brand impersonation smishing attempts; Apple: 17%; HMRC (UK tax authority): 15%; PayPal: 12%; USPS: 11%; FedEx: 7% and Netflix: 5%.
- Global Smishing Incidents: More than 3.5 billion phone users receive spam text messages daily.
- Credential Phishing Surge: Credential phishing saw a 967% increase, driven by ransomware groups seeking access to companies in exchange for money.
- TOAD Messages: Approximately 10 million Telephone-Oriented Attack Delivery (TOAD) messages are sent every month, guiding victims into revealing sensitive information and credentials.
SMS phishing statistics emphasize the growing threat of smishing and the importance of security awareness training and protective measures against cybercrime.
SMS Phishing (Smishing) Real-Life Examples
The following detailed real-life smishing examples from recent years illustrate the tactics smishers use. They also show the wide range of smishing scenarios in which individuals and institutions have been targeted. Reviewing these real-life smishing incidents can increase security awareness and strengthen defenses against smishing.
Here are some real smishing attack incidents in recent years:
2018: Fifth Third Bank Smishing and ATM Fraud
- Incident Description: Customers of Fifth Third Bank received deceptive SMS messages claiming their accounts were locked.
- Scammers' Tactics: The messages included a fraudulent link, redirecting victims to a website mimicking the official bank site to "unlock" their accounts.
- Victim Impact: Approximately 125 customers disclosed their banking credentials.
- Financial Damage: Scammers withdrew $68,000 from 17 ATMs around Cincinnati using the stolen information.
2020: Operation Genmaicha: Large-Scale Smishing
- Law Enforcement Action: Australian Federal Police discovered SIM boxes used in widespread smishing attacks, impersonating banks and telecom companies.
- Operational Scale: Over 10,000 smishing messages were sent in a two-week period, illustrating the extensive reach of these operations.
- Customer Impact: One bank reported 45 phished customers, with losses including more than $30,000 stolen from a single individual.
2021: Amazon Impersonation Scam
- Incident Description: U.S. consumers received fake texts posing as Amazon, alerting them of suspicious account activity or delayed packages.
- Scammers' Tactics: These texts often prompted recipients to click on malicious links under the guise of resolving the issue.
- Financial Impact: Contributed to U.S. consumers losing approximately $5.8 billion to fraud in 2021, with a notable portion from imposter scams.
2021: Singapore Bank's Multi-Million Dollar Smishing Loss
- Incident Overview: A smishing attack targeted a bank in Singapore, leading to S$13.7 million lost across 790 victims.
- Average Loss Per Victim: Approximately S$17,300 (around $12,800 USD), highlighting the significant per-victim financial impact.
- Broader Context: The scam underscores the costly nature of smishing, not just in immediate losses but also in reputational damage and potential customer attrition.
2021: The Royal Mail Scam
- Incident Description: Fraudulent messages, claiming to be from Royal Mail, demanded additional payment to release parcels supposedly held up.
- Scammers' Tactics: The scam directed victims to enter payment details on a fake website, leading to unauthorized bank withdrawals or purchases.
- Incident Scale: There was a reported 1,077% increase in Royal Mail-related scam incidents in 2020.
2022: OCBC Bank SMS Phishing
- Incident Description: Nearly 470 OCBC Bank customers lost at least $8.5 million to SMS phishing, where scammers impersonated the bank in text messages.
- Scammers' Tactics: The messages contained links to phishing sites designed to steal banking credentials.
- Financial Impact: Significant losses indicating the high level of sophistication in the scam operations.
- Bank's Response: OCBC may have issued warnings and potentially reimbursed affected customers, emphasizing the importance of skepticism toward unsolicited banking texts.
2022: BNZ Text Scam Victimizing a Queenstown Woman
- Incident Description: Savannah Jackson believed she received an SMS from BNZ, prompting her to log in and verify a new device added to her account.
- Immediate Consequence: Upon entering her bank login details through the link provided, she witnessed unauthorized money transfers, totaling a loss of $42,000.
- Scammers' Tactics: Utilizing a sense of urgency and legitimacy by mimicking bank alerts.
2022: FTC Scam Report Highlights
- Report Findings: A sharp increase in victims of text-messaging scams, with losses reaching $330 million, significantly up from $131 million in 2021.
- Average Loss: The median loss reported by victims was $1,000, doubling the amount from the previous year.
2022: Scammers' Urgency Tactic at JFK Airport
- Victim's Experience: Alex Nemirovsky lost $49,000 after responding to an urgent scam text about his bank card needing attention before his flight.
- Scammers' Approach: They crafted a convincing fake banking site complete with the Citibank logo to collect his credentials.
- Aftermath: Nemirovsky discovered the fraud upon returning, highlighting the dangers of acting on unsolicited texts without verification.
2022: The UPS Text Scam
- Scam Operation: Fraudulent SMS messages claimed to be from UPS, notifying recipients of package deliveries and requesting action through a provided link.
- Wider Impact: This scam was part of a larger trend contributing to the $330 million lost to fraudulent texts in 2022, as reported by the FTC.
2023: HMRC Tax Fraud Warning
- Government Alert: HMRC issued a warning about scam texts and emails targeting Self Assessment customers with fraudulent tax refund offers.
- Reported Incidents: Over 130,000 reports of tax fraud in the year leading up to September 2023, with a significant focus on fake refunds.
2023: Apple ID Recovery Scam
- Scam Mechanism: Fraudulent texts alerted recipients to unauthorized access of their iCloud accounts, urging password changes through a fake link.
- Targeted Information: Aimed to harvest personal and financial information by exploiting fears of account compromise.
2024: Cyberattacks on US Hospitals Using Smishing
- Law Enforcement Action: Not specifically stated, but involves general cybersecurity measures within healthcare systems.
- Operational Scale: Widespread smishing campaigns targeting multiple hospitals, exploiting the trusted status of healthcare communications.
- Customer Impact: Increased risk and potential exposure of sensitive patient data due to deceptive messages pretending to be legitimate healthcare communications.
2024: Sophisticated Smishing Scam in New Zealand
- Law Enforcement Action: New Zealand police, with the cooperation of multiple agencies including Australia's cybercrime team, launched Operation Orca to tackle the scam.
- Operational Scale: Use of a novel technology, an SMS Blaster acting as a fake cell tower to send deceptive texts to a large number of users simultaneously.
- Customer Impact: Approximately 120 individuals received scam messages in a single night, although no financial losses were reported due to preventive actions by law enforcement.
2024: Homemade Mobile Antenna Smishing Scam in the UK
- Law Enforcement Action: City of London Police made two arrests, one in Manchester and one in London, in connection with the use of a homemade mobile antenna or "SMS blaster" that bypassed network protections to send smishing messages.
- Operational Scale: The device, a makeshift telephone mast, was used to send thousands of fraudulent messages impersonating banks and other institutions to unsuspecting members of the public.
- Customer Impact: While specific numbers on how many people responded to the fraudulent messages were not provided, the police and partnering cybersecurity teams acted swiftly to mitigate further impact and prevent large-scale financial losses from occurring.
How to Protect Yourself from Smishing Attacks
Protecting oneself from smishing attacks is not just about being cautious; it's about being informed and proactive.
Here are some important tips to consider:
- Stay Informed: Knowledge is your first line of defense. Regularly educate yourself about the latest smishing tactics and trends. Many organizations and cybersecurity firms publish updates and warnings about new smishing schemes. Also, conduct smishing simulations to help employees understand different smishing attack vectors, monitor their behaviors, and provide the best training for their specific behavior.
- Verify the Source: Always be skeptical of unsolicited messages, especially those that ask for personal or financial information. If you receive a message from a bank or any other institution, call the official number on their website (not the one provided in the text) to verify its authenticity.
- Avoid Clicking on Suspicious Links: Cybercriminals often use shortened URLs to hide the actual web address in smishing texts. Before clicking on any link, hover over it to see the full URL. If it looks suspicious, do not click.
- Use Two-Factor Authentication (2FA): While SMS-based 2FA has vulnerabilities, using app-based 2FA or hardware security keys can add an extra layer of security to your accounts.
- Install Antivirus Apps: Just as computers need antivirus software, so do mobile devices. Several reputable antivirus apps are designed for mobile devices, offering protection against malware, phishing sites, and other threats.
- Regularly Update Your Device: Ensure your mobile device's operating system and apps are always updated. Manufacturers and app developers frequently release security patches to fix vulnerabilities.
- Be Wary of Caller ID Spoofing: Scammers can make it appear like they're calling or texting from a trusted organization. Remember that caller ID can be spoofed, so always verify the sender's identity.
- Report Suspicious Messages: If you receive a smishing text, report it to your telecom provider. In the US, for instance, you can forward the text to 7726 (SPAM). Reporting helps telecom companies track and block these malicious numbers.
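The link and sender checks above can be partly automated when triaging reported texts. The following is an added example, not code from the original article or from Keepnet: it flags shortened URLs, urgency wording, payment requests with a link, and links whose host does not belong to the brand named in the message. The shortener list, brand-to-domain map, keyword lists and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed reference data for this example; a real deployment maintains its own lists.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}  # last entry is a placeholder
BRAND_DOMAINS = {"amazon": "amazon.com", "royal mail": "royalmail.com", "ups": "ups.com"}
URGENCY = re.compile(r"\b(locked|suspended|verify|urgent|immediately|unauthori[sz]ed|held)\b", re.I)
PAYMENT = re.compile(r"\b(pay|payment|fee|refund)\b", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample messages (not real campaign data).
SAMPLES = [
    "Royal Mail: your parcel is held. Pay the £1.99 fee at "
    "http://royalmail.com.parcel-release.example/pay",
    "Amazon: suspicious activity on your account. Verify now: https://short.example/a1b2",
    "Your UPS package arrives tomorrow. Track it at https://www.ups.com/track?num=1Z999",
]


def host_of(url):
    """Return the lowercase hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_official(host, official):
    """Match on a label boundary: 'www.ups.com' passes, 'ups.com.evil.example' does not."""
    return host == official or host.endswith("." + official)


def score_sms(text):
    """Return (sorted indicator list, verdict) for one SMS body."""
    findings = set()
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    for host in hosts:
        bare = host[4:] if host.startswith("www.") else host
        if bare in SHORTENERS:
            findings.add("shortened_url")
    for brand, official in BRAND_DOMAINS.items():
        mentioned = re.search(r"\b" + re.escape(brand) + r"\b", text, re.I)
        # A named brand plus any link outside that brand's domain is a mismatch.
        if mentioned and any(not is_official(h, official) for h in hosts):
            findings.add("brand_domain_mismatch:" + brand)
    if URGENCY.search(text):
        findings.add("urgency_language")
    if hosts and PAYMENT.search(text):
        findings.add("payment_request_with_link")
    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "no_indicators"
    return sorted(findings), verdict


if __name__ == "__main__":
    for sms in SAMPLES:
        print(score_sms(sms), "<-", sms)
```

The label-boundary comparison in `is_official` is the important part: a plain substring test would accept a host that merely begins with the brand's domain name.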
Keepnet Smishing Simulator
In the fight against smishing, proactive measures are as significant as reactive ones. This is where Keepnet Labs' Smishing Simulator comes into play, offering a comprehensive solution to tackle smishing threats effectively. The platform is designed to address several key areas:
- Amplified Threat Awareness: Keepnet's Smishing Simulator uses real-world scenarios to train employees across various locations in detecting smishing threats. This hands-on approach ensures that staff are not just theoretically informed but practically prepared to identify and respond to smishing attempts.
- Streamlined Reporting: One of the most significant challenges in combating smishing is the lack of a streamlined reporting mechanism. Keepnet's security awareness training educates staff about the nuances of smishing threats and provides a unified platform for reporting suspicious activities. This is particularly beneficial for large organizations like hotel chains, where a centralized reporting system is important.
- Minimized Human Error: Human error is often the weakest link in cybersecurity. By exposing employees to simulated smishing attacks, Keepnet helps reduce the error margin. The simulations are designed to mimic real-world scenarios, making the training as realistic as possible.
- Fostering Security Culture: Cybersecurity is not just an IT issue; it's an organizational one. Keepnet's regular training sessions aim to create a proactive security culture. Employees become active participants in the cybersecurity strategy, making the system more robust.
- Regulatory Compliance: With the increasing number of cybersecurity regulations, compliance has become a significant concern for organizations. Keepnet's frequent simulations ensure the organization adheres to various cybersecurity regulations, thereby minimizing legal risks.
- Efficient Risk Management: Managing human risk is complex, especially for organizations across multiple locations. Keepnet's platform provides a centralized system for managing this risk, offering real-time monitoring and feedback. This ensures continuous improvement and helps in identifying potential areas of concern.
- Real-time Monitoring: The Smishing Simulator doesn't just stop at training; it goes further by tracking employee behavior during simulations. This real-time monitoring helps identify weaknesses and determine training needs across all locations. The collected data is invaluable for refining future training programs and enhancing the organization's cybersecurity posture.
Next Steps
Don't leave your organization's security to chance. Equip your team with the tools and knowledge they need to combat smishing and other cyber threats effectively.
Also, watch our YouTube video to discover how our smishing simulator offers robust protection against SMS phishing threats. This tool not only educates but also empowers you to recognize and respond to smishing attempts proactively. Learn the functionalities and benefits of our simulator, designed to enhance your cybersecurity defenses in a practical, engaging way.
Editor's note: This blog was updated on December 4, 2024.