Smishing Statistics 2026: Latest Trends and Numbers in SMS Phishing

Explore 2026 smishing statistics backed by Verizon DBIR simulation reference numbers (p. 50), VERIS Phishing vs Pretexting context, and regional data. Distinct from our vishing statistics guide.

Ozan Ucar, Founder and CEO of Keepnet

Last Updated: 2026-05-30

Smishing Statistics 2026: The Latest Trends and Numbers in SMS Phishing

Smishing (SMS phishing) delivers malicious links and urgency via text. APWG Q4 2025 cites smishing volume growth of 30-40% quarter-over-quarter (Crane Authentication contributor). DBIR 2026 phone-centric simulations median ~2% click versus ~1.4% for email.

Keepnet's Extended Human Risk Management Platform (xHRM) pairs multi-channel simulations with Secure Behavior Management (SBM) outcomes: reporting speed and repeat-failure cohorts, not completion exports alone.

Source: Gartner, "6 Ways to Transform Your Cybersecurity Awareness Program" (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65).

Executive summary: smishing statistics 2026

Smishing volume growth: 30-40% QoQ (APWG Q4 2025)
Phone/SMS sim median click: ~2% (DBIR 2026, p. 50)
Email sim median click: ~1.4% (DBIR 2026, p. 50)
EU initial access via phishing (incl. vishing/malspam): ~60% (ENISA ETL 2025)

Smishing statistics at a glance

Metric	Value	Source
Smishing volume growth	30-40% QoQ	APWG Q4 2025
Phone sim median click	~2%	Verizon DBIR 2026
Email sim median click	~1.4%	Verizon DBIR 2026
Global phishing sites (2025)	~3.8 million	APWG Q4 2025
Leaders prioritize phishing reporting	73%	Gartner G00840741, n=65

Smishing statistics at a glance (2026)

Why this matters

Proofpoint smishing click-rate claims are blocked in Keepnet stat posts. Use APWG volume trends and DBIR sim medians instead.

What security leaders should do

Do not cite vendor SMS click rates without primary URLs. Track smishing in smishing simulations and compare to DBIR phone channel baselines.

Smishing vs vishing statistics

Smishing is asynchronous (text + link); vishing is synchronous (live call or callback). DBIR 2026 splits phishing (16% initial access) from pretexting (6%). See vishing statistics 2026 for voice-specific reference numbers.

Smishing growth and phishing volume context

APWG recorded ~3.8 million phishing attacks in calendar 2025 (+1% YoY). Smishing grew faster than headline volume , channel mix shifted. Full volume context: phishing statistics 2026. APWG index: apwg.org/trendreports.

Why this matters

73% of security leaders prioritize phishing reporting metrics (Gartner, n=65) while many SAT programs still test email only.

What security leaders should do

Add SMS templates to quarterly sims; measure reporting rate separately from click rate.

Sources

SMS risk should sit in the same program as email, not a separate tool. KnowBe4 alternatives (2026) covers multi-channel options.

Schedule your 30-minute demo now

You'll learn how to:

Initiate SMS phishing simulations swiftly to elevate your team's defense against Smishing risks.

Engage your staff with practical SMS phishing scenarios to sharpen their alertness and readiness.

Generate tailored reports detailing your employees' missteps, identifying precise opportunities for enhancing cybersecurity measures.

Frequently Asked Questions

What is smishing?

Smishing is phishing via SMS/text message , malicious links or urgency delivered to mobile devices.

How fast is smishing growing?

APWG Q4 2025 cites smishing volume growth of 30-40% quarter-over-quarter.

What click rate should we baseline?

DBIR 2026: phone-centric sim median ~2% vs email ~1.4% (p. 50).

Smishing vs vishing?

Smishing = SMS/text. Vishing = voice/callback. DBIR splits async phishing (16% IA) from pretexting (6%).