logo svg
logo

July 6, 2026

Updated: July 6, 2026

Smishing Statistics 2026: SMS Phishing, OTP Theft & Mobile Fraud

A source-backed 2026 guide to smishing statistics covering SMS phishing, mobile phishing, text scams, OTP theft, account takeover, AI scams, vishing overlap, quishing, and business risk.

Mohammed Khalil

Mohammed Khalil

Featured Image

Executive summary and key statistics

Smishing statistics 2026 matter because the most credible evidence no longer points to a single-channel phishing problem. The strongest current data shows a mobile-heavy threat environment in which SMS phishing, voice follow-up, QR lures, credential theft, OTP interception attempts, and account takeover increasingly overlap. The most useful smishing statistics are therefore the ones that separate true smishing data from broader phishing, fraud, robotext, or identity-abuse datasets, and explain what each number actually measures.

Executive Summary / TL;DR

Key Smishing Statistics Table

CategoryStatisticSourceYearScopeWhy It Matters
Phishing baselineAPWG recorded 3.8 million phishing attacks in 2025.APWG Phishing Activity Trends Report Q4 20252025GlobalUseful phishing-wide baseline; not smishing-only.
Mobile delivery shiftAPWG said phishing through social media and SMS rose from 15.4% to 17.3% QoQ in Q4 2025.APWG2025GlobalIndicates mobile/social delivery is growing inside broader phishing.
Mobile phishing compositionZimperium said mishing was roughly one-third of threats in zLabs telemetry, and smishing was over two-thirds of mishing.Zimperium Global Mobile Threat Report2025Vendor telemetryStrong mobile-phishing signal, but not universal market truth.
Smishing share of mishingZimperium reported observed mishing vectors as SMS 69.3%, PDF 28.4%, QR 2.4%.Zimperium2025Vendor telemetryUseful for answering whether most mobile phishing is SMS-led in one major dataset.
Text-scam lossesFTC said consumers reported $470 million in losses to scams that started with texts in 2024, over 5x the 2020 level.FTC text-scam spotlight2024United States, complaint dataStrong consumer-loss indicator for text scams; not identical to smishing incident volume.
Toll-road smishingFBI IC3 said it received over 2,000 complaints about toll-road smishing texts since early March 2024.FBI IC3 PSA2024United States, complaint dataImportant evidence that toll smishing is a real and rapidly spreading scam type.
Enterprise mobile phishingLookout recorded 1,088,406 phishing and malicious web attacks prevented in Q1 2025 and said 100% of protected organizations were targeted with socially engineered phishing.Lookout Q1 2025 Mobile Threat Landscape2025Vendor telemetryIndicates enterprise mobile exposure is persistent, not episodic.
Mobile click riskVerizon’s 2026 DBIR said successful click rates in mobile-centric vectors were 40% higher than email in phishing simulations.Verizon DBIR 20262026Phishing simulation dataDirectly relevant to employee text and voice lure risk.
OTP security postureNIST says phone- and SMS-based OTPs are restricted authenticators.NIST Digital Identity FAQCurrent guidanceUnited States federal guidanceKey control implication for OTP theft and MFA bypass discussions.
Finance-sector exposureENISA analyzed 488 European finance incidents and found banks were affected in 46% of observed incidents.ENISA Threat Landscape: Finance Sector2025 reportEurope, Jan 2023–Jun 2024 incidentsUseful sector-risk context for bank-alert and payment-brand smishing.
AI-linked fraudFBI IC3 logged 22,364 AI-related complaints and $893.3 million in losses in 2025.FBI IC3 Annual Report 20252025United States, complaint dataRelevant for AI-enhanced lures, voice cloning, and fraud scaling.
UK public reportingNCSC said that, as of May 2026, UK reporting systems had received 55.7 million scam reports and removed 250,000 scams across 443,000 URLs.UK NCSC phishing reporting page2026United Kingdom, cross-channel reportingHighlights reporting scale, but combines scams across channels rather than isolating smishing.

Quick answer: What do smishing statistics show?

Smishing statistics show that SMS phishing is best understood as part of a larger mobile social-engineering problem, not as an isolated text-only nuisance. The strongest current evidence links malicious texts to credential theft, OTP theft, MFA bypass attempts, account takeover, banking and payment scams, delivery and toll lures, and multi-channel fraud that may move from SMS to voice calls, QR codes, email, or messaging apps. The most reliable sources also show that mobile click behavior, unmanaged devices, and identity-centric fraud are major business risks. For security leaders, that points to awareness, mobile telemetry, authentication hardening, account-recovery controls, and carefully scoped social-engineering validation.

For broader DeepStrike context, compare this dedicated smishing page with related guides on phishing statistics, vishing statistics, social engineering statistics, deepfake statistics, mobile security threats, and cybercrime statistics. Those pages cover adjacent channels; this guide stays focused on SMS phishing, mobile-message abuse, OTP theft, account takeover, and multi-channel social engineering.

Definitions, methodology, and the smishing statistics landscape

Why Smishing Statistics Matter

Smishing deserves its own analysis because the attack surface is different from email phishing. SMS reaches users on a device they carry constantly, often outside the controls that protect desktops and corporate inboxes. Lookout’s 2025 mobile research shows that phishing and social engineering remained the most significant mobile threat category in volume and operational relevance, and that even managed mobile fleets still experienced meaningful exposure. Verizon’s 2026 DBIR adds a practical buyer insight: in phishing simulations, voice and text campaigns outperformed email on median click success.

The trust model is different too. FTC and FBI reporting shows that high-performing text scams often imitate delivery brands, banks, toll operators, government agencies, job recruiters, or wrong-number conversations that escalate into finance or identity fraud. In 2024, the FTC found package-delivery messages were the most commonly reported text scam, while fake bank fraud alerts and bogus unpaid toll notices were also frequent. The FBI separately logged more than 2,000 toll-road smishing complaints within weeks in 2024.

Smishing also intersects directly with authentication abuse. NIST classifies SMS-based OTPs as restricted, and its phishing-resistance guidance explains why one-time codes are still attractive targets: attackers want the password, PIN, or passcode that lets them step through account recovery, session establishment, or adversary-in-the-middle workflows. CISA therefore prioritizes phishing-resistant MFA and recommends number matching when organizations are still using push-based systems.

Smishing vs Phishing vs Vishing vs Quishing

Attack TypeMain ChannelCommon GoalTypical LureSecurity Relevance
PhishingEmail, webCredential theft, malware delivery, fraudShared file, login alert, invoiceBaseline category for most breach and fraud reporting
SmishingSMS, MMS, sometimes mobile messaging appsCredential theft, OTP theft, payment fraud, account takeoverDelivery issue, bank fraud alert, toll notice, tax alertHigh mobile click risk and strong brand-impersonation overlap
VishingVoice calls, voicemail, AI-generated audioOTP capture, helpdesk manipulation, payment fraud, account recovery abuseBank fraud call, executive request, support desk callOften used as smishing follow-up or MFA interception stage
QuishingQR codes in messages, pages, posters, packagesRedirect to malicious site, credential theft, payment fraudPackage tracking QR, tax QR, parking or payment QRConverts phone camera behavior into phishing entry
Multi-channel phishingEmail, SMS, voice, QR, chat appsMove victim across channels until trust is establishedSMS plus call, email plus text, QR plus callIncreasingly common in modern fraud operations
Deepfake-assisted social engineeringAI-generated audio or video layered onto SMS, voice, or conferencingImpersonation, urgency, trust hijackOfficial, executive, or family-member impersonationRaises believability, especially in high-trust or high-value workflows

These categories overlap more than many statistics roundups admit. Europol’s IOCTA 2024 said smishing was the most common phishing type used by fraudsters in 2023, while quishing emerged as an additional threat. The FBI’s 2025 warning on impersonated senior U.S. officials described a campaign that combined smishing, AI-generated voice messages, and a move to a separate messaging platform to steal access. NIST likewise notes phishing increasingly occurs across channels, including email, voice, and text.

Methodology: How We Selected and Verified the Statistics

This article treats definitions as part of verification. A statistic was included only if the source stated what it measured, when it was measured, and what population or dataset it covered. Government complaint data, phishing consortium reporting, enterprise telemetry, and fraud-network benchmarks were used differently because they answer different questions. FTC and IC3 complaint counts are useful for scam patterns and reported losses, but they do not equal total incident volume. Mobile-security vendor datasets help answer mobile-exposure questions, but they do not represent the whole market. Standards and government guidance are used for control interpretation, not attack prevalence.

Older figures were used sparingly and only when they added historical context, such as the FCC’s robotext complaint trendline. Broad phishing figures were never presented as smishing-only figures, and robotext or text-scam data was labeled separately from smishing when the source did not define the traffic as SMS phishing. Vendor claims were retained only when they added something smishing-specific or mobile-specific that public-sector sources do not track well, such as the split between SMS, PDF, and QR mishing vectors.

CriterionRequirementWhy It Matters
Source credibilityGovernment, regulator, standards body, consortium, or named primary telemetry sourceLowers the risk of fabricated or recycled numbers
Publication yearPrefer 2024–2026Keeps the article current enough for 2026 decision-making
Smishing-specificityClearly identify whether a number is smishing-specific, text-scam-specific, mobile-phishing-wide, or phishing-widePrevents definitional inflation
SMS vs mobile-app messaging definitionCheck whether “mobile phishing” includes SMS only or also chat apps, browsers, QR, and app links“Mobile phishing” is wider than smishing in many datasets
Measurement definitionComplaint count, survey response, incident count, blocked event, click simulation, or loss amountDifferent measures answer different questions
Attack type clarityConfirm whether the source distinguishes smishing, vishing, quishing, phishing, spoofing, or impersonationAvoids false precision
Fraud or security scopeSeparate consumer fraud, enterprise security, and telecom abuse measuresOne dataset rarely fits all audiences
Industry or user segmentIdentify whether the number applies to banks, employees, consumers, or sectorsBuyers need segment-relevant interpretation
Regional relevanceState the region or say “global” only when justifiedSmishing patterns vary by geography
Vendor telemetry caveatLabel vendor datasets as telemetry, not market censusStops overgeneralization
Complaint-data caveatTreat FTC, IC3, FCC, and reporting hotlines as reported incidents, not all incidentsComplaint systems undercount real harm
Cross-industry caveatAvoid using one sector’s experience as economy-wide truthFinancial services is not the same as SaaS or retail
ReproducibilityPrefer sources with named datasets, sample sizes, or methodology notesSupports editorial verification
Practical security relevanceInclude numbers that affect controls, staffing, or investment choicesKeeps the article useful
Fraud and business impact relevanceInclude losses, ATO, impersonation, or operational burden where clearly sourcedConnects security data to executive decisions

Smishing Threat Landscape in 2026

The most credible 2026 picture is a layered one. APWG’s global data shows phishing remains massive, while mobile and social delivery continues to rise. Zimperium’s mobile threat telemetry shows that, inside mobile-targeted phishing, SMS dominates observed delivery more than QR or PDF-based variants, but those secondary formats are growing and matter because they help attackers bypass legacy assumptions about what a phishing lure looks like on a phone.

The lure catalogue is also converging around a handful of reliable pressure points: package delivery, toll revenue, account-fraud warnings, tax impersonation, recruiting offers, support calls, and investment or crypto narratives. FTC data indicates that package-delivery scams led reported text fraud in 2024, while the IRS elevated email-and-text impersonation to its 2026 Dirty Dozen list and explicitly warned about QR-enabled fake IRS websites. The FBI’s current public-service announcements reinforce that attackers are comfortable mixing SMS with voice, links, and platform changes.

That is why a modern smishing campaign rarely ends at the text itself. It may start with an SMS lure, move to a fake login page, demand an OTP, trigger a call from a fake fraud desk, or redirect the victim to a QR code or secondary chat app. Europol’s IOCTA 2026 explicitly ties the prominence of phishing and smishing to the spread of 2FA, while NIST and CISA keep pushing organizations toward phishing-resistant alternatives precisely because code-based and prompt-based defenses can still be socially engineered.

Smishing Statistics 2026 by Threat Type

Threat AreaKey StatisticSourceScopeSecurity Takeaway
SMS phishingSmishing made up 69.3% of observed mishing vectors in zLabs telemetry.ZimperiumVendor mobile telemetrySMS remains the leading mobile phishing vector in this dataset.
Mobile phishingGlobal mobile phishing click rate was 12.88% in Lookout Q3 2025 reporting; iOS exposure was 16.07% versus 7.78% on Android.LookoutVendor enterprise telemetryMobile browsing and messaging exposure remain structurally high.
Text scamsFTC recorded $470 million in reported losses to scams that started with texts in 2024.FTCU.S. complaint dataText scams are costly even though complaint data undercounts total harm.
Credential theftCompromised credentials were an initial access vector in 22% of 2025 DBIR breaches.VerizonBreach datasetSmishing that steals passwords often feeds larger intrusion chains.
OTP and MFA riskNIST says SMS OTPs are restricted; CISA recommends phishing-resistant MFA and number matching if stronger options are not yet available.NIST and CISAU.S. guidanceCode-based MFA is better than passwords alone, but still exposed to social engineering.
Account takeoverSift reported an overall ATO attack rate of 2.5% in Q2 2025, up 4% YoY.SiftVendor fraud networkATO pressure remains high after credential theft.
Financial-services targetingFinance and fintech ATO attacks in Sift’s network rose 122% YoY, from 0.54% to 1.2%.SiftVendor fraud networkFinancial accounts remain high-value post-smishing targets.
Package-delivery scamsFTC identified fake package delivery as the most reported text scam in 2024.FTCU.S. complaint dataDelivery season and shipping brands remain prime impersonation themes.
Toll-road smishingFBI received over 2,000 toll-smishing complaints in a short 2024 window.FBI IC3U.S. complaint dataToll lures spread quickly across jurisdictions.
AI-enhanced fraudIC3 logged 22,364 AI-related complaints and $893.3 million in losses in 2025.FBI IC3U.S. complaint dataAI materially raises fraud scale and believability.
Vishing overlapZimperium saw vishing up 28% and smishing up 22% in its mobile observations.ZimperiumVendor telemetryVoice and SMS should be managed as connected threats.
Quishing overlapAPWG and Mimecast logged 655,673 unique malicious QR codes in Q4 2025.APWGGlobal QR-focused phishing telemetryQR lures are smaller than SMS in mobile telemetry, but large enough to matter.

Threat analysis by attack path and sector

SMS Phishing, Mobile Phishing, and Text Scam Statistics

The cleanest way to separate these terms is this: smishing is phishing via SMS or text messaging; mobile phishing is broader and can include SMS, chat apps, mobile browsers, QR codes, PDF lures, and app-based redirection; text scam is broader still and can include non-phishing payment or impersonation fraud. Mixing those categories produces misleading content.

On volume and exposure, the best 2025 evidence is vendor-side mobile telemetry. Lookout reported more than 1 million mobile phishing attacks on enterprise users in Q1 2025, and more than 1.2 million enterprise-targeted phishing and malicious web attacks in Q3 2025. Lookout’s Q3 data also showed iOS encountering materially more phishing exposure than Android, and unmanaged devices slightly more than MDM-managed devices. That does not mean MDM is ineffective. It means device management alone does not neutralize socially engineered links delivered through apps workers are allowed to use.

Zimperium’s telemetry sharpens the picture inside mobile phishing. In its 2025 report, SMS made up 69.3% of observed mishing vectors, versus 28.4% for PDF lures and 2.4% for QR. That gives a defensible, source-bound answer to the common question “Are most mobile phishing attacks smishing?” In this dataset, yes. But that answer is dataset-specific, not universal, because other vendors define mobile phishing differently and may count app, browser, or malicious-site events instead of initial delivery channels.

Public-sector data confirms user harm, even when it does not isolate smishing perfectly. FTC data showed text-originated fraud losses hit $470 million in 2024. The FCC, meanwhile, has warned that robotext complaints rose more than 500% from about 3,300 in 2015 to 18,900 in 2022. That FCC figure is a robotext complaint measure, not a smishing count, but it still shows the scale at which text-based abuse became a consumer-protection issue.

Credential Theft, OTP Theft, MFA Bypass, and Account Takeover Statistics

Smishing becomes an organizational security issue when it moves from nuisance to authentication abuse. The text usually does not need to “hack” anything. It only needs to push a user toward a fake login, a fake support workflow, or a fake fraud-resolution process. Verizon’s supplemental 2025 DBIR research found compromised credentials were an initial access vector in 22% of breaches, and credential stuffing accounted for a median 19% of all authentication attempts in the SSO logs it analyzed, rising to 25% in enterprise-sized companies.

The account-takeover side of the picture is broader than smishing, so it needs labeling. Sift’s Q3 2025 Digital Trust Index reported an overall ATO attack rate of 2.5% in Q2 2025, up 4% year over year, with fintech and finance seeing a 122% rise in its network. TransUnion’s H1 2026 update similarly reported a 37% increase in the suspected digital-fraud rate for account takeover from 2024 to 2025. These are not smishing-only ATO numbers. They are best understood as the downstream fraud pressure that successful smishing can feed.

OTP theft sits at the center of that transition. NIST says phone- and SMS-based OTPs are restricted authenticators, while its phishing-resistance guidance explains that the most damaging phishing attacks often focus on passwords, PINs, and one-time passcodes. CISA’s MFA guidance takes the same direction: if organizations cannot yet deploy phishing-resistant MFA broadly, they should at least reduce prompt-bombing and code-relay exposure with safer MFA patterns such as number matching.

For buyers, the important interpretation is straightforward. Code-based MFA is still materially better than password-only login, but it should not be treated as “solved” in the face of smishing, vishing, AiTM, SIM-swap-adjacent abuse, or helpdesk manipulation. NIST’s own position is why passkeys, FIDO authenticators, and other phishing-resistant flows matter most for privileged users, finance staff, administrators, and high-value customer workflows.

Banking, Financial Services, Crypto, and Payment Smishing Statistics

Financial brands remain some of the most attractive names for mobile impersonation because the desired action is immediate: log in, verify a charge, move money, reset a credential, approve a payment, or reveal an OTP. ENISA’s finance-sector report found banks accounted for 46% of the sector incidents it analyzed, and it explicitly described phishing, smishing, and vishing as prevalent social-engineering tactics against both individuals and credit institutions.

APWG’s Q4 2025 brand-impersonation data adds useful targeting context. In its ecrimeX dataset, social media and SaaS/webmail each accounted for 20.3% of targeted sectors, telecom accounted for 18.7%, financial institutions for 9.3%, payment services for 7.6%, crypto for 3.6%, and shipping for 2.0%. That is phishing-wide targeting data, not smishing-only data, but it maps well to the brand types most often seen in malicious texts.

The FTC’s text-scam spotlight also showed that fake “fraud alert” messages from a bank or Amazon remained common in text-originated fraud. And Microsoft has documented AiTM phishing and BEC activity targeting banking and financial-services organizations, which matters because a text lure may only be the first stage in a larger compromise chain.

Crypto needs even tighter caveats. Most crypto-loss statistics are not smishing-specific. The FBI’s 2025 IC3 report showed crypto-related losses remained enormous overall, and ENISA noted investment fraud and crypto-related financial crime remain important predicate offenses in cyber-enabled fraud. Those figures should not be presented as “crypto smishing” totals. What they show is why criminals use texts, fake support contacts, wrong-number conversations, and recovery scams to move victims toward wallets, exchanges, or scam investment platforms.

Package Delivery, Toll Road, Tax, Government, and Impersonation Scam Statistics

This is the most operationally useful smishing category because the lures are repeatable, seasonal, and easy to recognize in telemetry, customer support tickets, and brand-abuse monitoring. The FTC’s 2024 analysis found fake package-delivery problems were the most reported text scam, with bogus job offers second, followed by fake fraud alerts, bogus unpaid toll notices, and wrong-number scam texts. The FTC also noted that these top categories accounted for about half of text frauds reported to the agency in 2024.

Toll-road smishing is now well-established as more than anecdotal noise. The FBI said IC3 received over 2,000 complaints about toll-road smishing texts since early March 2024, and the FTC’s 2025 text-scam release confirmed unpaid toll warnings remained a frequent text-scam theme. The attack logic is simple: a low dollar amount, a threat of added fees, a local-looking road authority, and a mobile payment link. That is why these campaigns scale so efficiently.

Tax and government impersonation remain durable because they combine urgency, authority, and personal-data collection. IRS guidance for 2026 explicitly lists IRS impersonation by email and text as a Dirty Dozen scam and warns that criminals are using alarming language and QR codes to send taxpayers to fake IRS websites. FTC 2024 fraud data also showed losses to broader government imposter scams rose to $789 million. Again, that FTC number is not smishing-only, but it shows why government-brand impersonation remains such a profitable lure family.

Business Email Compromise, Executive Impersonation, and Employee Smishing Risk

Smishing is increasingly adjacent to BEC rather than separate from it. In many environments, the mobile text is the reconnaissance or pretext layer used to move a user into email compromise, SSO compromise, payroll fraud, or helpdesk-assisted account takeover. The FBI’s 2025 IC3 report recorded $3.05 billion in BEC losses. That is not a smishing number, but it is one reason mobile pretexting deserves executive attention.

Employee exposure is also amplified by mobile-use patterns. Verizon’s 2025 DBIR said the human element appeared in roughly 60% of breaches and found that 46% of compromised systems with corporate logins in infostealer data were non-managed, likely reflecting BYOD or out-of-policy use. Verizon’s 2026 DBIR then added that mobile-centric phishing simulations outperform email on click success. Together, those figures tell a clear story: employee mobile risk belongs in identity, endpoint, and social-engineering planning, not just awareness content.

Lookout reinforces that point with its enterprise telemetry. In Q1 2025 it reported that 100% of protected enterprise organizations saw socially engineered phishing attacks, and it observed that threat actors increasingly target mobile users first. For security teams, that means helpdesk verification, executive communications, payroll-change workflows, and MDM exception handling deserve as much scrutiny as email filtering.

AI, Deepfake, Vishing, Quishing, and Multi-Channel Social Engineering Statistics

AI is most important here as a scale and believability multiplier. The FBI’s 2025 IC3 report logged 22,364 AI-related complaints tied to $893.3 million in losses, including more than $30 million in BEC losses involving AI and more than $5 million in distress-scam losses where voice cloning helped mimic loved ones. The FBI’s 2025 warning about impersonated senior U.S. officials further showed how attackers are blending AI-generated voice with smishing to gain trust before moving victims to malicious links or secondary platforms.

Europol’s IOCTA 2024 and ENISA’s finance work support the same direction. Europol said AI tools and deepfakes are expanding social-engineering opportunities, while ENISA documented phishing, smishing, and vishing as prevalent social-engineering tactics in finance-related attacks. Microsoft’s 2025 fraud reporting added that AI can scan public information to build more convincing lures, and by April 2025 Microsoft said it had thwarted $4 billion in fraud attempts across its own environment and customers.

Quishing deserves caution, not hype. APWG and Mimecast observed 655,673 unique malicious QR codes in Q4 2025, which is significant. But Zimperium’s mobile telemetry still placed QR at only 2.4% of observed mishing vectors, far below SMS and PDF. NCSC guidance likewise says QR-enabled fraud is real but still relatively small compared with other fraud types. The right interpretation is that quishing is neither dominant nor negligible. It is an increasingly useful bridge from one channel to another.

Industry and Regional Smishing Statistics

The industry view is strongest where public-sector data and vendor-sector studies overlap. ENISA’s finance-sector report is the clearest sector-specific source in this set: banks were affected in 46% of observed incidents, and public finance organizations were second at 13%. Individuals were also directly affected, including through finance-themed social engineering. For European financial institutions, that is strong evidence that bank-brand impersonation and customer-facing fraud cannot be treated as a pure consumer-awareness issue.

Regional patterns are harder because many datasets are ecosystem-specific. Zimperium reported that the United States made up 44% of mobile phishing targets in its 2024 mobile-phishing observations. NCSC, meanwhile, said UK reporting systems had received 55.7 million phishing-scam reports as of May 2026 and removed 250,000 scams across 443,000 URLs. These are useful signals, but they come from different collection models and should not be compared as if they measure the same thing.

For procurement and leadership readers, the practical conclusion is that industry matters at least as much as geography. Financial services, telecom, ecommerce, logistics, public-sector agencies, and payroll-heavy employers have far more incentive to harden mobile workflows because their brands and processes map directly onto the highest-performing smishing lures.

Security priorities, buyer takeaways, and FAQs

What These Numbers Mean for Security Leaders

The first priority is to stop treating SMS as “outside” the identity program. The combination of NIST’s restricted treatment of SMS OTP, Verizon’s mobile click-rate data, and Zimperium’s SMS-heavy mishing split means authentication and mobile-security teams should plan together. Phishing-resistant MFA, passkeys or FIDO where feasible, recovery-flow hardening, and helpdesk verification controls matter more than generic “be careful of scam texts” advice.

The second priority is visibility. MDM helps, but Lookout’s data shows it does not remove exposure. Organizations need mobile reporting workflows, brand and domain monitoring, fraud-ops feedback loops, and detection logic that connects SMS lures to SSO logs, impossible travel, step-up challenges, password resets, and support tickets. BYOD governance also needs a reality check, given Verizon’s findings around non-managed devices with corporate credentials.

The third priority is validation, not assumption. Security, fraud, and IT teams can use these statistics to prioritize testing across employee mobile risk, login flows, account recovery, customer portals, APIs, mobile apps, and social-engineering workflows. DeepStrike’s relevance in this context is practical and limited: penetration testing, mobile application penetration testing, API testing, web application testing, red team assessments, remediation tracking, and retesting can help validate whether the paths implied by these smishing statistics are actually exploitable in a specific environment.

Smishing Defense Benchmarking Checklist

Security AreaWhat the Statistics SuggestWhat Security, Fraud, and IT Teams Should Check
Employee awarenessText and voice lures can outperform emailInclude SMS, toll, delivery, payroll, and fake bank scenarios in training
Mobile phishing reportingConsumer and enterprise exposure is persistentGive users a one-step path to report suspicious texts and calls
Phishing-resistant MFASMS OTP remains restricted and socially engineerablePrioritize FIDO, passkeys, hardware-backed auth, and stronger admin auth
OTP handlingOTP theft remains central to smishing monetizationBlock code re-entry into support workflows and warn users never to share codes
Account recoveryAttackers use urgency and impersonationReview recovery, password reset, and trusted-device flows
Helpdesk verificationVishing and executive impersonation overlap with smishingAdd call-back, ticket-binding, and step-up verification
Executive impersonation controlsAI voice and text combinations are now documentedProtect exec accounts, assistants, and communications workflows
BYOD policyNon-managed devices carry corporate credentialsReassess app access, credential storage, and mobile browser policy
MDM / MAMDevice management reduces but does not remove exposureConfirm approved messaging apps, browser controls, and risky-app policy
Mobile threat defenseMobile telemetry helps surface phishing and malicious web activityIntegrate mobile signals into SIEM, SOAR, or XDR workflows
Domain and brand monitoringDelivery, toll, bank, and government impersonation are commonMonitor lookalike domains, spoofed brands, and trending scam themes
Customer educationBank, toll, and package lures hit consumers directlyPublish channel-specific warnings and official contact guidance
Banking and payment alertsFraud-alert impersonation remains commonReview language, sender validation, and callback procedures
Package delivery and toll warningsThese lures scale fastCoordinate fraud, comms, legal, and customer support communications
Fraud investigation workflowText scams are often reported first to support or fraud teamsPreserve message samples, sender data, and URLs for triage
SOC detection workflowSmishing often precedes credential abuseCorrelate mobile reports with login anomalies and session risk
Phishing simulation cadenceMobile vectors deserve separate measurementRun safe, authorized, scoped exercises across mobile workflows
Social engineering testingAwareness alone is not enoughValidate helpdesk, payroll, identity proofing, and escalation processes
API and login flow testingATO often lands on session and recovery weaknessesTest auth logic, reset flows, token handling, and session protections
Incident responseMulti-channel campaigns move fastDefine ownership across security, fraud, support, legal, and comms
Executive reportingMetrics must connect to business exposureReport on mobile reporting speed, auth strength, and fraud-loss trends

Common Mistakes When Using Smishing Statistics

The most common mistake is presenting broad phishing, text-spam, mobile-fraud, or cybercrime numbers as if they were smishing-only. The second is treating complaint data as total prevalence. The third is repeating vendor telemetry without its scope. FTC losses, FCC complaints, APWG phishing counts, Zimperium mobile telemetry, and Verizon breach analysis are all useful, but they are not interchangeable.

Another mistake is focusing on message volume while ignoring the more consequential downstream paths: OTP theft, helpdesk abuse, credential reuse, password reset fraud, session theft, BEC adjacency, and account takeover. Verizon, Sift, TransUnion, NIST, and CISA all point to the same conclusion from different angles: the real business risk is not the text itself. It is what the text gets the user or employee to do next.

FAQs

What are the most important smishing statistics for 2026?

The highest-value figures are the ones that separate smishing from adjacent categories. The strongest current set includes APWG’s 2025 phishing baseline, FTC’s $470 million in U.S. text-originated scam losses, Zimperium’s finding that SMS made up 69.3% of observed mishing vectors, Verizon’s mobile click-rate result, and NIST’s position that SMS OTP is a restricted authenticator.

What is smishing?

Smishing is phishing conducted through SMS or text messaging. The goal is usually to make the recipient click a malicious link, call a fraudulent number, reveal credentials, share an OTP, or send money. FBI, NCSC, and industry threat reports all describe smishing as a social-engineering attack that uses text messages rather than email as the entry channel.

How common are smishing attacks?

Precise global smishing totals are scarce because many sources track broader phishing or broader text scams instead. The best current indicators are the FTC’s text-scam loss data, FBI complaint data for specific campaigns such as toll scams, and mobile-security telemetry showing SMS remains a major mobile-phishing vector. Smishing is clearly common, but exact prevalence depends on the source definition.

What is the difference between smishing, phishing, vishing, and quishing?

Phishing is the umbrella category. Smishing uses text messages, vishing uses voice calls or voice messages, and quishing uses QR codes to move victims to malicious content or workflows. Modern campaigns often combine them. Europol and the FBI both describe overlap between text, voice, and other impersonation channels, especially when fraudsters want a second step such as OTP capture or account access.

Are most mobile phishing attacks smishing?

Not universally, but some major mobile-security datasets say SMS is the leading mobile-phishing vector. In Zimperium’s 2025 zLabs telemetry, SMS accounted for 69.3% of observed mishing vectors. That is useful evidence, but it should be framed as dataset-specific because other sources define mobile phishing more broadly and may count QR, browser, app, or messaging-platform events differently.

How does smishing lead to account takeover?

A user clicks a link, enters credentials, shares a one-time code, approves a prompt, or calls a fake support number. Attackers then reuse those credentials directly, relay them through AiTM pages, or automate them into credential-stuffing and account-recovery abuse. Verizon, Sift, TransUnion, and NIST all support this general attack-path interpretation, even though their datasets measure different stages of the chain.

Why do attackers use smishing to steal OTPs and MFA codes?

Because an SMS lure can create urgency on the same device where the victim receives an OTP or push prompt. That makes it easier to drive users into fake fraud-resolution or account-verification steps. NIST’s treatment of SMS OTP as restricted, and CISA’s push toward phishing-resistant MFA, both reflect the fact that code-based authentication can still be socially engineered.

Which industries are most affected by smishing?

Financial services, banking, telecom, ecommerce, logistics, government-adjacent services, and payroll-heavy employers face the clearest smishing pressure because their brands and workflows fit common lures. ENISA’s finance-sector work shows bank exposure clearly, while APWG’s brand-targeting data shows telecom, finance, payment, shipping, and SaaS/webmail brands remain regular phishing targets.

Are AI and deepfakes making smishing worse?

The evidence supports a measured yes. The FBI, Europol, and Microsoft all describe AI as making fraud and social engineering easier to scale and more believable. But none of those sources support the claim that most smishing is AI-generated. The better conclusion is that AI is improving lure quality, translation, impersonation, and voice-follow-up workflows.

How can businesses reduce smishing risk?

The most defensible stack is phishing-resistant MFA, stronger helpdesk verification, hardened account recovery, mobile reporting, mobile telemetry, brand monitoring, and user education tied to real lure families such as delivery, toll, and bank fraud alerts. For high-risk workflows, safely scoped social-engineering exercises and application security testing help confirm whether the control set works in practice.

How should employees report smishing messages?

Employees should not click, reply, or call the number in the message. They should forward or submit the message through internal reporting paths and approved carrier or platform mechanisms. FTC, FCC, IRS, and NCSC all point users toward reporting suspicious texts rather than engaging with them, and security teams should mirror that guidance internally with a fast, low-friction workflow.

How often should companies test smishing and social-engineering controls?

There is no universal fixed cadence, but the data supports recurring validation rather than annual awareness events. Mobile click risk remains persistent, delivery and tax themes cycle seasonally, and AI-enhanced lures iterate quickly. A reasonable program tests critical mobile, identity, helpdesk, finance, and customer-service workflows on a recurring, authorized, and carefully scoped basis.

Conclusion

Smishing statistics 2026 do not support a simplistic narrative that “text scams are rising” and nothing more. The better reading is that SMS phishing now sits inside a broader mobile-fraud and identity-abuse system that includes mobile phishing, OTP theft, account takeover, banking fraud, delivery scams, toll scams, tax and government impersonation, vishing follow-up, and growing use of AI-enhanced social engineering. The strongest sources also show that executive risk is not just consumer-facing. Employee mobile exposure, unmanaged devices, weak recovery workflows, and code-based MFA all expand the blast radius.

Security, fraud, and IT teams should use these numbers to prioritize validation, not replace it. That means validating employee mobile risk, login flows, account recovery, customer portals, APIs, mobile applications, and social-engineering workflows against the attack paths these statistics point to. DeepStrike helps teams validate real-world exposure through penetration testing, mobile application penetration testing, API penetration testing, web application testing, red team assessments, remediation tracking, and retesting support.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led red team and application security engagements across technology, finance, healthcare, cloud, and regulated environments. His work focuses on real-world attack path validation, application vulnerabilities, API security, cloud security, identity exposure, social engineering risk, and adversary emulation.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us