Scam texts have gone from half-hearted phishing to a streamlined fraud machine. Law enforcement officials and analysts say that in recent years, organized groups have reaped more than $1 billion by commandeering some of these channels to blast out misleading messages, posing as toll agencies and delivery services, banks and mobile carriers — then harvesting card data known as fullz and cash codes from anyone who bites.
Authorities have traced a large portion of the recent rise to overseas operations, including networks that U.S. Homeland Security officials have linked to Chinese groups assisted by some U.S. “mules.” These operations use SIM farm infrastructure and gig workers hired on messaging apps to cash out stolen funds at scale, according to a report by The Wall Street Journal.
How the Smishing Pipeline Prints Money at Massive Scale
Attackers can fire off thousands of texts per minute using SIM farms — banks of inexpensive modems linked to prepaid SIM cards. These messages create a sense of urgency, typically through some sobering claim: an unpaid toll, for instance, or a package that is held up or even blocked, or a bank lockout. Clicking the link takes you to an authentic-looking phishing page that collects card numbers, logins, and passcodes.
Stolen card data is then loaded into mobile wallets such as Apple Pay or Google Wallet, where it is used to generate working tokens.
U.S.-based mules get those tokens, buy high-resale goods or gift cards, and take a small cut of each successful purchase — some as little as 12 cents on $100. Physical merchandise is then reshipped overseas, and digital value is flipped automatically as well.
The scale is staggering. Text messages are now a top way that fraudsters reach out to victims, according to the Federal Trade Commission, which has seen reported losses rise significantly over the years. The F.B.I.’s Internet Crime Complaint Center still lists phishing — by email, text message, and messaging apps — as the most commonly reported cybercrime by victims. Independent analysts of call and text traffic also estimate that Americans receive tens of billions of robotexts annually, potentially making for a huge pool of potential targets.
How to Detect Scam Text Tells and Avoid Losses
Urgency is the hook. If a text says you owe a toll or a fee to the postal service, and will be subpoenaed if it isn’t addressed immediately, assume it’s a setup until you verify. Real agencies hardly ever require immediate action by text.
Links are the trap. Look-alike domains frequently feature letter swaps or extra characters — like “t-moble” instead of “t-mobile.” Shortened links hide destinations entirely. If you can’t see and verify the domain, don’t tap.
One-time passcode requests are a red flag. No genuine business is going to request a text response with your 2FA code, or cave when you claim “this will work just fine.” Think of any such request as an account takeover.
Other red flags to look for include strange grammar, unknown senders, texts arriving when local businesses would be closed, and messages that seem to know more about you than they should (such as a message mentioning your city but not your name).
“Any time it becomes personal, we have our guard down,” Fisher said. Pay attention to consistency — swindlers tend to fumble the little stuff.
The Very First Thing to Do When You Get a Scam Text
Do not tap or reply. This interaction tells scammers your number is active. Rather, check the company’s official app or phone number, as listed on a billing statement or the back of your card.
Report and block. Forward the message to 7726 (SPAM), if your carrier supports it, and then block the sender. Carriers and the F.C.C. refer to these reports to determine which campaigns are live.
Use the fraud reporting portal of the Federal Trade Commission and, when relevant, the U.S. Postal Inspection Service for shipping scams. Your report is a key tool for law enforcement to tie infrastructure together and shut down repeat offenders.
If You Have Already Clicked or Shared Information
Contact your bank or card provider immediately. Freeze and discard the card, delete any compromised mobile wallet tokens, and inquire about a replacement number. Many issuers allow you to lock cards immediately via their own apps.
Put a freeze on your credit with all major credit bureaus — Equifax, Experian, and TransUnion — to prevent new-account fraud. Establish transaction and sign-in alerts on your financial accounts to spot any additional misuse fast.
Change the password of any account that you even partially entered on a suspicious site, and if possible add multifactor authentication using an authenticator app or security key; do not use SMS. If you suffered a big loss, report it to the F.B.I. at its Internet Crime Complaint Center and hold onto screenshots, transaction IDs, and message headers as evidence.
Pro-Level Defenses That Work Against Modern Smishing
- Use password managers and passkeys to minimize password reuse and reduce the effect of phishing. Most managers will auto-detect mismatched domains and prevent you from entering credentials into look-alike sites.
- Use virtual card numbers for online purchases if your bank provides them. Even if a number is stolen, the damage is contained. Set up notifications to alert you in real time to transactions, card-not-present purchases, and new payees.
- Lock down your phone number. Request that your carrier turn on SIM-swap and number port-out protection, and put a strong account PIN in place. Both iPhone and Android have built-in spam filters that relegate unknown senders to a separate list.
- Educate your circle. Families and groups that practice popular scams — toll notifications, missed deliveries, tax refunds, and prize alerts — commit fewer errors. Organizations like CISA and NIST release free material on phishing-resistant authentication and incident response plans that small firms can readily apply.
The bottom line: The strategy you fall for, the experts say, is simple and has two prongs — urgency and convenience. You should slow down, confirm via a trusted route, and toughen up your accounts before bad actors catch you out, even with a billion-dollar industry trying to steal it.
