Smishing falls under the umbrella of phishing where fraudsters send text messages (SMS) to businesses and people trying to get them to click on a link, or answer the text, which have malicious and nefarious purposes attached.
In the following statistics, we will show you the seriousness and the rise in SMS phishing, also known as smishing.
Phishing can involve emails with malicious attachments or URLs, or websites that you click on thinking they are legitimate.
Smishing involves text messages referred to as text spam or text scams, which are like that of the phishing email idea.
Vishing also falls under the phishing umbrella but is used as a term for phone scams, or phone spam.
Don’t let the “cutesy” names of these malicious threats fool you.
Phishing, vishing, and smishing are used by malicious players who want to scam you out of money, gain access to your computer, steal your identity, just to name a few terrible things they strive to do.
While businesses are often the most vulnerable to smishing (mobile phone SMS spam/scam), individuals also received these messages, which is why we shared this article.
We want our readers to be as informed about cybercrimes and malicious threats as much as possible.
Let’s direct our attention to these serious smishing statistics.
Key Smishing Statistics
- The first two quarters of 2021 saw a massive increase of 700% in smishing incidents in the United Kingdom.
- In 2019 alone, United States consumers lost more than $86 million USD via SMS phishing.
- Only 36% of people in the United States know what smishing is.
- The prevalence in smishing attacks rose from 75% in 2021 to 76% in 2022.
- The FBI’s 2020 Internet Crime Report revealed that losses, due in part to smishing, amounted to over $54.2 million in 2019.
- According to the FBI, in 2022, 300,497 victims reported phishing, vishing, smishing, pharming attacks.
- The IRS has alerted U.S. taxpayers about the rise of IRS-themed smishing attacks.
- In 2020, cybercriminals took advantage of the self-assessment deadline to target U.K. residents.
- Mobile phishing is the most efficient method of stealing login credentials.
Serious Smishing Statistics in 2023
Because all smishing is serious, we are sharing all these researched smishing statistics under this subtitle.
Some of these facts, figures, data, and statistics will include the world, some will be specific to a country or region, and some will be according to demographics.
Some of these statistics may surprise you, or even shock you.
However, others may make sense or hit home for you.
If you have ever fallen victim to smishing (we hope not), spam texts, you will relate to some of this information.
If you get unsolicited text messages on your mobile phone, you need to read this information and take it seriously.
1. The First Two Quarters of 2021 Saw a Massive Increase of 700% in Smishing Incidents in The United Kingdom.
The rise in smishing in the UK in just the first six months of 2021 was 700%.
Smishing is 15 times higher in the United Kingdom than they are in the United States.
The biggest concern over smishing is that the text messages sent appear to be from legitimate sources like banks, trusted businesses, Post Offices, etc.
In a Which? Press release, it was reported that after the company (Which?) launched its own scam sharer tool in March 2021 that they got over 9,000 reports of smishing.
Of these 9,000 reports of smishing, 65% were via messages and phone calls, while 31% were exclusively text messages.
2. One Way to Recognize a Smishing Text Is Through Its Shortened URL.
URL shorteners are mostly used in smishing attacks. The focus in the text will claim it’s urgent to respond to the text, which is another red flag.
The text will tell you that it’s urgent that you take some kind of action immediately.
These scam texts can tell you that you need to claim a prize, get your tax refund, confirm or reschedule a delivery, or that your bank account is locked.
The most common form seen by Which? Has been the delivery sort.
The first sign that you have received a smishing text is the sense of urgency behind the text.
Next, if it contains a shortened link and then if you are asked for personal information. It’s essentially the same as with vishing and phishing attacks.
3. A Lloyds TSB Study Showed that Only 18% of Participants Correctly Identified Fake Emails and Texts Shown to Them.
Cybercriminals are smart, crafty, and creative, which means we need to pay attention and learn as much as we can about how they operate.
These criminals are so sneaky and crafty that they have already victimized hundreds of thousands of people across the globe
One Lloyds TSB study showed 20 text and emails to the participants, of which only 18% correctly identified the emails and texts as fake.
Anyone could fall for a smishing attack due to how persuasive and legitimate they can appear.
Reread number 2, above, to find out how to recognize a smishing text.
4. In 2019 Alone, United States Consumers Lost More than $86 Million USD via SMS Phishing.
SMS phishing is another term used to describe vishing.
The 2020 CSN Annual Data Book published by the FTC revealed that American consumers experienced a total loss of $86 million USD due to smishing, which is categorized under fraud.
The median loss due to vishing among American consumers accounted for $1,170.
While this figure pales in comparison to “vishing”, or phone call phishing, which came to $436 million USD in 2019, the loss of millions of dollars is nevertheless massive.
These reports came from 334,524 people who fell victim to smishing.
(Consumer Sentinel Network Data Book 2020)
5. Only 36% of Surveyed United States Participants Correctly Answered, “What Is Smishing?”.
In a 2019 survey from Proofpoint where 3,500 employed adults in seven countries, only 36% of participants in the United States knew what smishing is.
The country that came in the highest in knowledge of smishing is France. Surprisingly, the lowest is Japan.
Also, 26% of U.S. participants gave the incorrect answer and a whopping 38% didn’t know.
Out of the participants in France, 9% got chose the wrong answer and 27% didn’t know.
Knowing that Japan had the lowest correct answers, it may not be as surprising to know that 26% got the wrong answer and 35% didn’t know.
The seven countries with survey participants included the United States, Australia, France, Germany, Japan, Spain, and the United Kingdom.
The percentages from this question varied between each country. However, most of them know what phishing is.
(Proofpoint: 2020 State of the Phish)
6. Only 29% of Surveyed People Across 15 Countries Understand Smishing, According to 2022 Statistics.
A newer survey conducted by Proofpoint in 2022 among 7,500 employed adults across 15 different countries revealed that only 29% understand what smishing is.
It’s worth noting that this is a 5% increase compared to 2021 statistics.
An overall slight increase of 5% understood phishing was noticed between 2021 and 2022.
While a 5% increase in understanding phishing and vishing shows some improvement, it’s still slight.
What this data shows us is that smishing, though a common threat, is still not understood by end-users.
(Proofpoint: 2023 State of the Phish)
7. The Prevalence in Smishing Attacks Rose from 75% in 2021 to 76% in 2022.
A one percent increase doesn’t seem like much, but since we’re looking at a survey sampling of 15 countries, it’s significant enough to be concerned.
Any growth in malicious online threats and cybercrimes is scary.
In this survey, 84% of organizations said they experienced at least one successful phishing event.
Remember that smishing is a subcategory of phishing, which means that it’s included in these outcomes.
Another 54% said they experienced three or more phishing attacks.
Nearly all areas of phishing attacks are up as of 2022 as cybercriminals continue to take advantage of the gaps that organizations and individuals have in awareness of security threats.
(Proofpoint: 2023 State of the Phish)
8. 32% of Organizations Claim to Offer Smishing Simulations to Help Employees Recognize It.
Overall, 79% of worldwide companies said they offer formal training for phishing attacks.
Did you know that this is a decrease of 6% from 2021? So, with only 32% of companies offering training options for smishing (texts) and/or vishing (calls), we can surmise that there is either not enough awareness, or there’s not enough concern.
79% of organizations say that they are using threat intelligence to guide their security threats training, which says that most of them do offer some kind of training.
However, it’s mostly related to malware, ransomware, and email phishing.
Sadly, only 31% address BEC (business email compromise), and 32% have simulations for smishing and vishing.
(Proofpoint: 2023 State of the Phish)
9. In 2019, Millennials and Gen X Outperformed Other Generations in Their Recognition of Smishing.
Overall, Baby Boomers outperformed all age groups in the 2020 State of the Phish survey in their recognition of phishing itself.
However, Boomers lagged in their recognition of smishing.
The two age groups that showed the highest level of smishing recognition accounted for those 23 to 38 (34%) and 39 to 54 (31%).
Together, both Gen X and Millennials showed the best and most understanding of smishing over Gen Z and Baby Boomers.
(Proofpoint: 2020 State of the Phish)
10. Spain Faced the Most Smishing Attacks at 100% in 2109.
In a survey of 7 countries, Spain was at 100% risk of facing smishing attacks.
Spain was also at 100% risk for social media malicious attacks. Overall, 84% of international organizations experience smishing in 2019.
Australia was also at risk for smishing attacks at 62%, which is a lower risk than Spain, but it’s still high.
These figures alone tell us that smishing is a global concern that needs to be addressed.
Consider this. Text messages are considered more personal than emails, victims more vulnerable to SMS phishing (smishing).
(Proofpoint: 2020 State of the Phish)
11. The FBI’s 2020 Internet Crime Report Revealed that Losses, Due in Part to Smishing, Amounted to Over $54.2 Million in 2019.
American organizations reported that they lost over $54.2 million because of phishing, vishing, smishing, and pharming in 2019.
This isn’t close to other forms of fraud inflicted upon American countries, but it’s still within the scope of significant fraud losses.
The number of victims who reported smishing (along with phishing, vishing, pharming) accounted for 241,42 victims in 2019 alone.
In the 2022 Internet Crime Report, the findings for smishing are not separately listed. They are all bundled into phishing reports.
(FBI 2020 Internet Crime Report)
12. According to the FBI, in 2022, 300,497 Victims Reported Phishing, Vishing, Smishing, Pharming Attacks.
The FBI’s 2020 Internet Crime Report bundles all phishing attacks, which includes vishing smishing, and pharming into its figures.
Due to this, we can only surmise that of the 300,497 victims of phishing included smishing attacks.
There was a downturn in phishing attacks between 2021 and 2022 with 23,475 victims.
While that seems like good news, we’ll wait to see the 2023 figures to see how the trend will play out.
(FBI 2022 Internet Crime Report)
13. Malware and Malicious Websites Are Used in Smishing to Steal Your Personal Data.
Kaspersky, a multinational internet security service, says that malware and malicious websites are used in smishing to obtain your personal data.
The URL that is in the smishing text may contain a shortened URL that directs the user to a fake website where cybercriminals steal your personal data.
Likewise, the offending text may contain malware that includes a URL that “tricks” you into downloading malicious software on your mobile phone or tablet.
Most often, the SMS malware mimics a legitimate mobile app to get you to click it then type in your personal information that is then sent to the cybercriminal.
Have we stressed the importance of smishing awareness? If not, keep reading to learn the seriousness of smishing and how it can affect you and others.
14. COVID-19 Related Text Messages Are Commonly Used in Smishing Attacks.
As you might expect, cybercriminals that use smishing to get your personal data have been taking advantage of the pandemic.
In fact, the United States Better Business Bureau, and the FCC both warned Americans about this threat.
The FCC recommends that you contact law enforcement immediately if you are victimized by this coronavirus scam SMS phishing (smishing) scheme.
Additionally, the FCC has some tips to help you protect yourself from being victimized.
You can find this data on the FCC website along with plenty of tips and information about how to prevent smishing attacks.
15. Recently, the Office of Inspector General Alerted the American Public About New COVID-19 and Related Fake Vaccine SMS Messages.
On February 28, 2023, the U.S Department of Health and Human Services’ Office of Inspector General (OIG) announced that cybercriminals are committing fraud using smishing to send fake texts about the coronavirus and vaccines.
The article states that smishing fraudsters are offering services related to COVID-19 in exchange for your personal data.
This includes Medicare data if you’re on Medicare. The OIG warns that these services are fake and not approved by any United States entity.
Beware of this smishing scam and don’t offer up any information about your vaccine status, Medicare data, medical data, or anything else related to the pandemic.
16. 58% of Americans Claim They Are Getting More Spam Texts and Phone Calls than They Did in 2020.
According to data from 2021, 58% of Americans claimed they were getting more spam calls and texts than in 2020.
Only a measly 14% said they were getting fewer spam texts and calls.
Consequently, the average number of smishing spam texts in 2022 accounted for 19.5 per month.
That figure is up from 16.9 in 2021, 14.7 in 2020, etc. Research shows that there has been significant increases year-on-year in spam texts since 2018.
17. 65% of Americans Said They Would Delete a Text Message if It Came from An Unknown Number
Most of us can relate to deleting text messages from phone numbers we don’t recognize.
However, cybercriminals are sneaky enough to get around that issue by using more recognizable phone numbers that include your local area code.
What this all means is that everyone must be more diligent about responding to or clicking on links in text messages from even numbers we think we recognize.
Again, awareness is the key to avoiding smishing.
18. 2022 Studies Show that The Hispanic Demographic Gets Fewer Spam Texts than The White or Black Communities.
While Hispanics get more spam texts, they are victimized more than their White and Black counterparts.
In fact, this is true for vishing and smishing.
The data regarding race and smishing are like those regarding phone spam because these types of phishing are usually lumped together.
Therefore, we suspect that if 89% of Caucasian are apt to answer a call from a number they can easily identify, they are also more likely to respond to a text from a number they can easily identify.
That number among Hispanics is 82% and among African Americans it’s 81%.
19. More Recent Smishing Schemes Use the 2FA Authorization Ideal to Steal Your Data.
Smishing cybercriminals are getting more advanced with their trickery, which means we all need to be more aware of their schemes.
Their latest scam involves using 2FA authentication against you to steal your personal data and logins.
Virtually every mobile phone user likes to have multi-level protection on their phones to prevent others from accessing our websites and data.
However, now you must be watchful about 2FA (2-factor authorization) before we allow these fraudsters access to your data.
Cybercriminals are using something that we trust and that we rely on to steal our data.
Two-factor authentication is something that gives phone users some level of peace of mind that they now use to take away our personal information.
20. Hackers Use Fake Local Phone Numbers to Trick You Into Providing Confidential Data.
Do you get text messages from local numbers, or even numbers you can easily recognize?
If so, you could fall victim to a hacker who wants to rob you of your personal data.
Not only that, but hackers are adept at spoofing phone numbers that you know.
In fact, hackers can spoof your own personal phone number to send texts to other people, or to call them.
While this trick is used mostly for phone spam (vishing), it can also be used for smishing.
How? Hackers can track your metadata and get your local area code to “spoof” numbers in your hometown.
Therefore, a cybercriminal from another country can seem like someone you know is texting or calling you from your local area.
21. Statistics Show that Smishing Is the Most Used Form of Mobile Phishing.
To reiterate, smishing is SMS phishing, which is when a cybercriminal sends malicious text to your mobile phone.
Vishing is phone call phishing when they call you on your phone (mobile, VoIP, or landline).
In 2018, research showed that the average mobile device user is more apt to experience a smishing attack than a malware attack by 18 times.
Hackers are using the mobile platform to send malicious texts to users.
(Global Newswire, 2018)
22. Data Shows that A New Mobile-Friendly Phishing Webpage Is Launched Every Twenty Seconds.
With new mobile-friendly pages being launched every 20 seconds, which represents 4,000 new phishing websites every day.
Since the 2018 data, this figure has likely grown, which means more malicious and fake websites are being sent via text as smishing attacks to get your valuable data.
Additionally, mobile users are 3 times more apt to fall victim to smishing than email or website phishing on desktops.
Mobile phishing includes smishing, but also messaging on social media apps.
(Global Newswire, 2018)
23. The IRS has Alerted U.S. Taxpayers About the Rise of Irs-Themed Smishing Attacks.
According to our research, Investopedia reported that the IRS has alerted taxpayers to the critical rise in IRS-themed mobile texting schemes.
The goal of these smishing attacks are the same as with all others; to steal financial and personal data from the receiver.
According to the report, texting scams started to rise in 2020 and have not shown signs of slowing down.
This problem is so serious that the IRS posted a video for taxpayers to help them recognize and avoid getting scammed.
(Investopedia, 2022, IRS, 2021)
24. In 2020, the IRS Warned Taxpayers About the COVID-19 Stimulus Payments Text Scam.
During the pandemic, cybercriminals went into full swing on scam text messages.
This issue was/is so bad that the IRS warned taxpayers about this specific IRS scam in 2020.
The text message would say that the IRS needs money or your personal information before your stimulus payment could be sent.
Federal officials with the IRS alerted taxpayers to this smishing attack and urged them not to engage with this fake scam text.
25. In 2020, Cybercriminals Took Advantage of The Self-Assessment Deadline to Target U.K. Residents.
The IRS text scam in America isn’t the only government agency used for smishing attacks.
In 2020, cybercriminals used the HRMC to target self-assessment customers to get their financial and/or personal data.
UK residents who were categorized as self-assessment customers were warned about SMS messages coming from the HMRC that were not legitimate.
They urged these customers not to respond or give out any information to these scammers.
26. Scam Delivery Notifications Are Considered One of The Top Smishing Scams of 2022.
According to reliable sources, delivery scam text messages were one of the top smishing scams of 2022.
Cybercriminals can be impersonators that pretend to contact you from legitimate delivery services to scam you for personal data or money.
The top impersonated delivery notifications were from the U.S. Postal Service, Amazon, FedEx, and other recognizable and trusted delivery services.
In fact, delivery smishing attacks accounted for 26% of all text scams in 2021.
(Consumer Reports, 2022)
27. The Second Most Used Smishing Attack Involved COVID-19 Scams in 2021.
We discussed scams that involve COVID-19 in this list already, but we didn’t mention that it was the second most used smishing scheme in 2021 in the United States.
It was second only to those fake delivery notification scams.
It’s worth noting that COVID-19 smishing statistics revealed that in 2021, some of the scams were related to getting COVID-19 test kits where the scammers would urgently request your financial and/or personal information before they could “send out your test.”
Note the urgency in these texts that signify their fakery.
(Consumer Reports, 2022)
28. Dark Caracal Was a Specific Smishing Scam that Targeted Various Forms of Messaging and Text Platforms.
“Dark Caracal” was uncovered by researchers from the Electronic Frontier Foundation and Lookout.
What they found was an international hacking agency, called Dark Caracal.
This “agency” was sending out phishing links via SMS, WhatsApp, Messenger, and Signal that directed receivers to download harmful updates to their encrypted messenger apps.
These so-called updates were fake malware designed to gain access to the receiver’s device screen, keystrokes, and for remote access to the targeted device.
Once they had access, they could send smishing links from these breached mobile phones to spread the malware further.
29. According to Lookout’s 2022 State of Mobile Phishing Report, Mobile Phishing (Smishing) Is the Most Efficient Method of Stealing Login Credentials.
The most current data shows that smishing is the cybercriminal’s most effective tactic for stealing end-user’s login credentials.
In fact, 2022 saw the highest percentage of smishing globally compared to previous years.
An average of over 30% of enterprise and personal end-users face smishing attacks in 2022 each quarter.
According to statistics for 2022, hybrid work is considered one of the biggest contributors in the growth of the smishing “trend”.
(Info-Security Magazine, 2023)
30. You Can Report Smishing, Mobile Phishing to The Authorities.
If you suspect you’ve received a spam text or smishing attack on your mobile phone, you can report it to the authorities.
In fact, iOS mobile users can report directly to Apple from the messaging app.
Likewise, Android users can report spam texts or smishing events to Google.
All the major mobile carriers in the United States have partnered with the FTC to give you ways to report spam messages and smishing.
(Apple Support, Google Support, FTC.gov)
Is Smishing a Successful Cybercrime?
We would like to say, “no” to this question, but the fact is that 7 in 10 people get a scam text, as reported in 2021.
A successful smishing attack is one where the victim is tricked into giving out their login credentials, personal information, or financial information.
See the above statistics to read how much money was lost to smishing fraudsters. You don’t need to be a victim when you are aware of this threat.
What Happens if I Respond to A Smishing Text?
You may feel tempted to send a “Stop” to the sender but resist that temptation. Don’t ask them to stop contacting you or send any message back at all.
We cannot stress enough that you should never engage with any smishing message.
If you send a message of any kind back, you will have verified your phone number for the cybercriminal and that it’s an active number.
Also, it can at least result in an increased volume of unsolicited text messages. This is not the worst-case scenario, but it’s one of the things that can or will happen.
Never, ever give out your personal or financial information in a text response, especially when it comes from an unknown number or if you don’t recognize the sender.
If you can, verify the identity of the sender, then consider why or if the sender would need any of your information.
Remember, the IRS never requests personal information over text or phone.
Just don’t do it even if the message says it’s from the IRS. Other entities familiar to you are unlikely to ask for personal information in a text message.
It’s wise to treat your mobile device like your computer and protect it from scammers, viruses, malware, and other malicious infections.
How Can I Report Smishing?
We have provided websites to the real FTC, Google Support, and Apple Support so you can report it to them.
However, you should also contact the bank, business, or government agency being impersonated in the text and report it to them.
The process is to forward smishing messages to the short code 7726, which spells out SPAM on your number pad.
This will send your cell phone carrier the smishing messages so they can identify and take action to limit messages from the offending sender thereafter across their account holders.
Reporting smishing isn’t an obligation, but it is a responsible thing to do.
Even if the message doesn’t victimize you, someone else could fall victim to the offending sender.
You can do your part to stop this cybercrime. Ultimately, that’s your decision. You don’t have to do it.
One thing to keep in mind is that not all smishing events are reported by businesses or individuals who get text scams.
The facts, figures, and statistics we shared come from research, studies, polls, and “reported” incidents to the authorities because that’s what we have.
We can’t even fathom how many are left unreported each year all over the globe.
Have you ever gotten a fake text message that fits smishing attacks?
Did you report it? If not, think about how many deleted them and never report them. That number can be massive.
It’s common for only those who lost money or were otherwise victimized by these cybercriminals to report these malicious texts.
When we recognize a phishing email, a scam phone number, or an unsolicited text, we tend to just delete them.
Unfortunately, not everyone expects to get these malevolent texts, so they don’t recognize them
It’s not about being smarter than anyone. It’s about being aware of the threat that helps you realize that you need to protect yourself better.
We have not only shared statistics to better inform you, but we also included some links to Apple, Google, and the FTC if you want to report smishing events if you experience one.
We hope you have enjoyed reading these serious smishing statistics for 2023 and that you learned something valuable.