This article discusses SMS phishing (smishing) statistics in 2025.
Smishing (SMS phishing) is a type of phishing in which an attacker uses text messages (SMS) to lure targeted recipients into sending personal information, downloading malicious programs to a mobile phone, or clicking a phishing link.
More than 3.5 billion phone users receive spam text messages daily.
While most users know the dangers of clicking a link in email, fewer people know the dangers of clicking links in text messages.
In fact, phone users trust text messages more, which makes smishing an effective way for attackers to steal banking information, credentials, and other private data.
Key Smishing Statistics 2025
- Only 36% of people in the United States know what smishing attacks are.
- Victims have lost many millions of dollars to smishing attacks.
- On average, Americans receive 41 spam texts per person per month.
- Smishing attacks expanded by over 700% in the first two quarters of 2021.
- Around 378,509,197 spam texts were sent/received per day in April 2022.
- Tax scams are one of the most common categories of smishing attacks.
Detailed Smishing Statistics in 2025
1. Around 378,509,197 Spam Texts Are Sent/Received per Day in April 2022
Spam texts are unwanted, unsolicited messages.
Generally, these messages originate from a computer and are sent to your devices (phones) through an instant messaging account.
These are easy and cheap for scammers because they’re sent online.
In fact, there were 376,032,773 spam texts sent per day in April 2022.
This is a considerable increase from the year before.
These texts are often disguised as a service message or an update and are usually delivered by SMS.
2. An Estimated 2,649,564,381 Smishing Messages Were Sent per Week in April 2022
Despite living in the 21st century (where everything is just a few clicks away), 95% of our population own mobile phones that don’t need an Internet connection.
And that’s why scammers want to make the most of this messaging technology.
The smishing stats show spam texts are indeed increasingly becoming an essential medium for scammers.
The average number of spam texts per week as of April 2022 is 2,649,564,381.
That is a very high number, and it’s only increasing each year.
3. On Average, Americans Received Nearly 41 Spam Texts per Person per Month
As of April 2022, United States citizens received nearly 41 spam texts in an average month.
However, the average number of spam texts received by an American per month in 2021 was 16.9.
The average was 14.7 in 2020, 10.6 in 2019, and 8.5 in 2018. This clearly indicates that the numbers are increasing significantly year on year.
Moreover, of all the texts received from an unknown number in April 2022, more than 67% of Americans said that they ignored these texts.
And 65% of them revealed that they have deleted those spam texts.
4. Less than 35% of the People Actually Know When They’re Becoming the Target of Smishing Attacks
For mobile phone users, especially the older generation, it can be pretty hard to assess the authenticity of an SMS.
And that’s one of the main reasons smishing (text message-based fraud) has such a high success rate.
Moreover, as per the reports, only 23% of mobile phone users over the age of 55 were able to define smishing precisely.
The numbers are pretty low, to be very honest.
However, the millennials didn’t do any better; in fact, only 35% of the people aged 23-38 years are aware of the term smishing.
Another disturbing smishing statistic is that less than 35% of mobile phone users know when they’re being targeted by this kind of fraud.
Okay, we can’t blame them for being less aware because this cybercrime uses social engineering, which is quite hard to catch.
As smishing attacks are becoming more and more sophisticated, you need to be very careful with your messages.
Check for spelling and grammar errors, as these are common indicators.
5. Smishing Attacks Have Expanded by Over 700% in the First Two Quarters of 2021
According to statistics, smishing (or text phishing) attacks grew by nearly 700% in 2021.
In fact, a trusted authority has compared the occurrence of smishing attacks between July to December 2020 and January to June 2021.
This survey found that 700% more SMS phishing attacks occurred in the first six months of 2021.
This shows that with scammers taking advantage of text messages to trick victims into transferring cash or giving away personal data, smishing attacks have increased dramatically over the past year.
Apart from that, smishing attacks were 15 times higher in the UK than in the US.
This means that the smishing practice is more prevalent in the United Kingdom than in the United States.
6. Victims Have Lost Millions of Bucks Due to Smishing Attacks
Smishing attacks include text messages that seem to come from a legitimate organization.
Most of these texts contain links that take unsuspecting victims to a phishing website where they’re asked to download malware onto their devices, divulge personal information, or give an OTP that will allow the scammer to bypass MFA (multi-factor authentication).
More precisely, smishing and phishing are interlinked, so it can be challenging to find separate statistics for these two.
However, the FBI’s cybercrime complaint division, the Internet Crime Complaint Center (IC3), documented a steady growth of online scams in 2020.
As per its reports, more than 240,000 victims of smishing, phishing, pharming (where a scammer redirects victims to a fake website to steal their sensitive information), and vishing (voice phishing where a hacker leaves a voice message or makes a phone call) lost over 54 million USD.
In addition to that, the amount of virus/malware attacks reported was around 1,400 and cost nearly 7 million USD in losses. However, it isn’t just a problem in the United States.
In fact, according to the European Payments Council, over 166,000 cybercrime victims had made complaints between 2016 and 2019, with more than 26 billion USD in losses.
Smishing Trends
7. Smishing Attackers Can Steal a Victim’s Confidential Information by Using Fake 2FA (Two-Factor Authentication) Messages
If you’ve ever received an OTP to verify your identity on Amazon or PayPal, you’ve used text-based 2FA (two-factor authentication).
However, hackers can use this same technology to steal your personal information, redirect you to fake login pages, or use various techniques to trigger OTPs and gain complete access to your device.
Now, how does that work?
Hackers or scammers send you a text message stating that your account may have been compromised and ask you to reply with the authorization code that you’ll receive in a few minutes to confirm your identity.
They’ll then attempt a login to the target website using your password and username. It’ll trigger a text message to you, including the authentication code.
Scammers will then send you another phishing text message asking you to send them the authentication code sent by the website.
If you, by any chance, fall for this smishing trap and text back the authentication code to the hackers, they’ll immediately enter your code.
As a result, they’ll have all your information and account details. Thus, it’s a hazardous kind of scam.
In fact, that’s one of the primary reasons why the NIST (National Institute of Standards and Technology) doesn’t recommend that anyone use text-based 2FA passwords.
Moreover, if you don’t rely on text-based 2FA, you won’t fall for this vicious scam.
8. Scammers Repeatedly Use the COVID-19 Pandemic in Smishing Attacks
After the outbreak of the COVID-19 pandemic, government authorities started communicating about lockdowns, vaccine options, and contact tracing via text messages.
And as a result, it became a breeding ground for a wave of scam text messages.
In fact, NCSC has observed increased attempts to carry out scams through other means, including SMS (smishing).
In the past, smishing attackers were mainly concerned with tricking people through financial incentives only (including tax rebates and government payments).
However, the pandemic outbreak brought a lot of changes to their strategies.
They started using COVID to harvest emails, names, addresses, and other information from victims.
For instance, they send a series of text messages using a United Kingdom government-themed lure to get data like name, email, and banking information.
These text messages purporting to be from “UKGOV” and “COVID” include a link to a phishing website.
Besides SMS, WhatsApp and other messaging services are possible channels for scammers.
According to a trusted report, 44% of Americans said that they had seen rapid growth in the number of scam text messages during the nationwide quarantine period.
Moreover, in countries where the government has passed economic stimulus bills, text messages from scammers pretending to have money from government bodies have become widespread.
So much so that organizations such as the FCC (Federal Communications Commission) have been issuing press releases to warn individuals about the increasing variety of COVID-19 scams through text messages.
9. Most of the Time, Scammers Use Neighbor Spoofing to Attract Victims
Almost always, hackers pretend to be texting from your same area code.
This offers them a layer of authenticity, ultimately tricking many individuals.
In fact, hackers can quickly learn your area code by tracking your metadata.
They can then “spoof” a local number which lets hackers from a different location appear to be messaging you from your neighborhood or city.
In addition, scammers can spoof the numbers of individuals you know, tricking you into giving away all your personally identifiable information to the hackers.
In case you don’t know, spoofing is when a scammer intentionally falsifies the information sent to your caller ID display to hide or disguise their identity.
Moreover, hackers generally use neighbor spoofing to appear like an incoming message is coming from a known number or spoof a number from a government agency or a company that users already know and trust.
If you mistakenly reply to the message or click on their links, they’ll steal your money or personal data, which they can use in fraudulent activity.
However, the FCC in 2019 made it wholly illegal for SMS and international calls to be spoofed.
That doesn’t stop hackers from doing this kind of activity; they still impersonate numbers (as long as no one catches them) to run robotext operations.
10. The Tax Scam Is One of the Most Common Categories of Smishing Attacks
With the growing push to issue IRS payments virtually, 2020 (the year of lockdown, COVID, and quarantine) opened the door to many United States tax-based smishing attacks.
As a result of the increasing number of tax-based scams, the American Association of Retired Persons (AARP) issued a guide on how you can quickly identify American tax scams.
However, when it comes to the United Kingdom, the most common tax scam includes hackers sending false notifications from HMRC (Her Majesty’s Revenue and Customs).
In fact, scammers use spoofed numbers (as we’ve talked about in the last point) that display ‘HMRC’ as the message sender.
In that text message, they claim that the receiver owes HMRC money, and if they don’t clear the payment in time, they’ll be arrested by the police.
As per the data, 846,000 individuals in the UK reported fake ‘HMRC’ tax scams in 2020.
Also, the government took down more than 50,000 fake HMRC websites that year.
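The warning signs described in points 7 to 10 (a link, a request to text back a code, a threat of arrest, a sender name such as "HMRC" or "UKGOV", and an unknown number from your own area code) can be checked mechanically. The following is an added example, not part of the original article; the function names, regular expressions, and sample messages are constructed for illustration, and the area-code check assumes US-style 10-digit numbers.

```python
import re

# Indicators come from the article; regexes, names and samples are constructed.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
CODE_REQUEST_RE = re.compile(
    r"\b(?:reply|text back|send|share)\b.{0,40}\b(?:code|otp|pin)\b", re.I | re.S)
THREAT_RE = re.compile(r"\b(?:arrest(?:ed)?|police|owe[sd]?|compromised)\b", re.I)
AUTHORITY_SENDERS = {"UKGOV", "COVID", "HMRC"}  # sender names the article cites


def normalize(number):
    """US-style number as 10 digits; None for alphanumeric senders or short codes."""
    d = re.sub(r"\D", "", number)
    if len(d) == 11 and d.startswith("1"):
        d = d[1:]
    return d if len(d) == 10 else None


def smishing_flags(sender, body, own_number, contacts=()):
    """Return the smishing indicators present in one SMS, in a fixed order."""
    flags = []
    if URL_RE.search(body):
        flags.append("link")
    if CODE_REQUEST_RE.search(body):
        flags.append("asks_for_code")          # the fake-2FA lure
    if THREAT_RE.search(body):
        flags.append("threat_or_alarm")
    if sender.strip().upper() in AUTHORITY_SENDERS:
        flags.append("authority_sender_name")  # sender IDs can be spoofed
    num, own = normalize(sender), normalize(own_number)
    known = {normalize(c) for c in contacts}
    if num and own and num[:3] == own[:3] and num not in known:
        flags.append("unknown_local_number")   # possible neighbor spoofing
    return flags


# Constructed sample messages (555-01xx numbers are reserved for fiction).
OWN = "+1 415 555 0199"
CONTACTS = ["(415) 555-0100"]
SAMPLES = [
    ("HMRC", "You owe unpaid tax. Pay now at http://hmrc-pay.example/ "
             "or you will be arrested."),
    ("+1 (415) 555-0142", "Your account may have been compromised. Reply with "
                          "the authorization code you receive to confirm."),
    ("415-555-0100", "Running late, see you at 7."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, smishing_flags(sender, body, OWN, CONTACTS))
```

A flagged message is a candidate for closer review, not a verdict; legitimate service messages can also contain links or come from local numbers.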
11. Smishing Is Currently the Most Common Variety of Mobile-Based Phishing Attacks
Phishing is an attempt by a scammer to gain victims’ trust and lure them into sharing valuable information or clicking a link. It can come in various forms.
While email is one of the biggest concerns for phishing, SMS phishing is on the rise.
Given the growth of smartphones and tablets in the workplace, this comes as no surprise.
Moreover, a successful smishing attack can bring various consequences that can severely affect organizations, from data breaches to monetary loss.
In fact, various business organizations are trying hard to protect their employees against smishing to avoid this kind of adverse outcome.
As per some reports by the cloud-infrastructure provider Wandera in 2018, 17% of its users encountered smishing attacks (phishing links on their mobile devices).
By contrast, only 15% received a phishing email, and only 16% received phishing links through social media apps.
Moreover, the Bank of Ireland in 2020 was forced to pay out 800,000 Euro to more than 300 bank customers who gave away their bank information in a single smishing attack.
Other Statistics
12. Majority (85%) of Americans Say They Received a Robotext in 2021
85% of the United States population received at least one robotext in 2021.
Moreover, data breaches (like identity theft) are among the significant types of robotexts that Americans received in 2021, with 32% reporting it.
Other robotexts include discount retail gift cards (30%) and offers to bundle or switch cable TV, satellite TV provider, or mobile (30%).
In addition, 21% of robotexts include password changes, 19% include cybersecurity software, and 18% include cryptocurrency deals. However, 15% of Americans haven’t received any robotext in the past year.
13. More than 61% of Japanese Smartphone Users Are Unaware of the Term ‘Smishing’
The survey conducted between December 2021 and January 2022 revealed that over 61% of Japanese smartphone users had neither heard of the term nor knew the meaning of smishing.
Conclusion
And with that, we’re ending our discussion about some smishing stats in 2025. Sadly, phishing is a part of our life in today’s technological world.
Moreover, as people trust text messages the most, it has become one of the most essential mediums for cybercrime.
While attackers keep sharpening their art of deception, we must spread awareness about smishing.