Smishing has evolved from crude scams into a sophisticated fraud economy, driven by AI, organized supply chains, and crime-as-a-service models. The rising scale and professionalism threaten SMS as a trusted channel for authentication, commerce, and communication. MEF Head of Global Anti-Fraud Solutions, Sham Careem, explores the growing challenge and the measures the industry can take to respond.
There was a time when scam texts were laughably obvious. A badly written message promising lottery winnings or notification of a missed delivery, and most of us knew to delete it on sight. But those days are long gone.
Smishing — phishing delivered via SMS — has evolved into something far more dangerous. It’s no longer a nuisance at the edges of the digital ecosystem; it has become a global, AI-driven fraud economy that threatens the very trust on which SMS depends.
The numbers tell a stark story. Proofpoint reports that smishing has jumped by more than 2,500 percent this year, with over half of all attacks now carrying malicious URLs. In the United States, one coordinated campaign compromised 115 million payment cards, with criminals sidestepping resale markets and loading stolen details straight into mobile wallets. On a global scale, the so-called “Smishing Triad” — a Chinese-speaking criminal syndicate — is active in over 121 countries, supported by an infrastructure of more than 200,000 fraudulent domains. What we are witnessing is not ad-hoc scamming, but industrialized fraud.
Smishing has grown up. It is no longer the amateur scam we could shrug off, but an industrial-scale fraud economy that adapts as quickly as technology allows.”
Part of the danger lies in how well organized the ecosystem has become. Smishing groups operate like businesses, complete with supply chains and reinvestment loops. They use kits such as Lighthouse and Darcula that package everything from fake bank login pages to campaign dashboards and even technical support. The process is frictionless: a criminal can launch a smishing operation with little more than money and intent. Recruitment of money mules, SIM farms, and laundering networks adds yet another layer of professionalization. This is what makes smishing today a fraud economy, not just a cybercrime tactic.
What’s more, smishing has embraced the logic of crime-as-a-service. Just as ransomware evolved into a franchise model, smishing has become something you can effectively buy off the shelf. Ready-made kits are advertised on underground forums; bulk SMS blasts can be rented via grey routes; AI-powered translation and message generation are offered as optional add-ons. Some vendors even guarantee replacements if domains are blocked. This means the barrier to entry is lower than ever. Technical skills are optional — the tools do the heavy lifting.
Both sides of the messaging ecosystem are under siege. On the one hand, A2P smishing exploits legitimate application-to-person routes, letting fraudsters impersonate banks, couriers, or government agencies. On the other, P2P smishing — where criminals hijack SIM cards or use SIM farms — is growing rapidly, slipping under the radar of traditional A2P filters. Together, they corrode consumer confidence in SMS. And when trust breaks down, the channel loses its value to enterprises, operators, and ultimately consumers.
The good news is that the industry isn’t powerless. The Mobile Ecosystem Forum’s Anti-Fraud in Messaging Framework offers a roadmap to rebuild trust. It builds on the MEF Business Messaging Code of Conduct with a set of binding accords uniting the CPaaS ecosystem in implementing real-world solutions to fraud in the SMS channel. The framework secures the A2P channel through standardized verification of message originators and implementation of sender ID registries, whilst strengthening the defenses in P2P SMS by working with MNOs and the most smished brands to block Smishing in the P2P channel. And this is not just theoretical, early results from a trial with a UK high street bank and mobile operator have shown remarkable results in eliminating P2P Smishing using the bank’s brand.
Smishing has grown up. It is no longer the amateur scam we could shrug off, but an industrial-scale fraud economy that adapts as quickly as technology allows. The stakes are high: the credibility of SMS as a trusted channel for authentication, commerce, and communication. If we don’t act, we risk losing it. If we do, by embracing frameworks like MEF’s, we can defend the channel, protect consumers, and preserve the enormous value that SMS still delivers every day.
=> Email me here sham@mef.email to find out more about the MEF Anti-Fraud in Messaging Framework.
