Even though SMS is older than many fraud analysts :), fraudsters still love it. Wanna know why?
- Spoofed sender IDs - Attackers forge the display name so the text appears to come from your bank, courier, or tax authority. Most phones won't show the real number.
- "Smish-mobiles" - GSM vans cruise city streets blasting thousands of phishing texts per hour to every SIM in range. Yes, that is a real thing.
- OTP-pumping bots - Automated tools trigger one-time passwords to premium-rate numbers, silently draining budgets without a single human tap.
- SS7 exploits + SIM swap - Outdated telecom signaling (SS7) means a determined attacker can redirect your OTPs to their own device. Your phone stays quiet; they get your code.
- Mobile malware - Rogue apps quietly forward incoming SMS to the attacker. Plain-text OTPs are the easiest payload imaginable.
- Silent SMS pings - Flash messages confirm your phone's live location without ever showing up in your inbox. Surveillance-grade, zero notification.
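One defender-side check for the OTP-pumping pattern above, as an added example that is not part of the original post: it scans an OTP-send log (hypothetical format: timestamp, requesting client, destination number) and flags any client that triggers a burst of codes to numbers sharing one prefix, which is what a pumping bot walking a premium-rate block looks like. The log lines, the 8-digit prefix length, the 5-minute window and the threshold of 10 are all constructed assumptions.

```python
"""Flag SMS OTP pumping bursts in an OTP-send log (hypothetical log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <destination number>".
# One legitimate user asks for a code twice; a bot hammers a contiguous block
# of numbers behind the same prefix, 30 requests inside a single minute.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 198.51.100.5 +15550100231",
    "2024-05-01T10:03:10 198.51.100.5 +15550100231",
] + [
    f"2024-05-01T10:{i // 60:02d}:{i % 60:02d} 203.0.113.7 +4477000{100 + i}"
    for i in range(0, 60, 2)
]


def parse_line(line):
    """Split one log line into (datetime, client, destination number)."""
    ts, client, number = line.split()
    return datetime.fromisoformat(ts), client, number


def find_pumping(lines, window=timedelta(minutes=5), threshold=10,
                 prefix_len=8, by_client=True):
    """Return {(client, number_prefix): peak_count} for every bucket whose
    OTP sends exceed `threshold` inside any sliding `window`.

    With by_client=False the client is ignored and only the number prefix is
    grouped, which catches a bot spread across many source addresses.
    """
    buckets = defaultdict(list)
    for line in lines:
        ts, client, number = parse_line(line)
        key = (client if by_client else "*", number[:prefix_len])
        buckets[key].append(ts)

    alerts = {}
    for key, times in buckets.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for key, count in find_pumping(SAMPLE_LOG).items():
        print(f"ALERT client={key[0]} prefix={key[1]} otp_sends_in_window={count}")
```

Pair a detection like this with a per-prefix send cap at the gateway, so the budget stops draining before an analyst reads the alert.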
The numbers tell the story: in 2024, consumers reported $470 million in losses to text message scams - five times higher than in 2020, even as the number of reports declined (meaning each victim is losing more)[ref]. Smishing incidents rose 18% globally in 2024, and 76% of businesses reported being targeted by SMS phishing in the past year[ref].
So, if you use SMS:
- Switch to authenticator apps or hardware tokens wherever possible - SMS OTP is the weakest link in your MFA chain.
- Treat any unexpected text as suspicious: verify directly via the official website or a known number, never through the link in the message.
- If your phone goes suddenly and unusually quiet - check your signal. Unexplained loss of service can be an early sign of a SIM-swap in progress.
For organizations still using SMS for authentication, treat it as a last resort, not a default. Implement app-based or FIDO2 token MFA first, and audit which services still rely on SMS OTPs - you may be surprised.