Smishing Triad: Cybercriminals send billions of fraudulent SMS messages

The perfect deception today comes via text message. An unprecedented global fraud offensive is currently sweeping smartphone users worldwide – and Germany has long been in the sights of cybercriminals.

Security researchers are sounding the alarm: The so-called "Smishing Triad" has already activated nearly 200,000 fake websites since January 2024 to defraud unsuspecting victims of their personal data. What makes this new generation of scammers so dangerous? Artificial intelligence transforms primitive SMS spam into perfectly crafted, deceptively real messages.

The dimensions are frightening: Criminals now send 3.4 billion fraudulent messages every day. While only 3 to 5 percent of recipients click on links in email phishing, the rate for SMS fraud is a devastating 20 percent.

What used to be exposed by spelling mistakes and awkward wording is now barely distinguishable from genuine government messages. Since the availability of AI tools, phishing volumes have exploded by 1,265 percent .

The algorithms analyze public profiles and social media activity to set tailor-made traps. The result: personalized attacks that call their victims by name and target their vulnerabilities with frightening precision.

The financial damage is already immense. Data leaks caused by phishing attacks cost companies an average of €4.9 million . In the US, business email compromises caused over $2.7 billion in damages in 2022.

Post office, tolls and authorities in the crosshairs

The Smishing Triad deceptively operates with frightening professionalism. Particularly perfidious: The criminals pose as the US Postal Service, German toll operators, or government agencies . The fake messages create a sense of time pressure – supposedly undeliverable packages, outstanding toll fees, or urgent official matters.

The infrastructure is globally interconnected: Thousands of domains are registered daily through registrars in Hong Kong, but the servers run on American cloud services. The target? Social Security numbers, addresses, payment data, and login information —the victims' entire digital lives.

Vishing and Quishing: The multi-dimensional attack

Texting is just the beginning. Cybercriminals are now using deepfake voices for phone calls (vishing) and hiding fraudulent links in QR codes (quishing). Even business platforms like Slack or Microsoft Teams are becoming a trap.

The FBI warns urgently: Any unsolicited message containing links or data requests should be deleted. Verification via official apps or websites is the only safe method.

Advertisement: By the way: Anyone who wants to protect themselves from smishing, quishing, and data theft on their smartphone should know the most important basic security steps. Many Android users overlook these five measures – but they can be set up in just a few minutes. This free guide explains step by step how to secure your Android, including WhatsApp, online banking, and PayPal – clearly and without additional apps. Get the free Android security package now .

The digital arms race

The cybersecurity industry is facing its greatest challenge yet. Traditional security filters are failing to protect against the mass of intelligent attacks. Companies must rely on AI-powered defense systems that can analyze the context and intent of messages.

Experts expect a further escalation in the coming months: Deepfakes will become more sophisticated, chatbots more convincing, and attacks more targeted. The fight against phishing and smishing has become a daily struggle for survival in the digital space.

The most important defense remains common sense: skepticism of unsolicited messages, verification through official channels, and two-factor authentication wherever possible.