The short version: SMS phishing — "smishing" — surpassed email phishing as the primary credential-theft vector for mobile users sometime around 2024 and has accelerated through 2025–2026. The reasons are structural: phones don't run a Safe Browsing equivalent for SMS, URL previews are mostly absent, link shorteners look legitimate, and people tap on phones with much less scrutiny than they click on a desktop browser. Three campaigns dominate volume right now. Here's exactly how each works.
Campaign 1 — USPS package "undeliverable" smishing
Active since 2023. Volume per FTC/USPS reporting: ~5M+ US recipients per month at peak. Attributed by FBI and security researchers (Resecurity, Trend Micro) to the Chinese-language "Smishing Triad" cluster.
The lure
A text arrives, typically morning or early afternoon, claiming the recipient's package has an "incomplete address" and will be returned unless they confirm details within 24 hours. The text includes a link that looks like USPS (variations like usps-track[.]top, uspstracking-info[.]com, us-postss[.]cn) but is registered to throwaway domains hours or days old. Most people are expecting a package — Amazon, an online retailer, a friend's gift — and the timing converts.
What clicking gets you
A pixel-perfect USPS clone page asks for your address (to "redeliver"), then escalates to a $1.99–$3.50 "redelivery fee" requiring credit card details. The card form is the prize: full card number, CVV, expiry, billing address, mobile number for "delivery SMS confirmation." The card is then used or sold within hours. The information collected — full name, address, phone, last 4 of card — also seeds follow-on attacks (fake-bank calls, account takeover attempts).
Why it works
- Most people have a package in transit at any given time — high prior probability the recipient will believe the premise.
- USPS doesn't normally text — but most users don't know that, and the brand is universally recognized.
- The "small fee" ($1.99) feels too small to fight; people pay and move on.
- Domains rotate every few days, so blocklist-only defenses lag behind the campaign.
What catches it
The domain pattern is highly predictable: hyphenated USPS variants, .top / .cn / .info TLDs, registered through Chinese-language registrars, hosted behind Cloudflare or AS-rotating proxies, certificates issued by Let's Encrypt or ZeroSSL within the last 48 hours. An ML classifier trained on these features catches new domains the first time anyone reaches them — long before they appear in PhishTank or the major commercial blocklists. The classifier is the entire point of network-level threat detection.
Campaign 2 — Unpaid-toll smishing (E-ZPass, SunPass, FasTrak)
Surged in 2024 as states moved to all-electronic tolling. FBI IC3 issued a public advisory in April 2024. Now hits all 50 states (and Canadian users) with state-specific brand variants.
The lure
"[State DOT or toll authority]: You have an unpaid toll balance of $4.27. Pay before [date] to avoid a late fee. Pay here: ezpass-payments[.]com." The dollar amount is small. The brand name matches the state ("E-ZPass" in the Northeast, "FasTrak" in California, "SunPass" in Florida, "TxTag" in Texas, "I-Pass" in Illinois). The link looks like the real toll website at a glance. Recipients in states with electronic-only tolling — most of the country now — have plausibly used a toll road recently.
What clicking gets you
A clone of the relevant state toll-authority's payment portal, customized per state. The form asks for full name, address, phone, license plate (to "look up the violation"), and then routes to a payment screen requesting credit card information for the trivial balance. As with USPS, the card data is the prize, but this campaign also captures license-plate data — useful for follow-on scams (fake-DMV impersonation, vehicle-registration fraud, insurance fraud setup).
Why it works
- Toll authorities do sometimes contact drivers via text or mail — the premise is plausible.
- Most users don't know exactly what they owe in tolls and assume small charges are real.
- The threat of "late fees" or "DMV holds" pushes payment without verification.
- State-specific brand mimicry means each region's residents see their familiar brand name.
What catches it
Toll-scam domains follow a tight signature: brand-name + payments/pay/billing in the hostname, .com / .net / .top TLDs, ~24–72 hour registration age, certificates from the same handful of free CAs, common ASN clusters (Cloudflare, Namecheap, hosting providers known for permissive abuse policies). Even with rotation, an ML classifier scoring on registration age + hostname-to-brand similarity catches the entire campaign family — including domains observed for the first time on your specific device.
Campaign 3 — Refund-confirmation texts (Apple, Amazon, Netflix, Walmart)
Active throughout 2024–2026, with seasonal volume spikes around tax-refund timing (Feb–Apr in the US) and Black Friday / Cyber Monday.
The lure
"Apple ID: A $239.99 charge for [iCloud Storage / Apple Music annual / etc.] was approved today. If you didn't authorize this, cancel here: [link]." Sometimes Amazon ("A $499.94 charge for [product]…"). The premise is a charge the recipient didn't make — the threat is financial. Curiosity + alarm drive the click. Some variants are upside-down: "Your refund of $237.45 is ready. Confirm your bank account to receive it." Same hook, opposite framing.
What clicking gets you
A near-perfect clone of the brand's account-login page. The credentials harvested here are more dangerous than the credit-card prizes from campaigns 1 and 2: an Apple ID or Amazon login opens the door to account takeover — full purchase history, saved payment methods, gift card balances, App Store purchases, the ability to read sensitive emails, and access to other services that use the same email for SSO recovery. Many variants escalate further: after the credential capture, a fake support chat or callback "from Apple" walks the victim through reading SMS 2FA codes aloud, defeating second-factor protection.
Why it works
- Real Apple/Amazon billing texts exist, so the premise is plausible.
- The dollar amount is specifically tuned to be high enough to alarm but not impossibly large.
- Account takeover is more valuable to the attacker than a single credit-card hit — a "successful" credential capture seeds weeks of follow-on fraud.
- Targets that engage with the credential page are demonstrably converting — refund-scam ops focus follow-up energy there, including the support-call escalation.
What catches it
Refund-scam domains tend to look like apple-billing-verify[.]top, amazon-refund-claim[.]net, netflix-payment-update[.]com — short-lived, brand-spoofing, registered through known-abuse-friendly registrars. The classifier signal is essentially the same as the other campaigns: hostname-to-brand similarity (Levenshtein-distance scoring against "apple.com", "amazon.com", "netflix.com"), registration age, certificate provider, hosting infrastructure. It catches the campaign on first observation, regardless of which specific brand variant is in play.
Common patterns across all three
All three campaigns share structural features that make them detectable as a class:
- Recently registered domains — usually less than a week old, often less than 24 hours.
- Hostname mimicry of a recognized brand — measurable via string-distance scoring against a known-brands list.
- Free certificates from Let's Encrypt or ZeroSSL — legitimate sites also use these, but the combination of "new domain + free cert + brand-impersonation hostname" is highly predictive.
- Hosting on a small set of abuse-tolerant providers — Cloudflare-fronted, with origin servers in jurisdictions known for slow takedown.
- Page templates that match known phishing kits — domain-specific UI assets are reused across campaigns.
- URL structure — long paths with random-looking tokens, frequent use of query-string redirects.
What doesn't catch them
- iOS Safe Browsing only runs in Safari. The phishing link tapped from the Messages app opens in a web view that doesn't get the same protection.
- Carrier-level SMS filtering blocks some volume but rotates infrequently — campaigns adjust the sending number and the filter is permanently behind.
- "Just don't click suspicious links" — fine advice that fails against the small minority of texts where the user is currently expecting a package, a refund, or a toll bill. Volume is the strategy.
- Pure blocklists (PhishTank, OpenPhish, etc.) — these are reactive. By the time a domain is reported and added, it's been live for hours-to-days; campaign operators rotate before the lists catch up.
What does catch them
Network-level threat detection that runs an ML classifier on the destination domain at the time of DNS resolution. The classifier doesn't need the specific URL to be reported anywhere first — it scores on the structural features above (registration age, brand similarity, cert provider, hosting ASN, URL shape) and refuses to resolve domains above the risk threshold. That's the entire architecture of Casper's threat-protection layer (explained in detail here), and it's the only thing that materially closes the gap on these three campaigns.
One subtler benefit: Casper's classifier reports false-positives (a user marked a block as wrong) back into retraining. The three campaigns above are now well-classified, but the operators behind them keep rotating tactics — new TLDs, new registrars, new hosting patterns. A continuously-learning model adapts faster than any static blocklist can.
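To make the feature set above concrete, here is a toy domain risk scorer. It is an added illustration, not Casper's classifier and not code from this post; it covers the "common patterns" list and the DNS-time scoring described in the last two sections. It assumes the caller has already gathered registration age (RDAP/WHOIS), the TLS certificate issuer and a hosting-ASN flag for the domain, and the weights, cut-off, brand list and sample observations are all made up for the example. Brand similarity is scored as an approximate-substring Levenshtein match against brand tokens (so usps-track.top scores against "usps") rather than a whole-string distance to "usps.com", and exact brand domains and their subdomains are exempted so a legitimate tracking page is never flagged as mimicry.

```python
"""Toy smishing-domain risk scorer.

Added illustration only: not Casper's classifier and not code from this post.
It scores a destination hostname on the structural features the post lists
(brand mimicry, registration age, TLD, free certificate, hosting, URL shape).
Weights, thresholds, the brand list and all sample data are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Illustrative brand list; a real deployment would carry thousands of entries.
KNOWN_BRANDS = ["usps.com", "ezpass.com", "sunpass.com", "apple.com",
                "amazon.com", "netflix.com"]
BRAND_TOKENS = [b.split(".")[0] for b in KNOWN_BRANDS]
RISKY_TLDS = {"top", "cn", "info", "xyz"}       # assumed list
FREE_CAS = {"Let's Encrypt", "ZeroSSL"}          # issuers named in the post
BLOCK_THRESHOLD = 0.6                            # assumed cut-off


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_brand_domain(host: str) -> bool:
    """Exact brand domain or one of its subdomains: never scored as mimicry."""
    return any(host == b or host.endswith("." + b) for b in KNOWN_BRANDS)


def brand_similarity(host: str) -> tuple[str, float]:
    """Best normalised similarity between any brand token and any window of the
    hostname with dots and hyphens stripped, so usps-track.top and
    uspstracking-info.com both score 1.0 against 'usps'."""
    flat = host.lower().replace("-", "").replace(".", "")
    best_brand, best = "", 0.0
    for brand in BRAND_TOKENS:
        n = len(brand)
        for width in (n - 1, n, n + 1):
            if width <= 0 or width > len(flat):
                continue
            for i in range(len(flat) - width + 1):
                sim = 1 - levenshtein(brand, flat[i:i + width]) / max(n, width)
                if sim > best:
                    best_brand, best = brand, sim
    return best_brand, best


def url_shape_suspicious(url: str) -> bool:
    """Long token-laden path, or a query parameter carrying a redirect URL."""
    parts = urlsplit(url)
    redirect = any(v.startswith(("http://", "https://"))
                   for _, v in parse_qsl(parts.query))
    return len(parts.path) > 30 or redirect


@dataclass
class Observation:
    url: str
    registration_age_days: float   # from RDAP/WHOIS, gathered by the caller
    cert_issuer: str               # issuer organisation from the TLS handshake
    flagged_hosting: bool          # caller's own list of abuse-tolerant ASNs


def score_domain(obs: Observation) -> dict:
    """Return a risk score in [0, 1] plus the reasons that contributed."""
    host = urlsplit(obs.url).hostname or ""
    if is_brand_domain(host):
        return {"host": host, "score": 0.0, "verdict": "allow",
                "reasons": ["known brand domain"]}
    score, reasons = 0.0, []
    brand, sim = brand_similarity(host)
    if sim >= 0.8:
        score += 0.35
        reasons.append(f"mimics {brand} ({sim:.2f})")
    elif sim >= 0.6:
        score += 0.15
        reasons.append(f"resembles {brand} ({sim:.2f})")
    age = obs.registration_age_days
    if age < 2:
        score += 0.30
        reasons.append("registered <48h ago")
    elif age < 7:
        score += 0.20
        reasons.append("registered <1 week ago")
    elif age < 30:
        score += 0.10
        reasons.append("registered <30 days ago")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        score += 0.10
        reasons.append("risky TLD")
    free_cert = obs.cert_issuer in FREE_CAS
    if free_cert:
        score += 0.05
        reasons.append("free CA certificate")
    if free_cert and age < 7 and sim >= 0.8:   # the combination the post calls highly predictive
        score += 0.10
        reasons.append("new domain + free cert + brand mimicry")
    if obs.flagged_hosting:
        score += 0.10
        reasons.append("abuse-tolerant hosting")
    if url_shape_suspicious(obs.url):
        score += 0.10
        reasons.append("suspicious URL shape")
    score = min(1.0, round(score, 2))
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"host": host, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed observations; the first three mirror the post's campaigns, the
# fourth shows that an old domain merely mentioning a brand stays below the cut-off.
SAMPLES = [
    Observation("https://usps-track.top/redelivery/a8f3k2j9x0q/confirm?next=https://usps.com",
                0.5, "Let's Encrypt", True),
    Observation("https://tools.usps.com/go/TrackConfirmAction?tLabels=9400",
                9000, "DigiCert", False),
    Observation("https://ezpass-payments.com/pay", 1.5, "ZeroSSL", True),
    Observation("https://my-apple-news-blog.net/", 400, "Let's Encrypt", False),
]


def triage(samples=SAMPLES) -> list[dict]:
    """Score every observation, as a resolver would at DNS-query time."""
    return [score_domain(o) for o in samples]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['verdict']:5} {r['score']:.2f} {r['host']}  <- {', '.join(r['reasons'])}")
```

The point of the fourth sample is the caveat from the "common patterns" list: brand similarity on its own is not enough, and neither is a free certificate; it is the stack of new registration, free cert and brand mimicry together that pushes a domain over the threshold. Replacing the hand-tuned weights with a trained model changes the numbers, not the feature pipeline.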
Bottom line
Smishing is winning right now because SMS is the channel mobile users least suspect, the protections built into the OS only cover one browser, and the dominant campaigns rotate domains faster than reactive blocklists update. The leverage point is at the DNS layer — every clicked link makes a DNS query before the browser opens it, and that query is the cleanest place to intervene. If you take nothing else from this post: never tap a payment link from a text. Open the app yourself. The handful of seconds it costs you is the entire defense.