Scam Texts Are Up 40%. Most Businesses Treat Them Like a Personal Problem.
The email security industry has been getting better. Filters are smarter, warnings clearer. And it shows: email phishing click rates among trained employees have dropped to 2-4%.[1]
Attackers noticed. So they moved to your phone.
Smishing, the phishing-via-text-message variety, now accounts for 35% of all phishing attacks.[2] Volume jumped 40% in the past year.[2] Click rates on smishing attacks run between 19% and 36%,[1] compared to that 2-4% on email. The reason for the gap is simple: there is no corporate spam filter between your employees and their texts. The message arrives, looks like it came from somewhere real, and people respond to texts faster than they respond to emails. That speed is the whole attack.
The $60,000 Text
A finance manager at a small company gets a text from a contact saved as "CEO." The message is brief: "Stuck in a meeting, need you to wire a payment before end of day, I'll explain tonight." A follow-up text provides the account details and amount. The finance manager doesn't want to bother a busy executive over what sounds like routine business. Sixty thousand dollars gone.[3]
That's not hypothetical. It's a documented attack pattern that's played out at small businesses all over the country. It works because texts feel personal and immediate in a way emails don't. We're conditioned to respond to them fast. That conditioning is what attackers are counting on.
Why Your Email Filter Doesn't Help Here
Most of the security infrastructure small businesses have built is designed around email. Spam filters, phishing detection, domain authentication. Good things, worth having. None of it touches the SMS messages your employees receive.
When a smishing text lands on someone's phone, it arrives with no warning. No "this message may be suspicious" banner, no IT visibility, no quarantine. If your employees use personal phones for work texts, which is the case at most small businesses, there's no management layer at all.
76% of organizations were targeted by at least one smishing attack in a single year.[4] U.S. consumers and businesses reported $470 million in losses from text-based scams in 2024 alone.[4] That number almost certainly undercounts business incidents, since most don't get reported the same way consumer fraud does.
What the Attacks Actually Look Like Now
Most people have gotten the generic ones (fake delivery notices, "your account has been suspended" texts) and learned to delete them. The new wave is more targeted.
Finance teams get texts that look like alerts from their expense management software. IT staff get fake notifications mimicking their monitoring tools or Microsoft support. Small business owners get texts impersonating their accountant, their lawyer, or their largest vendor. Attackers use publicly available information (LinkedIn profiles, company websites, press mentions) to craft messages with real names, real context, and real-sounding urgency.
This isn't a mass campaign blasting millions of random numbers. It's a few people at your company, specifically identified, receiving a text that references something accurate about their role or their relationships. The volume is lower. The success rate is much higher.
Three Things That Actually Help
You can't stop smishing messages from arriving. You can make it much harder for them to succeed.
The most effective control is a verbal confirmation policy for any action taken over text. Anyone who receives a text requesting a wire transfer, a payment change, a vendor account update, or login credentials calls the requester back on a known number from your contacts, not a number provided in the message, before taking action. Urgency is part of the script. The policy has to hold regardless of how pressing the message sounds.
Second, talk to your team about this specifically. Not annual compliance training. A real conversation, five minutes, with actual examples of what these attacks look like. Show them the CEO text scenario above. Let it land. That kind of brief, concrete awareness does more than most formal training modules.
Third, if your employees use mobile phones for work, ask your IT provider what visibility you have into those devices. Mobile device management isn't a complete solution for smishing, but it gets you some visibility and control. If you have no management layer over the phones connecting to your network and business data, that's a gap worth knowing about before it becomes a problem.
Pittsburgh businesses in healthcare, construction, legal, and financial services deal with third-party payments and sensitive requests constantly. Those workflows are exactly what these attacks target. Our team works with businesses across the metro area and we're seeing more of this firsthand.
If your team hasn't talked through mobile security yet, or you'd like a second opinion on where your gaps are, we're happy to help. Send us a message or call (412) 307-8313. Free assessment, no strings attached.
[1] StationX, "Top Phishing Statistics for 2026: Latest Figures and Trends," stationx.net
[2] Kymatio, "2026 Phishing Benchmarks: Industry Click Rates & NIS2," kymatio.com
[3] KnowBe4, "SMS Phishing (Smishing) Examples & Defenses," knowbe4.com
[4] Keepnet Labs, "Smishing Statistics: SMS Phishing Trends (Updated 2026)," keepnetlabs.com