
Smishing at Scale: USPS and Toll-Authority Impersonation Has Changed the SMS Threat Model

Lisa Hawkins
Director, Threat Research & Intelligence, Vercon

The ongoing smishing campaigns impersonating the US Postal Service and various state toll authorities are no longer a series of isolated incidents to be tracked. Instead, they represent a significant, structural shift in the SMS threat landscape. The volume is sustained, the underlying infrastructure is industrialized, and the downstream impacts on legitimate SMS usage are substantial and show no signs of self-correction.

What began as opportunistic phishing has matured into a multi-year operation orchestrated by actors researchers have termed the "Smishing Triad" and associated clusters. This apparatus maintains thousands of lookalike domains, generates messages in multiple languages, and demonstrates an adaptive capacity, pivoting within days when filtering mechanisms improve. The sheer scale, measured in weekly message volume, is such that virtually every US mobile phone has likely received at least one of these messages.

What the Campaign Actually Does

The typical message is concise, leveraging plausible logistics or compliance scenarios. A package delivery is on hold, awaiting address confirmation. A toll payment is due, with an impending late fee. A signature is required for an incoming parcel. The message invariably contains a link, which directs the recipient to a credible imitation of the agency's legitimate website. There, personal and financial details are solicited under the guise of resolving the supposed issue.

The data harvested through these campaigns is monetized through several avenues. Immediate card-not-present fraud is the most direct. A secondary, yet significant, value comes from account takeovers, particularly when individuals reuse their credentials across multiple services. The tertiary value, which has bolstered the campaign's profitability, involves adding fresh phone numbers to their targeting pool for future smishing operations.

The campaign's infrastructure rotates with a speed that often outpaces the filtering capabilities of most carriers and platforms. New domains are registered in bulk, frequently using names that are visually similar to legitimate ones, a technique known as homoglyph attacks or typo-squatting. Sending numbers cycle through compromised SIM cards, meticulously spoofed caller IDs, and bulk SMS services that exhibit weak abuse controls. The cost per message is sufficiently low that filtering efforts impose only a marginal economic penalty on the operators.
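A defender-side way to triage links in reported messages for the lookalike-domain pattern described above; this is an added example, not Vercon's code. `usps.com` is the real Postal Service domain, while `tollpay.example`, the confusables table and every sample host are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions: usps.com is the real Postal Service domain; "tollpay.example"
# stands in for a toll authority's domain. Both lists are illustrative.
LEGIT_DOMAINS = {"usps.com", "tollpay.example"}
BRAND_TOKENS = {d.split(".")[0] for d in LEGIT_DOMAINS}

# Small constructed confusables table (digits and Cyrillic look-alikes).
FOLD = str.maketrans({"0": "o", "1": "l", "5": "s", "\u0455": "s",
                      "\u0440": "p", "\u0430": "a", "\u043e": "o", "\u0435": "e"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased hostname of a URL or bare link, with xn-- labels decoded."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or a malformed label

def classify(url):
    host = host_of(url)
    # Only an exact match or a true subdomain of a real domain is legitimate.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Fold look-alike characters, then inspect each label and hyphen-separated part.
    tokens = [t for t in re.split(r"[.\-]", host.translate(FOLD)) if t]
    if any(t in BRAND_TOKENS for t in tokens):
        return "lookalike: brand token outside the real domain"
    if any(edit_distance(t, b) == 1 for t in tokens for b in BRAND_TOKENS):
        return "lookalike: one edit from a brand token"
    return "unrelated"
```

Short brand tokens sit one edit away from unrelated names, so the result is a triage signal to pair with an allowlist rather than a blocking decision.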

What This Has Done to Consumer SMS Trust

The cumulative effect of consistently receiving these scam messages, week after week, has been to condition consumers to view any unexpected SMS from a logistics or compliance entity with extreme skepticism. While this learned caution offers some short-term consumer safety, it is corrosively undermining the legitimate utility of the SMS channel in the medium term.

Legitimate organizations that rely on SMS for critical communications (such as delivery notifications, appointment reminders, payment confirmations, or service alerts) are observing measurable declines in engagement. Customers now routinely disregard messages from unknown short codes. They are increasingly hesitant to click links embedded in messages, even from familiar brands. Consequently, customers often resort to calling the organization's main support number to verify information, which inflates contact center volumes and degrades the very customer experience the SMS was intended to streamline and improve.

Vercon has consulted with several organizations confronting this exact problem. In these candid discussions, the framing is clear: SMS, as a trusted notification channel for consumer engagement, is in serious decline. This decline is not attributable to the actions of any single organization. It is a collective consequence of the sustained volume of these campaigns. Any meaningful recovery, if it occurs, will necessitate a level of coordinated industry action that is not yet evident.

What Enterprise Teams Should Do About SMS Channel Trust

Despite the degraded channel environment, there are concrete steps organizations can implement to preserve as much value as possible from legitimate SMS communications. This isn't about restoring the channel single-handedly, but about optimizing within current constraints.

The first step is to invest in branded sender identity. Verified sender IDs, available through programs like RCS Business Messaging where supported, provide customers a clear visual indicator that a message originates from the legitimate brand. While not a complete solution, this cue is meaningfully more robust than relying on an isolated short code.

Second, minimize the inclusion of links in SMS messages. Every link presents another potential phishing vector for an attacker. Legitimate SMS communications should, where possible, direct customers to log in via an already installed application or to call a verified, known phone number, thereby avoiding contribution to the broader link-trust problem.

Third, ensure that customer-facing guidance on SMS scams is easily discoverable and concise. Many organizations maintain a security page detailing, in dense legalistic prose, what their SMS messages will and will not contain. A more effective approach is a single-paragraph reference, prominently linked from the main support page, explicitly stating what legitimate SMS from the organization will look like and what information will never be requested via SMS.

The SMS Side of Account Takeover

A secondary, but critical, risk stemming from the smishing wave demands separate attention. The data collected by these campaigns, particularly phone numbers linked to personal information, is subsequently utilized in downstream operations. These operations often involve attempting SIM swaps and account takeovers against high-value targets identified during the initial data harvesting phase.

Vercon has reviewed multiple incidents where the initial compromise stemmed from a smishing-collected dataset. The eventual loss manifested as cryptocurrency theft, a brokerage account takeover, or the compromise of a corporate account facilitated by a successful SIM swap. While the path is indirect, the sheer volume of the upstream campaign means these downstream incidents are common enough to warrant dedicated defensive planning.

Defenders should operate under the assumption that any phone number subjected to smishing messages for over a year is now part of an active targeting pool. Consequently, SMS-based account recovery mechanisms for sensitive accounts should be treated as a workflow requiring additional protections, rather than a default, low-friction option.

What Telecom Carriers Are and Are Not Doing

Major US carriers have made substantial investments in their filtering capabilities. These filters effectively block a significant proportion of obvious smishing campaigns before they reach the recipient, and the quality of this filtering has demonstrably improved year over year. Furthermore, carriers coordinate through organizations like the GSMA and various industry forums, sharing blocklists and best practices.

However, given the inherent structure of the SMS protocol and the complexities of international interconnects, carriers face limitations in achieving perfect filtering. Messages routed through certain international gateways often carry attributes that complicate filtering. Campaigns that adapt their phrasing to evade simple pattern matching necessitate manual review, which is not scalable to the immense volumes involved. Critically, these campaigns consistently invest in strategies to circumvent the latest filtering improvements.

A structural solution would involve a more authenticated SMS channel, where the sender's identity is cryptographically verifiable, and the receiving handset explicitly displays the verification status. While several partial implementations of such a system exist, none has yet achieved the scale necessary to profoundly alter consumer behavior.

The Regulatory Picture

Regulatory scrutiny on smishing has intensified, a trend we anticipate will continue. The FCC has taken enforcement actions against several gateway providers complicit in enabling bulk smishing campaigns. State attorneys general have initiated legal challenges against identifiable operators. However, the existing legal framework often proves ill-suited to addressing a problem largely driven by overseas operators whose infrastructure rotates with greater agility than legal processes can accommodate.

Over the next two years, we anticipate a shift in regulatory focus towards platform liability. This would entail holding SMS gateway providers themselves accountable for the abuse transiting their systems. Such a shift would fundamentally alter the economic model of these campaigns by compelling gateways to invest in abuse controls that are currently external to their core business model.

A Short Action List

For organizations that regularly send legitimate SMS to consumers, implementing three specific steps this quarter is advisable.

First, conduct an audit of your current SMS volume, classifying messages by purpose. Specifically identify any messages that include a link. For each, critically assess whether the link is truly necessary, or if the customer could be more securely directed to an existing application or a verified phone number.

Second, publish a brief, easily discoverable consumer-facing page that clearly describes what your SMS communications will look like and explicitly states what your organization will never request via SMS. This page should be linked prominently from your main support page, not buried within a legal section.

Third, establish metrics to track the engagement rate on your legitimate SMS over time. The sustained trend in this rate will serve as a leading indicator of the channel's ongoing value to your organization, providing critical data to support future budget allocation discussions.
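The first and third steps above can be run against an export of sent messages. The following is an added example, not part of the original article: the send log is constructed, `shop.example` is a placeholder sender domain, and the `engaged` flag (the customer acted on the message) is an assumed definition of engagement.

```python
import re
from collections import defaultdict

# http(s) URLs plus bare domains, which handsets also turn into tappable links.
LINK_RE = re.compile(r"(?i)\b(?:https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?)")

# Constructed send log. Fields: month, purpose, body, engaged.
SEND_LOG = [
    ("2024-01", "delivery", "Parcel out for delivery. Details: https://shop.example/t/81", True),
    ("2024-01", "delivery", "Parcel delivered. Open the app to see the photo.", True),
    ("2024-01", "payment",  "Payment of $40.00 received. Thank you.", True),
    ("2024-01", "reminder", "Appointment at 9.30am tomorrow. Reply C to confirm.", True),
    ("2024-02", "delivery", "Parcel delayed. See shop.example/help", False),
    ("2024-02", "payment",  "Card declined. Update it in the app.", True),
    ("2024-02", "reminder", "Appointment tomorrow. Call the number on your card.", False),
    ("2024-02", "delivery", "Parcel out for delivery. Details: https://shop.example/t/90", False),
]

def link_audit(log):
    """Per purpose: (messages sent, messages containing a link)."""
    out = defaultdict(lambda: [0, 0])
    for _month, purpose, body, _engaged in log:
        out[purpose][0] += 1
        out[purpose][1] += bool(LINK_RE.search(body))
    return {purpose: tuple(counts) for purpose, counts in out.items()}

def engagement_by_month(log):
    """Month -> share of sent messages the customer engaged with."""
    sent, hit = defaultdict(int), defaultdict(int)
    for month, _purpose, _body, engaged in log:
        sent[month] += 1
        hit[month] += engaged
    return {month: hit[month] / sent[month] for month in sorted(sent)}

if __name__ == "__main__":
    for purpose, (total, linked) in link_audit(SEND_LOG).items():
        print(f"{purpose}: {linked} of {total} messages carry a link")
    print(engagement_by_month(SEND_LOG))
```

The pattern deliberately matches scheme-less links such as `shop.example/help`, which a search for `http` alone would miss, while leaving amounts and times like `$40.00` and `9.30am` alone.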

Closing

The smishing campaigns of the past two years have inflicted structural damage on the trust consumers extend to SMS as a communication channel. Repairing this damage will likely require years, and such repair will necessitate a coordinated effort across carriers, platforms, and regulators, a coordination not yet demonstrably in place. Individual organizations cannot unilaterally fix the channel. They can, however, preserve the functional parts of it for their customers, and they should be realistic about the inherent limitations of such preservation efforts.
