According to Infosecurity Magazine, SMS fraud losses are set to decline 11% next year, dropping from $80 billion in 2025 to $71 billion in 2026. Juniper Research analyst Ardit Ballhysa explained that diminishing message volumes make it harder for fraudsters to hide their scam traffic within legitimate communications. Enhanced operator firewalls are also making it increasingly difficult for bad actors to reach users. However, sophisticated threats persist, including the China-based “Smishing Triad” group that registered 60,000 domains to impersonate US toll agencies. Security firm SecAlliance also reported that Chinese smishing syndicates may have compromised 115 million US payment cards over 16 months. Meanwhile, phishing-as-a-service platforms are enabling even technical novices to launch sophisticated SMS, iMessage, and RCS attacks.
Sponsored content — provided for informational and promotional purposes.
<h2 id="why-fraud-is-finally-declining”>Why Fraud Is Finally Declining
Here’s the thing about SMS fraud – it’s always been a numbers game. Scammers rely on sending massive volumes of messages and hiding their malicious traffic within legitimate communications. But as overall SMS usage declines (thanks to WhatsApp, iMessage, and other platforms), there’s simply less cover for them to operate. Ballhysa nailed it when he said this drives up costs and erodes profits for bad actors. And operators are finally getting serious about security too. They’re deploying firewalls that do more than just screen sender IDs – they’re actually inspecting message content in real time. Basically, it’s getting harder and more expensive to run SMS scams successfully.
The New Threat Landscape
Just because traditional SMS fraud is declining doesn’t mean we’re safe. Far from it. Look at what’s happening with RCS – the rich communication service that’s supposed to be the modern replacement for SMS. It enables high-resolution photos, clickable buttons, and rich media. Sounds great, right? But security experts are worried it could open the door to entirely new attack vectors. And then there’s the professionalization of smishing. We’re not talking about random scammers anymore – we’re dealing with organized groups like Smishing Triad that register tens of thousands of domains and run sophisticated campaigns impersonating legitimate businesses. They’re not just sending spam – they’re running full-scale operations.
Phishing-as-a-Service Changes Everything
This might be the most concerning development. Phishing-as-a-service platforms are basically democratizing fraud. You don’t need technical skills anymore – these platforms handle all the heavy lifting across SMS, iMessage, and RCS. They provide multiple social engineering lures and even harvest OTP codes when threat actors try to provision stolen card information. Think about that for a second. We’ve gone from individual scammers to organized crime to what’s essentially fraud-as-a-service. It’s like AWS for criminals – they just pay for what they use and scale up as needed. This lowers the barrier to entry dramatically while increasing the sophistication of attacks.
What Operators Need to Do
So where does this leave mobile operators? They can’t just rely on traditional security measures anymore. Deep content inspection is becoming essential – not just screening sender IDs, but actually analyzing the content within messages. This allows operators to identify emerging fraud patterns in real time and block new attack vectors faster. But here’s the challenge: RCS makes content inspection more complex. With rich media, clickable buttons, and embedded content, there are simply more ways for attackers to hide malicious payloads. Operators need to invest in security that can keep pace with these evolving communication standards. Otherwise, they risk being caught on the back foot as traffic shifts from SMS to RCS.
