Click rates for text message scams run nine times higher than those for email. Attackers have noticed.
The text arrived on a Tuesday afternoon: a toll notice claiming $6.99 was overdue, with a link to pay immediately. Millions of Americans received variations of the same message throughout 2025, each purporting to come from E-ZPass, SunPass, or another regional toll authority. The urgency felt real. The branding looked right. And the link led to a credential harvesting page that captured payment card details within seconds of the tap.
This wasn’t a sophisticated operation targeting high-value individuals. It was industrial-scale smishing—phishing via SMS—run by a criminal network that victimized over a million people across 120 countries. According to Google’s November 2025 lawsuit against the operation, the toll scam alone generated an estimated $1 billion over three years.
The numbers explain why. Click-through rates for SMS phishing range from 19% to 36%, compared to just 2% to 4% for email. That nine-to-one effectiveness gap has made text messages the fastest-growing attack vector in social engineering, with smishing volume up 328% since 2020.
Why text messages convert
The advantage isn’t just that people check their phones constantly, though they do. It’s that two decades of security training have conditioned users to scrutinize email while leaving text messages largely unexamined.
According to Proofpoint research, only 23% of mobile users over 55 can correctly define smishing. Millennials fare only slightly better at 34%. The awareness gap is structural: corporate security programs spend heavily on email phishing simulations while rarely extending the same rigor to SMS. Attackers have responded by shifting resources toward the channel that still converts.
Mobile devices compound the problem technically. Phone screens display limited URL information, making it harder to inspect links before tapping. Spoofed sender IDs can display as legitimate company names rather than suspicious numbers. And unlike email, which passes through corporate security gateways, personal text messages bypass enterprise infrastructure entirely. The attacker reaches the user directly, unmediated by any defensive layer the organization controls.
The infrastructure behind the scams
The toll scam wasn’t an isolated campaign. It was a product offering.
The Smishing Triad, the Chinese cybercrime network behind the operation, ran a phishing-as-a-service platform called Lighthouse that sold turnkey smishing capabilities to other criminals. The platform offered over 600 templates impersonating more than 400 brands, with subscription tiers ranging from $88 per week to $1,588 per year. Features included two-factor authentication bypass, automated domain rotation, and real-time credential harvesting.
Google’s lawsuit invoked RICO statutes typically reserved for organized crime prosecutions. At any given time, Lighthouse operated approximately 25,000 active phishing domains.
This professionalization explains the growth trajectory. What once required technical expertise can now be purchased as a subscription service. The barrier to launching a sophisticated smishing campaign has dropped to under $100, and the returns justify the investment: three-quarters of businesses reported being targeted by smishing campaigns in 2024.
Where enterprise security falls short
The mismatch between threat and defense is stark. Enterprise security architectures were designed around email as the primary attack vector. Secure email gateways, DMARC authentication, and inbox filtering create multiple layers of protection that catch the majority of email phishing attempts before they reach users. No equivalent infrastructure exists for SMS.
Text messages travel through carrier networks that prioritize delivery over security. Commercial anti-smishing solutions blocked only 25-35% of threats in 2025. While AI-powered detection is improving those numbers, the gap remains wide. Carrier filtering catches known spam patterns but struggles with the constantly rotating domains and fresh phone numbers that characterize professional smishing operations.
The organizational gap matters as much as the technical one. Security teams have visibility into corporate email but limited ability to monitor employees’ personal phones. When a smishing message arrives on a personal device, as most do, it falls outside the security perimeter entirely.
What's converging
Smishing rarely operates in isolation anymore. The toll scam texts led to fraudulent websites that harvested not just payment cards but personal information enabling identity theft and account takeover. Attackers increasingly use text messages as the initial contact point, then pivot victims to phone calls, messaging apps, or follow-on campaigns that exploit the trust established in the first interaction.
The phishing kit ecosystem has evolved to serve this convergence. Modern kits include automated chatbots that engage victims in text conversations, simulating customer support interactions that request additional verification. Some operations have integrated AI-generated responses that adapt to victim replies in real time. The line between automated attack and human social engineering is blurring.
The Bottom Line
Text messages occupy a privileged position in how people communicate: immediate, trusted, and rarely filtered. The nine-to-one click rate differential between SMS and email phishing isn’t a curiosity—it’s a structural advantage that explains why smishing now accounts for 39% of all mobile threats.
The defenses that made email phishing manageable don’t transfer cleanly to SMS. Until carrier filtering improves, enterprise tools gain visibility into personal devices, and user awareness catches up to the threat, smishing will continue offering attackers something increasingly rare: a channel where victims still click.
Key Takeaways
Smishing is phishing conducted via SMS text messages rather than email. It has grown 328% since 2020 and now accounts for 39% of all mobile threats. The growth reflects attackers exploiting the trust gap between how users treat email and how they treat text messages.
SMS phishing achieves click-through rates of 19-36%, compared to just 2-4% for email—up to nine times more effective. Text messages create immediate urgency, display limited URL information on mobile screens, and bypass corporate email security infrastructure.
In 2025, the Smishing Triad sent millions of fake toll fee messages impersonating E-ZPass and other toll authorities. The operation victimized over one million people across 120 countries and generated an estimated $1 billion over three years before Google filed a RICO lawsuit.
Phishing-as-a-service platforms offer turnkey smishing operations starting at $88 per week, including pre-built templates, automated domain rotation, and real-time credential harvesting. The Lighthouse platform behind the toll scams operated 25,000 active domains at any given time.
Enterprise security was designed around email as the primary attack vector. Text messages travel through carrier networks with less filtering, arrive on personal devices outside corporate visibility, and are screened by detection systems far less mature than email security. Commercial tools blocked only 25-35% of threats in 2025.



