Mobile fraud losses are projected to decline in 2026. That headline is technically accurate and deeply misleading. The fraud is not going away. It is changing channels, picking up speed, and getting harder to stop.
The number looks like progress. Global subscriber losses from SMS fraud, smishing, account takeover, and related mobile threats reached $80 billion in 2025. In 2026, analysts project that figure will fall to $71 billion, an 11% decline.
Before your fraud or security team updates its risk posture based on that trajectory, it is worth understanding what is actually driving the drop, and what the headline does not capture.
The decline in raw SMS fraud losses reflects one thing: SMS as a channel is becoming less attractive to attackers. Message volumes are declining, carrier-level firewalls are getting better at blocking known smishing domains, and regulators in the U.S. and internationally are applying pressure on telecom operators to improve filtering. The result is that concealing fraudulent traffic in legitimate SMS traffic is becoming more expensive and more detectable for the criminal organizations running smishing operations at scale.
None of that means the fraud operators are shutting down. It means they are moving.
Where $80 Billion Worth of Mobile Fraud Is Going
The infrastructure behind large-scale mobile fraud campaigns (the Phishing-as-a-Service platforms, the affiliate networks, the SIM farms, the automated credential harvesters) is not being dismantled. It is being redirected to channels where carrier-level filters cannot reach.
iMessage and RCS are the new delivery infrastructure. Sophisticated PhaaS platforms including Darcula and Lucid, both linked to Chinese-speaking criminal networks, have largely shifted from SMS to Apple iMessage and Google’s Rich Communication Services protocol. The reason is structural: iMessage and RCS use end-to-end encryption, which makes it impossible for network operators to inspect or filter message content. Carrier spam controls that block known smishing domains are useless when they cannot read the message. Legitimate-looking blue bubbles from unknown email addresses now carry phishing links to 100-plus countries.
WhatsApp and Telegram carry the personalized campaigns. When attackers have high-quality PII, such as the reservation data from the recent Booking.com breach, the travel records from aviation sector breaches, or the financial transaction data from banking sector compromises, they use it to build targeted campaigns on trusted messaging platforms. A WhatsApp message that correctly names your hotel, your check-in date, and your booking reference number bypasses the instinct that flags generic smishing. These campaigns are not high-volume spray attacks. They are precision strikes built from breached data.
AI is eliminating the quality floor. The tell-tale signs that historically helped recipients identify smishing (awkward phrasing, grammatical errors, generic lures) are disappearing. AI-powered phishing kit updates have given even low-skill operators the ability to generate grammatically perfect, locally contextualized, brand-accurate messages in any language, at scale, in minutes. AI-powered smishing campaigns are now achieving click-through rates of up to 54%. The gap between AI-generated smishing and legitimate mobile communication is closing rapidly.
The monetization pipeline is automated and real-time. Modern PhaaS platforms stream victim-entered data to operators character by character as the victim types, including card numbers, PINs, and one-time codes. Stolen card data is verified against bank systems automatically and in real time. The entire chain from a victim clicking a link to fraudulent card provisioning to a digital wallet can complete in under three minutes. The $800 average financial loss per smishing victim understates the downstream fraud value of a single successful credential capture.
Every Major Vertical Is Exposed. The Attack Surface Is the Same.
The channel migration from SMS to encrypted messaging and AI-personalized lures affects every sector that holds personal data, processes payments, or communicates with customers through mobile channels. The attack surface is not sector-specific. The data that fuels the campaigns is.
- Financial services. Banks and fintechs are the primary impersonation target in smishing campaigns because the financial urgency of a fraud alert or account suspension notice drives immediate action. The Bank Policy Institute estimated $12.5 billion in consumer losses from scams in 2024 alone. Banks are increasingly liable for authorized push payment fraud in regulatory environments that require reimbursement, creating direct institutional exposure when their customers are successfully smished into approving fraudulent transfers.
- Telecommunications. Telcos appear in multiple high-volume breach datasets, including SK Telecom (26.9 million records), TalkTalk (18.8 million), and AT&T (86 million) in Constella’s 2026 Identity Breach Report top 20 list. Telecom subscriber data, which includes names, phone numbers, account details, and service history, is the raw material for highly targeted mobile impersonation campaigns. When attackers have your carrier, your account number, and your service address, a fake account alert is nearly indistinguishable from a legitimate one.
- Retail and e-commerce. Package delivery and order confirmation lures remain the highest-volume smishing template globally. Retail breach data that includes phone numbers, shipping addresses, and order histories enables personalized delivery smishing that references real recent orders. The Darcula PhaaS network alone uses over 200 brand templates across postal services, retailers, and logistics operators in over 100 countries.
- Travel and aviation. Vietnam Airlines (26.7 million records) and Qantas (6 million) both appear in Constella’s top 20 breaches from 2025. Travel reservation data combines names, phone numbers, travel plans, accommodation details, and financial records in a single package. That combination is uniquely valuable for smishing operators building lures around upcoming travel. The Booking.com breach in April 2026 produced targeted WhatsApp campaigns within days of the breach confirmation, before most affected customers received notification.
- Healthcare. Healthcare records are the most persistent identity fraud risk because they contain the widest range of PII: names, dates of birth, addresses, insurance identifiers, and treatment history. UnitedHealth (72 million records) and Yale New Haven Health (5.5 million) both appear in Constella’s 2025 breach data. Healthcare smishing campaigns that reference real appointment history or insurance claims produce victim response rates that generic campaigns cannot match.
- Government and critical infrastructure. Toll road smishing is the most visible current example of government infrastructure being weaponized in mobile fraud campaigns. The FBI’s IC3 received 59,271 complaints tied specifically to toll-related smishing. The FTC reported $470 million in text scam losses in 2024, a fivefold increase from 2020. Josh Swenson of the Oklahoma Turnpike Authority, one of the practitioners on our April 30 webinar, can speak directly to what this looks like on the receiving end of a national-scale toll fraud campaign.
The Data Comes First. The Smishing Campaign Follows.
The reason smishing is becoming more effective, even as it declines in raw SMS volume, is the quality of the underlying identity data powering the campaigns. That data comes from breaches. It comes from infostealer logs. It comes from the PII-rich breach records that Constella’s 2026 Identity Breach Report documents surging 661% year over year in 2025.
Ian Matthews, founder of WMC Global and one of the practitioners joining the April 30 webinar, spends his days tracing exactly this chain: how data that originates in a breach or an infostealer infection eventually surfaces in a mobile fraud campaign. His background building SMS interconnect infrastructure gives him a unique view into how the routing and delivery side works. His current work focuses on detecting, disrupting, and attributing the mobile fraud operations that sit downstream of the identity exposure Constella monitors.
The connection between the two is not incidental. It is the operational reality of how modern mobile fraud works. Attackers do not generate their own targeting data. They buy it, harvest it from phishing campaigns, or extract it from breach packages circulating in underground markets. Constella’s monitoring of those markets, across 54.6 billion curated records spanning 125 countries, is the early warning system that identifies when a specific organization’s customer or employee data has entered the adversary ecosystem, before it fuels the next wave of campaigns.
What Organizations Should Do Now
- Stop treating smishing as an SMS problem. SMS-specific filters and carrier-level controls address a shrinking share of the threat. The same criminal infrastructure is now operating across iMessage, RCS, WhatsApp, and Telegram with substantially better evasion. Your mobile fraud defenses need to account for the full channel landscape, not just traditional text messaging.
- Monitor the breach ecosystem as a leading indicator of campaign risk. Every major smishing campaign is preceded by a data acquisition event: a breach, an infostealer infection, a dark web data purchase. Organizations that monitor for exposure of their customer and employee PII in underground markets get advance notice before those campaigns launch. Constella’s continuous monitoring of adversary channels, including private Telegram groups and closed forums where breach data is traded, provides that early warning.
- Treat phone numbers as high-risk PII. Phone numbers are the delivery vector for mobile fraud. They warrant the same access controls, breach response protocols, and exposure monitoring as payment card data and account credentials. Most organizations do not have visibility into where their customers’ phone numbers are circulating in underground markets. That visibility gap is where smishing campaigns begin.
- Connect your fraud and security teams to the same intelligence. Mobile fraud operations cross the traditional boundary between cybersecurity and fraud prevention. The credential theft is a security problem. The fraudulent payment is a fraud problem. The smishing lure that connects them is a mobile communications problem. Organizations that operate these as separate silos miss the full picture. Identity intelligence that spans all three gives fraud and security teams a common operating picture.
- Prioritize sectors with the most personalization-enabling data. Healthcare, financial services, travel, and telecommunications organizations hold the data types (names, phone numbers, account history, transaction details) that make smishing campaigns most convincing. If your organization is in one of these sectors, your exposure to personalized smishing campaigns is structurally higher than that of organizations that hold less contextual personal data.
The Conversation Continues April 30
The migration of mobile fraud from SMS to encrypted channels, the industrialization of PhaaS infrastructure, and the role of breached identity data in fueling targeted campaigns are exactly the topics the Constella smishing and mobile fraud webinar was built to address.
On April 30 at 1:00 PM ET, Ian Matthews of WMC Global, Josh Swenson of the Oklahoma Turnpike Authority, and the Constella Intelligence team will cover how this threat pipeline actually works, what it looks like from the practitioner side of both financial fraud and critical infrastructure, and what organizations across every vertical can do to get ahead of it.
If mobile fraud, smishing, or the role of identity exposure in downstream campaigns is relevant to your organization, this is the conversation worth having.
Sources: Infosecurity Magazine (March 18, 2026); Infobip SMS Fraud Guide (April 2026); Keepnet Smishing Statistics (March 2026); Bank Policy Institute (February 2026); FBI IC3 PSA (April 2024); FTC text scam data (2024). Statistics: Constella Intelligence 2026 Identity Breach Report.