Smishing at Scale: What Our Expert Panel Revealed About the Mobile Phishing Supply Chain

Recap of the live panel hosted by Constella and WMC Global on April 30, 2026

▶  Watch the full recording

If you’ve gotten a text recently warning you about an unpaid toll, a missed delivery, or suspicious activity on your bank account, you’ve interacted — however briefly — with one of the most sophisticated fraud ecosystems operating today.

On April 30, Constella and WMC Global hosted a live practitioner panel to pull back the curtain on exactly how that ecosystem works: who builds it, how the stolen data moves, why no one organization is taking ownership of the problem, and what defenders can actually do about it right now.

The conversation ran for just over an hour and covered more ground than most conference keynotes manage in three. Here are the key takeaways.

Phishing-as-a-Service Is Not a Tactic. It’s a Supply Chain.

Andres Andreu, Constella’s CEO and the panel’s moderator, opened with a framing that set the tone for everything that followed.

“Phishing as a service is not a particular tactic anymore. It’s not even a campaign model. It’s a fully operationalized pipeline — a supply chain. Like any mature supply chain, it’s designed to scale, to optimize, and most importantly, to be effective.”
— Andres Andreu, CEO, Constella

The operational structure is deliberately layered: a public-facing layer that interacts with the victim, an operational layer where the attack runs, and a separate monetization layer where the money is extracted. Each layer is intentionally isolated — infrastructure is not reused, identities are not shared, signals do not line up cleanly. That compartmentalization is precisely what makes the system so difficult to disrupt.

The numbers put the problem in stark context. Andres cited $80 billion in estimated annual global losses tied to mobile fraud — smishing, account takeover, and related attacks. And even as some headline metrics show improvement, he was clear that the decline does not represent progress: “It’s because they’re shifting channels. They’re moving into environments where visibility is lower, where controls are weaker, where detection is harder.”

Perhaps most striking: entry into this ecosystem now requires almost no technical skill. Pre-built kits, automated infrastructure, real-time telemetry, and AI-powered adaptive systems are available to anyone who knows where to pay for access. “Folks with no technical skill whatsoever can tap into this,” Andres said. “It’s production-grade infrastructure.”

The Exfiltration Layer Is Industrialized — and More Accessible Than You Think

Alberto Casales, Constella’s CTO and co-founder, walked the audience through what happens after a smishing campaign runs — tracing stolen data from collection through real-time validation, aggregation, and distribution.

The collection layer captures credentials, payment data, session cookies, AI tokens, and government-issued ID information. Real-time validation checks immediately whether captured data is still active. An aggregation layer packages and cross-references credentials across multiple services. And then the distribution layer pushes everything out — not just to dark web markets, but increasingly to Telegram channels, Discord servers, and open web shops.

“A lot of this stuff is not necessarily being distributed on the dark web. A lot of it is actually on Telegram, on Discord, on open web shops. It’s a lot more available than people think.”
— Ian Matthews, Founder & President, WMC Global

Alberto grounded the abstract in current reality: 900 individual breaches observed in a single week at the time of the panel, the overwhelming majority affecting small companies with no awareness that their data had been exposed. Those small companies represent a meaningful supply chain risk precisely because they provide services to larger organizations that are not actively monitoring them.

Mobile Is the Structurally Advantaged Attack Channel

Ian Matthews of WMC Global built one of the panel’s clearest arguments: mobile is not just another attack surface. It is structurally advantaged for PhaaS operators in ways that email never was.

Enterprise mobile device management gives organizations visibility into devices, but not into SMS or end-to-end encrypted messaging activity, especially on employee personal devices. Apple's adoption of RCS in iOS 18 in late 2024 was a genuine consumer win, and as RCS messaging moves to end-to-end encryption (the GSMA's Universal Profile 3.0, published in 2025, adds it, and Apple has committed to supporting it) it creates a corresponding blind spot for carriers: message traffic that was inspectable at the network level becomes opaque.

“Between 20 and 60 percent of people share passwords between personal and corporate accounts. When an attacker gains access to a login and password combination on a personal device, now they’re trying it against enterprise systems. And that’s all they need to get access to the right system to be a major event on the front of the New York Times.”
— Ian Matthews, Founder & President, WMC Global

Ian made a point that deserves wider attention in the security industry: the vast majority of ransomware investigations focus on the ransomware itself — not on how the initial credential was compromised. “If we can identify where these intrusion points are, and many of them are at the messaging or the mobile layer, we can stop this before it happens.”

Toll Road Fraud: Why Nobody Is Stopping It

The panel spent significant time on toll road smishing — the use case that brought Josh Swenson, Assistant Chief Information Officer at the Oklahoma Turnpike Authority, into the conversation.

Josh described the escalation from his organization’s perspective: what began as scattered individual smishing attempts accelerated sharply in early 2025, with campaigns blasting simultaneously across every state. Call centers fielded calls from confused customers. Internal messaging had to be updated. And the targeting deliberately blurred brand ownership — using EZDriveMA branding to hit residents of states that had no connection to Massachusetts tolling whatsoever.

“The scammers figured out if they target each individual state and everybody’s playing whack-a-mole and not talking to each other, it’s easy to get away with the scam. It has to be owned by a federal entity.”
— Josh Swenson, Asst. Chief Information Officer, Oklahoma Turnpike Authority

Ian’s explanation of why this campaign model is so difficult to shut down was analytically precise: toll road smishing exfiltrates credentials from whoever happened to have been driving on any highway — spreading losses across an unknown number of financial institutions, none of which absorbs enough damage to justify acting. Brands suffer reputationally. States say they’re not losing money. Banks absorb dispersed individual losses. Law enforcement thresholds are never met.

The playbook keeps adapting. After toll authorities improved their response, campaigns pivoted to DMV impersonation — because every state has a DMV and ownership is even less clear.
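The traits the panel describes (a toll or DMV lure, an urgency cue, a link to a domain nobody recognizes, and a brand from one state sent to a resident of another) are mechanical enough to score. The following triage function is an added example written for this recap, not code from Constella, WMC Global or the Oklahoma Turnpike Authority. The brand-to-state map, the allowlist of known-good domains and the sample messages are all constructed placeholders, and `registrable_domain` is a two-label simplification that a real deployment would replace with a Public Suffix List lookup.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Which state actually operates each toll brand. Constructed, partial mapping for
# this example; an operator would maintain the real one.
BRAND_STATE = {"ezdrivema": "MA", "pikepass": "OK"}
# Domains an operator has verified as legitimate. Placeholder values, not a claim
# about any brand's real infrastructure.
KNOWN_GOOD_DOMAINS = {"ezdrivema.com", "pikepass.com"}

LURE_TOPICS = ("toll", "turnpike", "dmv", "driver's license", "unpaid")
URGENCY_CUES = ("final notice", "within 24 hours", "avoid", "penalt", "suspend", "legal action")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname. A simplification: production code would
    use the Public Suffix List so that hosts under e.g. 'co.uk' are handled."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(message: str, recipient_state: Optional[str] = None) -> dict:
    """Score one SMS for toll/DMV smishing traits and return a verdict with reasons."""
    text = message.lower()
    score, reasons = 0, []

    if any(k in text for k in LURE_TOPICS):
        score += 1
        reasons.append("toll/DMV lure topic")
    if any(k in text for k in URGENCY_CUES):
        score += 1
        reasons.append("urgency cue")

    for url in URL_RE.findall(message):
        domain = registrable_domain(url)
        if domain in KNOWN_GOOD_DOMAINS:
            continue
        score += 2
        reasons.append(f"unlisted domain {domain}")
        # A brand name embedded in an unlisted domain is the classic lookalike.
        if any(brand in domain for brand in BRAND_STATE):
            score += 1
            reasons.append(f"brand lookalike domain {domain}")

    # The out-of-state pattern from the panel: one state's toll brand sent to a
    # recipient who lives where that brand does not operate.
    for brand, state in BRAND_STATE.items():
        if brand in text and recipient_state and state != recipient_state:
            score += 2
            reasons.append(f"{brand} brand sent to {recipient_state} recipient")

    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (text, recipient's state of residence). None of the
# URLs or amounts are real.
SAMPLE_MESSAGES = [
    ("EZDriveMA: You have an unpaid toll of $4.15. Pay within 24 hours to avoid "
     "penalties: https://ezdrivema-pay.top/bill", "OK"),
    ("Your PikePass toll statement is ready: https://pikepass.com/account", "OK"),
    ("DMV: Final notice. Your driver's license will be suspended unless you verify "
     "at https://dmv-notice.xyz/verify", "TX"),
    ("Reminder: your dental cleaning is tomorrow at 9am.", None),
    ("Toll balance updated. Log in at https://tolls.example.net/login", "MA"),
]


def run_samples() -> list:
    return [triage(msg, state) for msg, state in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (msg, _), result in zip(SAMPLE_MESSAGES, run_samples()):
        print(result["verdict"], result["score"], result["reasons"], "|", msg[:60])
```

The scoring weights are deliberately simple; the point is that the out-of-state brand mismatch, which is invisible to any single toll authority, becomes a strong signal once a carrier or an enterprise messaging filter has both the brand and the recipient's location.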

Attribution Is Hard. Accountability Is Harder.

The panel addressed a persistent misconception: SMS spoofing in the United States is generally not a significant factor in these campaigns. What attackers actually rely on is easier to abuse and harder to trace: prepaid SIM cards with no identity attached, or accounts at legitimate CPaaS providers such as Twilio that have been taken over through exposed API keys.
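An exposed CPaaS key usually leaks the ordinary way, through a committed .env file, a hard-coded client constructor or a build log. The scanner below is an added example, not a Constella or WMC Global tool, for catching that before an attacker does. It relies on the documented Twilio identifier formats (Account SIDs start with `AC` and API Key SIDs with `SK`, each followed by 32 hex characters); auth tokens and API secrets are bare 32-hex strings, so flagging them only when they sit beside a secret-looking variable name is this example's own heuristic. The sample files are constructed and contain no real credentials.

```python
import re
from dataclasses import dataclass

# Documented Twilio SID formats: "AC" (Account SID) or "SK" (API Key SID) + 32 hex.
SID_RE = re.compile(r"\b(AC|SK)[0-9a-fA-F]{32}\b")
# Auth tokens and API secrets have no prefix, so only flag a 32-hex value that is
# assigned to a name like TWILIO_AUTH_TOKEN or api_secret. Heuristic, not a Twilio rule.
TOKEN_ASSIGN_RE = re.compile(
    r"(?i)(twilio[_\-]?)?(auth[_\-]?token|api[_\-]?secret)\s*[:=]\s*['\"]?([0-9a-fA-F]{32})\b"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # account_sid | api_key_sid | auth_token
    redacted: str   # never store or print the full secret


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns Finding objects in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SID_RE.finditer(line):
            kind = "account_sid" if m.group(1) == "AC" else "api_key_sid"
            findings.append(Finding(path, line_no, kind, redact(m.group(0))))
        for m in TOKEN_ASSIGN_RE.finditer(line):
            findings.append(Finding(path, line_no, "auth_token", redact(m.group(3))))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents (as read from a repo or CI artifact directory)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents. The hex strings are made-up patterns.
SAMPLE_FILES = {
    ".env": (
        "TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef\n"
        "TWILIO_AUTH_TOKEN=fedcba9876543210fedcba9876543210\n"
    ),
    "send.py": (
        'client = Client("SKabcdef0123456789abcdef0123456789", '
        'api_secret="0011223344556677889900aabbccddee")\n'
    ),
    # A 32-hex MD5 checksum must not be reported: no SID prefix, no secret-looking name.
    "build.log": "artifact md5 = 00112233445566778899aabbccddeeff\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run this as a pre-commit hook or over CI artifacts; the point is that a compromised CPaaS account sends fully legitimate, carrier-authenticated traffic, so the only cheap place to stop it is before the key leaks.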

Alberto added a real-time example from the week of the panel: a WhatsApp account hijacking used to blast phishing campaigns to an entire contact list. The click rate on messages from known contacts is dramatically higher than on messages from unknown numbers — and as OTT platform adoption grows, so does the attack surface for session hijacking.

“The level of sophistication is not just on classical approaches or fake phone numbers. It could happen from someone on your contact list who suffered session hijacking. We are going to see this more and more often.”
— Alberto Casales, CTO, Constella Intelligence

Experts Weigh In: What Practitioners Can Do in the Next 30 Days

  • Josh Swenson: Invest in education — inside your organization and with your family. The scammers are targeting loved ones and non-technical users deliberately. Broad awareness is the most widely deployable defense.
  • Ian Matthews: Eliminate SMS-based two-factor authentication at the enterprise level. Any knowledge-based authentication is a target. Move to stronger authentication, and plan for the assumption that some employees will be compromised — then invest in what you do in the critical window after you know it’s happened.
  • Alberto Casales: Start continuously monitoring for exposed credentials and data tied to your organization. Not quarterly. Not after a breach. Continuously. The question is no longer if your organization’s credentials are exposed — it’s whether you know it yet.

Watch the Full Recording

The panel covered more than this recap captures — including a detailed discussion of how geopolitical actors intersect with criminal PhaaS infrastructure, why regulatory frameworks create data-sharing barriers that actively hinder consumer protection, and the specific IOCs and monitoring signals practitioners should be watching today.

▶  Watch the full recording

Constella delivers Identity Risk Intelligence that helps organizations detect exposure before it becomes a breach. Visit constella.ai/request-a-demo to see how Constella monitors the credential and dark web threat landscape.