FBI Warns Of “Smishing” Text Scam In iPhone, Android: How To Remain Safe

The FBI has issued a warning about a rising cyber threat moving “from state to state” across the US, targeting citizens through malicious SMS messages, or “smishing” texts.

Authorities are urging iPhone and Android users to delete any suspicious texts immediately.

According to Palo Alto Networks’ Unit 42, cybercriminals have registered over 10,000 domains to fuel this new wave of scams. The FBI advises never clicking on unknown links and reporting suspicious messages to the relevant authorities.

What Are Smishing Texts?

Smishing, a blend of “SMS” and “phishing,” is a cyberattack in which fraudsters send deceptive text messages to trick individuals into revealing personal information or clicking on malicious links. The information sought includes sensitive financial details, such as credit and debit card details and account information.

Common Tactics Used In Smishing

  • Urgent Alerts: Messages claiming issues with bank accounts or deliveries.
  • Enticing Offers: Promises of prizes or deals requiring personal details to claim. 
  • Official Impersonation: Texts appearing to be from trusted entities like banks or government agencies.

How Smishing Works

A smisher (scammer) sends a text message pretending to be a trusted entity, such as:

  • Banks (fraud alerts, payment issues)
  • Government agencies (fake tax or legal notices)
  • Delivery services (fake shipping updates)
  • Tech support (account security warnings)

These messages often create a sense of urgency to trick recipients into clicking a malicious link or replying with confidential information.

Smishing Domain Names

A recent investigation by Palo Alto Networks’ Unit 42 found that many fraudulent domains associated with these smishing campaigns use the Chinese .XIN top-level domain (TLD).

Examples of these deceptive domain names include:

  • dhl.com-new[.]xin
  • ezdrive.com-2h98[.]xin
  • fedex.com-fedexl[.]xin
  • thetollroads.com-fastrakeu[.]xin
  • usps.com-tracking-helpsomg[.]xin

These URLs are designed to mimic legitimate services like DHL, FedEx, USPS, E-ZPass, and SunPass, making them more convincing to unsuspecting victims. Clicking these links can lead to phishing pages that steal financial and personal information.
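
In each of the names above, the brand and a "com-" prefix are only decoration: the domain actually registered is the last two labels, under .xin. The Python check below is an added example, not code from the FBI or Unit 42. The token list, the function names and the two benign hostnames are assumptions made for illustration, and it assumes a single-label public suffix.

```python
import re

# Tokens that normally END a real brand hostname (assumption: short illustrative list).
EMBEDDED_TLDS = ("com", "net", "org", "gov")
LOOKALIKE = re.compile(r"^(%s)-[a-z0-9-]+$" % "|".join(EMBEDDED_TLDS))

def refang(host):
    """Undo the [.] defanging used in reports and normalise case."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def analyze(host):
    """Return the registered domain and, if present, the brand host being imitated.

    Assumes a single-label public suffix (true for .xin and .com); production
    code would consult the Public Suffix List instead.
    """
    labels = refang(host).split(".")
    result = {"registered": None, "impersonates": None, "suspicious": False}
    if len(labels) < 2:
        return result
    sld, tld = labels[-2], labels[-1]
    result["registered"] = sld + "." + tld
    m = LOOKALIKE.match(sld)
    # Flag only when labels sit to the left of a "com-..." registered label and
    # the real TLD differs from the embedded token.
    if m and len(labels) >= 3 and tld != m.group(1):
        result["impersonates"] = ".".join(labels[:-2] + [m.group(1)])
        result["suspicious"] = True
    return result

# The five defanged names listed in the article, plus two benign-shaped hosts for contrast.
SAMPLES = [
    "dhl.com-new[.]xin",
    "ezdrive.com-2h98[.]xin",
    "fedex.com-fedexl[.]xin",
    "thetollroads.com-fastrakeu[.]xin",
    "usps.com-tracking-helpsomg[.]xin",
    "tools.usps.com",      # added for contrast, not from the article
    "www.fedex.com",       # added for contrast, not from the article
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        verdict = "LOOKALIKE of " + r["impersonates"] if r["suspicious"] else "ok"
        print(f"{refang(s):40} registered={r['registered']:28} {verdict}")
```

The same pattern test can run in a mail or SMS gateway filter, where the reported "registered" value is the one to block or look up.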

How To Protect Yourself From Smishing

  • Never click on links in unsolicited text messages. Instead, visit official websites directly.
  • Verify the sender. If a message claims to be from your bank or a government agency, contact them using official contact details.
  • Beware of urgency. Scammers use pressure tactics to force quick decisions. Take a moment to think before responding.
  • Use spam filters and report suspicious messages. Many mobile carriers allow you to report scam texts.

Cities issuing warnings include Boston, Denver, Detroit, Houston, and San Diego. Scammers also make small mistakes, like putting the dollar sign after the amount (10$ instead of $10), revealing the fraud’s foreign origins.