Key Findings
- The brands that scammers imitate the most are USPS (15.43%), IRS (11.71%), and Amazon (7.71%)– over 170 other brands were identified.
- The most common scam types are account alerts (28.7%), delivery messages (21.1%), and subscription-related messages (14.7%).
- Over a quarter (2%) of links embedded in the analyzed scams contained the subdomain irs.gov.
- The most common domain in links embedded in SMS scams is inc (17.3%).
- One in ten (15%) scams signed off with names used ‘Lisa’as a front.
Brands Most Frequently Imitated by Scammers
Many SMS scams impersonate businesses to appear legitimate. The brands most commonly impersonated are USPS (15.4%), IRS (11.7%), and Amazon (7.7%).
However, scammers frequently impersonate many other companies—over 170 companies have been identified.
The Most Prevalent Types of SMS Scams
The most common SMS scam attempts involve preying on urgency and trust. The report has uncovered account alert scams as the most prevalent (575 incidences), followed by delivery scams (422) and subscription scams (294).
However, despite their lower frequency, there are many other ways these scamming attempts may manifest, and these niche approaches may be harder to identify as a scam.
The Most Used Fake Names in SMS Scams
Out of the scams analyzed, hundreds were addressed using false aliases to convince victims. Reboot’s report uncovered the most common front is Lisa (9.15%), followed by Annie (6.69%), Michael (5.63%), Kelly (5.63%), and Mary (4.23%).
Scammers capitalise on the familiarity of these common names to increase the chances of victims engaging.
Most Common Domain Registrars Used in SMS Scams
Out of the SMS scams analyzed, three domain registrars were identified as the most commonly used.
NameCheap.inc was used in 17.3% of attempts, followed by ALIBABA.com (13.2%) and Internet BS Corp (8.01%). Scammers use domain registrars to register domains that impersonate legitimate services or organisations, exploiting them by creating fake URLs that appear trustworthy.
Top Subdomains Used in Smishing Attempts
The most common subdomain used in smishing attempts is irs.gov, with over a quarter (24.2%) of those analyzed including it. Www (12.8%) and usps (7.5%) are also commonly incorporated into the misleading links shared in these scamming attempts.
Common Wording and Phrases in SMS Scams
Content analysis of SMS scams revealed some key trends in wording and phrasing. Phrases such as “Your account has been locked” and “Due to unusual activity” are among the most used to panic victims in the hope of quick action.
Familiar, casual greetings like “Hi,” “Dear,” and “Hey” are the most common introductions in smishing attempts.
Similar openers like “Congratulations” and “We regret” are used to lure victims in.
