Financial Institution Phishing Texts Surge

Phishing text messages that impersonate banks and other financial institutions have spiked dramatically worldwide, with multiple data points showing triple‑digit growth in late 2024 and 2025.

What the new data shows

• AhnLab’s Q4 2025 report found texts impersonating financial institutions made up 46.93% of all phishing texts and had surged 343.6% from the prior quarter.​

• Similar analysis of Q4 2024 traffic also found more than half of phishing texts were posing as financial institutions, again with a roughly 343% jump in that category.​

• Globally, smishing (SMS phishing) incidents rose about 18–22% in 2024, with financial‑institution targets among the fastest growing segments.

• The international Anti‑Phishing Working Group recorded a record 989,123 phishing attacks in Q4 2024, with financial institutions identified as the main target vertical.​

• In the U.S., consumers reported $470 million in losses to scams that began with text messages in 2024, many of them fake bank “fraud alerts” or suspicious‑purchase messages.​

Why banks are such a big target

• Money and account access are high‑value targets, so criminals focus on messages that look like urgent bank alerts (card issuance, transaction notices, login warnings) to create anxiety and drive quick clicks.

• Attackers now rely on polished, typo‑free text generated with generative AI, which makes fake bank messages harder for consumers to distinguish from real ones.​

• Simple URL‑based texts dominate: in one large dataset, 98.89% of phishing texts used a link to a fake site or a fake call‑center number inside the message body.​

• Some gangs use SIM boxes (“SIM farms”) to blast huge volumes of bank‑impersonation texts, and at least one industry witness reported some U.S. banks seeing over 300% growth in these messages.​

Typical tactics in these texts

• “Card issued/transaction completed” alerts you don’t recognize, with a link to “report” or a number to call that leads to scammers.

• Fake bank fraud‑alert texts about suspicious purchases or account locks that push you to click a link or share one‑time passcodes (OTPs).

• Generic “financial services” wording instead of a specific bank name, plus shortened URLs that open convincing copies of online banking pages to steal credentials.

How to protect yourself

• Do not click links or call numbers in unsolicited bank texts; instead, open your bank’s app directly or call the number on the back of your card or on the bank’s website.​

• Never share one‑time codes, PINs, or full passwords by text or over the phone; legitimate banks emphasize they will not ask you for these in that way.

• Turn on multi‑factor authentication and account alerts in your banking app so you can verify real activity quickly without relying on incoming texts.

• If you receive a suspicious text, report it to your bank and your mobile carrier and, in the U.S., you can also report it to the FTC (via reportfraud.ftc.gov) so patterns can be tracked.