PORGiESOFT Security researched and provided a quantitative map of the UK smishing ecosystem, detailing how threat actors, infrastructure and victims intersect. What did we learn?

1. Attack infrastructure

Nearly 99 percent of all messages were written in English, confirming that UK consumers remain a primary focus for global smishing campaigns. The study identified nine distinct classes of smishing messages, from Class A (URL only, 58 %) to Class M (multiple fraud data points, 8.2 %) and smaller reply-based classes (Y and Z) that asked users to text “Y”, “YES”, or “STOP”. Each class revealed a different operational intent - whether to capture clicks, phone calls or conversation engagement.

On the organisational side, 13 impersonation levels were mapped.
The top three were:

  1. Banks (Level B) – 39.4 % of attacks
  2. Parcel Delivery Companies (Level P) – 26.3 %
  3. Government Departments (Level G) – 16.3 %

Together, these sectors accounted for over 80 percent of all UK smishing incidents analysed.

2. Infrastructure and coordination

While the report did not include technical telemetry such as domain lifespan or hosting overlap, qualitative OSINT review showed that most URLs were unique and short-term, often created specifically for a campaign before being abandoned. The presence of 200 + associated phone numbers highlighted the close operational link between smishing (SMS) and vishing (phone fraud), confirming that many threat groups operate across multiple communication channels rather than through isolated attacks.

3. Patterns of impersonation

The data exposed a recurring tactic of brand hijacking - cloning or referencing legitimate organisations that interact with the public daily. Fraudsters repeatedly used wording associated with banks, government services and delivery notifications. Common phrases such as “Your parcel is waiting”, “You are eligible for a tax rebate” and “Unusual activity on your account” appeared across thousands of samples, showing that smishing language is standardised and scalable.

4. Victim journey analysis

A critical finding from the Smishing Report 2022 was that smishing rarely operates in isolation. It typically forms the first step in a chain of deception:

  1. Initial SMS delivery – the hook message.
  2. Engagement – victim clicks a link or replies.
  3. Data harvest & phishing site – credentials or details collected.
  4. Follow-up contact (vishing or email) – further exploitation or APP fraud.

This progression demonstrates that smishing is a gateway attack, not an endpoint, enabling criminals to escalate quickly from text engagement to full financial compromise.

The UK threat landscape in context

The research positioned the United Kingdom among the most heavily targeted regions worldwide, alongside Australia and Canada. High mobile-banking adoption and strong public-service digitalisation have created ideal conditions for SMS-based impersonation.

Turning research into protection

Findings from the 2022 study directly shaped PORGiESOFT Security’s Fraud Threat Intelligence Index, which monitors and tracks smishing trends in real time for councils, banks and enterprises. By mapping each new message to one of the nine classes and 13 levels, it provides consistent terminology for identifying, sharing and responding to threats across sectors.

Key takeaway

The Smishing Report 2022 remains a significant intelligence asset on SMS-based fraud. Its evidence confirms that smishing is an interconnected ecosystem - linking message content, infrastructure and human behaviour. It revealed the industrial scale, operational rhythm and cross-channel nature of the threat. Understanding these relationships enables organisations to move beyond reactive filtering and toward coordinated, intelligence-driven prevention.