One of the most innovative aspects of the Smishing Report 2022 was its forensic linguistic framework - a system that treated text messages as structured data rather than random spam. By analysing grammar, tone, syntax, and response prompts, PORGiESOFT Security’s Threat Intelligence Function could uncover consistent behavioural patterns across threat actors. Language as an intelligence layer The research introduced nine smishing “classes”, each representing a distinct linguistic strategy. This classification showed that language choice directly correlated with sophistication across the global threat landscape. Simpler messages often targeted broad audiences (“Your package is waiting”), while complex multi-element messages targeted high-value individuals. The linguistic shift Between 2020 and 2022, the report observed a clear simplification in sentence structure and increase in conversational tone. Older scams used rigid, formal phrasing (“Kindly verify your account to avoid suspension”)

What is smishing? Smishing refers to SMS-phishing attacks where scam messages are sent via SMS. Instead of longer scams being delivered via emails, it’s scams being sent via text messages. Such messages usually contain a link and impersonate legitimate organisations. Threat actors use various manipulative techniques to convince and trick recipients of smishing messages. Fig 1 - Legacy smishing message Emerging tactics Smishing messages traditionally used to contain only links, but threat actors have adapted their tactics to include confusing linkless messages that use phone numbers or that ask for one word or letter replies without any URLs included initially. Some recent messages we’ve noticed have only contained one word - “Hi”, once the recipient engages with the threat actors by replying they then send further messages sometimes offering work opportunities or acknowledging a non-existent job application. End Game for Smishing Threat Actors The end goal for threat actors is to piqu

Why do consumers respond to smishing messages despite knowing it exists? The Smishing Report 2022 dedicated an entire section to this paradox - revealing that the issue lies less in awareness, and more in behaviour under pressure. The awareness gap According to wider analysis, 95% of consumers could not reliably detect fraudulent SMS messages. This reflects what psychologists call overconfidence bias - people believe they can spot scams, yet fail to apply that confidence under stress. The fraud moment PORGiESOFT Security’s victim research and OSINT analysis revealed a pattern called the fraud moment - a short window between receiving a message and deciding to act. During that short interval, emotional response overrides rational thought. The report identified three high-risk triggers: Financial anxiety – messages about refunds or fines. Social pressure – fake job or delivery updates. Authority bias – impersonations of government or banks. In each case, the victim’s emotional state det

PORGiESOFT Security researched and provided a quantitative map of the UK smishing ecosystem, detailing how threat actors, infrastructure and victims intersect. What did we learn? 1. Attack infrastructure Nearly 99 percent of all messages were written in English, confirming that UK consumers remain a primary focus for global smishing campaigns. The study identified nine distinct classes of smishing messages, from Class A (URL only, 58 %) to Class M (multiple fraud data points, 8.2 %) and smaller reply-based classes (Y and Z) that asked users to text “Y”, “YES”, or “STOP”. Each class revealed a different operational intent - whether to capture clicks, phone calls or conversation engagement. On the organisational side, 13 impersonation levels were mapped. The top three were: Banks (Level B) – 39.4 % of attacks Parcel Delivery Companies (Level P) – 26.3 % Government Departments (Level G) – 16.3 % Together, these sectors accounted for over 80 percent of all UK smishing incidents analysed.

When PORGiESOFT Security first released the Smishing Report 2022, it was one of the first threat intelligence studies to classify smishing using both linguistic and organisational taxonomies. The findings revealed a sophisticated and fast-evolving threat landscape. At the time, 45 million UK adults (around 71% of the population) had received a smishing text. More than 3,000 attacks were analysed and classified into nine attack classes and thirteen levels, revealing how fraudsters weaponised SMS as a psychological and technical tool. The scale of the problem The report found that smishing was not random. It followed discernible trends and emotional triggers. The top three impersonated sectors were: Banks (Level B) - 39.4% of analysed messages Parcel Delivery Companies (Level P) - 26.3% Government Departments (Level G) - 16.3% Together, these categories represented over 80% of all smishing activity in the UK at the time. Since then, smishing has only grown more complex. Threat actors no

Smishing, short for SMS phishing, is one of the fastest-growing forms of cyber fraud in the UK. The term describes fraudulent text messages designed to trick people into revealing personal information, clicking on malicious links, or making payments to criminals. At PORGiESOFT, we study smishing attacks, identifying common structures, impersonated brands and linguistic markers. We've found that the majority of mobile phone users had received a smishing text at some point and the problem has expanded each year since. How smishing works Smishing attacks use psychological and emotional manipulation rather than malware. A text message may claim to be from a bank, parcel company or government agency. Common smishing tactics include: “Your package is waiting for delivery.” “Your bank account has been suspended.” “You are eligible for a tax rebate.” When recipients click the link or respond, they are directed to a fraudulent website or prompted to share sensitive details such as login credent