A recent scam report by Reboot found that the brands that scammers imitate the most are USPS (15.43%), IRS (11.71%), and Amazon (7.71%) – over 170 other brands were identified.

According to researchers, the most common scam types are account alerts (28.7%), delivery messages (21.1%), and subscription-related messages (14.7%). Over a quarter (24.2%) of links embedded in the analyzed scams contained the subdomain irs.gov.

The most common domain in links embedded in SMS scams is Namecheap.inc (17.3%). One in ten (9.15%) scams signed off with names used ‘Lisa’ as a front.

The most common SMS scam attempts involve preying on urgency and trust. The report has uncovered account alert scams as the most prevalent (575 incidences), followed by delivery scams (422) and subscription scams (294). However, despite their lower frequency, there are many other ways these scamming attempts may manifest, and these niche approaches may be harder to identify as a scam.  

Out of the scams analyzed, hundreds were addressed using false aliases to convince victims. Reboot’s report uncovered the most common front is Lisa (9.15%), followed by Annie (6.69%), Michael (5.63%), Kelly (5.63%), and Mary (4.23%). Scammers capitalize on the familiarity of these common names to increase the chances of victims engaging.

Out of the SMS scams analyzed, three domain registrars were identified as the most commonly used. NameCheap.inc was used in 17.3% of attempts, followed by ALIBABA.com (13.2%) and Internet BS Corp (8.01%). Scammers use domain registrars to register domains that impersonate legitimate services or organizations, exploiting them by creating fake URLs that appear trustworthy.

The most common subdomain used in smishing attempts is irs.gov, with over a quarter (24.2%) of those analyzed including it. Www (12.8%) and usps (7.5%) are also commonly incorporated into the misleading links shared in these scamming attempts.

Content analysis of SMS scams revealed some key trends in wording and phrasing. Phrases such as “Your account has been locked” and “Due to unusual activity” are among the most used to panic victims in the hope of quick action. Familiar, casual greetings like “Hi,” “Dear,” and “Hey” are the most common introductions in smishing attempts. Similar openers like “Congratulations” and “We regret” are used to lure victims in.