While we’ve covered SMS text phishing (“smishing”) attacks in previous communications, this month’s CyberAdvisor concerns an alarming evolution that demands your immediate attention. Financial institutions affected by this campaign have reported average losses of $28,000 per successful compromise, with several high-net-worth individuals losing more than $250,000 in a single transaction.
✔︎ A highly sophisticated smishing operation out of China—dubbed the “Smishing Triad”—has rapidly expanded and upgraded, now directly targeting financial institutions and their clients (you and me) across North America, Europe, and Asia.
A Refresher - the "Smishing" Threat
You’ve likely received a message about an unpaid toll or a pending package delivery. These aren’t random—many are part of a coordinated cybercriminal operation traced to China. Security researchers call it the Smishing Triad: organized groups that have become highly adept at digital wallet theft.
- These attacks target both Apple (iPhone) and Android users.
- They are highly convincing and mimic professionally designed websites impersonating trusted brands such as postal services, toll authorities, PayPal, Chase, Wells Fargo, and many others.
- The scale is staggering. Security researchers estimate these phishing pages receive over a million visits monthly, with operations spanning 121 countries.
- And the delivery rate? Near 100%, because the messages travel over iMessage (Apple) and RCS (Android, the successor to SMS) rather than the carrier SMS network, so carrier-side spam filtering never sees them.
✔︎ This is the infrastructure behind today’s next-generation smishing attacks.
Why This Threat is Different
Prepare yourself for a dramatic evolution in smishing: the "Smishing Triad" from China is rolling out an advanced and highly effective system that will soon become a regular presence in your messaging app.
Here's what you need to know:
- Unprecedented Success Rate: Victim conversion rates exceed 60% in some targeted regions, compared to the 5-8% typical of standard phishing operations. Returns like that make this the model other criminal cyber actors will copy, and we expect it to be their focus for 2025.
- Advanced Social Engineering: Attackers leverage real-time information about target accounts, including recent transactions, making their messages extraordinarily convincing.
- Multi-Stage Attack Vectors: Beyond initial SMS compromise, the attack chain includes voice simulation, web spoofing, and seamless fund transfer mechanisms that evade traditional fraud detection.
- Attribution to Sophisticated Actors: Technical analysis strongly suggests connections to groups operating from mainland China, with tactics, techniques, and procedures matching those documented by major threat intelligence providers.
Pause here for a moment, please, and re-read the four points above. These are facts that define a substantial emerging risk you must avoid.
✔︎ The convergence of these factors signals an imminent period of cybercrime-related losses globally—with the U.S. expected to be among the hardest hit.
Who is Behind It?
Security researchers have traced these operations to China-based groups with names like Darcula, Lighthouse, and the Xinxin Group, sometimes referred to as the "Smishing Triad". What's particularly interesting is their global reach while seemingly avoiding targeting Russia, Iran, and North Korea.
Their operations show a significant investment in infrastructure:
- Approximately 25,000 phishing domains active during any 8-day period
- Majority hosted on Chinese platforms Tencent and Alibaba
- Sophisticated technical capabilities allowing a single device to send approximately 100 messages per second
- Operations include walls of phones with human operators ready to handle time-sensitive verification codes
The Chinese Connection
One aspect of this threat that’s particularly interesting—and a bit unsettling—is the role of the Chinese government and Chinese hackers in this operation. While there’s no definitive proof that the Chinese government is directly involved, the affiliation of these cybercriminals with China-based servers and their operations through large Chinese companies like Tencent and Alibaba raises concerns. This is especially relevant considering the current tense political relationship between the U.S. and China, particularly regarding cybersecurity and state-sponsored hacking activities.
The fact that these groups are based in China and operate at such a scale points to the sophistication of the threat. These aren’t casual hackers; they are part of a larger organized crime syndicate with a business model designed to maximize efficiency and profitability. Their approach reflects the growing cybercrime-as-a-service market and the reach it gives criminals into global financial markets.
How Do You Protect Yourself?
Now that you understand what smishing is, who the sophisticated perpetrators are, and why it’s so dangerous, let’s talk about what you can do to protect yourself:
- Be suspicious of urgent messages. Especially those concerning unpaid tolls, package deliveries, or financial matters requiring immediate action.
- Never click links in unexpected messages. Instead, go directly to the official website by typing the URL yourself or using your existing bookmarks.
- Don't provide card details on sites reached via messages. Legitimate organizations typically don't request full payment details via text message links.
- Be wary of verification code requests. If you receive an unexpected verification code by text message, someone is likely trying to access your accounts. Never read or type that code for anyone who calls or messages you, whoever they claim to be; the human operators behind these campaigns are waiting to enter it in real time.
- Consider using your bank's app for verification. Many financial institutions are moving away from SMS verification, instead requiring approval through their official mobile app.
- Use an MFA "authenticator" app, such as Google Authenticator or Microsoft Authenticator, rather than text messages for verification codes. Keep in mind that app-generated codes can still be stolen if you type them into a fake site, so where your bank offers a passkey or hardware security key, prefer that.
- Use mobile security software (like what we provide at TDS) to detect and block suspicious apps and websites.
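The advice above comes down to one check you can make before tapping a link: does the link actually belong to the brand the message claims to be from? Lookalike hosts such as "usps.com.something.top" put the real brand in a subdomain while the registrable domain is attacker-controlled. The following Python script is an added example, not code from the original advisory or from TDS; the sample messages, the brand allowlist, and the tiny public-suffix table are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages modelled on the toll/package/bank lures described above.
# None of these URLs are real captures.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold. Confirm your address within 24 hours: "
    "https://usps.com.track-id-8823.top/redelivery",
    "E-ZPass: unpaid toll of $6.95. Pay now to avoid a $50 penalty https://ezpass-payment.vip/bill",
    "Chase: your January statement is ready. Sign in at https://www.chase.com/ to view it.",
]

# Illustrative allowlist of official registrable domains (assumption; a real deployment
# would load the actual brand domains it cares about).
OFFICIAL_DOMAINS = {"usps.com", "chase.com", "paypal.com", "wellsfargo.com"}
# Brand tokens whose presence in a non-official hostname marks a lookalike.
BRAND_TOKENS = ("usps", "chase", "paypal", "wellsfargo", "ezpass", "toll")
# Very small stand-in for the Public Suffix List (assumption, enough for the samples).
PUBLIC_SUFFIXES = {"com", "net", "org", "top", "vip", "xyz", "info", "co.uk", "com.cn"}
URGENCY_PHRASES = ("within 24 hours", "pay now", "penalty", "on hold",
                   "immediately", "suspended", "verify")

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)


def registrable_domain(host):
    """Return the registrable domain (one label above the public suffix), or None."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes like co.uk before single-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def classify_host(host):
    """official: registrable domain is on the allowlist; lookalike: brand name appears
    in a host that is not official; unknown: neither."""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def analyze(message):
    """Extract links and urgency cues from one message and return a verdict dict."""
    links = []
    for raw in URL_RE.findall(message):
        raw = raw.rstrip(".,;:!?)")
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlsplit(url).hostname or ""
        links.append({
            "url": raw,
            "host": host,
            "registrable_domain": registrable_domain(host),
            "verdict": classify_host(host),
        })
    lowered = message.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    suspicious = any(link["verdict"] != "official" for link in links)
    return {"links": links, "urgency": urgency, "suspicious": suspicious}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok       ", msg[:60])
        for link in result["links"]:
            print("   ", link["verdict"], "->", link["host"],
                  "(registrable:", link["registrable_domain"], ")")
        if result["urgency"]:
            print("    urgency cues:", ", ".join(result["urgency"]))
```

The point the script makes is that the registrable domain, not the start of the hostname, decides who controls a link: the first sample contains "usps.com" but resolves to whoever registered track-id-8823.top. Urgency phrases are reported separately because they are a social-engineering signal, not proof of fraud on their own.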
The Bigger Picture
The Smishing Triad represents more than just another scam—it’s a case study in how cybercrime has become professionalized, scalable, and profitable.
This threat illustrates the broader shift we’re seeing in 2025:
- The rise of AI-enhanced attacks and as-a-service cybercrime platforms.
- State-adjacent threat actors operating with an efficiency once reserved for multinational corporations.
At Total Digital Security, we stay on top of these developments to protect our clients—not just with software, but with awareness, strategy, and personalized service. That’s what Cybersecurity for Life is all about.
✔︎ As always, your security is our top priority. We stay vigilant so you can stay confident and informed in an increasingly digital world.
Stay smart. Stay secure. Stay resilient.
That’s Cybersecurity for Life.
Contact us if you have questions or need assistance.