Two years of FBI crime data point to the same unguarded channel. Here’s what the numbers reveal.

Every conversation about fraud prevention eventually comes back to email. Phishing simulations, secure gateways, employee training — all of it pointed at the inbox. And while security teams have spent years hardening that channel, attackers have quietly shifted to one that most enterprise stacks don’t touch.
Text messaging.
The FBI’s 2024 and 2025 Internet Crime Complaint Center (IC3) Reports don’t have dramatic headlines about SMS fraud. What they have is something more useful: specific numbers, tied to specific attack types, that together paint a clear picture of where the threat has moved — and where protection hasn’t followed.

The Attack the FBI Actually Named

The IC3 report tracks dozens of crime categories. Most are broad, but buried in the cyber-enabled fraud section is something unusually specific: a category called toll scams, which the FBI explicitly describes as a smishing attack — fraudulent text messages impersonating state toll collection services like E-ZPass and demanding payment for phantom violations.

In 2024 alone, the IC3 received 59,271 complaints tied to this single smishing campaign. Every one of those complaints involved a criminal impersonating a real, trusted brand via SMS. 

The same infrastructure has since expanded far beyond tolls — with organized cybercrime groups building and deploying more than 20,000 domains each designed to impersonate a legitimate organization over SMS. Toll agencies. Shipping companies. Banks. Financial institutions. The infrastructure behind these attacks isn’t opportunistic. It’s industrial.

When Brand Impersonation Becomes a Nine-Figure Problem

Toll scams are the most visible example, but the broader impersonation picture in the IC3 data is harder to look at. Government impersonation — criminals posing as agencies, regulators, and officials via text and phone — generated $797.9 million in reported losses in 2025, nearly double the $405.6 million recorded the year before. That figure almost certainly understates the real number. Fraud victims consistently under-report, and the IC3 itself acknowledges that complaints represent only a fraction of actual incidents.

The Federal Trade Commission’s own data adds another layer. American consumers lost $470 million to text message scams — a fivefold increase compared to 2020 figures. Five times. In four years. That trajectory doesn’t describe a threat that is growing. It describes one that is compounding.

Your Brand Is the Attack Surface

Here is the part that matters most for banks and enterprises: brand impersonation scams don’t succeed despite your brand. They succeed because of it.

Smishing attacks work because they appear to come from someone the recipient already trusts — their bank, their carrier, their delivery company, their toll authority. The criminal doesn’t build credibility from scratch. They borrow yours. Your name, your tone, your domain structure, your logo. All of it deployed against your own customers without you knowing it’s happening.

By the time a customer has clicked a fraudulent link, entered their credentials, or authorized a payment, the damage is done. 

The Gap in the Stack

Enterprise security was built to address enterprise-facing threats. Email gateways, endpoint protection, and network monitoring — none of it operates within the SMS channel. And transaction monitoring, however sophisticated, detects fraud after the customer has already acted on a fraudulent message.

That gap is exactly what the FBI’s data is describing. The 59,271 toll scam complaints (FBI IC3, 2024). The impersonation losses that went from $405.6 million to $797.9 million in a single year (FBI IC3, 2024 & 2025). The second consecutive year that phishing and spoofing led every other crime category. These aren’t failures of existing security tools — they’re the result of a channel that existing tools don’t cover.

Detection has to happen at the message layer, at the moment a suspicious text reaches a customer, before they click. That means analyzing content, link infrastructure, and sender signals in real time — and correlating findings across customers to identify coordinated campaigns while they’re still forming.
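The message-layer checks described above, sketched as an added example (not from the original article and not CheckTxt's implementation): it flags lookalike link hosts, urgency wording and sender mismatch in customer-reported texts, then groups flagged reports by link host to surface a coordinated campaign. The brand domain, short code, phone numbers and messages are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# All values below are constructed for illustration.
BRAND_DOMAINS = {"examplebank.test"}   # domains the brand really uses
BRAND_TOKEN = "examplebank"            # brand name as it appears in hosts/text
BRAND_SENDERS = {"73955"}              # the brand's registered short code
URGENCY = re.compile(r"final notice|immediately|suspended|within \d+ hours", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def link_hosts(text):
    """Hostnames of every http(s) link in the message, lower-cased."""
    return [h for u in URL_RE.findall(text) if (h := urlsplit(u.rstrip(".,)")).hostname)]

def is_brand_host(host):
    # Exact domain or a true subdomain; a substring or prefix match is not enough.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def analyze(sender, text):
    """Return the set of impersonation signals found in one reported SMS."""
    signals = set()
    foreign = [h for h in link_hosts(text) if not is_brand_host(h)]
    if any(BRAND_TOKEN in h.replace("-", "") for h in foreign):
        signals.add("lookalike_domain")
    if URGENCY.search(text):
        signals.add("urgency")
    if sender not in BRAND_SENDERS and BRAND_TOKEN in re.sub(r"[^a-z]", "", text.lower()):
        signals.add("sender_anomaly")
    return signals

def campaigns(reports, min_reporters=2):
    """Map each non-brand link host to the customers who reported it, when flagged by several."""
    seen = defaultdict(set)
    for customer, sender, text in reports:
        if analyze(sender, text):
            for host in link_hosts(text):
                if not is_brand_host(host):
                    seen[host].add(customer)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_reporters}

REPORTS = [  # constructed customer reports: (customer, sender, text)
    ("cust-1", "+15550100", "Example Bank: account suspended. Verify immediately https://examplebank.test.verify-acct.example/login"),
    ("cust-2", "+15550101", "ExampleBank FINAL NOTICE: confirm within 24 hours https://examplebank.test.verify-acct.example/login"),
    ("cust-3", "73955", "Example Bank: your statement is ready at https://online.examplebank.test/statements"),
    ("cust-4", "+15550102", "Running late, see you at 6"),
]

if __name__ == "__main__":
    print(campaigns(REPORTS))
```

The third report shows why the host check matters: a true subdomain of the brand's domain passes, while a host that merely begins with the brand's domain is treated as foreign.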

 

Closing the Gap at the Moment It Matters

SMS fraud protection for banks and enterprises requires a layer that operates where the attack actually happens — inside the customer communication channel, not behind the corporate firewall.

CheckTxt analyzes suspicious messages the moment a customer receives them, scanning for brand impersonation signals, spoofed domains, urgency patterns, and sender anomalies. A plain-language verdict is returned in under 60 seconds. Findings are correlated across the entire customer base, so coordinated campaigns are identified while they’re forming — not after losses accumulate.

No app. No login. No onboarding. Customers simply forward a suspicious message and get an answer. When the next campaign targets your brand, your customers won’t have to guess — and your fraud team won’t be the last to know.

Learn more about how SMS fraud detection works or schedule a demo to see CheckTxt in action.

 

References

Sources: FBI Internet Crime Complaint Center, 2025 Annual Report • Federal Trade Commission, 2025 • New Jersey Cybersecurity and Communications Integration Cell (NJCCIC)


Frequently Asked Questions

Is my company legally liable if a customer is scammed by someone impersonating our brand over text?

Regulatory expectations are shifting fast. In the UK, banks are already required to reimburse APP fraud victims. US regulators are watching closely — and 46% of Americans believe banks should reimburse scam victims regardless of fault. The liability question is no longer theoretical.

Toll scams are just the most documented example. The same infrastructure behind toll fraud has since expanded to impersonate banks, shipping companies, and financial institutions.

The FBI’s 2025 report shows government impersonation complaints nearly doubled year over year. Your sector is already a target — it just may not have its own named FBI category yet.

Because your fraud detection watches transactions, not the text message that caused them.

By the time a flagged transaction reaches your team, the customer has already clicked, entered their credentials, or authorized a payment. The message that started the chain was never seen by any tool you own.

AI-generated content now lets attackers replicate a bank’s exact tone, branding, and message format at scale — generating thousands of personalized variants instantly. What once required skilled social engineers now runs automatically. Your customers have no reliable way to tell the difference.