SMS Phishing in 2026: Trends, Tactics, and How to Stay Safe

Our team analyzed over 50,000 phishing SMS messages intercepted by NSAI between October 2025 and January 2026. Here are the key findings.

Top Attack Vectors

1. Delivery Service Impersonation (38%)

Still the #1 vector. Scammers impersonate Nova Poshta, Ukrposhta, DHL, and FedEx:

"Ваша посилка №20450981 затримана на митниці. Сплатіть мито: https://nova-p0shta.link/pay"

The trick: victims are often expecting a real delivery and click without thinking.

What changed in 2026: attackers now use shortened URLs that redirect through multiple domains, making them harder to block. We've seen chains of 3-4 redirects before reaching the phishing page.

2. Banking Alerts (27%)

Fake security notifications from PrivatBank, Monobank, and international banks:

"Monobank: виявлено підозрілу транзакцію на 4,890 грн. Підтвердіть або заблокуйте: mono-secure.cc/verify"

New trend: messages now include the last 4 digits of a real-looking card number to appear more convincing.

3. Government Service Fraud (18%)

Impersonation of Diia (Ukraine's e-government app), tax authorities, and social services:

"Дія: Вам нараховано соціальну виплату 6,500 грн. Для отримання підтвердіть дані: diia-gov.site"

Spike during: pension payment dates, tax filing deadlines, and military mobilization waves.

4. Crypto & Investment Scams (12%)

Fake airdrops, "guaranteed profit" schemes, and pump-and-dump groups:

"Binance Airdrop: Claim 500 USDT. Limited time. Connect wallet: binance-drop.io"

5. Other (5%)

Prize notifications, fake surveys, romance scams, job offers.

Seasonal Patterns

Period	Dominant Vector	Trigger
Oct-Nov	Delivery scams	Holiday shopping (Black Friday, 11.11)
Dec-Jan	Donation fraud	New Year charity, military support
Jan-Feb	Government fraud	Tax season, social payments
Year-round	Banking alerts	No seasonal pattern

Attack Sophistication

Low Effort (60%)

Bulk SMS with obvious tells: typos, wrong sender names, .xyz domains. Caught by our Stage 3 pattern matching instantly.

Medium Effort (30%)

Correct grammar, realistic domains (registered recently), sometimes using compromised real phone numbers as sender IDs. Requires entity extraction + domain verification.

High Effort (10%)

Targeted messages using victim's name, real tracking numbers (from breached databases), or deep-faked voice messages. These often need LLM analysis for reliable detection.

How NSAI Detects These

Each incoming message goes through our 4-stage pipeline:

1. Hash cache — catches reused mass-SMS immediately
2. Known scam DB — matches against 200K+ confirmed phishing messages
3. 5,000+ patterns — catches delivery, banking, and government impersonation
4. LLM ensemble — handles novel, sophisticated attacks

Detection rate for SMS phishing: 99.1% (as of February 2026 benchmark).

Practical Tips

1. Never click links in unexpected SMS — go directly to the official app or website
2. Check the sender — real Nova Poshta uses NovaPoshta, not +380XXXXXXX
3. Verify with the service — call the official number, check the app
4. Forward to @NoScamAIbot — get an instant AI verdict
5. Report to cyber police — helps the entire community

Our Data

We publish anonymized threat statistics monthly. If you're a researcher or journalist, contact us for data access.

Check a suspicious message → | API for developers →