Introduction
The Smishing Triad has become one of the most widespread, high-traffic, and organized cybercrime syndicates active in 2024–2025, running high-volume smishing (text message phishing) attacks and fraud against postal, logistics, and financial service providers worldwide. It uses more advanced techniques and tools than other commonly known cybercriminals and APTs to carry out its smishing crimes. While the majority of APTs operate with a traditional espionage motive, the Smishing Triad is more of a hybrid operation whose primary focus is financial gain rather than the state-sponsored agenda with which such activity has historically been associated. Its focus is on making massive amounts of money by scamming consumers, taking advantage of their trust in public service brand names (e.g., USPS – United States Postal Service, India Post, Egypt Post). Its operations were originally established in the East Asian region (i.e., China to Southeast Asia) but have now expanded globally to encompass virtually every region from the Middle East to North America, as well as every country in between.

Identity and Motivation
The Smishing Triad is considered a transnational cybercriminal group based out of China and Southeast Asia, with affiliates located in the UAE, Egypt and India. Although the group does not receive funding directly from state sponsors, its methods of operation and structure have many similarities to those of APT groups, which indicates a high level of coordination within its operations.
Its activity dates to 2022, with a dramatic increase in its global activity by mid-2024.
The main intention of the Smishing Triad is to profit from harvesting credentials on a large scale for use in payment fraud and identity theft. Selling such data for profit (laundering it on darknet marketplaces) is a secondary motivation for the group.
Tactics, Techniques, and Procedures (TTPs)
Initial Access and Lures
The Smishing Triad sends text messages that pretend to come from legitimate postal and banking organizations and include links to malicious websites. The messages are usually related to package deliveries, tax refunds, or bank verification. Once clicked, the link sends the victim to a fake website that captures personal information such as credit card details, Personal Identification Numbers (PINs), and One-Time Passwords (OTPs).
Infrastructure and Tooling
The Smishing Triad is involved with the underground economy through the creation and distribution of kits that replicate USPS (United States Postal Service), India Post, Dubai Police, and Egypt Post, to name a few. These kits are networked using Telegram bots and transmit real-time information from the victim(s) back to the operator.
Malware & Payloads
In addition to using smishing to conduct basic phishing, the Smishing Triad has distributed APKs (Android Package Kits) disguised as package tracking applications. These APKs contain info-stealers that can gain access to the victim’s SMS messages, contacts, and stored credentials, thus enabling SIM swapping and multi-factor authentication (MFA) bypass attacks.
Persistence & Monetization
The Smishing Triad uses stolen information to create databases and sells access to these databases on Telegram and on the dark web. The group has also been linked to the recruitment of money mules and the laundering of stolen assets through cryptocurrencies in regions including the UAE and Egypt.

Notable Operations (2024–2025)
- Jan 2024 — USPS Smishing Campaign: 180,000+ U.S. residents were targeted in a phishing scheme impersonating US Postal Service via text messages to obtain payment info through shipping fee verification.
- May 2024 — India Post Scam: A vast scheme in India where users were sent text messages with links to cloned pages which stole Aadhaar information and payment information.
- Aug 2024 — UAE Police Impersonation Scheme: The Dubai Police were impersonated, and recipients received emails and text messages about fines and penalties to lure them into providing their banking info.
- Nov 2024 — Egypt Post & Financial Sector Attacks: A campaign targeting Egypt’s banking and postal sector; Server infrastructure connected to Hong Kong-based servers as per DarkAtlas reporting.
Recent Developments
By late 2024, the Smishing Triad was evolving to include artificial intelligence-based automation of its phishing tools, using botnets and SMS gateways to send millions of localized scam messages per day. Its methods of operation point to an increase in scams localized to the language, currency, and institutions of the target country. To illustrate this, in November 2024 the joint efforts of DarkAtlas and Resecurity identified a large number of registered domain names that mimic the postal and financial portals of countries. The domains included phishing URLs similar to the official Egypt Post and UAE Telecom URLs. The associated findings showed that the scam was part of a larger network of over 70 active domains hosted in Asia and Europe.
Moreover, the Smishing Triad's phishing kits include JavaScript-based anti-bot tools to evade automated security scanning. The growing use of this method represents a substantial development in the collaboration of organized crime networks, which build such tools and sell them on the dark web.
Target Profile
- Primary Sectors: The Smishing Triad’s primary target sectors include Postal Services, Logistics, Financial Institutions, Telecommunications, and Public Services Portals.
- Target Regions: The Geographical Target Locations of the Smishing Triad include the Middle East (UAE, Egypt), South Asia (India, Bangladesh), East Asia, and North America (notably, scams targeting the USPS).
- Victim Demographics: The primary victim profiles include individual consumers, small business owners, and delivery customers who are often the most vulnerable to these types of mobile-based lure attacks.
Strategic Impact
The size and sophistication of the operations conducted by the Smishing Triad suggest that we are witnessing a paradigm shift in the way cybercriminals operate. They are capitalizing on the growing overlap between organized fraud and APT-style precision targeting and utilizing both technological vulnerabilities and human psychology to do so.
In Egypt and the UAE, the Smishing Triad’s attacks disrupted postal payment services and also led to thousands of compromised accounts being taken over within the financial networks of those two countries. In India, the Smishing Triad’s campaigns have enabled the group to harvest sensitive KYC and Aadhaar linked data at a national scale. In the U.S., the spoofed USPS campaigns have eroded citizen trust in government official communications.
The evolution of the Smishing Triad from a regional player in the fraud world to a globally networked syndicate raises concerns about the trend toward phishing-as-a-service (PhaaS) commoditization. The Smishing Triad has developed an ecosystem in which it provides ‘turnkey’ solutions for local criminal affiliates to launch large-scale scams, leveraging a shared infrastructure model.
Countermeasures and Defensive Insights
To reduce the impact of the Smishing Triad’s campaigns, organisations and consumers must employ a multi-layered defence approach:
- Telecom-level Filtering: Use SMS filtering and anti-spoofing tactics to identify known phishing patterns.
- Threat Intelligence Sharing: Financial institutions and postal entities should share their Indicators of Compromise (IOCs) across geographies by developing cooperative frameworks.
- Brand Protection: Monitor and remove (takedown) domains that pretend to be a government agency or public institution.
- User Awareness Campaigns: Train users to recognise fraudulent messages and avoid clicking on unverified links.
- Mobile Security Enforcement: Educate users to only download applications from verified stores, and enforce the use of mobile endpoint detection tools.
- Dark Web Monitoring: Monitor leaked databases for consumer information that has been compromised, which will enable organisations to respond quickly to the threat of identity theft.
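The telecom-level filtering and brand protection items above both come down to spotting a message or domain that borrows a postal brand while pointing somewhere else. The following Python sketch is an added example, not code from the original report: the brand allowlist, the function names, and the sample messages (which use reserved `.example` and `.test` domains) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> official domains. Verify before production use.
BRANDS = {
    "usps": {"usps.com"},
    "india post": {"indiapost.gov.in"},
}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(text):
    """Return the lowercase hostname of every URL-like token in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        token = match.group(0)
        if "://" not in token:
            token = "http://" + token  # let urlsplit parse scheme-less links
        host = urlsplit(token).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def is_official(host, domains):
    """True only if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(text):
    """Flag links that borrow a protected brand without using its domain."""
    lowered, reasons = text.lower(), []
    for brand, domains in BRANDS.items():
        token = brand.replace(" ", "")
        for host in hosts_in(text):
            if is_official(host, domains):
                continue
            # Strip separators so 'india-post' and 'usps.com.' prefixes still match.
            if token in host.replace("-", "").replace(".", ""):
                reasons.append(f"lookalike host {host} embeds '{brand}'")
            elif brand in lowered:
                reasons.append(f"message names '{brand}' but links to {host}")
    return ("suspicious" if reasons else "clean", reasons)

# Constructed sample messages (not taken from real campaigns).
SAMPLES = [
    "USPS: package on hold, pay the redelivery fee at https://usps.com.parcel-fee.example/pay",
    "India Post: confirm your address at http://delivery-update.test/in",
    "USPS: your parcel shipped, track at https://tools.usps.com/go/Track",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms)[0], "|", sms)
```

The same `classify` logic can be run over a feed of newly registered domains by passing each domain as the text, which covers the brand-monitoring case as well as inbound SMS.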
Conclusion
The Smishing Triad demonstrates the ongoing evolution of cybercrime syndicates in the mobile sphere, combining scale, automation and social engineering techniques to target developed and emerging markets equally. Their activities provide an example of how phishing, the act of sending fraudulent emails, has gone from a single scam to an industrial-scale operation with global reach.
As law enforcement agencies and Cyber Security continue to work together, it is anticipated that the tactics employed by the Triad will continue to evolve with a focus on AI-assisted targeting, cryptocurrency obfuscation, and the use of affiliate models across different regions. To adequately combat these adaptable criminal organisations, there must be proactive development of threat intelligence, a coordinated response between Governments on a global scale, and a strong culture of digital vigilance among all end users.


