Text-Based Scams and AI (www.law.georgetown.edu)

A new tech brief synthesizes how text-based scams (“smishing”) operate, why they’re worsening, and the growing role of AI in scaling them. It outlines the attack flow — harvest data (from breaches, data brokers, social media), craft deceptive texts that spoof trusted senders, create urgency (delivery failures, bank fraud, ticket fines, “pig butchering” romance/investment cons), and harvest credentials or money via fake websites or phone numbers. Harms are large and rising: the FTC reports U.S. losses from smishing reached $470M in 2024 (up from $86M in 2020), while broader internet fraud cost Americans billions (FBI IC3 and FTC figures). Consequences include unauthorized charges, identity theft, long-term exposure of personal data on the dark web, malware installs (spyware, ransomware), and use of compromised devices in botnets — with older adults increasingly exposed. Technically, scammers exploit a complex ecosystem: data brokers and social platforms for leads; hosting, DNS and URL shorteners for fake sites; VoIP/SMS aggregators, spoofing, SIM farms and “SMS blasters” to send mass texts and evade filters; and payment processors/crypto platforms to move funds. AI accelerates this by generating highly personalized, fluent messages at scale, automating A/B testing and social-engineering workflows, and producing content that can evade simple filters. The brief underscores cross‑sector accountability (AI vendors, carriers, SMS platforms, lead generators, and payment facilitators) and raises open questions about detection, provenance, rate limits, and regulation to curb AI-enabled smishing.