SMS Phishers Pivot to Points, Taxes, Fake Retailers

Security researchers warn of an active, large-scale smishing campaign by China-based phishing groups that mass-register thousands of mobile-only phishing domains and deploy phishing kits and fake e-commerce storefronts to harvest payment card data and one-time SMS codes—which the attackers use to enroll stolen cards into Apple/Google mobile wallets—targeting consumers with lures like rewards points, package redelivery, and tax refunds; the report describes scale, techniques, examples (T‑Mobile, AT&T), and recommends reporting suspicious messages to blocklists like SURBL and smishreport.com.