'Smishing Triad' Attack Explained: How a Chinese Phishing Scam Is Draining Bank Accounts (And 3 Tools to Stop It)

By CyberDudeBivash · Cyber Threat Intelligence

TL;DR

  • The Smishing Triad is a China-based phishing network that sends SMS, iMessage and RCS messages worldwide, using believable lures such as toll bills or parcel notices, and has since pivoted to impersonating financial institutions directly.
  • Attack flow: message → fake site → credential / card capture → wallet load or bank account drain.
  • You can counter it with: (1) URL/SMS filtering plus phishing-resistant mobile MFA, (2) bank account monitoring and wallet lock-down, (3) domain/brand monitoring or mobile threat prevention. (Tool details below.)

Disclosure: We may earn commissions from partner links. Hand-picked by CyberDudeBivash.

Origins & Scope of Smishing Triad

The Smishing Triad is a China-based cyber-fraud network that, since at least 2023, has operated large-scale phishing campaigns across more than 120 countries. It initially used toll-bill and parcel-delivery lures, and in 2025 pivoted to directly imitating banks and payment services.

Researchers at Silent Push report over 1 million page visits in 20 days for the Triad’s phishing infrastructure.

How the Scam Works (Step-by-Step)

  1. Phishing message delivery: via SMS, Apple iMessage or Android RCS, pretending to be a trusted service (e.g., a toll agency, postal service or bank).
  2. Link to fake site: the victim clicks and lands on a look-alike website that asks them to enter card or bank credentials, or to "verify their identity".
  3. Credential capture and misuse: the fraudsters use the details immediately — loading the card into a mobile wallet they control, or initiating bank transfers.
  4. Cash-out and laundering: the Triad uses device farms and digital wallets, selling phones pre-loaded with stolen cards or moving funds through international schemes.
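Steps 1 and 2 are where a mobile filter or SOC pipeline can still intervene, before any credentials are entered. The following is an added defensive example written for this article (it is not CyberDudeBivash's code or any vendor's product): it extracts the URLs from an inbound message, scores the toll / parcel / bank-block lure phrases the article describes, and flags links whose registrable domain is not on the allow-list for the brand the message claims to be. The brand names, allow-listed domains, weights and sample messages are all constructed for illustration.

```python
"""Heuristic triage for inbound SMS/iMessage/RCS text (added example).

Scores lure phrases and checks each link's domain against the brand the
message impersonates. Brand list, domains, weights and samples are
constructed assumptions, not real infrastructure.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: lure category -> (brand label, legitimate domains).
# In production this comes from your own partner/brand register.
BRANDS = {
    "toll": ("tollagency", {"tollagency.example"}),
    "post": ("postalservice", {"postalservice.example"}),
    "bank": ("examplebank", {"examplebank.example"}),
}

# (regex, lure category it impersonates or None, weight). Patterns follow the
# toll-bill, parcel and "card blocked" themes described in the article.
LURE_PATTERNS = [
    (r"\b(unpaid|outstanding)\s+toll", "toll", 3),
    (r"\bparcel\b.*\b(held|redeliver|customs)\b", "post", 3),
    (r"\b(account|card)\b.*\b(suspended|blocked|locked|restricted)\b", "bank", 3),
    (r"\bwithin\s+\d+\s+(hours?|minutes?)\b", None, 1),   # urgency
    (r"\bverify\b", None, 1),                             # identity bait
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host):
    """Rough 'last two labels' domain. For ccTLDs such as .co.uk use a
    public-suffix library instead; this is enough for the sample data."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_sms(text):
    """Return a score, a verdict (allow / warn / block) and the reasons."""
    score, reasons, claimed = 0, [], set()
    for pattern, category, weight in LURE_PATTERNS:
        if re.search(pattern, text, re.I):
            score += weight
            reasons.append(f"lure:{pattern}")
            if category:
                claimed.add(category)

    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        dom = registrable_domain(host)
        if "xn--" in host:                      # IDN/punycode look-alike risk
            score += 3
            reasons.append(f"punycode host {host}")
        for category in claimed:                # lure says X, link is not X
            _label, allowed = BRANDS[category]
            if dom not in allowed:
                score += 4
                reasons.append(f"{category} lure links to {dom}")
        for category, (label, allowed) in BRANDS.items():
            if label in host and dom not in allowed:   # brand name as a sub-label
                score += 2
                reasons.append(f"brand label '{label}' on foreign domain {dom}")

    verdict = "block" if score >= 7 else "warn" if score >= 4 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons, "urls": urls}


# Constructed sample messages: two lures and one legitimate delivery notice.
SAMPLE_MESSAGES = [
    "FINAL NOTICE: your unpaid toll of $4.35 must be settled within 12 hours "
    "to avoid a penalty: http://tollagency.pay-now-secure.example/i/8821",
    "Your parcel will be delivered tomorrow between 9 and 12. "
    "Track it at https://postalservice.example/track/ABC123",
    "ExampleBank: your card has been blocked after unusual activity. "
    "Verify your identity at https://examplebank.secure-verify.example/login",
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print(result["verdict"].upper(), result["score"], msg[:60])
        for r in result["reasons"]:
            print("   -", r)
```

The brand-mismatch rule carries the most weight on purpose: a toll or bank lure whose link leaves the brand's own domain is the defining feature of this campaign, and it keeps working when the wording changes. Tune the thresholds against your own message corpus, and route "warn" verdicts to the user with the lure category named so they know what to ignore.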

Real-World Impact: Bank Drains & Wallet Loads

According to research by Brian Krebs, the Smishing Triad's pivot into bank targeting has enabled stolen card information to be loaded into Apple Pay and Google Wallet at scale. Many victims have reported unauthorized mobile-wallet charges and unnoticed transfers from their bank accounts following what seemed like innocuous text messages.

Because the infrastructure is modular and sold as a kit (“Lighthouse”), the group scales rapidly and targets diverse banks worldwide—including Australia, Canada, Latin America and the U.S. 

3 Tools to Stop It Right Now

  • Mobile Threat Prevention Platform: Deploy a solution that inspects SMS/iMessage/RCS links, warns users of phishing domains, and blocks downloads of fake apps. Particularly valuable for employees and high-net-worth individuals.
  • Hardware Key MFA (FIDO2): Move away from SMS codes. Attackers in these campaigns often ask the victim for their one-time code or imitate the OTP prompt on the fake site; a hardware key cannot be relayed that way and dramatically reduces account takeover risk.
  • Transactional Monitoring & Digital-Wallet Lock-down: Work with your bank or fintech to enable instant alerts, block mobile wallet additions until verified, and treat unusual wallet load attempts as high-risk triggers.

Implementing all three will significantly reduce the attack surface exploited by the Smishing Triad and similar operations.

Roll-out Checklist for You or Your Organisation

  • Enable link/SMS filtering on mobile devices; allow-list only corporate communication numbers.
  • Require hardware key MFA for all banking, payments, and high-privilege access.
  • Coordinate with your banking partners to review mobile wallet setup logs and alert on suspicious wallet additions.
  • Educate users: don’t trust urgent SMS about tolls, parcels or bank blocks—verify via official channels.
  • Include changes in your incident playbook — “SMS phishing → credential capture → wallet loading” scenario for tabletop drills.
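The wallet-monitoring items above (transactional monitoring, alerting on suspicious wallet additions) can be expressed as a scoring rule over the issuer's card-provisioning events. The block below is an added example written for this article, not code from CyberDudeBivash or any bank; the event fields, thresholds and sample log are constructed assumptions to be mapped onto your own tokenisation logs. It flags an "add card to wallet" request when it comes from a device the customer has never enrolled, from a country other than the customer's home country, shortly after an SMS one-time code was sent (the OTP-relay pattern), or from a device that has provisioned cards for several different customers in a day (the device-farm pattern).

```python
"""Wallet-provisioning risk rule (added example, constructed data).

Returns HOLD (block until verified out-of-band), REVIEW or ALLOW per
'wallet_add' event. Field names and weights are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, oldest first: SMS OTP deliveries and wallet-add
# requests. "home" is the customer's home country from the account record.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "type": "otp_sent", "customer": "C1", "channel": "sms"},
    {"ts": "2025-06-01T09:04:00", "type": "wallet_add", "customer": "C1", "card": "4111",
     "device": "D-900", "country": "XX", "home": "AU"},
    {"ts": "2025-06-01T09:20:00", "type": "wallet_add", "customer": "C2", "card": "4222",
     "device": "D-900", "country": "XX", "home": "CA"},
    {"ts": "2025-06-01T09:31:00", "type": "wallet_add", "customer": "C3", "card": "4333",
     "device": "D-900", "country": "XX", "home": "US"},
    {"ts": "2025-06-02T12:00:00", "type": "wallet_add", "customer": "C4", "card": "4444",
     "device": "D-123", "country": "AU", "home": "AU"},
]

# Constructed: devices each customer has previously enrolled and verified.
KNOWN_DEVICES = {"C4": {"D-123"}}

OTP_WINDOW = timedelta(minutes=15)     # SMS OTP this close to a wallet add is suspicious
FARM_WINDOW = timedelta(hours=24)      # distinct customers per device in this window
FARM_THRESHOLD = 3


def score_wallet_adds(events=EVENTS, known_devices=KNOWN_DEVICES):
    """Scan events in order and score every wallet_add request."""
    results = []
    last_sms_otp = {}                       # customer -> time of last SMS OTP
    device_customers = defaultdict(dict)    # device -> {customer: last seen}

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "otp_sent":
            if ev["channel"] == "sms":
                last_sms_otp[ev["customer"]] = ts
            continue
        if ev["type"] != "wallet_add":
            continue

        cust, dev = ev["customer"], ev["device"]
        score, reasons = 0, []

        if dev not in known_devices.get(cust, set()):
            score += 2
            reasons.append(f"device {dev} never enrolled by {cust}")
        if ev["country"] != ev["home"]:
            score += 3
            reasons.append(f"provisioned from {ev['country']}, home is {ev['home']}")
        otp_ts = last_sms_otp.get(cust)
        if otp_ts is not None and timedelta(0) <= ts - otp_ts <= OTP_WINDOW:
            score += 3
            reasons.append("SMS OTP sent minutes before the wallet add")

        # Device-farm check: how many distinct customers has this device
        # provisioned cards for within the window, including this one?
        device_customers[dev][cust] = ts
        recent = [c for c, t in device_customers[dev].items() if ts - t <= FARM_WINDOW]
        if len(recent) >= FARM_THRESHOLD:
            score += 4
            reasons.append(f"device {dev} used by {len(recent)} customers in 24h")

        verdict = "HOLD" if score >= 6 else "REVIEW" if score >= 3 else "ALLOW"
        results.append({"customer": cust, "card": ev["card"], "device": dev,
                        "score": score, "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in score_wallet_adds():
        print(f"{r['verdict']:6} score={r['score']} {r['customer']} card ...{r['card']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

A HOLD should trigger the "block mobile wallet additions until verified" control from the tools section: the card is not tokenised until the customer confirms through a channel the attacker does not control (the banking app with hardware-key MFA, or a call-back to the number on file, never a reply to the SMS). The device-farm rule is the one most worth keeping stateful across days, since the same handset turning up with card after card is the cash-out stage the article describes.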

FAQ

Is Smishing Triad only about toll-road scams?

No. While early campaigns used toll and delivery-service lures, by 2025 the group pivoted to banks and mobile wallets—for example Apple Pay/Google Wallet loading. 

Why are mobile wallets a target?

Because once a card is loaded into a wallet controlled by the fraudster, the resulting transactions become much harder to detect or prevent, especially small tap-to-pay purchases or international spending.

Can my bank stop this if they detect it?

Yes, banks can enforce wallet-load blocks, strong MFA, transaction anomaly detection—but many are still adjusting to this threat vector. Proactive user and enterprise controls help significantly.
