Spam Texts in 2026: Where the Scams Went & Your Rights
Consumer Guide · Spam Texts & Robocalls

Spam Texts in 2026: Why Scam Messages Are Getting Smarter — and What You Can Do About It

Published July 17, 2026

Reported losses to old-fashioned SMS fraud are actually falling — but that is not the good news it sounds like. The scams did not go away; they moved to encrypted apps, got personalized by AI, and learned to slip past your carrier. Here is where spam texts stand in 2026, and what you can legally do when they will not stop.

Spam text messages and smishing scams on a smartphone in 2026 — SMS, iMessage, RCS, WhatsApp and Telegram

The Paradox: Losses Are Falling, But the Threat Is Growing

If you feel like you are getting fewer of the obvious, badly-spelled scam texts than you were a year or two ago, you are not imagining it. Industry analysts project that global consumer losses from traditional SMS fraud and "smishing" (phishing over text) will drop from a peak of roughly $80 billion in 2025 to about $71 billion in 2026 — an 11% decline.

That sounds like progress, and in one narrow sense it is. But it does not mean scammers are giving up. It means the plain-SMS channel has gotten harder to abuse at scale — so the most organized fraud operations have migrated somewhere the filters cannot follow. The volume of dumb, high-blast spam is shrinking. The precision of the dangerous stuff is rising. For everyday phone users, that is the trade-off worth understanding.

How Big Is the U.S. Spam Text Problem?

The numbers are hard to fully picture, but a few figures capture the scale of text-based fraud in the United States:

• The Federal Trade Commission (FTC) has reported consumers losing roughly $470 million to text-initiated scams in a single year — about five times the total from four years earlier.
• Combined losses to scam robocalls and robotexts have approached $2 billion.
• The FTC has put the median loss for a text-scam victim around $1,000 per incident.
• Text messaging is now the single most common vector for mobile phishing, and security researchers report that scam texts get clicked at meaningfully higher rates than scam emails — mobile inboxes have high open rates and little screening.

The raw traffic is staggering. U.S. text-spam volume has been estimated in the billions of unwanted messages every month, even though wireless carriers say they now block or label tens of billions of spam and scam robotexts and robocalls each year before they ever reach a phone. Robocall volume alone has hovered around 50 billion a year for half a decade. The filters are working overtime — and the flood keeps coming.

Why Texting Became the Scammers' Favorite Channel

The shift toward scam texting follows a simple reality: texting is where our attention is. Survey after survey shows messaging has become the default way Americans communicate, with the large majority of adults texting or using messaging apps multiple times a week across every age group. A majority also say messaging has replaced phone calls to some degree, and almost nobody has stopped texting entirely.

That near-universal reliance on text is exactly what makes it such fertile ground for fraud. A message that lands in the same thread as your doctor, your bank and your family carries an unearned sense of legitimacy. Scammers know it, and they have followed the audience — which is why "your package could not be delivered," "your toll is unpaid," and "unusual activity on your account" texts have become the background noise of modern phone life.

AI Made Scam Texts Cheap, Fast, and Convincing

For years, the easiest way to spot a scam text was the writing: awkward grammar, odd phrasing, generic "Dear Customer" openings. Generative AI has erased that tell. Researchers now estimate that the great majority of social-engineering and phishing campaigns lean on AI in some form, and that a task that once took a human many hours of research and copywriting can be automated down to minutes and pennies per message.

The consequences show up in the click rates. A peer-reviewed study found that fully automated, AI-written spear-phishing messages performed roughly on par with campaigns crafted by human experts — and far better than generic scam blasts. A large share of people who fell for these messages said it was the personalization — a real name, a real detail — that made them trust it.

The bad news for defenders is that you can no longer rely on "it looks sloppy" as your filter. The good news is that the underlying trick has not changed: the message still wants you to click a link or hand over a code. That is the behavior to guard, no matter how clean the writing looks.

Behind the scenes, the criminal tooling has become industrialized. "Phishing-as-a-service" kits — sold like ordinary software subscriptions — can stream the login details, card numbers and one-time passcodes you type straight to an attacker in real time, sometimes fast enough to load a stolen card into a mobile wallet within minutes. That is why the six-digit code your bank texts you (an SMS one-time passcode, or OTP) is such a prized target: it is often the last thing standing between an attacker and your account.

The Migration to iMessage, RCS, WhatsApp & Telegram

Here is the structural story behind the falling SMS-loss numbers. As U.S. carriers cracked down on unregistered mass texting, sophisticated phishing operations — including kits that security researchers have publicly named, such as Darcula and Lucid — moved their delivery onto Apple iMessage and the newer RCS (Rich Communication Services) standard, and onto over-the-top apps like WhatsApp and Telegram.

The reason is technical, not accidental. iMessage, RCS and WhatsApp are end-to-end encrypted. That is genuinely good for your privacy — but it also means your carrier physically cannot read the contents of those messages to filter them. A network-level spam filter that blocks a known scam link over ordinary SMS is blind to the same link inside an encrypted "blue bubble." Attackers exploit that gap to deliver phishing links that never touch a filterable SMS channel at all.

It gets more dangerous when the scammer already knows something about you. When criminals buy personal data harvested from corporate breaches — names, booking references, account numbers — they can send a WhatsApp or iMessage that cites your real hotel reservation or your real bank, sailing past every instinct that would flag a generic "Dear Customer" text. Breach data has surged in recent years, giving fraud operations an almost limitless supply of targeting material. The defense against this can no longer live only in the network; it has to live on your device and in your habits.

What Changed Legally: The One-to-One Consent Rule Was Struck Down

On the regulation side, 2025 brought a major setback for consumers. The U.S. Court of Appeals for the Eleventh Circuit, in Insurance Marketing Coalition Ltd. v. FCC, struck down the FCC's "One-to-One Consent Rule."

That rule was designed to close what regulators call the "lead generator loophole." It would have required marketers using automated dialing or texting systems to get your consent one seller at a time, and barred comparison-shopping sites from using a single checkbox to sign you up for messages from dozens of affiliated brands. Any resulting text would also have had to be "logically and topically" related to the site where you gave consent.

The court held that the FCC had exceeded its authority under the Telephone Consumer Protection Act (TCPA). Because the statute does not define "prior express consent," the court applied the ordinary, common-law meaning — a clear statement of willingness to receive a communication — and concluded the FCC could not layer its "one-to-one" and "topically related" requirements on top of it. In plain terms: under the ruling, a single checkbox can still legally sign you up for marketing from many companies at once, and the loophole that feeds a lot of "how did they get my number?" texting reopened at the federal level.

States have started filling the gap with their own laws, creating a patchwork. Texas expanded its definition of "telephone solicitation" to explicitly cover text messages and tied violations to its deceptive-trade-practices law. Virginia now requires businesses to honor a text opt-out for years after you send it. And federal rules still matter: the FCC requires senders to honor an opt-out made by "any reasonable method" — not just the word "STOP" — and to process it within 10 business days.

How Carriers Are Fighting Back: A2P 10DLC

While the courts limited the FCC, the phone companies took matters into their own hands at the network level — and this is a big reason the plain-SMS scam channel got harder to abuse. Major U.S. carriers now block essentially all unregistered "application-to-person" (A2P) business texting sent over standard 10-digit numbers (the industry calls this "10DLC").

This is not a gentle throttle — unregistered business texts simply do not get delivered. To send commercial texts, a business has to register its brand and its campaigns with a central registry, disclose what it will send, and stay out of prohibited categories. Carriers run real-time filters that compare live traffic against the approved samples, and messages that drift from the registered template, use public link-shorteners, or spread volume across many numbers to dodge filters ("snowshoeing") get blocked automatically. Legitimate senders now have to show verifiable proof of opt-in — including consent boxes that are unchecked by default and clear instructions on how to stop.

The upshot for you: the boring, high-volume marketing spam that used to pour through generic numbers is much easier to stop now. That is precisely why the serious criminals moved to the encrypted apps described above.

Even Political Texts Are Getting Filtered

One category worth calling out, because so many people ask about it: political campaign texts. They have long enjoyed favorable treatment — exempt from the national Do Not Call list, and often sent through "peer-to-peer" tools where a human technically presses send, sidestepping the TCPA's automated-dialing rules. That is how campaigns blast millions of fundraising and get-out-the-vote texts without prior consent.

That model is now colliding with the same forces reshaping commercial texting. Political senders using standard business numbers face registration and vetting that can take weeks. And, crucially, modern phones ship with "filter unknown senders" features that quietly shunt messages from numbers not in your contacts into a separate folder — no notification, no badge. Adoption has been enormous, especially among younger users, and a large share of people never open that filtered folder at all. For campaigns that lean on small-dollar text fundraising, that silent filtering is estimated to cost tens of millions of dollars — a preview of how much the "unknown sender" wall is reshaping every kind of mass texting.

On the enforcement side, a congressional committee has pressed carriers to strengthen fraud prevention, a multistate group of state attorneys general has pursued the "gateway" carriers accused of letting illegal robocall and robotext traffic onto U.S. networks, and the FCC has ordered providers along the call path to block traffic that is highly likely to be illegal. The pressure is real, but it is a game of whack-a-mole — which is why your own defenses still matter most.

How to Protect Your Phone Right Now

While the legal system catches up, here is the short, practical list that actually cuts down the chaos in your messaging app.

Never click the link. No matter how urgent the text sounds — your bank, a delivery, a toll agency — do not tap an unsolicited link. If you think an alert might be real, open the company's official app or type its website in yourself and check there.
Do not reply to obvious scams. Replying "STOP" to a real, recognized sender is fine. Replying to an unknown scam only confirms your number is live, which can get it kept or sold to other scammers.
Turn on your phone's built-in filter. On iPhone, open Settings > Apps > Messages and enable "Filter Unknown Senders." On Android, turn on "Spam protection" in the Messages app settings. Unknown senders get silenced automatically.
Forward spam to 7726. Copy a scam message and forward it to the short code 7726 (it spells "SPAM"). That reports the sender to your carrier's real-time filters at no cost.
Move off SMS codes for your important accounts. Because attackers specifically hunt for texted one-time passcodes, switch your bank and email logins to an authenticator app or a hardware security key where you can, instead of SMS verification.

Your Rights Under the TCPA

The legal reform picture is messy, but your individual rights against real, identifiable senders are still meaningful. Under the Telephone Consumer Protection Act (TCPA), a legitimate company or registered marketing campaign has to stop texting you once you revoke consent. The FCC requires senders to honor an opt-out sent by any reasonable method — a reply, an email, a phone call — and to process it within 10 business days.

So if you clearly told a genuine, identifiable business to stop, and its automated texts keep coming, that can be a violation of federal and state law. The practical move is simple: keep dated screenshots of your opt-out and of the messages you received afterward. That record is what turns "annoying" into "actionable."

If a company keeps texting after you opted out, you can review whether your situation qualifies and explore your options through the Open Class Actions TCPA Spam Text Messages investigation. It is a free way to check your eligibility and join other consumers pushing back against unwanted automated texting. For a step-by-step walkthrough of what to document, our companion guide on what to do when you replied STOP but still get texts covers the details.

The Bottom Line

Mobile messaging abuse in 2026 is best understood as an arms race. Carriers won a real battle over plain SMS with mandatory registration and aggressive filtering — which is why the reported loss figures are dipping. But the most capable fraud operations responded by moving to encrypted apps the network cannot filter, arming their messages with AI and breach data, and hunting for the codes that protect your accounts.

That means the center of gravity for defense has shifted from the network to you: your habits, your device settings, and stronger login methods. And when the sender is a real company crossing a legal line rather than an anonymous overseas scammer, the TCPA still gives you a way to fight back. The technology keeps changing; the two rules that protect you do not — do not click, and do not give away the code.


Frequently Asked Questions

Are spam texts getting worse or better in 2026?

It depends on how you measure it. Reported losses to traditional SMS fraud are projected to fall in 2026 because carriers now block most unregistered mass-texting traffic. But the scams did not stop — they moved to encrypted channels like Apple iMessage, RCS, WhatsApp and Telegram, and they became more personalized with the help of AI. So the raw volume of basic spam is dropping while the quality and precision of the dangerous messages is rising.

Why are scammers moving from SMS to iMessage, RCS and WhatsApp?

Those channels are end-to-end encrypted, which means the phone companies cannot read the message content to filter it. Carrier spam filters that block known scam links on regular SMS cannot see inside an encrypted iMessage or WhatsApp chat, so scammers use those apps to slip phishing links past the network. When they also have your name or other details from a data breach, the message looks even more legitimate.

Should I reply STOP to a spam text?

Only reply STOP to a sender you recognize — a real store, bank or service you actually signed up with. Replying STOP to an obvious scam just confirms your number is active and monitored, which can lead to more messages. For unknown scam texts, do not reply at all: delete the message, and forward a copy to 7726 (SPAM) so your carrier can flag the sender.

What is the One-to-One Consent Rule and why does it matter?

It was an FCC rule meant to close the "lead generator loophole" by requiring companies to get your consent one seller at a time, instead of letting a single checkbox on a comparison-shopping site sign you up for texts from dozens of marketing partners. In early 2025 the U.S. Court of Appeals for the Eleventh Circuit struck the rule down, finding the FCC had gone beyond its authority under the Telephone Consumer Protection Act. That reopened the bundled-consent loophole at the federal level, though several states have passed their own tougher texting laws.

Can I do anything legally if a company keeps texting after I said STOP?

Possibly. Under the Telephone Consumer Protection Act (TCPA), a legitimate marketer must stop texting once you revoke consent, and the FCC requires senders to honor an opt-out made by any reasonable method within 10 business days. If a real, identifiable company keeps sending automated texts after you clearly opted out, that can violate federal and state law. Keep dated screenshots of your STOP requests and the messages you received afterward, and you can review your options through the Open Class Actions TCPA Spam Text Messages investigation.


Sources

Federal Trade Commission — Consumer Protection Data Spotlights
FCC — Stop Unwanted Robocalls and Texts
NIST SP 800-63B — Digital Identity / Authentication Guidelines (restricted authenticators)
U.S. Court of Appeals for the Eleventh Circuit — Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277


About This Page

OpenClassActions.com is a consumer news and information website, not a law firm. This article is general information about the spam-text landscape and consumer protections — it is not legal advice, and it does not create an attorney-client relationship. Statistics are drawn from public agency reports, court records, and published security research; for any specific situation, consult a qualified attorney.

For more class actions keep scrolling below.

More on Spam Texts, Robocalls & Your TCPA Rights