{"id":8789,"date":"2025-11-07T15:42:51","date_gmt":"2025-11-07T15:42:03","guid":{"rendered":"https:\/\/www.law.georgetown.edu\/tech-institute\/insights\/remedies-for-tech-related-harms-chapter-2-2\/"},"modified":"2026-02-05T21:09:44","modified_gmt":"2026-02-05T21:09:44","slug":"tech-brief-text-based-scams-ai","status":"publish","type":"page","link":"https:\/\/www.law.georgetown.edu\/tech-institute\/research-insights\/insights\/tech-brief-text-based-scams-ai\/","title":{"rendered":"Tech Brief: Text-Based Scams &amp; AI"},"content":{"rendered":"<p><span style=\"font-weight: 400\">The purpose of this tech brief is to provide a clear, factual synthesis of a timely tech-related issue by combining technical understanding with publicly reported information. By distilling complex developments into accessible, evidence-based insights, this tech brief aims to help policymakers, researchers, enforcers, and the public get up to speed on emerging tech risks and issue areas that may require further scrutiny or oversight. This brief covers the following:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400\">Section 1: What are text-based scams? Who is responsible?\u00a0<\/span><\/li>\n<li><span style=\"font-weight: 400\">Section 2: What are the known harms and risks of text-based scams?<\/span><\/li>\n<li><span style=\"font-weight: 400\">Section 3: What is the role of \u201cAI\u201d in accelerating and expanding text-based scams?<\/span><\/li>\n<li><span style=\"font-weight: 400\">Section 4: Related policy initiatives<\/span><\/li>\n<li><span style=\"font-weight: 400\">Section 5: Open questions for AI companies, SMS marketing platforms, and third-party lead generators<\/span><\/li>\n<li><span style=\"font-weight: 400\">Section 6: Sources for case data and investigations*<\/span><\/li>\n<\/ul>\n<h2><b>Section 1: What are text-based scams? Who is responsible?\u00a0<\/b><\/h2>\n<p><i><span style=\"font-weight: 400\">\u201cDMV Final Notice: Enforcement Begins Soon. 
Our records indicate that as of today, you still have an outstanding traffic ticket. If you fail to pay, we will take action against you. Pay now at this link.\u201d<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">\u201cYour USPS package arrived at the warehouse but could not be delivered due to incomplete address information. Please confirm your address in the link below.\u201d\u00a0<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">\u201cBank Fraud Alert: Your attention is needed immediately regarding a new transaction. Please sign in here to review.\u201d<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400\">These quotes draw from just a few examples of <\/span><a href=\"https:\/\/consumer.ftc.gov\/consumer-alerts\/2025\/04\/unexpected-text-scam\"><span style=\"font-weight: 400\">real text message scams<\/span><\/a><span style=\"font-weight: 400\"> that deceptively lure individuals into handing over their sensitive information to scammers\u2013most often for financial exploitation. These text-based scams \u2014 sometimes called \u201csmishing\u201d<\/span><span style=\"font-weight: 400\"> scams \u2014 are on the rise and continually evolving.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Scammers (who can <\/span><a href=\"https:\/\/www.wired.com\/story\/smishing-triad-scam-group\/\"><span style=\"font-weight: 400\">often be foreign actors<\/span><\/a><span style=\"font-weight: 400\">) orchestrate text scams using a number of documented methods and infrastructure.<\/span><\/p>\n<p><b>Where do scammers find data to target victims? 
<\/b><span style=\"font-weight: 400\">To help initiate contact with potential victims, scammers can retrieve individuals\u2019 personal information <\/span><a href=\"https:\/\/www.michigan.gov\/consumerprotection\/protect-yourself\/consumer-alerts\/scams\/security-breach-phishing-extortion\"><span style=\"font-weight: 400\">on the dark web from previous data breaches<\/span><\/a><span style=\"font-weight: 400\">, on social media, or even from <\/span><a href=\"https:\/\/www.law.georgetown.edu\/tech-institute\/insights\/the-data-broker-toolkit\/\"><span style=\"font-weight: 400\">data brokers<\/span><\/a><span style=\"font-weight: 400\">. Additionally, scammers can <\/span><a href=\"https:\/\/arxiv.org\/html\/2508.05276v1\"><span style=\"font-weight: 400\">exploit mobile network operators by using numbers on their networks<\/span><\/a><span style=\"font-weight: 400\"> or <\/span><a href=\"https:\/\/blog.smithsecurity.biz\/hacking-the-scammers\"><span style=\"font-weight: 400\">intercept traffic through malicious clone sites<\/span><\/a><span style=\"font-weight: 400\"> to help contact individuals.\u00a0<\/span><\/p>\n<p><b>How does a text-based scam work in practice?\u00a0<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><b>Entice: <\/b><span style=\"font-weight: 400\">Once scammers have the data and infrastructure needed to facilitate their schemes, they <\/span><a href=\"https:\/\/www.sentinelone.com\/cybersecurity-101\/cybersecurity\/what-is-smishing\/\"><span style=\"font-weight: 400\">establish a way to bait<\/span><\/a><span style=\"font-weight: 400\"> a victim via text under the guise of a trusted entity, like a bank, a government entity, a delivery company, or a large retailer. This can be done using familiar logos, links, or formats to establish credibility and convince a victim to take action. 
Scammers may <\/span><a href=\"https:\/\/www.crowdstrike.com\/en-us\/cybersecurity-101\/social-engineering\/spoofing-attack\/\"><span style=\"font-weight: 400\">\u201cspoof\u201d<\/span><\/a><span style=\"font-weight: 400\">\u2013or deceptively imitate\u2013the authentic phone number, email address, or website URL of a trusted entity in their messages.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Establish urgency or fear: <\/b><span style=\"font-weight: 400\">Next, a scam text message creates urgency or fear in the recipient by highlighting, for instance, an unpaid bill that will go to collections, or a problem with an incoming package delivery. <\/span><a href=\"https:\/\/www.cloudflare.com\/learning\/access-management\/smishing\/\"><span style=\"font-weight: 400\">Messages can include links that, when clicked, open<\/span><\/a>\u00a0<span style=\"font-weight: 400\">a fake web page or email message, or dial a number. Otherwise, messages can include text that asks the recipient to visit a specific URL, or contact a specific email address or phone number. 
<\/span><span style=\"font-weight: 400\">The web pages or further communications that result can ask for the recipient to provide sensitive information, like credit card information, or personal information like date of birth, physical address, and email address.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Exploit: <\/b><span style=\"font-weight: 400\">After a victim inputs their sensitive personal or financial information into a malicious web page or communicates it via email or phone to scammers, this data can be later used to exploit them in some way\u2013for example, via identity theft or money transfers.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.ftc.gov\/news-events\/data-visualizations\/data-spotlight\/2025\/04\/top-text-scams-2024\"><span style=\"font-weight: 400\">According to the Federal Trade Commission (FTC)<\/span><\/a><span style=\"font-weight: 400\">, the most common text-based scams in 2024 involved scammers impersonating:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The <\/span><a href=\"https:\/\/www.uspis.gov\/news\/scam-article\/smishing-package-tracking-text-scams\"><span style=\"font-weight: 400\">U.S. 
Postal Service<\/span><\/a><span style=\"font-weight: 400\"> or other shipping entities, warning that a recipient\u2019s package was delayed or could not be delivered;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">A prospective employer or talent recruiter notifying a recipient that they would like to connect about an open position\u2013<\/span><a href=\"https:\/\/consumer.ftc.gov\/consumer-alerts\/2025\/08\/how-spot-avoid-task-scams\"><span style=\"font-weight: 400\">often a repetitive \u201ctask\u201d job opportunity<\/span><\/a><span style=\"font-weight: 400\">;<\/span><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/www.cnet.com\/personal-finance\/banking\/is-that-text-message-from-your-bank-legit-how-to-detect-and-avoid-sms-phishing-scams\/\"><span style=\"font-weight: 400\">A financial services entity<\/span><\/a><span style=\"font-weight: 400\">, warning that a recipient\u2019s account indicates fraudulent activity or has otherwise been compromised;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/www.fcc.gov\/consumer-governmental-affairs\/how-spot-and-avoid-toll-road-payment-scam-texts\"><span style=\"font-weight: 400\">State transportation agencies<\/span><\/a><span style=\"font-weight: 400\">, warning a recipient that they have outstanding toll or ticket fees;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/www.cnbc.com\/2025\/04\/25\/odd-text-wrong-number-messages-new-scam-payday-hackers.html\"><span style=\"font-weight: 400\">A \u201cwrong number\u201d text sender<\/span><\/a><span style=\"font-weight: 400\">, who often introduces a friendly or romantic overtone to an ensuing text conversation, and then later invites the recipient to an investment opportunity (these are often called <\/span><a href=\"https:\/\/www.staysafeonline.org\/articles\/what-is-pig-butchering-and-how-to-spot-the-scam\"><span style=\"font-weight: 400\">\u201cpig butchering&#8221; 
scams<\/span><\/a><span style=\"font-weight: 400\">)\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Who is responsible for text-based scams?<\/b><\/p>\n<p><span style=\"font-weight: 400\">Text-based scams involve multiple layers of actors. Scammers can use various digital and online services, and also messaging hardware to support their schemes.<\/span> <span style=\"font-weight: 400\">While this is not an exhaustive list, here are some of the actors that can enable these scams:\u00a0<\/span><\/p>\n<ol>\n<li><b>Scammers themselves<\/b><span style=\"font-weight: 400\"> \u2013 These are the operational individuals or entities who are directly executing a scam campaign.\u00a0<\/span>\n<ul>\n<li><span style=\"font-weight: 400\">For example: They may directly design, launch, and manage targets for scam campaigns using a number of tools. They may craft text messages, collect and aggregate phone numbers, send scam links, and collect data or money.\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<li><b>Infrastructure providers<\/b><span style=\"font-weight: 400\"> \u2013 These are the entities that supply or offer tools, platforms, or other infrastructure that scammers can exploit. Examples include:\u00a0<\/span>\n<ul>\n<li><b>Data brokers <\/b><span style=\"font-weight: 400\">can<\/span> <span style=\"font-weight: 400\">harvest, aggregate, and sell large volumes of personal and behavioral data from diverse sources such as breached databases, scraped websites, marketing APIs, and mobile applications. 
This information allows scammers to identify and target potential victims with precision, enriching lead lists with phone numbers, location data, and demographic profiles.<\/span><\/li>\n<li><b>Social media companies<\/b><span style=\"font-weight: 400\">, like traditional data brokers, collect large volumes of personal information that scammers exploit to identify and target potential victims.<\/span><\/li>\n<li><b>Hosting providers <\/b><span style=\"font-weight: 400\">deliver the infrastructure used to deploy scam web pages and phishing portals. These sites are where victims may be tricked into entering personal or sensitive information like demographic details, passwords, or financial details.\u00a0<\/span><\/li>\n<li><b>VoIP or SMS texting aggregators<\/b><span style=\"font-weight: 400\"> are services that help businesses send large numbers of calls or texts through online systems. Scammers can use these tools to send out thousands of fake messages or spoof their phone numbers so their messages look like they are coming from a trusted source.\u00a0<\/span><\/li>\n<li><b>DNS providers <\/b><span style=\"font-weight: 400\">let people register and manage website domain names. Scammers can use these services to create fake websites that appear legitimate, tricking victims into visiting and sharing sensitive information.\u00a0<\/span><\/li>\n<li><b>Message generators<\/b><span style=\"font-weight: 400\"> are tools that can use AI to automatically create text that sounds convincing. Scammers can misuse these systems to quickly produce large numbers of personalized or realistic messages.\u00a0<\/span><\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/sms-blasters-scam-texts\/\"><b>SMS blasters<\/b><\/a> <span style=\"font-weight: 400\">function like fake cell tower devices that trick nearby phones into connecting with them rather than legitimate networks. 
These devices allow scammers to send out texts in bulk that can bypass typical network scam filters.\u00a0<\/span><\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/sim-farm-new-york-threatened-us-infrastructure-feds-say\/\"><b>SIM farms<\/b><\/a> <span style=\"font-weight: 400\">are hardware devices that can hold numerous SIM cards at once from different mobile providers and exploit VoIP to send texts in bulk.\u00a0<\/span><\/li>\n<li><b>Other infrastructure entities include but are not limited to: <\/b><span style=\"font-weight: 400\">URL shorteners, cloud and web hosting, hacked accounts, and disposable phone numbers.<\/span> <span style=\"font-weight: 400\">Similarly, scammers can use physical burner phones or SIMs, or prepaid phones to obtain cheap, temporary phone numbers for use in their schemes.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><b>Messaging platform operators <\/b><span style=\"font-weight: 400\">\u2013 These are the operators who manage messaging or social platforms. <\/span>\n<ul>\n<li>Examples include: WhatsApp, Telegram, SMS carriers, Google Messages, etc.<\/li>\n<\/ul>\n<\/li>\n<li><b>Financial facilitators<\/b><span style=\"font-weight: 400\"> \u2013 These are the entities who handle the movement of money from a victim to scammers.<\/span>\n<ul>\n<li><span style=\"font-weight: 400\">Examples include: Payment processors, crypto exchanges, etc.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>The purpose of this tech brief is to provide a clear, factual synthesis of a timely tech-related issue by combining technical understanding with publicly reported information. 
By distilling complex developments [&hellip;]<\/p>\n","protected":false},"author":18544,"featured_media":0,"parent":7881,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_price":"","_stock":"","_tribe_ticket_header":"","_tribe_default_ticket_provider":"","_tribe_ticket_capacity":"0","_ticket_start_date":"","_ticket_end_date":"","_tribe_ticket_show_description":"","_tribe_ticket_show_not_going":false,"_tribe_ticket_use_global_stock":"","_tribe_ticket_global_stock_level":"","_global_stock_mode":"","_global_stock_cap":"","_tribe_rsvp_for_event":"","_tribe_ticket_going_count":"","_tribe_ticket_not_going_count":"","_tribe_tickets_list":"[]","_tribe_ticket_has_attendee_info_fields":false,"footnotes":"","_tec_slr_enabled":"","_tec_slr_layout":""},"class_list":["post-8789","page","type-page","status-publish","hentry"],"acf":[],"ticketed":false,"_links":{"self":[{"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/pages\/8789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/users\/18544"}],"replies":[{"embeddable":true,"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/comments?post=8789"}],"version-history":[{"count":39,"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/pages\/8789\/revisions"}],"predecessor-version":[{"id":9281,"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/pages\/8789\/revisions\/9281"}],"up":[{"embeddable":true,"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/pages\/7881"}],"wp:attachment":[{"href":"https:\/\/www.law.georgetown.edu\/tech-institute\/wp-json\/wp\/v2\/media?parent=8789"}],"cur
ies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}