Most people assume that baby boomers are the ones most likely to fall victim to smishing scams. But what if it’s actually Gen X and Gen Y who are the prime targets? These generations often consider themselves highly tech-savvy—but could that very confidence be what makes them more vulnerable to SMS phishing?

Smishing can have a serious impact on both individuals and businesses. Many employees use cell phones in order to do their jobs, whether supplied by their employer or a personal device.  When someone falls for a phishing message they may be unknowingly exposing the organization to malware or a wider data breach.

Who is really more likely to fall for smishing scams?

Conventional wisdom suggests that older generations, like baby boomers and the silent generation, are most susceptible to scams like smishing. But recent data tells a different story.

"Despite their digital fluency, the younger generation’s comfort with technology may contribute to their vulnerability."

In 2021, the Federal Trade Commission found that Gen X and Gen Y (adults aged 18–59) were 34% more likely to report losing money to fraud than those aged 60 and older. Even Gen Z was shown by Deloitte to be three times more likely (https://www.vox.com/technology/23882304/gen-z-vs-boomers-scams-hacks)than boomers to fall for a scam.

Despite their digital fluency, younger generation’s comfort with technology may actually contribute to their vulnerability. According to Time, baby boomers tend to be more skeptical of unsolicited messages from banks or delivery services. They’re accustomed to doing more due diligence, while Gen X, Y, and Z are more likely to trust and act on communication via text, email, or social media.

Gen X through Z are also prime targets for bank-related smishing scams, simply because they are so accustomed to banking online. According to the FTC, bank impersonation was the most reported form of text message scam in 2022. That makes these generations especially susceptible to more sophisticated smishing attempts.

Real smishing scenarios targeting Gen X, Y, and Z

Scammers are constantly refining their techniques, making smishing attacks more convincing and difficult to detect. That’s why increasing security awareness in your organization is essential.

"The good news is that being proactive can significantly reduce the likelihood of falling for a smishing attack."

One of the most common scams seen in 2023 and 2024 was the “fake boss” text. In this scenario, an employee receives a message that appears to come from their manager, the CEO, or another leader, often claiming to be stuck in a meeting and urgently needing help. The message usually asks the employee to buy gift cards or wire money to resolve a fake emergency.

This scam preys on the employee’s desire to be helpful and to comply with perceived authority. Aside from personal financial loss,one victim reported losing $1,000 in gift cards, these attacks can also compromise sensitive company information if the victim is pressured into sharing credentials or other data.

Another high-profile example was the 2023 Scattered Spider campaign, where hackers impersonated IT staff via text messages to steal employee login credentials. Even tech companies like Twilio were affected, suffering a data breach after several employees responded to a fake password reset requests (TechCrunch).

Practical ways to reduce smishing vulnerability

The good news is that being proactive can significantly reduce the likelihood of falling for a smishing attack. Here are three practical steps individuals and organizations can take:

1. Leverage mobile security tools:

Use the built-in security features on your devices. Enable spam filtering on your phone, install a reputable security app, and make sure your operating system and apps are regularly updated. These tools can help detect and block potential smishing attempts before they reach you.

2. Adopt safe behaviors:

Even with great technology, human behavior remains the first line of defense. Employees need to be aware of the risks posed by unsolicited texts, emails, or phone calls. Encourage a culture of caution — think before you click.

To support this, companies can use targeted micro training that helps employees understand what smishing looks like, how to respond, and when to report suspicious activity. These short, focused modules empower users to act smart and stay alert.

3. Implement security awareness training:

One of the most effective tools for reducing risk is comprehensive security awareness training. Nimblr’s solution combines interactive microlearning with simulated attacks (learn more) to give employees real-world experience in recognizing phishing and smishing threats.

With evolving content that reflects current attack trends, this type of training helps build the long-term vigilance needed to protect both employees and the business.