In February 2022, the FBI warned that Americans lost over $68 million to smishing and vishing scams in a single year — and that number only counted what victims actually reported to the FBI's IC3. The real figure is almost certainly multiples higher. I've spent the last decade watching SMS-based phishing evolve from clumsy "you've won a prize" texts into sophisticated, targeted attacks that fool even security-conscious professionals. If you've landed on this page searching for smishing attack examples, you're already ahead of most people — because the first step to defending yourself is knowing exactly what these attacks look like in the real world.
This post breaks down actual smishing campaigns that cost organizations and individuals millions, shows you the anatomy of each attack, and gives you concrete steps to protect your organization and your employees today.
What Is Smishing, and Why Is It Exploding in 2022?
Smishing is phishing delivered by SMS text message. That's it. Same goal — credential theft, malware delivery, financial fraud — just a different channel. And that channel is devastatingly effective.
Here's why. Email security has gotten better. Spam filters catch a lot. But text messages? They land directly on your phone with a notification sound, and most people open them within three minutes. According to Gartner, SMS open rates hover around 98%, compared to roughly 20% for email. Threat actors know this math.
The 2022 Verizon Data Breach Investigations Report confirmed that social engineering remains one of the top attack patterns in breaches, and mobile-based phishing is a growing slice of that pie. The shift to remote work accelerated the problem — employees use personal devices for work, and those devices are now prime targets.
5 Real Smishing Attack Examples That Actually Worked
Let me walk you through five real-world smishing attack examples that caused serious damage. These aren't hypothetical. Each one exploited human trust, urgency, or curiosity.
1. The IRS Tax Refund Smish (2020–2022)
Every tax season, the IRS issues warnings about smishing campaigns impersonating the agency. In these attacks, victims receive texts like: "IRS Notice: Your tax refund of $1,892.00 is pending. Verify your identity to receive payment: [malicious link]."
The link leads to a convincing replica of the IRS website. Victims enter their Social Security numbers, dates of birth, and bank account details. The IRS has repeatedly stated it does not initiate contact via text message. Yet thousands fall for this every year because the urgency of a pending refund overrides skepticism.
The IRS issued multiple alerts about these campaigns, noting a dramatic increase during the 2021 and 2022 filing seasons.
2. USPS and FedEx Package Delivery Scams
This one exploded during the pandemic and hasn't slowed down. You get a text: "USPS: Your package has a delivery issue. Update your address here: [link]."
The link takes you to a page that looks exactly like the USPS or FedEx tracking site. It asks for your name, address, and — here's the hook — a small "redelivery fee" of $1.50. Victims enter their credit card details for what feels like an insignificant charge. The attackers then use those card details for much larger purchases or sell them in bulk on dark web marketplaces.
The U.S. Postal Inspection Service reported a massive surge in these smishing texts throughout 2021. I've personally seen clients receive dozens of these in a single week.
3. The Roaming Mantis / FluBot Campaign
Roaming Mantis is a threat actor group that deployed smishing at industrial scale across Europe and parts of North America starting in 2021. Their texts typically claimed a voicemail was waiting or a package was en route, with a link to "listen" or "track."
Clicking the link on an Android device triggered the download of FluBot malware, which could steal banking credentials, intercept multi-factor authentication codes, and spread itself by sending smishing texts to every contact in the victim's phone. On iOS, the link redirected to phishing pages designed for credential theft.
Europol coordinated a takedown of the FluBot infrastructure, but the campaign demonstrated how a single smishing text could turn a victim's phone into a weapon that attacks everyone they know.
4. Bank Account Alert Smishing
This is one of the most common smishing attack examples I encounter during security awareness training sessions. The text reads something like: "[Bank Name] ALERT: Unusual activity detected on your account. If this wasn't you, verify now: [link]."
The spoofed sender ID often looks legitimate. The landing page is a near-perfect clone of the bank's login portal. Victims enter their username and password, and in some variants, the page then asks for a one-time passcode — which the attacker uses in real time to access the real account. This is a classic adversary-in-the-middle attack that defeats basic multi-factor authentication.
The FBI's IC3 has documented thousands of complaints tied to this exact pattern. Financial institutions spend millions trying to warn customers, but the attacks keep working because they trigger fear — and fear bypasses critical thinking.
5. COVID-19 Contact Tracing Smishing
During 2020 and 2021, attackers impersonated state health departments with texts like: "You have been in close contact with someone who tested positive for COVID-19. Click here for details and testing locations."
The links led to sites that harvested personal information — names, dates of birth, Social Security numbers, and health insurance details. Some variants installed spyware. The FTC flagged numerous complaints about these scams, noting that they exploited public anxiety at a time when legitimate contact tracing was actually happening via text.
This is social engineering at its most cynical: weaponizing a public health crisis.
Anatomy of a Smishing Text: Red Flags You Should Recognize
Every smishing message shares common DNA. Once you learn to spot these patterns, the attacks lose most of their power.
- Urgency or fear: "Act now," "Your account will be suspended," "Unauthorized transaction detected."
- Unexpected sender: A short code or phone number you don't recognize, often spoofed to look local.
- Suspicious link: Shortened URLs (bit.ly, tinyurl), misspelled domains (usps-deliveryupdate.com), or domains that don't match the claimed sender.
- Request for personal data: No legitimate organization asks for passwords, SSNs, or credit card numbers via text.
- Too-good-to-be-true offers: Prize winnings, unexpected refunds, exclusive deals requiring immediate action.
Train yourself to pause whenever a text creates an emotional reaction. That emotional trigger is the attack itself.
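To show how these red flags translate into triage logic, here is an added example (not code from the original post) that scores texts employees forward to a security mailbox against the five patterns above; the keyword lists, the brand-to-domain map, the `KNOWN_SENDERS` allow-list and the sample messages are all constructed assumptions.

```python
import re
# Added example, not from the original post: a heuristic scorer that applies the
# red flags above to texts employees forward to a security mailbox. Keyword lists,
# the brand-to-domain map, known senders and the sample messages are constructed.
URGENCY = ("act now", "suspended", "unusual activity", "verify", "immediately",
           "pending", "delivery issue", "unauthorized")
DATA_REQUESTS = ("password", "ssn", "social security", "credit card",
                 "card number", "date of birth", "bank account")
LURES = ("prize", "winner", "refund", "exclusive deal")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BRAND_DOMAINS = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "irs": {"irs.gov"}}
KNOWN_SENDERS = {"IT-DESK"}  # assumed: the organisation's own alphanumeric sender ID
# Matches http(s) URLs and bare domains such as bit.ly/abc or usps-deliveryupdate.com/track
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def extract_domains(text: str) -> list[str]:
    return [host.lower() for host in URL_RE.findall(text)]

def owned_by_brand(domain: str, legit: set[str]) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in legit)

def score_sms(sender: str, text: str) -> dict:
    """Map one reported text onto the red flags; return flags, score and verdict."""
    low, flags = text.lower(), []
    if any(k in low for k in URGENCY):
        flags.append("urgency")
    if any(k in low for k in DATA_REQUESTS):
        flags.append("personal_data_request")
    if any(k in low for k in LURES):
        flags.append("too_good_offer")
    domains = extract_domains(text)
    if any(d in SHORTENERS for d in domains):
        flags.append("url_shortener")
    # A brand is named in the body but every link points to a domain that brand does not own
    brand = next((b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", low)), None)
    if brand and domains and not any(owned_by_brand(d, BRAND_DOMAINS[brand]) for d in domains):
        flags.append("domain_sender_mismatch")
    # Sender IDs can be spoofed, so the allow-list only reduces noise; it never clears a text
    if sender not in KNOWN_SENDERS:
        flags.append("unknown_sender")
    verdict = "likely_smishing" if len(flags) >= 3 else ("review" if flags else "no_flags")
    return {"flags": flags, "score": len(flags), "verdict": verdict}

# Constructed sample reports (sender ID, body) modelled on the patterns described above
SAMPLES = [
    ("83294", "USPS: Your package has a delivery issue. Update your address here: usps-deliveryupdate.com/track"),
    ("+15550143", "IRS Notice: Your tax refund of $1,892.00 is pending. Verify your identity: bit.ly/x7Q"),
    ("IT-DESK", "Reminder: quarterly security training is due Friday. See the intranet page."),
]
TRIAGE = {sender: score_sms(sender, body) for sender, body in SAMPLES}
```

The score is only a prioritisation aid for the security team: a low score does not make a text safe, it just means none of the listed patterns matched.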
Why Smishing Bypasses Your Existing Security Stack
Most organizations have invested in email security: secure email gateways, DMARC, DKIM, anti-phishing filters. But SMS messages bypass all of it. Your corporate email filters don't touch text messages on your employees' phones.
This gap is exactly why threat actors are pivoting to smishing. The 2022 Verizon DBIR emphasizes that the human element is involved in 82% of breaches. Smishing targets the human, not the technology — and it does so on a device where people have their guard down.
Even organizations that run phishing simulation programs often focus exclusively on email. If your security awareness program doesn't include smishing scenarios, you're leaving a massive gap in your defenses.
How Smishing Leads to Ransomware and Data Breaches
A smishing text might seem like a small-time scam, but it's often the entry point for much larger attacks. Here's the chain I've seen play out multiple times:
Step 1: Employee receives a smishing text impersonating IT support. It says their VPN credentials need to be updated.
Step 2: Employee clicks the link and enters their corporate username and password on a phishing page.
Step 3: Attacker uses those stolen credentials to log into the corporate VPN.
Step 4: Attacker moves laterally through the network, escalates privileges, and deploys ransomware.
This isn't theoretical. The Lapsus$ group, which made headlines in early 2022 for breaching major technology companies, used social engineering techniques including SMS-based attacks to gain initial access. Credential theft via smishing can be the first domino in a multimillion-dollar data breach.
How to Protect Your Organization from Smishing
Knowing what smishing looks like is necessary but not sufficient. Here's what I recommend organizations actually do.
Deploy Security Awareness Training That Covers SMS Threats
Your employees need to see realistic smishing attack examples in a controlled environment before they encounter them in the wild. Classroom-style awareness training that only covers email phishing isn't enough anymore. You need a comprehensive cybersecurity awareness training program that addresses the full spectrum of social engineering — email, SMS, voice calls, and more.
Run Phishing and Smishing Simulations
Simulated attacks are the single most effective way to change employee behavior. When someone falls for a simulated smishing text, they remember it. That moment of "I got caught" builds muscle memory that no PowerPoint ever will. Look into phishing awareness training for organizations that includes simulated attack campaigns across multiple channels.
Implement Zero Trust Architecture
Assume every access request is potentially compromised. Zero trust means verifying every user, every device, and every session — regardless of whether the request comes from inside or outside your network. Even if an attacker steals credentials via smishing, zero trust controls like conditional access policies and continuous authentication can stop them from getting further.
Enforce Phishing-Resistant MFA
Basic SMS-based multi-factor authentication can be defeated by smishing attacks that capture one-time codes in real time. Move to phishing-resistant MFA methods: hardware security keys (FIDO2/WebAuthn), push notifications with number matching, or certificate-based authentication. CISA's MFA guidance is an excellent resource for implementing stronger authentication.
Establish a Clear Reporting Process
Make it dead simple for employees to report suspicious texts. A dedicated reporting mailbox or a one-click reporting button in your security tools removes friction. The faster your security team knows about a smishing campaign targeting your employees, the faster you can warn everyone else.
Use Mobile Device Management (MDM)
For company-owned or BYOD devices, MDM solutions can block known malicious URLs, prevent installation of unauthorized apps, and enforce security policies. This adds a technical layer that complements your training efforts.
What Should You Do If You Receive a Smishing Text?
This is the question I get asked most often. Here's the straightforward answer:
- Don't click the link. Period. If you think it might be legitimate, open a browser yourself and navigate directly to the company's official website.
- Don't reply. Replying confirms your number is active and invites more attacks.
- Report it. Forward the text to 7726 (SPAM), which is the reporting number used by major U.S. carriers. Report it to your IT security team if it's work-related.
- Delete it. Once reported, remove the message.
- If you already clicked: Change any passwords you may have entered. Enable MFA immediately. Run a security scan on your device. Contact your bank if you shared financial details. Notify your security team.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2021 Cost of a Data Breach Report put the global average cost of a breach at $4.24 million, with the United States averaging $9.05 million. A significant percentage of those breaches started with social engineering. Many started with something as simple as a text message.
The organizations that avoid these costs aren't the ones with the biggest security budgets. They're the ones that train their people relentlessly, test them with realistic simulations, and build security cultures where reporting a suspicious text is rewarded, not punished.
Smishing isn't going away. Threat actors follow the path of least resistance, and right now, that path runs straight through the text messages on your employees' phones. The smishing attack examples in this post represent patterns that repeat daily — new lures, same mechanics.
Your move is simple: train your people, test your defenses, and make it easy to report the attacks that inevitably arrive. Start with a solid foundation of security awareness training and layer in targeted phishing simulation programs that reflect the real threats your organization faces — including the ones that arrive by text.