In February 2024, the FBI warned that threat actors stole over $10 billion through internet-enabled fraud in 2023 — and SMS-based phishing, commonly called smishing, was one of the fastest-growing attack vectors cited in the FBI IC3 annual report. If you think smishing is just a nuisance text from a fake bank, you're dangerously behind. The smishing attack examples circulating right now are sophisticated, personalized, and devastatingly effective.
This post breaks down real smishing campaigns that have compromised individuals and organizations. You'll see the exact tactics attackers use, learn how to spot the red flags, and walk away with concrete steps to protect your team. If you've ever dismissed a suspicious text as harmless spam, keep reading.
What Makes Smishing So Effective in 2024
Email phishing gets all the attention. Meanwhile, SMS open rates hover around 98%, compared to roughly 20% for email. Threat actors know this. They've shifted resources toward your text inbox because it works.
Here's what actually happens: people trust their phones. When a text arrives that looks like it's from their bank, the IRS, or their employer's IT department, they react quickly. There's no spam filter parsing the message first. There's no "this message may be suspicious" banner. It just lands, and the recipient taps.
Smishing attacks also exploit the small screen. On a phone, you can't easily hover over a link to preview the URL. The truncated display hides the true destination. Attackers weaponize this limitation relentlessly.
Real Smishing Attack Examples That Caused Serious Damage
The Uber Breach: One Text, Total Compromise
In September 2022, a teenage threat actor breached Uber's internal systems. The attack started with a smishing message sent to an Uber employee. The text claimed to be from Uber IT, warning the employee that their account had been compromised and directing them to a fake login page.
The employee entered their credentials. The attacker then spammed multi-factor authentication push notifications until the employee approved one — a technique called MFA fatigue. From there, the attacker accessed Uber's Slack, Google Workspace, and internal vulnerability reports. The entire breach began with a single smishing text.
The Oktapus Campaign: 10,000 Credentials in Minutes
In mid-2022, a campaign dubbed "Oktapus" by researchers at Group-IB targeted over 130 organizations, including Twilio, Cloudflare, and Signal. The attackers sent SMS messages impersonating Okta login pages, directing employees to enter their credentials and MFA codes on convincing fake sites.
Over 10,000 credentials were harvested. The texts were simple — something like "Your Okta session has expired. Log in immediately to avoid account lockout" — followed by a malicious link. It was one of the most effective social engineering campaigns in recent history, and it was built entirely on smishing.
USPS and Delivery Scam Texts
You've probably received one yourself: "USPS: Your package could not be delivered. Schedule redelivery here." The FTC has repeatedly warned consumers about these scam texts. In 2023, the FTC reported that text-based scams led to $330 million in reported losses, with fake delivery notifications among the most common lures.
These smishing messages direct victims to credential harvesting pages that mimic USPS, FedEx, or UPS. The pages ask for personal information, credit card numbers, and sometimes install malware on the device. It's low-effort, high-reward for the attacker.
IRS and Tax Refund Smishing
Every tax season, the IRS issues warnings about smishing attacks that impersonate the agency. These texts claim the recipient is owed a refund and direct them to a fake IRS page. The real IRS does not initiate contact via text message — ever. Yet these campaigns succeed year after year because the lure of money overrides caution.
Bank Account Alert Scams
"Alert: Unusual activity detected on your account. Verify your identity immediately." I've seen this exact template used in smishing attacks impersonating Chase, Bank of America, Wells Fargo, and dozens of regional banks. The link leads to a cloned banking login page. Victims enter their credentials and sometimes their Social Security numbers. The attacker drains the account within hours.
Anatomy of a Smishing Text: Red Flags to Recognize
After reviewing hundreds of smishing attack examples, I've identified the patterns that repeat almost every time. Here's what to watch for:
- Urgency: "Act now," "Immediate action required," "Your account will be locked." Attackers need you to react before you think.
- Shortened or suspicious URLs: Bit.ly links, misspelled or lookalike domains (usps-redelivery.com vs. usps.com), or unfamiliar top-level domains (.xyz, .top, .buzz).
- Generic greetings: "Dear customer" or no greeting at all. Legitimate organizations usually address you by name.
- Unsolicited requests for credentials: No legitimate company will ask you to verify your password via text.
- Too-good-to-be-true offers: "You've won a $500 gift card" or "Claim your stimulus payment."
If a text triggers any of these flags, don't tap the link. Go directly to the organization's official website or app instead.
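The red flags above can be turned into a first-pass triage check for texts that employees report. This is an added example, not code from the original post; the phrase lists, shortener list, brand-to-domain map and function names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

PHRASES = {  # constructed lists for illustration; tune them on your own reported texts
    "urgency": ("act now", "immediate", "will be locked", "lockout", "expired"),
    "credential-request": ("log in", "verify your identity", "verify your password"),
    "too-good-to-be-true": ("you've won", "gift card", "claim your", "refund"),
    "generic-greeting": ("dear customer",),
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
ODD_TLDS = {"xyz", "top", "buzz"}
OFFICIAL = {"usps": "usps.com", "okta": "okta.com", "irs": "irs.gov"}  # brand -> real domain
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(text):
    """Lower-cased hostname of every URL-like token, with or without a scheme."""
    urls = (m.group(0) for m in URL_RE.finditer(text))
    hosts = (urlparse(u if "://" in u else "http://" + u).hostname for u in urls)
    return [h for h in hosts if h]

def url_flags(host):
    flags = set()
    if host in SHORTENERS:
        flags.add("shortened-url")
    if host.rsplit(".", 1)[-1] in ODD_TLDS:
        flags.add("unfamiliar-tld")
    labels = re.split(r"[.-]", host)
    for brand, real in OFFICIAL.items():
        # Brand word in the hostname, but not the brand's domain or a subdomain of it.
        if brand in labels and host != real and not host.endswith("." + real):
            flags.add("lookalike-domain")
    return flags

def red_flags(text):
    """Sorted list of red-flag names found in one SMS body."""
    low = text.lower()
    flags = {name for name, phrases in PHRASES.items() if any(p in low for p in phrases)}
    for host in hosts_in(low):
        flags |= url_flags(host)
    return sorted(flags)

SAMPLES = [  # constructed texts modelled on the lures quoted in this post
    "USPS: Your package could not be delivered. Schedule redelivery here: https://usps-redelivery.com/r",
    "Your Okta session has expired. Log in immediately to avoid account lockout: okta-sso.xyz/login",
    "You've won a $500 gift card! Claim it at bit.ly/abc123",
    "Your package arrives Tuesday. Track it at tools.usps.com/go/Track",
]
for sms in SAMPLES:
    print(red_flags(sms), "<-", sms)
```

A lure that shows none of these flags comes back empty, so read an empty result as "no known flag", not as safe.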
How Smishing Differs From Phishing and Vishing
Phishing uses email. Smishing uses SMS or text messaging. Vishing uses voice calls. All three fall under the umbrella of social engineering — manipulating human trust to steal information or access.
Smishing is arguably the most dangerous of the three right now because mobile devices lack the enterprise-grade security controls found on corporate email systems. Most organizations have invested in email filtering and phishing simulation platforms but haven't addressed SMS-based threats with the same rigor.
Why Your Organization Is a Smishing Target
If your employees carry phones — and they do — your organization is a target. Threat actors don't just target consumers. They target your finance team, your IT admins, your executives.
The Uber and Oktapus breaches prove the point. These weren't attacks against random individuals. They were precision-targeted smishing campaigns aimed at employees with privileged access. One compromised credential led to full data breaches.
Ransomware operators have also adopted smishing as an initial access vector. Verizon's 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — including social engineering attacks like smishing. You can read the full report details at the Verizon DBIR page.
How to Protect Against Smishing Attacks
Train Employees to Recognize the Texts
Security awareness training is your first and most effective defense. Employees who have seen real smishing attack examples are significantly less likely to fall for them. This isn't a one-and-done effort — it requires ongoing reinforcement.
Our phishing awareness training for organizations includes SMS-based social engineering scenarios that mirror real-world campaigns like the ones described above. If your team hasn't practiced identifying smishing texts in a controlled environment, they're practicing on live threats instead.
Implement Strong Multi-Factor Authentication
MFA is critical, but not all MFA is equal. The Uber breach showed that push-based MFA is vulnerable to fatigue attacks, and in the Oktapus campaign employees typed their MFA codes into the fake pages along with their credentials. Move toward phishing-resistant MFA methods like FIDO2 hardware keys or passkeys. CISA has published detailed guidance on phishing-resistant MFA at cisa.gov/mfa.
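Until push-based MFA is replaced, the fatigue pattern seen in the Uber breach can be watched for in authentication logs: a burst of rejected or ignored prompts followed by an approval. This is an added example, not code from the original post; the event tuple layout, the threshold of 5 prompts and the 10-minute window are assumptions to adapt to your identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag approvals that follow a burst of rejected or ignored push prompts.

    events: iterable of (iso_timestamp, user, result), result being "denied",
    "timeout" or "approved". Returns [(user, approved_at, prompts_before)].
    """
    pending = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for stamp, user, result in sorted(events):
        now = datetime.fromisoformat(stamp)
        recent = pending[user]
        while recent and now - recent[0] > window:
            recent.popleft()  # prompt is too old to be part of this burst
        if result == "approved":
            if len(recent) >= threshold:
                alerts.append((user, stamp, len(recent)))
            recent.clear()  # a successful login ends the sequence either way
        else:
            recent.append(now)
    return alerts


def build_sample():
    """Constructed log: alice is push-bombed, bob mistaps once, carol's denials are spread out."""
    start = datetime(2024, 1, 15, 2, 0, 0)
    events = [((start + timedelta(seconds=30 * i)).isoformat(), "alice", "denied") for i in range(6)]
    events.append(((start + timedelta(seconds=200)).isoformat(), "alice", "approved"))
    events += [("2024-01-15T09:00:00", "bob", "timeout"), ("2024-01-15T09:00:20", "bob", "approved")]
    events += [(f"2024-01-15T{10 + i:02d}:00:00", "carol", "denied") for i in range(5)]
    events.append(("2024-01-15T15:00:00", "carol", "approved"))
    return events


if __name__ == "__main__":
    for user, when, count in find_push_fatigue(build_sample()):
        print(f"{user}: approval at {when} after {count} unapproved prompts in 10 minutes")
```

An alert here is a reason to call the user and revoke the session, since the approval itself is the event that lets the attacker in.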
Adopt a Zero Trust Approach
Zero trust assumes no user or device is trusted by default — even inside your network. If a credential is compromised via smishing, zero trust architecture limits the blast radius. The attacker might get one login, but lateral movement is blocked by continuous verification.
Deploy Mobile Device Management (MDM)
MDM solutions can filter malicious URLs on corporate devices, enforce security policies, and detect compromised devices. If your organization issues phones or allows BYOD, MDM isn't optional — it's essential.
Establish a Reporting Culture
Make it easy and safe for employees to report suspicious texts. If someone receives a smishing attempt, your security team needs to know about it immediately. That one report could prevent a dozen other employees from falling for the same campaign.
What Should You Do If You Receive a Suspicious Text?
This is the question I get asked most. Here's the answer:
- Don't tap the link. Period. Not to "see where it goes," not to "check if it's real."
- Don't reply. Replying confirms your number is active and invites more attacks.
- Forward the text to 7726 (SPAM). This reports it to your carrier.
- Report it to the impersonated organization. Banks, the IRS, and shipping companies all have fraud reporting channels.
- Delete the message. Don't let it sit in your inbox where you might accidentally tap it later.
- If you already clicked: Change your passwords immediately, enable MFA, monitor your accounts, and alert your IT security team.
Building a Smishing-Resistant Workforce
Technical controls catch a percentage of smishing attacks. But the majority still come down to whether the person holding the phone makes the right call in that moment. That's a training problem, not a technology problem.
I've watched organizations transform their security posture by committing to continuous education. The key word is continuous. A single annual training session doesn't cut it. Threat actors evolve their tactics monthly. Your training cadence needs to match.
Start with a baseline assessment. How many of your employees would tap a smishing link right now? You probably don't know — and that uncertainty is the risk. Our cybersecurity awareness training program gives you the tools to measure, educate, and improve your team's resilience against social engineering attacks, including smishing.
Smishing Is Accelerating — Your Defenses Need to Keep Up
The volume of smishing attacks has increased by over 300% since 2020 according to industry tracking data. AI-generated text makes these messages more convincing than ever. Attackers are using compromised databases to personalize their texts with your name, your bank, even your recent purchases.
The days of obvious scam texts riddled with typos are fading. Today's smishing attack examples are polished, targeted, and delivered at scale. The question isn't whether your organization will face a smishing attack. It's whether your people will recognize it when it arrives.
Every example in this post — Uber, Oktapus, fake delivery notifications, IRS scams, bank alerts — started with a single text message. The organizations that survived were the ones that had trained their people. The ones that hadn't made headlines for all the wrong reasons.
Invest in your team's ability to identify and report smishing before it costs you. Because in my experience, the cost of training is always cheaper than the cost of a data breach.