In March 2025, the FBI's IC3 warned that Americans lost over $470 million to phishing and smishing schemes in the prior reporting year — and text-based attacks were growing faster than any other vector. I've personally triaged incidents where a single SMS message led to a six-figure wire transfer, a ransomware deployment, and a complete credential theft of an executive's cloud accounts. These weren't sophisticated zero-day exploits. They were text messages.

This post breaks down real smishing attack examples — the exact language, psychological tricks, and delivery methods threat actors use right now. If you're responsible for security awareness at your organization, these are the scenarios your employees need to recognize before they tap a link.

What Is Smishing and Why Is It Surging in 2025?

Smishing is phishing delivered via SMS or messaging apps instead of email. The attacker sends a text that impersonates a trusted entity — your bank, your employer, a delivery service, the IRS — and pushes you toward a malicious link or phone number. The goal is always the same: steal credentials, install malware, or trick you into sending money.

Why the surge? Three reasons. First, SMS open rates hover around 98%, compared to roughly 20% for email. Second, mobile screens truncate URLs, making malicious links harder to inspect. Third, most organizations still focus their security awareness training on email phishing and neglect text-based threats entirely.

The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Smishing exploits that human element on the device people trust the most — their phone. If your training program doesn't cover smishing, you have a gap. A program like the cybersecurity awareness training at computersecurity.us covers SMS-based social engineering alongside email and voice threats.

7 Real Smishing Attack Examples Threat Actors Use Right Now

Below are seven categories of smishing attacks drawn from real incidents, FTC advisories, and CISA alerts. I've included the typical message text, the psychological lever the attacker pulls, and the red flags that give it away.

1. The Fake Package Delivery Notification

Typical message: "USPS: Your package has a delivery issue. Update your address to avoid return: [malicious link]"

This is the single most common smishing template in circulation. The FTC issued multiple consumer alerts about fake USPS, UPS, and FedEx texts throughout 2023 and 2024. The link leads to a credential-harvesting page that mimics the carrier's site and asks for your name, address, and credit card to pay a small "redelivery fee."

Red flags: USPS doesn't text you unless you've opted in with a specific tracking number. The URL usually ends in a random domain like usps-redelivery[.]top rather than usps.com. There's always artificial urgency — "avoid return" or "last attempt."

2. The Bank Fraud Alert

Typical message: "[Bank Name] ALERT: Unusual activity detected on your account ending 4821. If this wasn't you, reply YES or call 1-800-XXX-XXXX immediately."

This smishing attack example exploits fear. When people think their money is at risk, they act fast and think slow. Replying "YES" confirms your number is active and often triggers a follow-up call from a threat actor posing as the bank's fraud department. They then walk you through "verifying" your identity — which really means handing over your account number, SSN, and one-time passcodes that bypass multi-factor authentication.

Red flags: Legitimate bank texts never ask you to reply or call a number embedded in the text. They direct you to the number on the back of your card or in their app.

3. The IRS / Tax Refund Scam

Typical message: "IRS Notice: A refund of $3,247.00 is pending for your account. Submit your filing info to claim: [malicious link]"

CISA and the IRS have repeatedly warned about this one. The IRS does not initiate contact via text message. Ever. These ramp up every January through April but run year-round. The landing page collects Social Security numbers, filing status, and bank routing information — everything needed for identity theft and fraudulent tax filings.

Red flags: The IRS communicates via postal mail for official notices. Any text claiming to be from the IRS is fraudulent by default. See CISA's cyber threat advisories for current alerts on tax-related smishing.

4. The CEO / Boss Impersonation (Business Smishing)

Typical message: "Hey, it's [CEO's first name]. I'm in a meeting and can't talk. Can you buy five $200 gift cards for a client event? I'll reimburse you. Text me when done."

This is social engineering at its most targeted. The attacker scrapes the CEO's name from LinkedIn or the company website and texts an employee — usually in finance or admin. I've investigated cases where employees purchased thousands of dollars in gift cards and texted photos of the redemption codes to the attacker within 30 minutes.

Red flags: Any out-of-band request for gift cards is a scam. Full stop. Legitimate executives don't ask employees to buy gift cards via personal text.

5. The Multi-Factor Authentication Code Theft

Typical message: "Your verification code is 849231. If you didn't request this, your account may be compromised. Secure your account here: [malicious link]"

This is one of the more dangerous smishing attack examples because it piggybacks on a real event. The attacker has already obtained the victim's username and password — often from a data breach — and triggers a real MFA code. They then send a smishing text that looks like an account security alert, directing the victim to a phishing page where they enter the MFA code. The attacker captures it in real time and completes the login.

Red flags: If you receive an MFA code you didn't request, someone has your password. Don't tap any links. Go directly to the service's website, change your password, and review active sessions.

6. The Toll Road / Parking Violation Text

Typical message: "State Tollway: You have an unpaid toll of $6.99. Pay now to avoid a $50 late fee: [malicious link]"

The FBI's Internet Crime Complaint Center (IC3) issued a specific public service announcement in early 2024 about a wave of toll-road smishing texts targeting drivers across multiple states. The small dollar amount is deliberate — people are more likely to just pay $6.99 than investigate. The payment page harvests full credit card details.

Red flags: Toll agencies send physical invoices. The URL in these texts never matches the actual toll authority's domain. Check the FBI IC3 site for their original PSA on this campaign.

7. The HR / Payroll Update Request

Typical message: "[Company Name] HR: Open enrollment begins Monday. Update your direct deposit and benefits info here: [malicious link]"

This targets employees during predictable business cycles — open enrollment, tax season, annual reviews. The link leads to a convincing replica of the company's HR portal. Victims enter their employee ID, SSN, and banking information. The attacker then redirects their payroll deposits.

Red flags: HR departments communicate through official channels — company email, internal portals, or in-person meetings. An SMS from an unknown number directing you to update payroll information should trigger an immediate call to your actual HR team. Training your staff to recognize this scenario is exactly what phishing awareness training for organizations is designed to do.

How to Identify a Smishing Text in Under 10 Seconds

Every smishing message relies on the same core playbook. Here's the rapid-assessment checklist I give to every organization I work with:

  • Urgency or fear: "Act now," "your account is locked," "avoid penalties." Legitimate organizations give you time.
  • Unknown sender: A short code or full phone number you haven't interacted with before.
  • Suspicious URL: The domain doesn't match the organization's real website. Look for misspellings, extra hyphens, or unusual top-level domains (.top, .xyz, .info).
  • Request for sensitive data: No legitimate company asks for SSNs, passwords, or credit card numbers via text.
  • Too-good-to-be-true offer: Unexpected refunds, prizes, or winnings are always bait.

If a text hits even one of these criteria, don't tap the link. Go directly to the organization's official app or website.
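As an added illustration of the checklist above (not code from the original post), here is a small Python triage script that applies those red flags to constructed sample texts modelled on this post's templates; the brand allowlist, risky-TLD list and keyword patterns are my assumptions and would need tuning before real use.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed sample texts modelled on the templates in this post; not real traffic.
SAMPLE_TEXTS = [
    "USPS: Your package has a delivery issue. Update your address to avoid return: https://usps-redelivery.top/track",
    "State Tollway: You have an unpaid toll of $6.99. Pay now to avoid a $50 late fee: http://tollpay-now.xyz/pay",
    "Your verification code is 849231. If you didn't request this, your account may be compromised. Secure your account here: https://secure-login.info/acct",
    "USPS: Your package is out for delivery. Track at https://tools.usps.com/go/TrackConfirmAction",
]

# Hypothetical allowlist of legitimate domains for frequently impersonated brands (extend for your org).
BRAND_DOMAINS = {"usps": "usps.com", "ups": "ups.com", "fedex": "fedex.com", "irs": "irs.gov"}
RISKY_TLDS = {"top", "xyz", "info", "icu", "club"}

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(r"act now|immediately|last attempt|locked|suspended|compromised|avoid (?:return|penalt|a \$\d+ late)", re.I)
SENSITIVE_RE = re.compile(r"ssn|social security|password|verification code|direct deposit|routing|credit card", re.I)


def host_matches(host: str, domain: str) -> bool:
    """True only for the registrable domain itself or a real subdomain of it (usps.com, tools.usps.com)."""
    return host == domain or host.endswith("." + domain)


def smishing_flags(text: str) -> list[str]:
    """Apply the checklist and return the red flags that fired; an empty list means nothing looked suspicious."""
    flags: list[str] = []
    lowered = text.lower()
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        tld = host.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            flags.append(f"risky tld: .{tld}")
        for brand, domain in BRAND_DOMAINS.items():
            # Brand named in the text (or embedded in the host) while the link goes elsewhere: lookalike domain.
            if (re.search(rf"\b{brand}\b", lowered) or brand in host) and not host_matches(host, domain):
                flags.append(f"brand mismatch: {brand} -> {host}")
    if URGENCY_RE.search(text):
        flags.append("urgency")
    if SENSITIVE_RE.search(text):
        flags.append("asks for sensitive data")
    return flags


def triage(texts: list[str]) -> dict[str, list[str]]:
    """Map each text to its flags; one flag is enough to tell the recipient not to tap the link."""
    return {t: smishing_flags(t) for t in texts}


if __name__ == "__main__":
    for text, flags in triage(SAMPLE_TEXTS).items():
        print("SUSPICIOUS" if flags else "ok        ", flags, "|", text[:60])
```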

What Happens After You Tap: The Smishing Kill Chain

Understanding the attacker's workflow makes the threat concrete for your employees. Here's the typical sequence:

Step 1: Delivery. The attacker sends bulk SMS messages using spoofed numbers or compromised messaging platforms. Tools to do this cost almost nothing on underground markets.

Step 2: The click. The victim taps the link. On mobile, the browser opens full-screen with no visible URL bar in many cases — perfect for hiding a fake domain.

Step 3: Credential harvesting. The phishing page collects whatever the attacker needs: login credentials, payment card data, MFA codes, or personal identifiers.

Step 4: Exploitation. Within minutes, the attacker uses stolen credentials to access accounts, initiate wire transfers, deploy ransomware, or sell the data on dark web markets.

Step 5: Persistence. Sophisticated actors install mobile malware via the same link, giving them ongoing access to the device's contacts, texts, and authentication apps.

The entire chain — from text received to account compromised — often takes under five minutes. That's why prevention through training matters more than detection after the fact.

The $4.88M Lesson: Why Smishing Training Isn't Optional

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a breach at $4.88 million. Phishing — including smishing — was the most common initial attack vector. For small and mid-size businesses, a single successful smishing attack can mean regulatory fines, customer notification costs, legal fees, and reputational damage that outlasts the incident itself.

The fix isn't expensive technology. It's training. Employees who have seen realistic smishing examples in a controlled environment are dramatically less likely to fall for them in the wild. Phishing simulation programs that include SMS-based scenarios close the gap that email-only training leaves wide open.

If your organization hasn't run a smishing simulation yet, start with a structured program. The phishing awareness training at phishing.computersecurity.us includes SMS-specific scenarios alongside email and voice phishing modules.

5 Organizational Defenses Against Smishing Attacks

Training is the foundation, but you need layers. Here's what I recommend to every client:

1. Deploy Mobile Device Management (MDM)

MDM solutions let you enforce security policies on employee devices — restrict app installations, flag malicious URLs, and remotely wipe compromised devices. If your employees access company data on their phones, MDM isn't optional.

2. Implement Phishing-Resistant MFA

SMS-based MFA codes are exactly what smishing attacks target. Move to FIDO2 security keys or authenticator apps with push-based approval. NIST's Digital Identity Guidelines (SP 800-63B) have explicitly flagged SMS as a less secure MFA channel since 2017. See NIST SP 800-63B for the full guidance.

3. Establish a Reporting Channel

Give employees a dead-simple way to report suspicious texts — a dedicated Slack channel, an email alias like [email protected], or a button in your MDM app. Every reported smishing attempt is intelligence you can use to warn the rest of the organization.

4. Adopt Zero Trust Principles

Zero trust means no device or user is trusted by default, even inside your network. When an attacker steals credentials via smishing, zero trust architecture limits what they can access through continuous verification, least-privilege access, and micro-segmentation.

5. Run Ongoing Security Awareness Training

One-time training doesn't work. Threat actors constantly evolve their templates. Your training needs to keep pace with quarterly simulations and updated content. A comprehensive cybersecurity awareness training program keeps smishing, email phishing, vishing, and social engineering tactics current in your team's memory.

Frequently Asked: How Do I Report a Smishing Text?

Forward the suspicious text to 7726 (which spells SPAM on most phone keypads). This reports it to your mobile carrier. You can also report it to the FTC at ReportFraud.ftc.gov and to the FBI's IC3 at ic3.gov. If the text impersonates a specific company, report it to that company's official abuse or security team as well. Then delete the message — don't tap the link, don't reply, and don't call any number included in the text.

Your Employees Are Your Last Line of Defense

Every one of these smishing attack examples bypasses firewalls, endpoint detection, and email filters entirely. They land directly in your employees' pockets. The only control that matters at that point is whether that employee recognizes the attack for what it is.

I've seen organizations with million-dollar security stacks get breached by a $0 text message. The difference between the companies that fall for it and the ones that don't is always the same: training. Consistent, realistic, scenario-based training that puts smishing front and center — not buried as an afterthought in an annual compliance deck.

Start building that muscle memory today. Your next smishing text is already queued.