The Text Message That Cost One Company $15 Million
In 2022, threat actors hit Twilio with an SMS-based social engineering attack that compromised employee credentials and exposed data for over 160 customers. The attack didn't involve a sophisticated zero-day exploit. It started with a text message pretending to be from IT, telling employees their passwords had expired. That's it. A text message.
Smishing — SMS phishing — has exploded because it works. The FBI's Internet Crime Complaint Center (IC3) has tracked a massive surge in phishing and smishing complaints, with losses running into hundreds of millions annually. If you're searching for smishing attack examples, you're already ahead of most people. Understanding what these attacks actually look like is the fastest way to stop them.
I've spent years training organizations to recognize these threats, and I can tell you: the texts are getting disturbingly good. Let me walk you through the real-world examples your employees need to see.
What Is a Smishing Attack, Exactly?
A smishing attack is a phishing attack delivered via SMS or text message instead of email. The threat actor sends a message designed to create urgency, fear, or curiosity — then directs you to a malicious link or tricks you into calling a spoofed number. The goal is almost always credential theft, financial fraud, or malware installation.
According to the Cybersecurity and Infrastructure Security Agency (CISA), smishing is a growing subset of social engineering that exploits the trust people place in their mobile devices. We're conditioned to respond quickly to texts. Attackers know this.
6 Real Smishing Attack Examples You Need to Recognize
1. The Package Delivery Scam
"USPS: Your package could not be delivered. Update your address here: [malicious link]"
This is the most common smishing attack example in circulation. The link leads to a fake USPS, FedEx, or UPS page that harvests your name, address, and credit card number. During the 2023 holiday season, the U.S. Postal Inspection Service issued multiple warnings about these texts flooding phones nationwide.
2. The Bank Fraud Alert
"[Bank Name] ALERT: Unusual activity detected on your account. Verify your identity immediately: [malicious link]"
I've seen this one fool people who actually bank with the institution being spoofed. The timing is random, but when it hits the right person, they panic and tap. The link loads a pixel-perfect replica of their bank's login page. Once they enter credentials, the attacker has everything they need to drain accounts.
3. The IRS/Tax Refund Lure
"IRS Notice: You have a pending tax refund of $1,384.00. Claim now before it expires: [malicious link]"
The IRS has stated repeatedly that it does not initiate contact via text message. Yet every tax season, this smishing attack example catches thousands of victims. The FTC has documented phishing and smishing as a consistently top fraud category. The fake page typically asks for Social Security numbers, bank routing numbers, and personal details.
4. The Corporate IT Password Reset
"[Company] IT: Your VPN credentials expire today. Reset now to maintain access: [malicious link]"
This is the exact type of message used in the Twilio breach. It targets employees specifically and often includes the company name, making it feel legitimate. If your organization doesn't have multi-factor authentication in place, a single compromised credential can give an attacker access to your entire network. This is where zero trust architecture becomes critical — never trust, always verify, regardless of the source.
5. The CEO or Boss Impersonation
"Hey, it's [CEO name]. I'm in a meeting and can't talk. I need you to buy $500 in gift cards for a client. I'll reimburse you. Text me when done."
This smishing variant blends with business email compromise (BEC) tactics. The attacker spoofs or uses a burner number and adds the executive's name for credibility. The FBI IC3's 2023 Internet Crime Report documented over $2.9 billion in losses from BEC schemes, many of which started with a simple text or message.
6. The Multi-Factor Authentication Bypass
"Your verification code is 847291. If you did not request this, reply STOP to secure your account."
This is an advanced smishing attack example that's on the rise. The attacker is actively trying to log into your account in real time and needs your MFA code. They send you a fake "security" text hoping you'll reply with the code or tap a link that captures it. Some variants use voice phishing (vishing) in parallel — calling you moments later pretending to be your bank's fraud department and asking you to "read back the code for verification."
Why Smishing Works Better Than Email Phishing
Text messages have a 98% open rate. Emails hover around 20%. That alone tells you why threat actors are pivoting hard to SMS.
But there's more. On a phone screen, you can't easily hover over a link to inspect it. URLs get shortened. Sender IDs can be spoofed trivially. And people treat texts as more personal and trustworthy than email — they're used to getting legitimate alerts from banks, shipping companies, and employers via SMS.
In my experience, most security awareness programs focus almost exclusively on email phishing. That leaves a massive blind spot. If your organization's training doesn't include smishing scenarios, you're defending yesterday's battlefield.
How to Spot a Smishing Attack Before You Tap
Here's a quick-reference checklist I give every organization I train:
- Unexpected urgency. "Act now," "expires today," "immediate action required" — legitimate companies rarely force split-second decisions via text.
- Unfamiliar or shortened links. If you can't see the full domain, don't tap it. Go directly to the company's website or app instead.
- Requests for credentials, codes, or personal data. No legitimate organization will ask for your password, SSN, or MFA code via text.
- Generic greetings. "Dear Customer" or no name at all. Your bank knows your name.
- Mismatched sender numbers. A "bank alert" from a 10-digit personal number is a dead giveaway.
When in doubt, don't reply. Don't tap the link. Contact the organization directly using a number you find on their official website or on the back of your card.
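As an added illustration of that checklist (not part of the original post), here is a small Python triage script that applies the five indicators to constructed sample texts modelled on the examples above. The phrase lists, the `.example` domains and the sender numbers are placeholders I chose for the demo, not real data.

```python
import re

# Illustrative phrase lists for the five checklist indicators (constructed, not exhaustive).
URGENCY = ("act now", "expires today", "immediate action", "immediately",
           "before it expires", "could not be delivered", "unusual activity")
DATA_REQUESTS = ("password", "verify your identity", "social security",
                 "routing number", "gift card", "read back the code")
GENERIC_GREETINGS = ("dear customer", "dear user", "valued customer")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BRAND_RE = re.compile(r"\b(usps|fedex|ups|irs|bank|alert|notice)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
LONGCODE_RE = re.compile(r"^\+?1?\d{10}$")   # ordinary 10-digit subscriber number

def score_sms(sender, text, allowed_domains=frozenset()):
    """Return the checklist indicators a message trips; an empty list means none."""
    lower = text.lower()
    hits = []
    if any(p in lower for p in URGENCY):
        hits.append("urgency")
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENERS:
            hits.append("shortened link")
        elif host.lower() not in allowed_domains:
            hits.append("unfamiliar link")
    if any(p in lower for p in DATA_REQUESTS):
        hits.append("asks for credentials/codes/data")
    if any(g in lower for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    # A brand/alert claim sent from a plain 10-digit number rather than a carrier short code
    if BRAND_RE.search(text) and LONGCODE_RE.match(sender.replace("-", "")):
        hits.append("brand claim from personal number")
    return hits

# Constructed samples modelled on the examples above; numbers and domains are placeholders.
SAMPLES = [
    ("+15550101234", "USPS: Your package could not be delivered. Update your address here: "
                     "http://usps-redelivery.example/track"),
    ("+15550102222", "FirstBank ALERT: Unusual activity detected on your account. "
                     "Verify your identity immediately: https://bit.ly/3xAmPl3"),
    ("+15550109876", "Hey, it's Dana. I'm in a meeting and can't talk. I need you to buy "
                     "$500 in gift cards for a client. I'll reimburse you. Text me when done."),
    ("28466", "FirstBank: Your statement is ready. View it in the app or at "
              "https://www.firstbank.example"),
]
KNOWN_DOMAINS = frozenset({"www.firstbank.example"})   # domains the user already trusts

if __name__ == "__main__":
    for sender, text in SAMPLES:
        hits = score_sms(sender, text, KNOWN_DOMAINS)
        print(f"{sender:>13}  {'SUSPICIOUS' if hits else 'ok':<10} {hits}")
```

The last sample (a short-code sender, a known domain, no urgency or data request) passes clean, which is the point: the indicators work in combination, and a message tripping none of them is one you can check calmly through the official app instead.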
The Training Gap That Lets Smishing Through
The Verizon 2024 Data Breach Investigations Report found that 68% of confirmed breaches involved a human element — phishing, social engineering, stolen credentials, or simple mistakes. Smishing is a direct attack on that human element, and most employees have never been trained to handle it.
Running phishing simulations via email is standard practice at this point. But how many organizations run smishing simulations? Almost none. That's a problem.
If you're looking to close this gap, I'd recommend starting with a structured phishing awareness training program for organizations that includes SMS-based scenarios alongside traditional email phishing tests. You can also build a foundational understanding across your team with our cybersecurity awareness training course that covers social engineering, credential theft, and ransomware prevention.
What to Do If You've Already Tapped the Link
Speed matters. Here's the immediate response protocol:
- Disconnect from the internet. Turn on airplane mode to prevent data exfiltration or further communication with the attacker's server.
- Change your passwords. Start with the account that was targeted. Use a different device if possible.
- Enable or re-verify MFA. If the attacker compromised your credentials, MFA may be your last line of defense.
- Scan your device. Run a reputable mobile security scan to check for malware.
- Report the message. Forward smishing texts to 7726 (SPAM) and report to the FTC at ReportFraud.ftc.gov.
- Notify your IT/security team. If this was a corporate-targeted attack, your security operations center needs to know immediately.
Smishing Isn't Going Away — Your Defenses Need to Evolve
Every smishing attack example I've shared above is actively in use right now. Variants evolve weekly. Threat actors use AI to generate more convincing messages, automate sending at scale, and personalize texts using data from previous breaches.
Your technical controls — spam filters, mobile device management, zero trust policies — are essential. But they'll never catch everything. The last line of defense is always the person holding the phone.
Train your people. Test them with realistic simulations. Show them real smishing attack examples so they recognize the patterns before they become the next data breach statistic. That's not just good advice — it's the difference between a deleted text and a compromised organization.