A Single Text Message Cost One Company $15 Million
In 2022, Twilio disclosed that attackers used SMS phishing — smishing — to trick employees into surrendering their credentials. The threat actors sent text messages impersonating the company's IT department, directing staff to a fake login page. That single campaign compromised over 130 organizations connected to Twilio's ecosystem. If you think smishing only targets grandparents clicking on fake bank alerts, think again.
I've investigated dozens of incidents where a text message was the initial attack vector. These aren't sloppy scams with obvious typos anymore. Today's smishing attack examples look indistinguishable from real alerts sent by banks, delivery services, and even your own employer's IT team. And they're surging — the FBI's IC3 received a record number of phishing and smishing complaints, with losses exceeding $18.7 billion in 2024 alone according to the FBI IC3 2024 Annual Report.
This post breaks down real smishing attack examples, explains the mechanics behind each one, and gives you concrete steps to protect yourself and your organization.
What Is a Smishing Attack, Exactly?
Smishing is phishing delivered via SMS or text message instead of email. The attacker sends a message designed to create urgency — a package delivery problem, a suspicious login, an unpaid toll — and includes a malicious link or phone number. The goal is always the same: steal credentials, install malware, or trick you into sending money.
What makes smishing especially dangerous is trust. People are conditioned to trust text messages more than emails. Research from Gartner shows SMS open rates hover around 98%, compared to roughly 20% for email. Threat actors know this, and they exploit it ruthlessly.
7 Real Smishing Attack Examples You Need to Recognize
1. The Fake Delivery Notification
This is the most common smishing template in circulation. You receive a text claiming to be from USPS, FedEx, or UPS: "Your package cannot be delivered. Update your address here: [malicious link]." The link leads to a credential harvesting page that mimics the real carrier's website.
The U.S. Postal Inspection Service has issued repeated warnings about this exact scheme. During peak holiday seasons, these messages spike dramatically. I've seen corporate employees click these links on company phones, exposing enterprise credentials stored in mobile browsers.
2. The Bank Fraud Alert
"ALERT: Unusual activity detected on your account ending in 4829. Call 1-800-XXX-XXXX immediately or your account will be locked." The phone number connects to a threat actor posing as a bank representative who walks you through "verification" — which means handing over your full account number, PIN, and social security number.
This social engineering technique is devastatingly effective because it combines two psychological triggers: fear and urgency. Wells Fargo, Bank of America, and Chase have all published customer advisories specifically about these smishing campaigns.
3. The Toll Road Scam
Starting in late 2024 and accelerating into 2026, a massive smishing campaign has impersonated toll services like E-ZPass and SunPass. The texts claim you owe a small unpaid toll — usually $3 to $12 — and direct you to a phishing site to pay. CISA and the FBI both issued public advisories about this campaign. The small dollar amount is intentional — people pay it without thinking, and the attackers capture their credit card details.
I've personally received three of these in the past six months. The landing pages are nearly pixel-perfect replicas of real toll authority websites.
4. The MFA Verification Code Trick
This is the smishing attack that keeps security professionals up at night. An attacker initiates a login to your account, triggering a real multi-factor authentication code sent to your phone. Then they text you (or call you) posing as the service's security team: "We detected a suspicious login attempt. Please share the verification code we just sent to confirm your identity."
If you share that code, you've just handed them the keys. This technique was central to the Twilio breach and the broader Scatter Swine/0ktapus campaign that compromised companies across the tech industry.
5. The CEO or Boss Impersonation
"Hey, this is [CEO name]. I'm in a meeting and can't talk. Can you buy five $200 gift cards for a client event and text me the codes? Will reimburse you today." This business smishing variant is a form of business email compromise (BEC) adapted for SMS. The Federal Trade Commission has documented this gift card scam pattern extensively at FTC.gov.
These attacks target employees who have their leadership team's names publicly visible on LinkedIn or the company website. The threat actor doesn't need to hack anything — just a phone number and a name.
6. The Tax Refund or Government Impersonation
"IRS Notice: Your tax refund of $3,247.00 has been approved. Submit your direct deposit information to receive funds: [link]." The IRS has stated repeatedly that they do not initiate contact via text message. Yet these smishing campaigns surge every year from January through April, and the credential theft they enable leads to full identity fraud.
7. The Job Offer Scam
With remote work normalized, smishing messages offering high-paying work-from-home jobs have exploded. "Amazon is hiring remote workers — $45/hr, no experience needed. Apply here." The link leads to a form that collects your Social Security number, bank routing information, and a copy of your driver's license — everything needed for identity theft.
Why Smishing Works Better Than Email Phishing
I get asked this constantly: if people know about phishing, why does smishing still work? Three reasons.
First, mobile screens hide context. On a desktop, you can hover over a link and see the full URL. On a phone, the link is shortened or truncated. You can't easily inspect where it leads before tapping.
Second, SMS bypasses corporate email filters. Your organization may have invested in sophisticated email security, but personal text messages hit devices that sit inside your network perimeter. There's no spam filter catching these before your employees see them.
Third, speed and proximity. Texts feel personal and immediate. When a message says your bank account is compromised, the instinct is to act first and think later. That two-second window of panic is all a threat actor needs.
How to Identify a Smishing Message in 30 Seconds
This section answers the question security-aware users ask most: "How can I tell if a text message is a smishing attack?"
- Check the sender. Legitimate companies send from short codes or verified numbers, not random 10-digit phone numbers or email-to-SMS gateway addresses.
- Inspect the link without clicking. Long-press (don't tap) any link to preview the URL. If the domain doesn't match the company's actual website, it's malicious.
- Look for urgency language. "Act now," "your account will be locked," "immediate action required" — these are pressure tactics, not how real organizations communicate.
- Verify independently. If a text claims to be from your bank, open your banking app directly or call the number on the back of your card. Never use the number or link in the text.
- Watch for small financial requests. The toll scam and similar schemes use tiny amounts because victims perceive low risk. The real goal is capturing your payment details.
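The checklist above can be turned into a first-pass triage filter for reported texts. This is an added example, not code from the original post: it scores a message on sender format, urgency wording, a request to hand over a verification code (the MFA trick in example 4), a link host that does not belong to the brand the text names, and a small payment request. BRAND_DOMAINS and the keyword lists are constructed illustrative sets, and the sample messages are constructed, not real traffic.

```python
import re
from urllib.parse import urlparse

# Domains the named brands really send from (constructed subset; use your own inventory).
BRAND_DOMAINS = {"usps": "usps.com", "fedex": "fedex.com", "ups": "ups.com", "irs": "irs.gov"}
URGENCY = re.compile(r"\b(act now|immediately|will be locked|suspended|final notice|within 24 hours|late fee)\b", re.I)
CODE_REQUEST = re.compile(r"\b(share|send|reply with|read back)\b.{0,40}\b(code|otp|passcode)\b", re.I)
AMOUNT = re.compile(r"\$\s?(\d+(?:\.\d{2})?)")
URL = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def sender_is_suspicious(sender: str) -> bool:
    # Short codes are 5-6 digits; a full phone number or an email-to-SMS address is a flag.
    if "@" in sender:
        return True
    return len(re.sub(r"\D", "", sender)) >= 10

def score_sms(sender: str, body: str):
    # Returns (score, reasons); each reason maps to one item of the checklist.
    reasons = []
    if sender_is_suspicious(sender):
        reasons.append("sender is not a short code")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if CODE_REQUEST.search(body):
        reasons.append("asks you to hand over a verification code")
    for m in URL.finditer(body):
        url = m.group(0).rstrip(".,;)")
        host = urlparse(url if url.startswith("http") else "http://" + url).hostname or ""
        for brand, legit in BRAND_DOMAINS.items():
            claimed = re.search(rf"\b{re.escape(brand)}\b", body, re.I)
            if claimed and not (host == legit or host.endswith("." + legit)):
                reasons.append(f"link host {host} is not {legit}")
    amt = AMOUNT.search(body)
    if amt and float(amt.group(1)) <= 15:
        reasons.append("small payment request")
    return len(reasons), reasons

# Constructed sample messages modelled on the examples above (not real traffic).
SAMPLES = [
    ("+1 415 555 0142", "USPS: Your package cannot be delivered. Update your address immediately: http://usps-redelivery.example/track"),
    ("+1 628 555 0199", "E-ZPass: unpaid toll of $4.15 on 03/02. Pay today to avoid a late fee: https://ezpass-toll.example/pay"),
    ("+1 212 555 0177", "Security team: we detected a suspicious login. Please reply with the verification code we just sent."),
    ("28777", "Your package from USPS will arrive today. Track it at https://www.usps.com/track"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, score_sms(sender, body))
```

A score of zero does not prove a text is safe; the filter exists to prioritise what a human reviews, and the keyword lists need tuning to the brands your staff actually receive messages from.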
What Organizations Should Do Right Now
Train for SMS-Based Social Engineering, Not Just Email
Most security awareness programs focus almost entirely on email phishing. That's a blind spot. Your employees carry company credentials on their personal phones. A smishing attack on a personal device can compromise your corporate network in minutes.
Enroll your team in phishing awareness training that covers smishing and social engineering tactics. Simulations that include SMS-based scenarios build recognition skills your staff actually needs in 2026.
Implement Zero Trust Principles
Stop assuming any device or user is trustworthy by default. A zero trust architecture limits the blast radius when a smishing attack succeeds. If an employee's credentials are stolen, network segmentation and continuous verification prevent the attacker from moving laterally.
Enforce Phishing-Resistant MFA
Traditional SMS-based MFA codes are the exact thing smishing attackers target. Move to FIDO2 security keys or passkeys wherever possible. These methods can't be intercepted or shared through a social engineering call. NIST's Digital Identity Guidelines (NIST SP 800-63-4) provide detailed implementation guidance.
Build a Reporting Culture
Make it easy and safe for employees to report suspicious texts. If someone clicks a smishing link, the worst outcome isn't the click — it's that they stay silent because they're embarrassed. You need a reporting mechanism that triggers immediate credential resets and device scans. Comprehensive cybersecurity awareness training should normalize reporting as a core security behavior, not a sign of failure.
Monitor for Brand Impersonation
If you run a business with customers, attackers are impersonating you via smishing right now. Use domain monitoring services to detect typosquatted domains used in SMS campaigns. Alert your customers proactively when campaigns are active.
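A minimal lookalike-domain check of the kind a brand-monitoring feed performs, written as an added example (not code from the original post or from any monitoring product). BRANDS and CONFUSABLES are constructed illustrative sets; the input would be domains extracted from reported smishing texts or from a new-registration feed.

```python
from typing import Optional

# Brand domains you own and want to protect (constructed example set).
BRANDS = {"usps.com", "ups.com"}
# Character substitutions often seen in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "rn": "m", "vv": "w"}

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance via the classic row-by-row DP.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_label(domain: str) -> str:
    # Second-level label of a domain (crude: no public-suffix handling).
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    # Undo the confusable substitutions so "u5ps" compares as "usps".
    for look, real in CONFUSABLES.items():
        label = label.replace(look, real)
    return label

def classify_domain(candidate: str) -> Optional[str]:
    # Returns a reason if `candidate` looks like an impersonation of a protected brand, else None.
    label = brand_label(candidate)
    legit = sorted(brand_label(b) for b in BRANDS)
    if label in legit:
        return None  # exact brand label: the real domain or one of its subdomains
    norm = normalize(label)
    for b in legit:            # strongest signal first: brand name embedded in the label
        if b in label:
            return f"contains brand label '{b}'"
    for b in legit:            # then digit/letter swaps
        if norm == b:
            return f"confusable spelling of '{b}'"
    for b in legit:            # then single-character typos
        if edit_distance(norm, b) == 1:
            return f"one edit away from '{b}'"
    return None

if __name__ == "__main__":
    for d in ["usps-redelivery.example", "u5ps.com", "uspz.com", "tracking.ups.com", "unrelated.example"]:
        print(d, "->", classify_domain(d))
```

Substring matching on short labels such as "ups" will also flag unrelated words that contain them, so per-brand allowlists are needed before any finding turns into a customer alert.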
The Smishing Threat Isn't Slowing Down
The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Smishing exploits that human element on the most personal device your employees carry. As ransomware groups increasingly use initial access brokers who specialize in credential theft via smishing, the link between a single malicious text and a full-scale data breach has never been more direct.
I've watched organizations invest six figures in endpoint detection and network monitoring while completely ignoring the SMS vector. That's like installing a vault door on your office while leaving the parking garage elevator unlocked.
Every one of the smishing attack examples above succeeded because someone wasn't trained to recognize it. That's fixable. But it requires treating mobile phishing with the same seriousness you give email threats, deploying phishing simulations that reflect real-world SMS tactics, and building a security culture where every employee understands they're a target — not just the IT team.
The next smishing text is already queued up in a threat actor's bulk messaging platform. The only variable is whether your people recognize it or fall for it.