How Smishing Attacks Work: a true story

How Smishing Attacks Work - a true story

 “Your account has been suspended. Log in here to reactivate.” “We couldn’t deliver your parcel, click here to redeliver.” “Congratulations! You won the new iPhone 15. Follow the link to claim!"
 I would never fall for these tricks... Except I did.

Here I am, freezing my bank card in panic and Googling whether a hacker can gain access to my phone through a phone call, as they have just called me pretending to be my bank to check why their payment didn’t go through. 

I am a cyber analyst. My full-time job is to scour the web, both open and dark, for stolen credentials. Occasionally, I write a small article or two about the variety of tools bad actors use to access our personal data, ranging from ransomware attacks on large corporations that yield payments of up to $40 million to smaller, yet no less damaging, scams, including smishing, also known as SMS phishing, that target randomly selected victims. I have more than a surface-level knowledge on specific bad actor groups, individual cybercriminals and what hacking tools they favour when they conduct they daily activities. Five years in cybersecurity made me more aware (if not slightly paranoid) of what an individual armed with a computer and bad intent is capable of.

How the scam worked

Yet, as it happens, a small slip of vigilance and an unfortunate alignment of events is all that is needed for even the most attentive and anxious of us to fall victim to a common scam. I was expecting some parcels to be delivered by a widely used major parcel delivery and courier service. One of them included a relatively expensive large item that I did not want to miss or get lost. Therefore, when a text message claiming to be from said company arrived stating that I need to re-book my missed delivery, I did not for a second think that it might be anything but a helpful message designed to make my life easier. Without a single doubt, I clicked the link included in the SMS and filled out an official-looking form that requested all my information, including full name, address, phone number and card details.

Like anyone, I have missed deliveries before and had to arrange redeliveries or pickups from local collection points. Never before have I been asked for so many personal details in order to do so and it did strike me as odd; however, I was keen to receive the item I ordered and the request for a small payment of £0.79 for redelivery seemed more than reasonable (especially considering we are in a cost of living crisis with prices are going up daily). £0.79 is not a lot of money, I can afford that. I am just going to be ever so slightly annoyed at the company for adding yet another charge to their services. Click and send. Your parcel will be with you in the next 2-3 days.

Simple tricks to steal your data

I wish there was an intricate story of my realization that would fully rehabilitate my actions, however the understanding that something was wrong with the form I filled out came hours later and was not inspired by any professional insights. The first course of action was to panic. The second was to double check that the message was indeed a scam. As the delivery company used tends to update its customers via email, I checked whether there had been any communication regarding missed deliveries. As there was nothing, I then also checked the tracking number provided by the seller of the item I was expecting. This stated that it was not even out for delivery yet. Finally, I checked whether the carrier started charging for redeliveries, in case I had missed an update. This led me to the company’s official webpage flagging this type of messages as a scam and outlining how to recognize, as well as report, malicious messages or calls.

Once confirmed that I had indeed fallen victim to a smishing scam, reporting my card as compromised to my bank and ordering a new one was a priority. Luckily, most banks make this easy by adding an option in their official apps. A user is able to temporarily freeze their card, report it as stolen or compromised, as well as order a new one within minutes. Another feature I have discovered only after receiving a phone call from my attackers was that, in case of a phone call from an individual claiming to be representing the bank, some banks give you an option to ask them to use an app ID that sends a secure notification to your banking app. This notification will let you see the name of the person you are speaking to (as well as letting them confirm they are speaking to the account holder). It is useful to familiarize yourself with what options your bank provides in order to keep you safe, as this will give you the upper hand in case scammers attempt to contact you via a phone call.

Luckily for me, my error of judgement only caused me some minor inconvenience and anxiety. In the worst-case scenarios bad actors can use stolen data to purchase goods or gift cards from online retailers, set up payments, or make money by selling the details on the Dark Web marketplaces or dedicated forums. Acting fast and knowing the right steps to follow was imperative to rectifying my mistake without too much damage. 

Lessons learned

In case you fall victim to a smishing scam, here are the lessons I learned:

  • Be quick. The sooner you start taking action, the less time bad actors have to use your data.
  • Alert your bank. Freeze your current account and order a new card.
  • Although not vital, move your funds to another bank account if you have one (but never move them to an account that is not your own because a 'bank representative' tells you to, this is another common scam)
  • Change your passwords if you have provided any login credentials.
  • Alert the impersonated company of the scam so they can take necessary action.

The best tip, however, is to always be vigilant when it comes to any type of communications, even if they appear legitimate! Hackers are getting ever better at impersonating well-known and widely used companies. The signs to look out for are:

  • The sender’s phone number. Nowadays, most companies include their company name as a contact name automatically when sending messages. Additionally, it is always worth looking up the phone number that a suspicious message came from as it might have been reported as scam by other potential victims.
  • The sender’s email address (in case of an email phishing attempt). Malicious email addresses tend to include misspelled or stylized versions of the company they impersonate. Oftentimes, email addresses are entirely unrelated to the impersonated company.
  • Poor language and grammatical errors. Most companies spellcheck their messages before sending them.
  • Links within messages. If it is a legitimate communication, you will be able to access suggested services via an official app or website. It is always safer not to click the link.


The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

A Guide on Text Message Scams | White Blue Ocean
A Guide on Text Message Scams

Text message scams are a dangerous form of attack that is used against individuals and businesses alike, and are becoming increasingly common, with bad actors using a variety of tactics to trick people into giving away their personal and financial information. These scams can take many different forms and can be difficult to detect and prevent.

Read more
QR Code Scam
QR Code Scams - The New Way Cybercriminals are Targeting Victims

Cybercriminals have taken advantage of this newly popular technology by replacing trustworthy QR codes with malicious ones that infect devices or divert users to a phishing website that appear legitimate to entice users into handing over personal information.

Read more
SIAE Data Breach

News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.

Read more
Why phishing emails contain errors?

You have probably noticed that all the phishing mails are poorly written and some details may let us think they are somewhat unprofessional. Find out why.

Read more
Twitter data breach: exposed the data of 5.4 million accounts | White Blue Ocean
Twitter data breach: exposed the data of 5.4 million accounts

In late July 2022, Twitter confirmed that it had suffered a data breach, after a threat actor appeared in a popular underground forum selling the data of 5.4 million Twitter users. Read more

Read more
How Bad Actors Begin

There is a clear path of progression for a bad actor to go from unknown and uninvolved, to standing shoulder to shoulder with the internet's most sophisticated criminals. In this article we attempt to answer the question of how bad actors are made.

Read more
ShinyHunters, one of the most recognised threat actors among the hacking community

Over the past year, ShinyHunters has become one of the most recognised threat actors among the hacking community, by carrying out sophisticated cyberattacks on over 40 online services across the world, and by selling the stolen information for profit.

Read more
Creeper: the first computer virus

The idea of a computer virus was first theorised by the mathematician John von Neumann in 1949, when he envisioned the possibility that a “mechanical organism”, such as a program, could reproduce itself and infect multiple hosts. The title of the first computer virus in history is attributed to a program called Creeper, created by Bob Thomas from BBN Technologies in 1971.

Read more


Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!