Smishing Attacks — "The Package That Never Shipped"
A fraud analyst's guide to SMS-based social engineering and OTP bot attacks that bypass 2FA
The Story: When Delivery Anxiety Becomes Data Loss
Sunday 15:12 PST, Seattle. Student Lena Davis gets an SMS: "USPS: Parcel #9045881 on hold. Pay $1.95 redelivery fee ➜ usps-parcel-verify.com". She pays; a robo-call then asks her to read back her bank OTP. Five minutes later, $2,400 in electronics ship to a reshipper.
Timeline (Evidence + Failures)
Phase | Time | Channel | Lena's Action | Attacker Goal | Control Failure / Evidence |
---|---|---|---|---|---|
Contact | 15:12 | SMS | Clicks link | Steal card + phone | New short code spoof "USPS" |
Exploit | 15:13 | Web | Enters PAN + address | Capture PAN + PII | Domain 24 h old w/ "usps" |
Exploit | 15:14 | Voice bot | Reads 6‑digit OTP | Beat 3‑DS OTP | VoIP bot captures code |
Cash‑out | 15:16 | Store | Uses OTP, buys $2.4 k | CNP fraud | Ship to reshipper |
Diagram: SMS + OTP Bot
Core Concepts (Plain English)
Term | Meaning | Analogy |
---|---|---|
Smishing | Phishing via SMS. | Fake delivery text. |
OTP bot | Robo‑call/SMS stealing codes. | Automated con artist. |
3‑D Secure | Card OTP step online. | Extra checkout PIN. |
A2P shortcode | 5‑6‑digit bulk SMS number. | Company text gateway. |
Reshipper | Address forwarding stolen goods. | Drop box for crooks. |
Beginner Definitions
Term | Simple Definition | Why It Matters |
---|---|---|
SMS gateway | Service that sends bulk text messages. | Smishers rent these for campaigns. |
Spoofed sender | Fake "from" name on texts. | Makes SMS appear from USPS/FedEx. |
Card-not-present | Online purchase without physical card. | Higher fraud risk than in-person. |
Why OTP Bots Beat SMS 2FA
- The OTP is still delivered to the victim's own phone, so the bank sees the expected device.
- A robotic voice claiming to be "fraud verification" pressures the victim into reading the code out.
- The bot relays the code in under 5 seconds, well inside the OTP expiry window.
- Turnkey OTP bots are sold openly on Telegram marketplaces.
Technical Deep Dive: OTP Bot Mechanics
- Setup phase: Attacker registers smishing domain (usps-parcel-verify.com)
- SMS blast: Sends delivery fee messages to thousands of phone numbers
- Data harvest: Victim enters card details + phone number on fake site
- Real-time abuse: Bot immediately uses card for high-value purchases
- 3-D Secure trigger: Merchant bank sends OTP to victim's phone
- Social engineering call: Bot calls victim claiming "fraud verification"
- OTP theft: Victim reads 6-digit code to "bank representative"
- Transaction completion: Bot submits OTP, purchase approved
Technical artifacts to hunt (example Splunk SPL; the index, source and message field names depend on how your SMS gateway logs are ingested):
index=sms source="shortcode" message="USPS*redelivery*" | bin _time span=1h | stats count by _time
Look for burst SMS patterns (many near-identical courier-themed messages from one sender in a short window) and new domain registrations containing courier keywords.
Signals (What to Look For)
Source | Indicator |
---|---|
SMS GW | Burst parcel‑fee smish from new short code. |
Domain intel | Reg age <48 h + "usps" keyword. |
Telephony | Robo‑calls <10 s to OTP victims. |
Card net | 3‑DS approval then high‑risk spend. |
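The four indicators in the Signals table, and the analyst takeaway of correlating the smish ➜ robo-call ➜ CNP spend chain, can be expressed as simple rules over gateway, domain-intel, telephony and card events. The following is an added example, not code from the original page or any vendor tool; all phone numbers, short codes, timestamps, domains and the allowlist of known short codes are constructed for the example, and the event field names are assumptions about what an SMS gateway, call-detail record and card-network feed would carry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the lures in this module use; substring matching is deliberately coarse.
COURIER_KEYWORDS = ("usps", "fedex", "ups", "dhl", "parcel")
# Constructed allowlist of sender IDs the gateway has seen before (hypothetical value).
KNOWN_SHORTCODES = {"28777"}


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: every number, code, timestamp and domain is made up.
SMS_EVENTS = [
    {"ts": f"2024-06-02T15:12:{i:02d}", "shortcode": "884411", "to": f"+1206555{i:04d}",
     "body": "USPS: Parcel #9045881 on hold. Pay $1.95 redelivery fee usps-parcel-verify.com"}
    for i in range(25)                      # 25 lures in one minute from an unknown sender
] + [
    {"ts": "2024-06-02T15:12:30", "shortcode": "28777", "to": "+12065559999",
     "body": "Your ride is arriving now."},  # benign traffic from a known short code
]
DOMAIN_INTEL = {                             # domain -> registration timestamp (constructed)
    "usps-parcel-verify.com": "2024-06-01T20:00:00",
    "legit-courier-example.com": "2010-01-01T00:00:00",
}
OTP_EVENTS = [{"ts": "2024-06-02T15:13:50", "to": "+12065550003", "channel": "3ds_otp"}]
CALL_EVENTS = [
    {"ts": "2024-06-02T15:14:05", "to": "+12065550003", "duration_s": 8, "source": "voip"},
    {"ts": "2024-06-02T15:20:00", "to": "+12065550007", "duration_s": 240, "source": "pstn"},
]
CARD_EVENTS = [
    {"ts": "2024-06-02T15:16:00", "phone": "+12065550003", "three_ds": "approved",
     "amount_usd": 2400.0, "merchant_risk": "high"},
    {"ts": "2024-06-02T15:30:00", "phone": "+12065550007", "three_ds": "approved",
     "amount_usd": 40.0, "merchant_risk": "low"},
]


def burst_from_new_shortcode(sms_events, known=KNOWN_SHORTCODES,
                             window=timedelta(minutes=1), threshold=20):
    """Signal 1 (SMS GW): courier-themed burst from a sender ID not on the allowlist."""
    buckets = defaultdict(list)
    for e in sms_events:
        if e["shortcode"] in known or not any(k in e["body"].lower() for k in COURIER_KEYWORDS):
            continue
        buckets[e["shortcode"]].append(parse_ts(e["ts"]))
    flagged = {}
    for code, times in buckets.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):        # sliding window over sorted send times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[code] = hi - lo + 1
                break
    return flagged


def young_courier_domain(domain, now, intel=DOMAIN_INTEL, max_age=timedelta(hours=48)):
    """Signal 2 (domain intel): registered < 48 h ago and carrying a courier keyword."""
    reg = intel.get(domain)
    if reg is None:
        return False
    return now - parse_ts(reg) < max_age and any(k in domain.lower() for k in COURIER_KEYWORDS)


def short_call_after_otp(otp_events, call_events, max_gap=timedelta(minutes=2), max_duration_s=10):
    """Signal 3 (telephony): a sub-10 s call reaches a number shortly after a 3-DS OTP was sent to it."""
    hits = []
    for otp in otp_events:
        ot = parse_ts(otp["ts"])
        for call in call_events:
            if call["to"] != otp["to"]:
                continue
            if ot <= parse_ts(call["ts"]) <= ot + max_gap and call["duration_s"] < max_duration_s:
                hits.append(otp["to"])
    return hits


def approval_then_high_risk(card_events, min_amount=1000.0):
    """Signal 4 (card net): 3-DS approval followed by a high-risk, high-value spend."""
    return [c["phone"] for c in card_events
            if c["three_ds"] == "approved" and c["merchant_risk"] == "high"
            and c["amount_usd"] >= min_amount]


def correlate_chain(sms_events, otp_events, call_events, card_events):
    """Join smish -> OTP -> robo-call -> CNP spend on the victim's phone number."""
    smished = {e["to"] for e in sms_events if any(k in e["body"].lower() for k in COURIER_KEYWORDS)}
    return sorted(smished & set(short_call_after_otp(otp_events, call_events))
                  & set(approval_then_high_risk(card_events)))


if __name__ == "__main__":
    now = parse_ts("2024-06-02T15:12:00")
    print("burst senders:", burst_from_new_shortcode(SMS_EVENTS))
    print("young courier domain:", young_courier_domain("usps-parcel-verify.com", now))
    print("short calls after OTP:", short_call_after_otp(OTP_EVENTS, CALL_EVENTS))
    print("approval then high-risk spend:", approval_then_high_risk(CARD_EVENTS))
    print("full chain victims:", correlate_chain(SMS_EVENTS, OTP_EVENTS, CALL_EVENTS, CARD_EVENTS))
```

Each rule alone produces noise (legitimate bulk senders burst, legitimate short calls happen); the value is in the join on the victim's phone number, which is why `correlate_chain` only reports numbers that hit the smish, the short post-OTP call and the high-risk spend together.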
Professional Investigation Framework
When you encounter smishing campaigns in your organization, here's your systematic response plan:
Immediate Response (First 10 Minutes)
- Block the domain - Add smishing URL to corporate web filtering immediately
- Alert payment team - Notify finance of potential card fraud targeting employees
- Document the campaign - Preserve SMS content, timing, and phone numbers
- Employee warning - Send internal alert about active smishing campaign
Investigation Priorities
- Campaign scope: Determine how many employees received similar messages
- Infrastructure analysis: Examine smishing domains, SMS gateways, and hosting
- Financial impact: Assess if any employee cards were compromised
- OTP bot detection: Look for patterns of short calls following SMS delivery
Investigation Team Coordination
Teams to involve:
- IT security team for domain analysis and employee device scanning
- Finance team for employee card monitoring and fraud detection
- Legal team for law enforcement coordination if employee data compromised
- HR team for employee communication and awareness enhancement
Employee Communication Protocol
What to say to staff: "We've identified an active SMS phishing campaign targeting delivery notifications. Never enter payment information from text message links, even if they appear to be from legitimate courier services."
What NOT to say:
- "Don't fall for obvious scams" (creates blame culture)
- "These attacks are easy to spot" (discourages future reporting)
Common Red Flags
- Tiny "redelivery fee" ask.
- Hyphen‑verify domain.
- Robo‑call right after OTP SMS.
One‑line Mitigation: Use passkeys/app‑based auth; never read OTP codes to calls.
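The first two red flags above (a tiny fee ask and a hyphenated courier-plus-verify domain) are visible in the message text itself, so a gateway or mail-room triage script can score incoming SMS bodies before anyone clicks. The following is an added example, not code from the original page; the three sample messages are constructed, the keyword lists and weights are assumptions chosen for illustration, and the domain regex is only meant to pull bare host names out of SMS bodies, not to parse URLs in general.

```python
import re

COURIER_KEYWORDS = ("usps", "fedex", "ups", "dhl", "parcel", "package")
LURE_WORDS = ("verify", "redelivery", "reschedule", "track")
AMOUNT_RE = re.compile(r"\$\s?(\d+(?:\.\d{1,2})?)")
# Bare or http(s) host names; good enough for SMS bodies, not a general URL parser.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:/\S*)?", re.I)

# Constructed sample messages (not real campaign data).
SAMPLES = [
    "USPS: Parcel #9045881 on hold. Pay $1.95 redelivery fee usps-parcel-verify.com",
    "Your package was delivered to the front door at 2:41 PM.",
    "FedEx: reschedule your delivery at fedex-delivery-track.net",
]


def extract_domains(text):
    return [m.group(1).lower() for m in DOMAIN_RE.finditer(text)]


def score_sms(text):
    """Return a score, the red flags that fired, and a verdict for one SMS body."""
    t = text.lower()
    score, reasons = 0, []
    # Red flag 1: a tiny "fee" (a few dollars) whose real purpose is to harvest the card
    amounts = [float(a) for a in AMOUNT_RE.findall(text)]
    if "fee" in t and any(a <= 5.0 for a in amounts):
        score += 2
        reasons.append("tiny fee ask")
    # Red flag 2: hyphenated domain that bolts a courier brand onto a verify/track word
    domains = extract_domains(text)
    for d in domains:
        if "-" in d and any(k in d for k in COURIER_KEYWORDS) and any(w in d for w in LURE_WORDS):
            score += 3
            reasons.append(f"hyphenated courier-verify domain: {d}")
    # Red flag 3: courier branding plus an action word plus a link to follow
    if domains and any(k in t for k in COURIER_KEYWORDS) and any(w in t for w in LURE_WORDS):
        score += 1
        reasons.append("courier lure with link")
    return {"score": score, "reasons": reasons,
            "verdict": "likely smish" if score >= 3 else "low risk"}


if __name__ == "__main__":
    for s in SAMPLES:
        print(score_sms(s))
```

The weights deliberately put most of the score on the domain: a genuine courier notification may mention a fee, but it does not send you to a freshly minted hyphenated "verify" host. The third red flag on the page (a robo-call right after the OTP SMS) is a telephony signal, not a text one, and belongs in call-record correlation rather than here.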
Impact & Stats (Verified Links)
- 45% of mobile phishing arrives via SMS (SlashNext, 2024).
- 900% rise in OTP-bot advertisements in 2024 (Resecurity, 2025).
- $330M in global losses from delivery smishing in 2024 (Europol, 2025).
Key Takeaways
Beginner: Legit companies never call asking for SMS codes.
Analyst: Correlate parcel smish ➜ robo‑call ➜ CNP spend chain.
The next and final module provides a comprehensive glossary of social engineering terms from A-Z.
Ready to master the complete social engineering vocabulary? The glossary module provides definitions for every term you'll encounter in fraud investigations.