Back to all articles
Phishing
Smishing: The Twilio Case
Jun 04, 2026
Smishing is a form of phishing that uses text messages (SMS) to trick people into providing sensitive information or sending money. This phenomenon has become incredibly common worldwide. According to the zLabs smishing report, India is the most vulnerable, with 37% of its population at risk, followed by the U.S. at 16% and Brazil at 9%. This indicates that ordinary users often fall victim to well-designed attacks that exploit trust and a lack of cybersecurity knowledge.
A specific case involves Twilio, a major company providing cloud communication services. In August 2022, Twilio was first hit by a hacker group using a social engineering attack. The attackers managed to deceive several employees into providing credentials for their accounts and internal systems. With this data, the hackers gained access to sensitive systems and obtained information regarding at least 125 clients. This event highlighted weaknesses in employee training and internal controls.
In 2024, Twilio was attacked again, this time by a group called ShinyHunters. This group claimed to have stolen 33 million phone numbers from the company's systems. This breach was significantly larger than the 2022 incident and showed that previous vulnerabilities had not been fully addressed. Key failures included:
Inadequate Training: Employees were not sufficiently trained to recognize fraudulent messages.
Weak Access Control: Internal systems had poor access management and insufficient monitoring.
As a result, the attack exposed the vulnerability that tech companies face from human-centric attacks rather than just software bugs. To prevent such incidents, companies must:
Train employees specifically on phishing and smishing tactics.
Use strong passwords and mandatory Two-Factor Authentication (2FA).
Monitor systems for any suspicious activity in real-time.
Strengthen internal controls and data segmentation to limit damage during a breach.
This case demonstrates that in the modern world, data security depends not only on technology but also on employee awareness and practices. Attacks like those on Twilio can cause massive financial losses, privacy concerns, and increased risks for affected customers.
References
https://sl.bing.net/bZC1U9U7Gzk
https://learn.g2.com/most-common-phishing-attacks#bec
https://sl.bing.net/h9x5CAvxluK
https://learn.g2.com/most-common-phishing-attacks#bec
https://sl.bing.net/h9x5CAvxluK