The Most Spoofed Brands in SMS Phishing: Protect Your Business in 2025
SMS phishing scams are on the rise, with cybercriminals spoofing trusted brands like Amazon, Microsoft, and banks. This blog explores the most targeted brands in 2025 and strategies to protect your business using Keepnet’s tools and training.
2025-01-06
Every day, over 3.5 billion phone users receive spam text messages, many of which impersonate trusted brands like Amazon, Microsoft, or major banks. These SMS phishing (smishing) scams exploit the trust people place in familiar names to steal sensitive information.
The impact of these attacks is alarming. Victims often face financial losses, stolen identities, and exposure of confidential business data. In smishing attacks, the median loss reported by victims was $1,000 in 2022. Cybercriminals craft convincing messages, such as fake delivery updates or urgent account alerts, to trick users into clicking malicious links or providing personal details.
This blog will uncover the most commonly spoofed brands in SMS phishing attacks, explain why these brands are targeted, and provide steps businesses can take to protect themselves from these growing threats.
What is SMS Phishing (Smishing)?
Smishing is a type of phishing scam delivered through SMS messages. These messages often impersonate trusted brands, misleading recipients into clicking malicious links or sharing sensitive information like passwords or financial details.
Why is SMS such a common method for attackers? It has a 90% open rate, with most messages being read within the first three minutes. This immediacy creates a sense of urgency, making recipients more likely to respond without verifying the message's authenticity.
To learn more about how smishing operates, check out our guide on what smishing is and how to protect yourself against it.
Why Cybercriminals Target Specific Brands for SMS Phishing Attacks
Cybercriminals don’t choose brands randomly. Their targets are strategic:
Reason | Explanation | Examples |
---|---|---|
Trust and Familiarity | Cybercriminals exploit the trust built by established brands over the years. | Brands like Amazon, Apple, and Microsoft that users interact with regularly are common targets. |
Massive User Bases | Popular brands with millions of customers provide attackers with many potential victims. | Companies like Google, Walmart, and PayPal cater to a global audience. |
Common Tactics | Attackers create realistic scenarios to trick users into providing sensitive information. | Tactics include fake payment alerts, fraudulent order confirmations, and phony account login requests. |
Table 1: Key Reasons Cybercriminals Target Specific Brands for SMS Phishing
The Most Spoofed Brands in SMS Phishing Attacks
Cybercriminals carefully select trusted brands for SMS phishing (smishing) campaigns to exploit their familiarity, credibility, and frequent interactions with users. These brands are not chosen at random—hackers target them because they are widely recognized, and people often receive legitimate messages from them. This increases the chances of a victim trusting and interacting with a fake message. Let’s break down the most impersonated brands, why they are targeted, and the tactics hackers use.
According to Keepnet, the following brands were the most impersonated in smishing attempts:
Amazon
Amazon leads the list with 38% of smishing attempts. The company’s massive global customer base and frequent transactional communications make it a prime target for cybercriminals. Hackers exploit legitimate-looking notifications, such as:
- Order Confirmations: “Your order could not be processed. Click here to update your payment details.”
- Shipping Updates: “Your package is delayed. Track it here.”
These messages prey on users' expectations of regular updates, making the fake links appear credible. Once clicked, victims are redirected to malicious websites that steal personal or payment information.
Apple
Apple accounts for 17% of smishing attacks, reflecting its strong association with user accounts, passwords, and financial data. Apple’s ecosystem, including iCloud, Apple Pay, and App Store, stores sensitive personal details, making it a lucrative target for hackers. Common smishing tactics include:
- Fake Account Alerts: “Your Apple ID has been locked due to suspicious activity. Verify here.”
- Password Reset Requests: “We’ve detected an unauthorized login. Reset your password now.”
These messages direct users to convincing phishing sites mimicking Apple’s secure login pages, where credentials are harvested.
HMRC (UK Tax Authority)
HMRC is impersonated in 15% of smishing attempts, making it one of the most spoofed government entities. Hackers rely on the fear and urgency associated with tax-related communications to manipulate victims. Common smishing schemes include:
- Refund Notifications: “You are eligible for a £500 tax refund. Claim it here.”
- Payment Warnings: “Your tax payment is overdue. Pay now to avoid penalties.”
The sense of urgency drives victims to click malicious links leading to fake payment portals designed to steal financial information or infect devices with malware.
PayPal
PayPal is targeted in 12% of smishing attempts due to its role in facilitating online payments and storing sensitive financial details. Hackers exploit the high volume of legitimate account alerts PayPal users receive. Typical smishing messages include:
- Transaction Alerts: “Unusual activity detected. Confirm this transaction here.”
- Account Verification Requests: “Your account has been restricted. Verify your identity now.”
These messages often direct recipients to fake PayPal login pages where hackers steal credentials and gain access to their accounts.
USPS
With 11% of smishing attacks, USPS scams are especially effective due to the high volume of e-commerce and package deliveries. Hackers exploit users’ reliance on tracking updates and delivery notifications by sending messages like:
- Delivery Issues: “Your package could not be delivered. Update your address here.”
- Shipping Fee Notices: “Additional postage is required to release your package. Pay here.”
The fraudulent links redirect victims to phishing sites that steal payment information or personal details.
FedEx
FedEx-related smishing makes up 7% of attacks, often targeting users during peak shipping seasons like holidays. These scams mimic FedEx’s legitimate delivery notifications to trick recipients into clicking malicious links. Common examples include:
- Tracking Updates: “Your package is out for delivery. Track it here.”
- Undelivered Packages: “We couldn’t deliver your package. Confirm your address now.”
Hackers leverage the widespread use of FedEx for online shopping deliveries, creating urgency to engage with the scam.
Netflix
Netflix is targeted in 5% of smishing campaigns. Hackers exploit the platform’s subscription-based model, where disruptions to account access or payment processing can cause immediate concern. Smishing messages typically include:
- Payment Issues: “Your subscription payment failed. Update your billing information now.”
- Account Suspension: “Your account has been suspended. Reactivate it here.”
Victims are led to fraudulent login or payment pages where hackers steal credentials or financial data. See our smishing statistics research to learn more about smishing facts and trends.
Why Hackers Target These Brands in Smishing Attacks
Hackers target these brands in smishing attacks because they exploit specific characteristics that make their scams convincing and effective:
1. Global Trust and Familiarity
Brands like Amazon, Apple, and Netflix are globally recognized and widely trusted. Users are less likely to question messages from these companies, assuming they are legitimate because of their reputation.
2. Frequent and Expected SMS Communication
Brands such as Amazon, FedEx, and USPS often send legitimate SMS notifications for orders, deliveries, or account updates. Hackers exploit this by mimicking real messages, making fake ones appear normal and trustworthy.
3. Access to Sensitive Financial Information
Brands like PayPal and Apple are closely tied to payments and personal data. Smishing messages often claim issues like unauthorized transactions or account suspension, prompting users to share login details or financial information.
4. Creating a Sense of Urgency or Fear
Hackers use urgency to pressure victims. Messages like “Your tax refund is waiting” (HMRC) or “Your package is undeliverable” (FedEx, USPS) push users to act quickly without questioning the message’s authenticity.
By leveraging trust, routine interactions, and emotional triggers, these smishing campaigns become highly persuasive, leading to higher success rates for hackers.
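The signals described above (a named brand, urgency wording, and a link) can be combined into a simple triage check for SMS messages that employees report. The following is an added example, not Keepnet's code: the domain allowlist, the urgency word list, the function names, and the sample messages are assumptions constructed for illustration, and links are assumed to include an http(s) scheme.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains per brand named in the article; verify and
# extend it from each brand's own guidance before using it for real triage.
OFFICIAL_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "apple": {"apple.com", "icloud.com"},
    "hmrc": {"gov.uk"},
    "paypal": {"paypal.com"},
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "netflix": {"netflix.com"},
}
# Urgency wording taken from the sample messages quoted in the article.
URGENCY = re.compile(
    r"\b(locked|suspended|restricted|overdue|failed|unauthorized|verify|claim|"
    r"pay now|update your|could not be (?:delivered|processed))\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    """Hostname of a URL, or '' when the URL is malformed."""
    try:
        return (urlparse(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def on_official_domain(host, brand):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])

def triage(message):
    """Return the smishing signals present in one reported SMS body."""
    brands = [b for b in OFFICIAL_DOMAINS if re.search(rf"\b{b}\b", message, re.I)]
    hosts = [host_of(u) for u in URL.findall(message)]
    # Flag links whose host belongs to none of the brands the message names.
    off_brand = [h for h in hosts if brands and not any(on_official_domain(h, b) for b in brands)]
    signals = []
    if brands:
        signals.append("brand:" + ",".join(brands))
    if URGENCY.search(message):
        signals.append("urgency")
    if off_brand:
        signals.append("off-brand-link:" + ",".join(off_brand))
    return signals

# Constructed sample messages (not real traffic); .example hosts are placeholders.
SAMPLES = [
    "Amazon: Your order could not be processed. Update your payment details: https://amazon.com.billing-check.example/pay",
    "Your Apple ID has been locked due to suspicious activity. Verify here: https://appleid-support.example/unlock",
    "Your Amazon package has shipped. Track it at https://www.amazon.com/gp/your-orders",
]
```

The first sample shows why the host comparison matters: the link starts with "amazon.com" but its registrable domain is not Amazon's, so it is still flagged. A message that carries all three signals is a strong candidate for escalation to the security team.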
Real-World Consequences of Spoofing in SMS Phishing
In August 2022, Twilio, a company providing SMS services, was targeted in a smishing attack using brand spoofing. Cybercriminals posed as Okta, a trusted IT provider, and sent fake text messages to Twilio employees.
The messages claimed their sessions had expired and included a link to a fake login page that looked exactly like Okta’s real site. At least one employee entered their credentials, giving the attackers access to sensitive customer data, including addresses, payment details, and email information.
The breach went unnoticed for four days, allowing attackers to steal a large amount of data. Twilio later worked with mobile providers to block the malicious links. This attack shows how brand spoofing can trick even tech-savvy organizations.
Learn how to prevent spoofing attacks on our blog post: Understanding and Preventing Spoofing in Cybersecurity
How to Protect Your Organization Against SMS Phishing Attacks
Defending against SMS phishing requires a combination of employee awareness, practical testing, and secure communication practices. Here’s how your organization can stay protected:
1. Employee Training
Train employees to recognize and respond to smishing attempts. Use tools like Security Awareness Training to educate staff on spotting fake messages, malicious links, and impersonation tactics. Regular training builds a vigilant and informed workforce.
2. Simulation Tools
Evaluate your organization’s readiness with realistic phishing tests. Tools like the Phishing Simulator and Smishing Simulator allow you to replicate real-world attacks and identify vulnerabilities in employee responses.
3. Secure Practices for Consumers and Employees
- Always verify suspicious messages by contacting the brand or service provider directly through official channels.
- Avoid clicking on unverified links or providing sensitive information, such as login credentials or financial details, via SMS.
- Report smishing attempts to your IT department or security team to take immediate action.
To learn more about how to secure your business against smishing, see our smishing statistics research.
Minimize Smishing Risks with the Keepnet Human Risk Management Platform
The Keepnet Human Risk Management Platform provides organizations with advanced tools to effectively combat smishing and brand spoofing, equipping teams with the skills and insights needed to mitigate risks.
1. Security Awareness Training
Educate employees to recognize and respond to smishing attacks through Security Awareness Training. This module delivers real-world lessons on identifying fraudulent messages, especially those leveraging spoofed brands.
2. Comprehensive Monthly Training Plan
Keepnet’s structured training calendar provides a targeted approach to addressing key security risks throughout the year. Each month is dedicated to a specific risk, combining phishing simulations with contextual education to enhance understanding and vigilance.
For example:
- January focuses on information security basics, using sensitive information campaigns to educate employees on safeguarding critical data.
- June tackles malware threats with an online security campaign, teaching employees how to identify malicious software.
This proactive approach ensures employees stay ahead of potential threats, fostering a culture of security awareness.
3. Engaging Quarterly Awareness Activities
To ensure retention, Keepnet incorporates interactive learning tools into its quarterly plans. These tools—such as quizzes, posters, and simulations—are tailored to reinforce critical security behaviors.
For instance:
- In January, employees participate in password security training using phishing and smishing simulations, complemented by quizzes and infographics.
- By March, ransomware risks take center stage with interactive visuals and ransomware phishing scenarios to test employee readiness.
This multi-layered approach not only educates but also reinforces real-world application, making employees better prepared to handle threats.
4. Tailored Training Content for Every Organization
Keepnet’s flexibility sets it apart, offering organizations access to various training providers. This allows businesses to select the formats and styles that resonate most with their workforce, ensuring maximum engagement and learning outcomes.
Whether employees prefer gamified experiences or traditional formats, Keepnet enables organizations to deliver training that suits their unique culture.
5. Outcome-driven Metrics That Drive Results
One of the standout features of Keepnet’s solutions is their ability to provide outcome-driven metrics that reflect real improvements in security behavior and culture. These measurable results demonstrate the effectiveness of Keepnet’s programs in combating cyber threats. Key metrics include:
- Phishing Risk Score: Reduce risky behaviors by up to 95%, creating a safer digital environment.
- Click-Through Rate: Achieve a 92% reduction in phishing link clicks, lowering your exposure to threats.
- Reporting Rate: Boost employee reporting of suspicious activity by 92%, enabling faster responses.
Organizations can visualize these results through Keepnet’s intuitive dashboards, which track engagement, training completion rates, and overall risk reduction. This transparency helps companies continually improve their security posture.
Additionally, Keepnet’s Human Risk Management Platform leverages the Protection Level Agreement (PLA) to guarantee that your security awareness program will achieve clear, measurable outcomes. The PLA sets specific goals, such as reducing the number of employees clicking on phishing links or increasing the rate of suspicious activity reports. By holding the program accountable to these benchmarks, the PLA ensures that your training efforts deliver real, impactful results, making your organization safer and more secure.
Check out Keepnet security awareness training for more information.
6. Smishing Simulator with Spoofed Brand Templates
The Smishing Simulator enables organizations to test employee responses using realistic templates based on commonly spoofed brands like Amazon, PayPal, and Apple. These scenarios improve employees' ability to detect and avoid smishing attacks.
Unlike generic training programs, Keepnet’s Smishing Simulator allows organizations to replicate region-specific threats, such as fake tax refund alerts from HMRC in the UK or phishing scams targeting financial services in the US. These customized SMS phishing simulations enhance employee preparedness for real-world scenarios.
Read our step-by-step guide to learn how to create an SMS phishing simulation campaign.
7. Human Risk Scoring and Reporting
Track employee behavior during smishing simulations with Human Risk Scoring, using outcome-driven metrics to identify vulnerabilities and improve smishing awareness training strategies.
Read our blog on Human Risk Scoring to learn more.
Keepnet’s SMS & Voice Phishing Simulations replicate real-world attacks, such as fake refund requests and discount scams, helping employees recognize and avoid smishing threats.
By focusing on specific vulnerabilities, Human Risk Scoring ensures:
- Tailored training for employees prone to smishing threats.
- Data-driven improvements in overall security posture.
Keepnet’s Human Risk Scoring empowers businesses to proactively reduce smishing risks and create a security-aware workforce.
8. Keepnet Advanced Reporting
Keepnet’s Advanced Reporting provides organizations with detailed, actionable insights into employee behavior during smishing simulations. Using Human Risk Scoring, it identifies high-risk employees and departments by analyzing metrics such as phishing link clicks, reporting rates, and training completion.
The interactive dashboards allow security teams to:
- Visualize Vulnerabilities: Track risky behaviors and assess which teams or individuals need additional training.
- Tailor Training Programs: Customize awareness strategies based on data to address specific weaknesses.
- Measure Progress Over Time: Monitor improvements in phishing awareness and overall security posture.
For leadership, Executive Reports summarize key findings like high-risk users and departments, helping them make informed decisions to support strategic initiatives. These tools, combined with realistic smishing simulations, empower organizations to proactively mitigate risks and strengthen their defense against phishing threats.
9. Threat Intelligence Sharing
Stay informed about the latest phishing trends, including brand spoofing tactics, with the Threat Sharing Platform. Use these insights to proactively enhance your organization's defenses.
For further details, read our blog on what Threat Intelligence Sharing is and learn how it can help you mitigate SMS Phishing risks.
Keepnet’s Threat Intelligence Sharing Platform keeps organizations informed about the latest phishing tactics, including smishing campaigns targeting top brands. This real-time intelligence helps businesses stay one step ahead of cybercriminals and reinforces their proactive defense strategies.
With the rise of smishing attacks targeting trusted brands, businesses need more than awareness—they need actionable tools and measurable results. Keepnet’s Human Risk Management Platform combines cutting-edge phishing simulations, advanced reporting, and AI-powered training to empower organizations against evolving threats.