If you’re anything like me, you used delivery more during the pandemic than before. Having food brought to my door and ordering meal kit boxes both mean people don’t have to mask up and go out to the grocery store. But threat actors know that, too. Recent scams take advantage of people signing up for more services, disguising their data theft as company giveaways or delivery alerts. Phishing and its SMS cousin, smishing, continue to be popular ways of gaining access to digital systems, including business email. See how smishing is changing the game in the world of food and delivery.

What Is Smishing? 

While phishing attacks try to get you to share passwords or other personal information over email, smishing does the same by text message. For example, an attacker might send a text promising something in exchange for completing a form on a website. If the victim follows through, the attacker can collect information and possibly infect the device.

Watch Out for New and Convincing SMS Scams

Text-based scams are evolving. Where they might once have been marked by poor English or odd formatting, some attackers have learned to disguise themselves. Common text message scam tactics appeal to victims who might be expecting a shipment or may have recently completed a purchase online. The scams might propose a reward for responding or pose as an alert to some serious issue with an online account. Meal kit and grocery scams often fall under these types of attacks.

Attackers know these services are popular. Subscription services of all kinds have seen a steady increase over the last year. Entertainment and food delivery services are particularly popular. As consumer buying habits shifted, so too did takeout food choices. Meal kits, including both subscription services and grocery store-based meal solutions, saw a steady uptick in demand.

For example, one scam asked cybersecurity consultant Joseph Steinberg to leave a review for a service he didn’t use. This is just one of many variations of the review-for-a-reward smishing scam. Cybersecurity training can help users avoid such scams and protect personal data, too.

How Employers Can Stop Smishing

Spam filters can catch some of these malicious messages, but not all. In addition to a layered approach to security, organizations should also provide their employees ongoing cybersecurity awareness training. A regular feature of such a program could include simulations that cover scenarios similar to those seen in the wild.

To be effective, cybersecurity training for employees should be engaging and relevant. It’s not a good idea to overwhelm people with every possible attack type and its gory details. However, an ongoing training program can provide useful information on novel and unique attack types. These might be relevant to employees outside of work, too. Employers can also use breach and attack simulations to help users better understand how these campaigns work.

Training like this should cover the topic of risk assessment often. Users should be taught to tell the difference between real and scam messages no matter how convincing they are or where they’re sent. In the case of smishing, it’s also important for users to know what to expect from the systems they use.

Security Awareness Training and Beyond

Training users on how their work devices are supposed to function can help them be safer with connected devices at home, too. Internal systems can provide examples of just-in-time communications that provide context to interactions. And users who know what to expect from oft-used systems may be more likely to spot odd behavior. As an employer, you can explain how the system will contact its users in new user onboarding procedures and welcome emails. If someone gets a delivery alert by text and you’ve already told them you only send alerts by email, they might be less likely to click. That will help regardless of how well-written the attacker’s text is.
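The channel rule described above can also back a report-triage step for the security team. The following is an added example, not part of the original article: the policy table, system names, keyword patterns and report format are all assumptions, and the sample messages are constructed.

```python
import re

# Constructed policy table (assumption): channels each system is documented to use.
CHANNEL_POLICY = {
    "delivery-alerts": {"email"},
    "it-helpdesk": {"email", "chat"},
}

# Lure types described in the article; the keyword patterns are assumptions.
LURES = {
    "reward-for-review": re.compile(
        r"\b(review|survey)\b.*\b(reward|gift|prize|free)\b", re.I | re.S),
    "delivery-alert": re.compile(r"\b(delivery|shipment|package|parcel|order)\b", re.I),
    "account-problem": re.compile(
        r"\baccount\b.*\b(suspended|locked|problem|issue|verify)\b", re.I | re.S),
}
URL_RE = re.compile(r"https?://\S+", re.I)

def triage(report):
    """Compare a user-reported message with the documented channel policy."""
    reasons = []
    allowed = CHANNEL_POLICY.get(report["claimed_system"])
    if allowed is None:
        reasons.append("unknown-system")
    elif report["channel"] not in allowed:
        reasons.append("channel-mismatch")
    off_policy = bool(reasons)
    reasons += [name for name, rx in LURES.items() if rx.search(report["body"])]
    if URL_RE.search(report["body"]):
        reasons.append("contains-link")
    if off_policy and len(reasons) > 1:
        verdict = "escalate"      # off-policy channel plus a lure or link
    elif off_policy:
        verdict = "suspicious"    # off-policy channel on its own
    else:
        verdict = "consistent"    # matches policy; not proof of legitimacy
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample reports (not real messages).
SAMPLE_REPORTS = [
    {"channel": "sms", "claimed_system": "delivery-alerts",
     "body": "Your package delivery is delayed. Confirm: http://example.test/track"},
    {"channel": "email", "claimed_system": "delivery-alerts", "body": "Your order has shipped."},
    {"channel": "sms", "claimed_system": "meal-kit-rewards",
     "body": "Leave a review of your meal kit and claim a free gift: https://example.test/r"},
]

for r in SAMPLE_REPORTS:
    print(r["channel"], r["claimed_system"], triage(r))
```

The verdict depends on the channel first, so a well-written text still escalates when the claimed system is documented as email-only.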

SMS scams are more than a simple annoyance for the average person; they present a very real security risk for company systems, too. Websites used in these scams can contain malware designed to exploit victim machines, which may be accessing them from corporate networks. SMS-based scams and malware campaigns range widely in terms of the intended outcome, but social engineering is always a key component. Relevant and interesting security training can help stop smishing-related dangers from making their way into your important systems.
