---
title: "Twilio Employees Fall Victim to a Sophisticated Social Engineering Attack | DuoCircle"
description: "There are sophisticated smishing schemes threat actors have started leveraging these days; that is how Twilio described the successful smishing attack that."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/"
---

Quick Answer

On August 4, 2022, attackers stole Twilio employee credentials through a smishing campaign and accessed limited customer accounts on internal systems. Smishing is phishing delivered over SMS or other mobile messaging channels: the texts impersonated IT and pointed employees to fake login pages that captured credentials. The breach was notable because Twilio operates the Authy 2FA service, so credential theft against a security vendor amplifies downstream risk. The pattern matters more than the incident: SMS-based phishing bypasses email gateway filters, exploits the trust users place in mobile messages, and increasingly targets help desk and IT staff who hold privileged access. Defenses include phishing-resistant MFA (FIDO2 hardware keys), employee training that covers SMS lures, and monitoring for credential reuse against internal portals.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fannouncements%2Ftwilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Twilio%20Employees%20Fall%20Victim%20to%20a%20Sophisticated%20Social%20Engineering%20Attack&url=undefined%2Fblog%2Fannouncements%2Ftwilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fannouncements%2Ftwilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fannouncements%2Ftwilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack%2F&title=Twilio%20Employees%20Fall%20Victim%20to%20a%20Sophisticated%20Social%20Engineering%20Attack "Share on Reddit") [ ](mailto:?subject=Twilio%20Employees%20Fall%20Victim%20to%20a%20Sophisticated%20Social%20Engineering%20Attack&body=Check out this article: undefined%2Fblog%2Fannouncements%2Ftwilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack%2F "Share via Email") 

![DuoCircle blog post image](https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0735.jpg) 

_There are sophisticated smishing schemes [threat actors](/email-security/threat-actors-abuse-linkedins-smart-links-in-evasive-email-phishing-attacks/) have started leveraging these days; that is how Twilio described the successful [smishing attack](https://tech.hindustantimes.com/tech/news/online-shopping-fraud-mobile-phones-being-targetted-in-smishing-attacks-71636638343220.html) that targeted its employees on August 4, 2022\. Read on to know how attackers targeted the programmable communication tools provider and stole employee credentials._

The US-based Cloud communications enterprise Twilio admitted a [data breach](/email-security/how-to-respond-to-an-email-security-or-data-breach/) recently, saying that the attackers stole its employees’ credentials through an SMS phishing attack (Smishing) and entered its internal systems. Twilio owns the popular two-factor authentication (2FA) platform Authy.

It released a statement over the weekend that it became aware of **unauthorized information access** to limited Twilio customer accounts using a sophisticated social engineering attack that hackers designed to steal employee credentials.

## What is Smishing?

Smishing is a phishing attack that malicious actors carry out over **mobile text messaging**, also known as [SMS phishing](https://www.crn.com/news/security/twilio-customer-data-breached-by-sms-phishing-attack). It is a phishing variant where the victims get deceived into sharing sensitive information with a malicious actor. SMS phishing can get assisted by fraudulent websites or malware. It occurs through mobile text messaging platforms and **non-SMS channels,** for example, data-based messaging apps.

Cybercriminals launch such attacks to steal the victim’s data, which they use to c**ommit cybercrimes or fraud**. Typically, it includes stealing money, from the victim or their company.

[![Smishing](https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0635.jpg)](https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0635.jpg)

## What Happened?

Twilio became aware of a sophisticated social engineering attack on August 4, 2022, that targeted a few of its customer accounts by stealing employee credentials. The attack succeeded in fooling the employees into **sharing their credentials**. The cybercriminals used the stolen credentials, gained access to Twilio’s internal systems, and accessed certain customer data. Twilio released a statement that they worked directly with the customers affected by this incident.

- Some former and current employees reported receiving texts from Twilio’s IT department.
- The text messages suggested that the employee’s schedule had changed or their passwords had expired, and they needed to **log in to a malicious URL**.
- _The URLs looked genuine as they included words like “Okta,” “Twilio,” and “SSO,” which tricked the users into clicking on the links._
- Clicking on the malicious link took the victim to an impersonated Twilio’s sign-in page.
- Additionally, the cybercriminals used sophisticated abilities to match employee names with their phone numbers.

## What Were the Results of the Breach?

Twilio stated that it is continuing its investigation and that the security and **trust of the customers** are its top priorities. Additionally, it shared the following updates:

- Twilio identified that the malicious actors accessed the data of approximately 125 Twilio customers for a limited time, and they notified all of them.
- It stated there was no evidence that hackers accessed _customer API keys, passwords, or authentication tokens without authorization._

Twilio confirmed that its information security team is working diligently to share details with impacted customers. If a customer had not received a communication from Twilio, there is no evidence of their account getting targeted in this attack. Furthermore, Twilio added that the investigation was ongoing, and if they identified any **additional impacted customers**, they would get in touch with them.

## What Steps Did Twilio Take to Control the Damage?

After confirming the incident, Twilio’s security team revoked the compromised employee accounts’ access to mitigate the attack. It engaged a **leading forensics firm** to aid the ongoing investigation.

Furthermore, Twilio said they have redesigned their security training to ensure employees remain alert for [social engineering attacks](/email-security/a-young-hacker-unleashes-social-engineering-attack-on-uber/). Additionally, they issued security advisories explaining the specific tactics malicious actors utilize and instituted mandatory awareness training on such attacks.

## How to Protect Against Smishing?

A user can keep in mind a few things that can help protect them and their organization against these attacks.

- **_Do not respond:_** Responding to text messages with “STOP” to unsubscribe can help attackers identify active phone numbers. They depend on the **user’s anxiety or curiosity over the situation**, but one can refuse to engage.
- **_Slow down if a message seems urgent:_** One should approach limited-time offers and critical account updates as red flags of possible smishing. Choose to remain skeptical and proceed carefully.
- **_Call your merchant or bank directly if doubtful:_** Legitimate institutions will never request login info or account updates via text. Furthermore, users can verify any urgent notices directly on their online accounts or by calling an official phone helpline.
- **_Avoid using any contact info or links in the message_**_:_ Instead, one can visit the official contact channels directly when possible.
- **_Check the phone number:_** Users must be careful of odd-looking phone numbers, like the 4-digit ones, which are evidence of email-to-text services. It is a common tactic that cybercriminals utilize to mask their phone numbers.
- **_Never store credit card numbers on your mobile:_** The safest way to keep financial information from getting stolen from a digital wallet is never to store it there.
- **_Use multi-factor authentication (MFA):_** Smishing actors may not find an exposed password useful if the account they want to breach requires a second “key” for verification. [Multi-Factor Authentication’s](https://www.onelogin.com/learn/what-is-mfa#:~:text=Multi%2Dfactor%20Authentication%20%28MFA%29%20is%20an%20authentication%20method%20that,access%20management%20%28IAM%29%20policy.) (MFA’s) most common variant is [two-factor authentication (2FA)](https://authy.com/what-is-2fa/), which requires a text message **verification code**.

## What are the Experts Saying?

The [Cyber Wire](https://thecyberwire.com/newsletters/privacy-briefing/4/152) received comments on the incident from several security experts.

**Jeannie Warner (Director, product marketing at Exabeam):** _“There are many commercial and public data providers offering blacklisting databases or services for potential **phishing URL/domain lookups**. However, security teams cannot identify newly-crafted phishing URLs this way. Frequently targeted industries like communication and technology providers must consider the latest [machine learning (ML)](https://www.ibm.com/in-en/topics/machine-learning) approaches which can flag a suspicious phishing URL previously undetected by the blacklist data providers.”_

**Tim Prendergrast (CEO, strongDM):** _“The Twilio breach that gave attackers access to customers’ data highlighted how crucial strong infrastructure and access management is to maintain strong security. Cybercriminals continuously look for ways into internal systems as it gives them a VIP pass into servers and databases and access to information organizations don’t want to be leaked publicly. Thus, CISOs must re-evaluate access control and visibility across infrastructure and applications.”_

**Neil Jones (Director, Cybersecurity Evangelism, Egnyte):** _“The alleged attack on [digital authentication](https://www.techtarget.com/searchsecurity/answer/What-are-the-most-common-digital-authentication-methods#:~:text=Digital%20authentication%20is%20the%20process,ways%20to%20verify%20electronic%20authenticity.) provider Twilio is a grim reminder that enterprise security programs are as strong as their weakest links. Additionally, **anti-phishing education**, cybersecurity awareness training, and restricted access to organizational data on a ‘Need to Know basis are powerful deterrents.”_

> **Erfan Shadabi (Cybersecurity Expert, Comforte AG):** _“Adopting a Zero Trust framework is the best approach to mitigate such attacks. It means assuming you are breached already, providing no implicit trust, verifying repeatedly, and providing minimal privileges after **successful authentication** and [cybersecurity](/).”_

[![data breaches](https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0835.jpg)](https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0835.jpg)

## Final Words

Many data breaches in the past few months have a common factor, human error. The Twilio attack highlights how ‘smishing’ and social engineering tactics can lead to fraudulent account access and negatively impact a brand’s reputation. It also demonstrates how users are still unaware of how today’s threat actors operate, which makes [mobile-based attacks](https://www.bleepingcomputer.com/news/security/us-govt-employees-exposed-to-mobile-attacks-from-outdated-android-ios/) more impactful to end-users. Positive trends like Zero Trust architectures, supported by data-centric protection methods (safeguarding the data rather than the borders), are the need of the hour!

## Topics

NewsSecurityUpdates 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  News 3m  Alert: Fix SPF & DKIM Settings For Your Email Forwarding Set Up Through Microsoft o365 SMTP Server Or Your Emails May End Up In Spam  Jul 20, 2021 ](/blog/announcements/alert-fix-spf-dkim-settings-for-your-email-forwarding-set-up-through-microsoft-o365-smtp-server-or-your-emails-may-end-up-in-spam/)[  News 6m  Cyber Security News Update, Week 1 of 2022  Jan 7, 2022 ](/blog/announcements/cyber-security-news-update-week-1-of-2022/)[  News 7m  Cybersecurity News Update, Week 1 of 2023  Jan 1, 2023 ](/blog/announcements/cyber-security-news-update-week-1-of-2023/)[  News 5m  EasyPark Data Breach, Ohio Lottery Cyberattack, GTA 5 Leak, Cybersecurity News \[December 25, 2023\]  Jan 4, 2024 ](/blog/announcements/cyber-security-news-update-week-1-of-2024/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Twilio Employees Fall Victim to a Sophisticated Social Engineering Attack","description":"There are sophisticated smishing schemes threat actors have started leveraging these days; that is how Twilio described the successful smishing attack that.","url":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/","datePublished":"2022-08-22T16:18:15.000Z","dateModified":"2025-05-09T15:38:14.000Z","dateCreated":"2022-08-22T16:18:15.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/"},"articleSection":"announcements","keywords":"News, Security, Updates","wordCount":1162,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0735.jpg","caption":"DuoCircle blog post image","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"News"},{"@type":"ListItem","position":3,"name":"Twilio Employees Fall Victim to a Sophisticated Social Engineering Attack","item":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"News","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Twilio Employees Fall Victim to a Sophisticated Social Engineering Attack","item":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Twilio Employees Fall Victim to a Sophisticated Social Engineering Attack","description":"There are sophisticated smishing schemes threat actors have started leveraging these days; that is how Twilio described the successful smishing attack that.","url":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/","datePublished":"2022-08-22T16:18:15.000Z","dateModified":"2025-05-09T15:38:14.000Z","dateCreated":"2022-08-22T16:18:15.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/announcements/twilio-employees-fall-victim-to-a-sophisticated-social-engineering-attack/"},"articleSection":"announcements","keywords":"News, Security, Updates","wordCount":1162,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2022/08/phishing-protection-0735.jpg","caption":"DuoCircle blog post image","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```