
When ‘Oprah’ Smished Me: Smishing and AI-Driven Phishing Risks

An “Oprah” smishing scam shows how AI makes phishing smarter. Learn how to spot, stop, and protect yourself from evolving mobile threats.

Written By
Ken Underhill
Sep 30, 2025

October is Cybersecurity Awareness Month, a time when individuals and organizations reflect on the growing threats in our digital world. Cyberattacks are no longer confined to corporate servers or complicated malware; they increasingly arrive on the devices we carry in our pockets. 

One of the most deceptive threats is smishing — phishing via SMS text messages. Unlike emails that may get caught in spam filters, text messages often slip through unchallenged, preying on our trust in the immediacy of communication.

I learned this lesson firsthand the day I got “smished” by someone claiming to be Oprah.

The smishing incident

One evening, I received a text message that immediately caught my attention. The message claimed: “Oprah is doing her biggest giveaway!” It included a voucher number and a link to a website (oprahstoday[.]com).

Screenshot of SMS text coming from suspected hacker disguised as Oprah.

For a moment, I paused. The message carried the weight of familiarity. After all, who doesn’t know Oprah? The phrasing tapped into nostalgia for her famous giveaways, making the scam appear almost believable to the average person.

That pause was all the attacker would have needed. 

Curiosity pulled me toward the link, though fortunately, my skepticism kicked in before I clicked. I later analyzed the website and found that it was a carefully designed phishing page built to steal personal information. It was a classic example of social engineering — exploiting trust, curiosity, and urgency to trick individuals into compromising themselves.

Understanding smishing

Smishing works because text messages feel more personal and trustworthy than emails.

The mechanics are simple: attackers send fraudulent messages to entice victims into clicking a link, downloading malware, or providing sensitive information. Once engaged, the victim may unknowingly hand over credentials, banking information, or access to corporate systems.

Smishing attacks often exploit urgency (“Claim your prize before it expires!”) or authority (“Your bank account has been locked; click here to verify”). 

In my case, the scammers exploited familiarity — leveraging Oprah’s brand recognition to try to lower my defenses.
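
The cues described above (urgency, authority, and a familiar brand name inside an unfamiliar domain) can be checked mechanically when triaging reported texts. The following is an added example, not code from the original article: the phrase lists, the brand allowlist, the voucher placeholder, and every sample message except the quoted “Oprah” line and its defanged domain are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Lure families named in the article; the phrase lists are constructed assumptions.
CUES = {
    "urgency": ("before it expires", "act now", "last chance", "immediately"),
    "authority": ("account has been locked", "verify your", "suspended"),
    "reward": ("giveaway", "prize", "voucher", "you have won"),
}
# Hypothetical allowlist: brand keyword -> domains that brand really uses.
OFFICIAL = {"oprah": {"oprah.com"}, "examplebank": {"examplebank.example"}}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# Constructed sample messages (voucher number is a placeholder).
SAMPLES = [
    "Oprah is doing her biggest giveaway! Voucher 0000-TEST. Claim at oprahstoday[.]com",
    "Your order has shipped. Track it at www.oprah.com/shop",
    "Your bank account has been locked; click here to verify: hxxp://examplebank-secure[.]example/login",
]

def refang(text):
    """Undo common defanging (hxxp, [.]) so links can be parsed."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def hosts(text):
    """Return the lowercased hostname of every link-like token in the text."""
    out = []
    for m in URL_RE.finditer(refang(text)):
        url = m.group(0)
        if "://" not in url:
            url = "http://" + url  # bare domains need a scheme for urlparse
        host = urlparse(url).hostname
        if host:
            out.append(host.lower())
    return out

def triage(sms):
    """Score an SMS: 1 point per cue family, 2 per brand/domain mismatch."""
    low = sms.lower()
    reasons = [name for name, phrases in CUES.items()
               if any(p in low for p in phrases)]
    for host in hosts(sms):
        for brand, domains in OFFICIAL.items():
            legit = any(host == d or host.endswith("." + d) for d in domains)
            if brand in host and not legit:  # brand name on a non-brand domain
                reasons.append(f"lookalike:{host}")
    score = sum(2 if r.startswith("lookalike:") else 1 for r in reasons)
    return score, reasons
```

Wording cues are easy for a sender to vary, so the domain comparison carries more weight in the score; it only helps for brands that have been added to the allowlist.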

The rise of AI-powered phishing

As alarming as my “Oprah” experience was, today’s threats are evolving even faster. With artificial intelligence, attackers can now generate highly personalized, convincing phishing and smishing messages. AI can scrape data from social media, identify personal interests, and create messages that look eerily authentic.

For example, instead of a generic text about a celebrity giveaway, an AI system could generate a smishing message tailored to your city, your workplace, or even your recent online purchases. This precision dramatically increases the chances that someone will fall for the scam.

Furthermore, AI can replicate writing styles, allowing attackers to mimic official communication and create convincing images and videos, thereby blurring the line between real and fraudulent messages.

Key considerations for protection

From my experience and from observing the growing sophistication of phishing campaigns, I have identified several key steps individuals and organizations should consider.

  • Pause before clicking: Take a moment to question the legitimacy of a message, especially one with a link or a request for money. This is often the best first defense.
  • Verify the source: If a text claims to be from your bank, boss, or even Oprah, verify it through official channels. Do not trust phone numbers or URLs provided in the message.
  • Train regularly: Organizations should conduct regular security awareness training, teaching employees to recognize suspicious patterns and report them quickly.
  • Use security tools: Many mobile carriers and security apps offer spam and phishing filters. Keeping devices updated with security patches also reduces the risk of malicious links.
  • Be aware of AI threats: As AI-driven phishing becomes mainstream, skepticism is no longer enough. Individuals must assume that attackers may know personal details and craft highly realistic lures. This makes layered security — technical tools, user awareness, and organizational policies — more essential than ever.

Looking back, my “Oprah giveaway” experience could have ended very differently if I had clicked through. 

Cybersecurity Awareness Month is an opportunity to share stories like this so others can learn to pause, question, and protect themselves against evolving threats.

Smishing is only one branch of phishing, but it is one of the most prevalent due to our dependence on mobile devices. Combined with AI’s ability to personalize and automate attacks, the threat landscape is shifting rapidly. 

What saved me in that moment was awareness, and that is exactly what this month is all about. Cybersecurity is often portrayed as a technical battle fought with firewalls and intrusion detection systems. But the truth is, it begins with human awareness. My brush with a smishing attack pretending to be Oprah highlighted how easily trust and familiarity can be exploited. 

As attackers adopt AI to make their scams more convincing, we must redouble our efforts in education, vigilance, and proactive defense.

Let my story serve as a reminder: no one is immune. The best protection starts with awareness, skepticism, and a commitment to thinking before we click.

As AI makes phishing more convincing, defenders are fighting back too. Read how Proofpoint is rolling out agentic AI cybersecurity solutions to meet the challenge.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
