How a Husband Hacked the Scammers Who Targeted His Wife, Then Gave Investigators the Info He Learned

11/18/2024 08:46 AM

"I took it personally," Grant Smith tells PEOPLE. "At first I was emotionally invested, and then it kind of switched into more curiosity"

• Grant Smith, founder and president of Phantom Security Group, made it his mission to track down the group responsible for tricking his "very, very smart" and tech-savvy wife with faked U.S. Postal Service texts
• The "smishing" group that Smith cracked resulted in recovering data from more than 390,000 distinct credit cards
• Smith says the lesson here is in how ubiquitous the scammers are

Cybersecurity expert Grant Smith wasn't about to let it slide when scammers tried bilking his wife through a phony U.S. Postal Service text.

"I took it personally," Smith tells PEOPLE in an interview. "At first I was emotionally invested, and then it kind of switched into more curiosity."

Smith, the 23-year-old founder and president of Phantom Security Group, made it his mission to track down the group responsible for tricking his "very, very smart" and tech-savvy wife into releasing her personal information through a "smishing" scheme, in which fraudsters use fake messages to dupe people out of their personal information.

The smishing group that Smith cracked resulted in recovering data from more than 390,000 distinct credit cards.

"I thought about reaching out directly to the victims, but that would be kind of weird if some random [person] says your credit card details are stolen," he admits. "That's when I reached out to the authorities."

Smith also admits his 22-year-old wife, who declined to be interviewed, got a little weary of his dogged attempts to discover who had hacked her.

"I'd be digging into something at night and she'd be upset and say, 'You need to get off that,' " he says with a laugh.

Now he wants people to know that even folks well-versed in the cyber world can fall for scams like faked Postal Service texts that lure you in by saying a package cannot be delivered because they need a corrected address.

Smith says that last year around the holidays, his wife was in a rush when she received just such a message. She knew she had packages being delivered — so she quickly filled out her address and billing information on the very official-looking website.

And almost instantly she realized she'd done the wrong thing.

"Right afterwards, she had a second to think," Smith says. "I know a lot of people who have had similar things happen to them where they realized right after they hit send. But some people never realize what they did."

Smith, who recently graduated from Virginia Tech, was on winter break and decided he would try to find out who was behind the scam. It only took a few weeks to pinpoint and hack into a Chinese-language system supporting the tricksters, he says, and then a few more months to gather up the personal data that had been stolen. 

He handed his findings over to the United States Postal Inspection Service (USPIS) and an unnamed U.S. bank.

Michael Martel, a spokesman for USPIS, confirms to PEOPLE that the material provided by Smith is being used as part of an ongoing investigation.

Never miss a story — sign up for PEOPLE's free daily newsletter to stay up-to-date on the best of what PEOPLE has to offer​​, from celebrity news to compelling human interest stories. 

"Obviously, they are using the universal reach and goodwill of the Postal Service to reach everybody and we're not going to stand for that," Martel says of scams like the one that snared Smith's wife.

"I understand [Smith's] frustration and the willingness to protect a loved one, but also know the inspection service is actively pursuing these types of cases," he says.

The USPS offers tips through its website on sniffing out "smishing," but it all boils down to the basics of don't click a link you don't recognize and can't verify and always be cautious about providing personal information when someone reaches out to you.

What surprised Smith the most, he says, was when he presented his work at the DefCon Hacking Conference in August.

He asked how many in the audience had gotten one of the sham USPS text messages. He was shocked when "literally everyone" in the audience raised their hands. He looked across the crowd of experts and blurted out, "Oh s---!"

"All these people are privacy focused, they lock down their security, they know their stuff. All of them still got these text messages," Smith says. "[The hackers] were sending out hundreds of thousands of text messages a day."

He realized they weren't targeting specific people, but would send to every number they could get — and that number was about 100,000 a day globally.

"It's just a mass campaign of spraying messages to these people and a certain percentage are going to click on it," Smith says. "They don't care if you send it to junk and report it."

After his talk and a subsequent news article, Smith began getting emails from people who had been in similar situations. They thanked him for working to track down the culprits.

As for his wife, "she's very happy that all these people actually got help. I mean, she said she's proud of what I've done," Smith says. "I'm happy with that."