We at vali.now often analyze real-world incidents to highlight risks in social engineering attacks. The 2023 breach at Retool serves as a clear example of how SMS-based phishing can escalate into significant compromises.

The Retool Incident (2023)

Attackers targeted Retool employees with SMS messages posing as IT team communications about payroll issues. One employee clicked a malicious link, landing on a fake page that captured credentials. The attackers then used a deepfaked voice call to obtain an MFA code, adding their device to the employee’s Okta account. This granted persistent access.

A key escalation factor was the employee’s use of Google Authenticator’s cloud sync feature, introduced in April 2023. It allowed attackers to access synced OTPs, bypassing the “something you have” MFA factor. They ultimately compromised 27 cloud customer accounts, primarily in the cryptocurrency sector, leading to password resets and financial losses, including approximately $15 million stolen from one customer.

This incident aligns with tactics used by the group known as Scattered Spider (UNC3944), noted for sophisticated phishing and voice impersonation.

The Twilio Incident (2022)

A similar case occurred in 2022 with Twilio. Attackers sent SMS messages to employees, impersonating IT and warning of password expirations or schedule changes, with links containing terms like “Okta” or “SSO.” Compromised credentials provided access to internal systems, affecting a limited number of customers (around 163 reported). This was part of the broader 0ktapus campaign targeting over 130 organizations.

Similarities:

  • Both began with targeted SMS phishing to steal credentials.
  • Attackers combined SMS with follow-up social engineering (voice calls in Retool; persistent phishing in Twilio).
  • Both exploited Okta environments and MFA weaknesses.
  • Attributed to overlapping actors (Scattered Spider/0ktapus).

Differences:

  • Retool involved voice deepfaking and exploited Google Authenticator cloud sync for OTP access.
  • Twilio focused more on broad SMS campaigns without reported voice deepfakes, leading to supply-chain impacts on downstream customers.

We note that the Retool and Twilio incidents illustrate enduring risks from SMS- and voice-based social engineering, as seen in tactics employed by Scattered Spider (also tracked as UNC3944).

This group remained active through mid-2025, using sophisticated impersonation, push bombing, and SIM swapping. Attacks targeted retail (e.g., UK incidents in April-May 2025), insurance, and other sectors, often involving ransomware variants like DragonForce.

Social engineering continues as a leading initial access vector, accounting for 36% of incident response cases from May 2024 to May 2025 per Unit 42 data, with phishing dominant. MFA bypass techniques, such as token replay, featured in notable incidents.

To mitigate these threats in business environments, we recommend phishing-resistant MFA (FIDO2 hardware keys or passkeys), strict help desk verification, disabling OTP cloud sync, and regular employee training on unsolicited urgent requests. Proactive measures and threat intelligence monitoring are essential for resilience.
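One detection that complements the measures above is to flag an MFA factor enrolment that closely follows a login from a location the user has never used, the pattern of the Retool chain (phished credentials, then the attacker's own device enrolled in Okta). The example below is added here and is not code from the original post or from Okta; the event field names and the two event-type strings are assumptions modelled on Okta System Log records, and the log lines and location baseline are constructed.

```python
"""Flag MFA factor enrolments that follow a login from an unseen country
within a short window. Event shape and type names are assumptions modelled
on Okta System Log records; verify them against your own tenant's export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), one record per line.
EVENTS = [
    {"ts": "2023-08-27T10:02:11Z", "type": "user.session.start",
     "user": "alice@example.com", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2023-08-27T10:04:40Z", "type": "user.mfa.factor.activate",
     "user": "alice@example.com", "ip": "203.0.113.7", "country": "RO"},
    {"ts": "2023-08-27T11:15:00Z", "type": "user.session.start",
     "user": "bob@example.com", "ip": "198.51.100.9", "country": "DE"},
    {"ts": "2023-08-27T11:16:30Z", "type": "user.mfa.factor.activate",
     "user": "bob@example.com", "ip": "198.51.100.9", "country": "DE"},
    {"ts": "2023-08-27T14:00:00Z", "type": "user.session.start",
     "user": "carol@example.com", "ip": "192.0.2.44", "country": "BR"},
    {"ts": "2023-08-27T15:30:00Z", "type": "user.mfa.factor.activate",
     "user": "carol@example.com", "ip": "192.0.2.44", "country": "BR"},
]

# Constructed baseline of countries each user has logged in from before;
# in practice this comes from a longer history window.
KNOWN_LOCATIONS = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "DE"},
    "carol@example.com": {"US"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_enrollments(events, known_locations, window=timedelta(minutes=30)):
    """Return (user, enrolment timestamp) for every factor enrolment that
    occurs within `window` of a login from a country not in the baseline."""
    recent_new_logins = defaultdict(list)  # user -> timestamps of unseen-country logins
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # fixed-width ISO, sorts as text
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["type"] == "user.session.start":
            if ev["country"] not in known_locations.get(user, set()):
                recent_new_logins[user].append(ts)
        elif ev["type"] == "user.mfa.factor.activate":
            # Only logins that precede the enrolment and fall inside the window count.
            if any(timedelta(0) <= ts - t <= window for t in recent_new_logins[user]):
                hits.append((user, ev["ts"]))
    return hits


if __name__ == "__main__":
    for user, when in suspicious_enrollments(EVENTS, KNOWN_LOCATIONS):
        print(f"ALERT: factor enrolled for {user} at {when} shortly after login from new country")
```

Alice is flagged (new country, enrolment two minutes later); Bob's country is in his baseline and Carol's enrolment falls outside the 30-minute window, so neither is.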

If in Doubt: vali.now

Your best defense is healthy skepticism. If something seems just a little off or a bit too good to be true – it probably is. Your best option is to forward the details to help@vali.now. Our cybersecurity professionals have been recognizing and fighting off such attacks for decades. Your first case (up to one hour of research) on our side is free, with affordable rates after that. You’ve got nothing to lose and you might just prevent catastrophic losses by reaching out.
