How a Husband Hacked the Scammers Who Targeted His Wife, Then Gave Investigators the Info He Learned (Exclusive)

Mar. 15, 2025

Grant Smith presents a panel on how he hacked the scammers.Photo:youtube

youtube

Cybersecurity expert Grant Smith wasn’t about to let it slide when scammers tried bilking his wife through a phony U.S. Postal Service text.

“I took it personally,” Smith tells PEOPLE in an interview. “At first I was emotionally invested, and then it kind of switched into more curiosity.”

Smith, the 23-year-old founder and president of Phantom Security Group, made it his mission to track down the group responsible for tricking his “very, very smart” and tech-savvy wife into releasing her personal information through a “smishing” scheme, in which fraudsters use fake messages to dupe people out of their personal information.

The smishing group that Smith cracked resulted in recovering data from more than 390,000 distinct credit cards.

“I thought about reaching out directly to the victims, but that would be kind of weird if some random [person] says your credit card details are stolen,” he admits. “That’s when I reached out to the authorities.”

Smith also admits his 22-year-old wife, who declined to be interviewed, got a little weary of his dogged attempts to discover who had hacked her.

“I’d be digging into something at night and she’d be upset and say, ‘You need to get off that,’ ” he says with a laugh.

Smith, who lives in Andover, Mass., says that last year around the holidays, his wife was in a rush when she received just such a message. She knew she had packages being delivered — so she quickly filled out her address and billing information on the very official-looking website.

And almost instantly she realized she’d done the wrong thing.

“Right afterwards, she had a second to think,” Smith says. “I know a lot of people who have had similar things happen to them where they realized right after they hit send. But some people never realize what they did.”

Grant Smith.courtesy grant smith

courtesy grant smith

Smith, who recently graduated from Virginia Tech, was on winter break and decided he would try to find out who was behind the scam. It only took a few weeks to pinpoint and hack into a Chinese-language system supporting the tricksters, he says, and then a few more months to gather up the personal data that had been stolen.

He handed his findings over to the United States Postal Inspection Service (USPIS) and an unnamed U.S. bank.

Never miss a story — sign up forPEOPLE’s free daily newsletterto stay up-to-date on the best of what PEOPLE has to offer​​, from celebrity news to compelling human interest stories.

“Obviously, they are using the universal reach and goodwill of the Postal Service to reach everybody and we’re not going to stand for that,” Martel says of scams like the one that snared Smith’s wife.

“I understand [Smith’s] frustration and the willingness to protect a loved one, but also know the inspection service is actively pursuing these types of cases,” he says.

The USPS offers tips throughits websiteon sniffing out “smishing,” but it all boils down to the basics of don’t click a link you don’t recognize and can’t verify and always be cautious about providing personal information when someone reaches out to you.

Grant Smith submitting his findings this past summer at DEF CON.youtube

What surprised Smith the most, he says, was when he presented his work at theDEF CON hacking onferencein August.

He asked how many in the audience had gotten one of the sham USPS text messages. He was shocked when “literally everyone” in the audience raised their hands. He looked across the crowd of experts and blurted out, “Oh s—!”

“All these people are privacy focused, they lock down their security, they know their stuff. All of them still got these text messages,” Smith says. “[The hackers] were sending out hundreds of thousands of text messages a day.”

He realized they weren’t targeting specific people, but would send to every number they could get — and that number was about 100,000 a day globally.

“It’s just a mass campaign of spraying messages to these people and a certain percentage are going to click on it,” Smith says. “They don’t care if you send it to junk and report it.”

After his talk and a subsequent news article, Smith began getting emails from people who had been in similar situations. They thanked him for working to track down the culprits.

As for his wife, “she’s very happy that all these people actually got help. I mean, she said she’s proud of what I’ve done,” Smith says. “I’m happy with that.”

source: people.com