Be Informed About Smishing and Vishing

An urgent voicemail message from the tax department. A text message from Microsoft tech support warning you about a problem with your computer. A caller asking you to confirm your mailing address and credit card number so you can collect your free prize. A text message requesting your confirmation of an Amazon shipment.

These are all examples of smishing and vishing cyberattacks. The phone has become one of the most popular contact methods for cybercriminals. Cybercriminals know that we are never far from our smartphones and that we find it very challenging to ignore the ping of a text message or buzz of an incoming phone call.

Both smishing and vishing rely on social engineering to trick victims into giving up personal and confidential information. Using convincing and often urgent language, cybercriminals manipulate victims into giving up information such as their bank account and credit card details, passwords, social insurance number, date of birth, and mailing address.

Victims are convinced they’re doing the right thing by providing this information. After all, the caller is telling them that they face criminal prosecution from the tax department if they don’t confirm their bank account details. And the text message promising delivery of a free prize says the offer will expire in one hour without the bank account details required to process the prize.

It’s important to understand that cybercriminals target both individuals and organizations with strategic smishing and vishing attacks. Often cybercriminals send spear phishing emails first to collect information that is then used to deliver personalized text messages and phone calls.

What is Smishing?

Smishing is a cybercrime that uses manipulative text messages to steal confidential personal and corporate information from people.

Using urgent and compelling language, the text message may threaten the victim with severe consequences if they don’t take action or convince the victim that they’re helping the sender by providing the requested information.

Cybercriminals are taking advantage of text messages because they know how frequently people check their phones. Consider these recent SMS marketing statistics:

  • 98% of all text messages are read and opened.
  • 90% of all text messages are read within three minutes.
  • Text messages have a 209% higher response rate than emails, phone calls, and Facebook messages.

To make things easier for cybercriminals, people simply are not aware of smishing cyberattacks. This lack of awareness creates a dangerous scenario where victims do not think twice about tapping embedded links, providing information, or responding to the texting cybercriminal.

What is Vishing?

Vishing, often referred to as voice phishing, is a cybercrime that uses the phone to steal personal confidential information from victims. Cybercriminals use savvy social engineering tactics to convince victims to act, giving up private information and access to bank accounts.

Often cybercriminals will tailor their vishing calls and messages to the time of the year or to a hot news story. For example, during tax season, criminals leave messages pretending to be from the IRS. And during the COVID-19 pandemic, cybercriminals called people promising vaccines and testing kits if they provided their bank account information and mailing address.

Vishing, like smishing, is used to steal from both individuals and organizations. A cybercriminal may research a company on LinkedIn and on the company website, collecting details about the leadership, employee details, and who is traveling or attending a conference. With this information, the cybercriminal makes a series of strategic phone calls and voicemails that convince an employee to transfer funds on behalf of their manager who is traveling and cannot access the network.

How To Protect Your Organization and Employees from Smishing and Vishing Attacks

It’s easy to overlook the risk of smishing and vishing since there is a high focus on phishing, spear phishing, malware, and CEO fraud. However, smishing and vishing are common attack vectors for cybercriminals who target organizations and their employees.

These statistics on smishing and vishing from a global 2020 survey of organization security leaders and employees reveal how important it is to raise awareness of these cyber threats:

  • 49% of employees answered “I Don’t Know” to the question: What is Smishing?
  • 53% of employees answered “I Don’t Know” to the question: What is Vishing?
  • 84% of surveyed CISOs and security leaders received corporate smishing attacks.
  • 83% of surveyed CISOs and security leaders received corporate vishing attacks.

To protect your organization and employees from smishing and vishing attacks, do the following:

  • Take advantage of security awareness training that uses real-world examples of smishing and vishing attacks to reinforce how cybercriminals use text messaging and phone calls to commit cyber fraud.
  • Make it easy for employees to report smishing and vishing attacks to you and your team.
  • If you have a BYOD policy, it’s important to have strict rules around app updates, password protection, and Wi-Fi connectivity, and to require employees to follow recommended remote and mobile device cyber security best practices.
  • Use phishing simulations to measure and monitor employee awareness of cyber fraud threats. Use this information to customize your security awareness training and campaign to address areas where your employees need additional education.

Remember, your employees are your first line of defense against smishing and vishing attacks. Focus on giving your employees security awareness training that is relatable, modern, and relevant. When your employees understand how smishing and vishing happen and the ramifications of a successful smish or vish attack, they are more likely to be alert to threats.

6 Ways You Can Recognize Smishing and Vishing Attacks

*This is for employees

We know that it can be hard to stay up to date with the latest cyberattack methods and threats. And this is why we want you to be able to recognize smishing and vishing attacks.

Cybercriminals use convincing text messages, voicemails, and phone calls to trick people into providing personal and professional confidential information. As with phishing, this information is then used to steal and harm.

When you receive a text message, voicemail, or phone call from someone you do not know, please remember these six signs of smishing and vishing attacks:

  1. Never respond to a text message from someone you do not know. Do not tap any embedded attachments, URLs, or images.
  2. Remember that the tax department, local hospital, police, or bank will never call and leave a threatening voicemail demanding you act or face criminal prosecution. If you are concerned, use the official website for the organization to find contact information and send an email about the voicemail or phone call.
  3. Be on the lookout for text messages and phone calls that use convincing, forceful, or urgent language. Cybercriminals try to prey on the basic human instincts of trust, fear, greed, and wanting to help to convince people to provide personal information.
  4. Never ever give out your bank account, credit card, or password details. No legitimate company asks for these from you over the phone or through a text message.
  5. Remember that no one from our company will call you and ask you to transfer money, email personnel files, or provide your personal bank account information. When in doubt, hang up or ignore the text message, and contact your IT/support team.
  6. Do not respond to emails or social media messages asking for your phone number. This is the first step in a strategic phishing/smishing/vishing attack. Report this to your IT/support team.

We want you to think twice. Read the text message carefully. Listen to the caller or voicemail critically. Pay attention to signs of social engineering. Hang up. Do not respond to the text message.

Remember that fear is a common tactic with smishing and vishing: the cybercriminal attempts to scare you into acting. Be aware of threats about criminal prosecution, jail time, freezing of accounts, or loss of healthcare benefits.
