



Smishing and vishing: How these cyber attacks work and how to prevent them

Aug 09, 2019 | 5 mins

As scammers aim to manipulate people into handing over sensitive data, phishing attacks are expanding into new channels and growing even more sophisticated.

Smishing and vishing are types of phishing attacks that try to lure victims via SMS messages and voice calls. Both rely on the same emotional appeals employed in traditional phishing scams and are designed to drive you into urgent action. The difference is the delivery method.

“Cyberthieves can apply manipulation techniques to many forms of communication because the underlying principles remain constant,” explains security awareness leader Stu Sjouwerman, CEO of KnowBe4. “Lure victims with bait and then catch them with hooks.”

What is smishing?

Smishing definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Service) on cell phones.

Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and hand over sensitive information. Sometimes they might suggest you install some security software, which turns out to be malware.

Smishing example: A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here:” and the link provided will download malware onto your phone. Scammers are also adept at adjusting to the medium they’re using, so you might get a text message that says, “Is this really a pic of you?” and if you tap that link to find out, once again you’re downloading malware.

What is vishing?

Vishing definition: Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype.

It’s easy for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, then they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.

Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to harvest phone numbers from your contacts. If you respond and call back, there may be an automated message prompting you to hand over data and many people won’t question this, because they accept automated phone systems as part of daily life now.

How to prevent smishing and vishing

We’re on our guard a bit more with email nowadays because we’re used to receiving spam and scams are common, but text messages and calls can still feel more legitimate to many people. As we do more of our shopping, banking, and other activities online through our phones, the opportunities for scammers proliferate. To avoid becoming a victim you have to stop and think.

“Common sense is a general best practice and should be an individual’s first line of defense against online or phone fraud,” says Sjouwerman.

Although the advice on how to avoid getting hooked by phishing scams was written with email scams in mind, it applies to these new forms of phishing just as well. At root, trusting no one is a good place to start. Never tap or click links in messages; look up numbers and website addresses and input them yourself. Don’t give any information to a caller unless you’re certain they are legitimate – you can always call them back.

It’s better to be safe than sorry, so always err on the side of caution. No organization is going to rebuke you for hanging up and then calling them directly (having looked up the number yourself) to ensure they really are who they say they are.

Update your awareness training

While remaining on your guard is solid advice for individuals in everyday life, the reality is that people in the workplace are often careless. They may be distracted, under pressure, and eager to get on with their work, and scams can be devilishly clever. What if the SMS seems to come from the CEO, or the call appears to be from someone in HR? You can toughen up your employees and boost your defenses with the right training and clear policies.

Every company should have some kind of mandatory, regular security awareness training program. It can include best practices for general safety, but also define policies, such as who to contact in the event of something suspicious, or rules on how certain sensitive communications will be handled, that make attempted deceptions much easier to spot.

If you do suffer any form of phishing attack, make changes to ensure it never happens again – it should also inform your security training.

The majority of smishing and vishing attacks go unreported and this plays into the hands of cybercriminals. While you may be smart enough to ignore the latest suspicious SMS or call, maybe Marge in Accounting or Dave in HR will fall victim. If you have a system in place for people to report these attempted attacks, and possibly even a small reward for doing so, then it presents you with an opportunity to warn others.

As phishing continues to evolve and find new attack vectors, we must be vigilant and continually update our strategies to combat it.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
