Smishing and vishing are types of phishing attacks that try to lure victims via SMS messages and voice calls. Both rely on the same emotional appeals employed in traditional phishing scams and are designed to drive you into urgent action. The difference is the delivery method.

“Cyberthieves can apply manipulation techniques to many forms of communication because the underlying principles remain constant,” explains security awareness leader Stu Sjouwerman, CEO of KnowBe4. “Lure victims with bait and then catch them with hooks.”

What is smishing?

Smishing definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Service) on cell phones.

Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and hand over sensitive information. Sometimes they might suggest you install some security software, which turns out to be malware.

Smishing example: A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU” and the link provided will download malware onto your phone. Scammers are also adept at adjusting to the medium they’re using, so you might get a text message that says, “Is this really a pic of you? https://bit.ly/2LPLdaU” and if you tap that link to find out, once again you’re downloading malware.

What is vishing?

Vishing definition: Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. It’s easy for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.

Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to harvest phone numbers from your contacts. If you respond and call back, there may be an automated message prompting you to hand over data, and many people won’t question this because they accept automated phone systems as part of daily life now.

How to prevent smishing and vishing

We’re on our guard a bit more with email nowadays because we’re used to receiving spam and scams are common, but text messages and calls can still feel more legitimate to many people. As we do more of our shopping, banking, and other activities online through our phones, the opportunities for scammers proliferate. To avoid becoming a victim you have to stop and think.

“Common sense is a general best practice and should be an individual’s first line of defense against online or phone fraud,” says Sjouwerman.

Although the advice on how to avoid getting hooked by phishing scams was written with email scams in mind, it applies to these new forms of phishing just as well. At root, trusting no one is a good place to start. Never tap or click links in messages; look up numbers and website addresses and enter them yourself. Don’t give any information to a caller unless you’re certain they are legitimate – you can always call them back.

It’s better to be safe than sorry, so always err on the side of caution. No organization is going to rebuke you for hanging up and then calling them directly (having looked up the number yourself) to ensure they really are who they say they are.

Update your awareness training

While remaining on your guard is solid advice for individuals in everyday life, the reality is that people in the workplace are often careless. They may be distracted, under pressure, and eager to get on with their work, and scams can be devilishly clever. What if the SMS seems to come from the CEO, or the call appears to be from someone in HR? You can toughen up your employees and boost your defenses with the right training and clear policies.

Every company should have some kind of mandatory, regular security awareness training program. It can include best practices for general safety, but it should also define policies, such as who to contact in the event of something suspicious, or rules on how certain sensitive communications will be handled, that make attempted deceptions much easier to spot.

If you do suffer any form of phishing attack, make changes to ensure it never happens again – it should also inform your security training.

The majority of smishing and vishing attacks go unreported, and this plays into the hands of cybercriminals. While you may be smart enough to ignore the latest suspicious SMS or call, maybe Marge in Accounting or Dave in HR will fall victim. If you have a system in place for people to report these attempted attacks, and possibly even a small reward for doing so, then it presents you with an opportunity to warn others.

As phishing continues to evolve and find new attack vectors, we must be vigilant and continually update our strategies to combat it.
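The smishing pattern the article describes (an account threat or curiosity lure paired with a link whose real destination is hidden behind a URL shortener) is also something a reporting pipeline or SMS gateway can score mechanically, which supports both the "never tap links, look the address up yourself" advice and the reporting system suggested above. The following is an added example, not code from the article or from KnowBe4: it scores a handful of constructed sample texts (the first two mirror the messages quoted in the article, the other two are benign) on a few indicators. The indicator lists, weights and the threshold of 4 are assumptions chosen here for illustration, not a tuned production model.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the example; the first two echo the texts
# quoted in the article, the last two are ordinary, legitimate-looking SMS.
SAMPLE_MESSAGES = [
    "Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU",
    "Is this really a pic of you? https://bit.ly/2LPLdaU",
    "Your package is out for delivery. Track it at https://www.example.com/track/123",
    "Reminder: dentist appointment tomorrow at 10:30. Reply C to confirm.",
]

# Public URL shorteners. A shortened link hides where you would actually land,
# which is why the article says to look addresses up and type them yourself.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Indicator phrases (assumed lists for this example). Matched on word boundaries
# so that e.g. "pin" does not fire on "shopping".
URGENCY_WORDS = ("suspended", "locked", "unlock", "verify", "urgent", "immediately", "expires")
CURIOSITY_LURES = ("is this you", "pic of you", "photo of you")
DATA_REQUESTS = ("password", "pin", "card number", "ssn", "sign in", "log in")

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def _contains_any(lowered, phrases):
    return any(re.search(r"\b" + re.escape(p) + r"\b", lowered) for p in phrases)


def score_sms(text):
    """Return (score, reasons) for one message; a higher score is more smishing-like.

    Weights are illustrative assumptions: a hidden destination counts most, the
    lure wording next, and a lure combined with a link gets a small bonus because
    that pairing is the classic smishing structure.
    """
    lowered = text.lower()
    urls = extract_urls(text)
    score = 0
    reasons = []

    for url in urls:
        host = urlparse(url).hostname or ""
        if host in URL_SHORTENERS:
            score += 3
            reasons.append(f"shortened link hides destination ({host})")
        else:
            score += 1
            reasons.append(f"contains link ({host})")

    lure = False
    if _contains_any(lowered, URGENCY_WORDS):
        score += 2
        lure = True
        reasons.append("urgency / account-threat wording")
    if _contains_any(lowered, CURIOSITY_LURES):
        score += 2
        lure = True
        reasons.append("curiosity lure")
    if _contains_any(lowered, DATA_REQUESTS):
        score += 2
        lure = True
        reasons.append("asks for credentials or card data")
    if urls and lure:
        score += 1
        reasons.append("lure combined with link")

    return score, reasons


def triage(messages, threshold=4):
    """Score each message and flag those at or above the threshold for review."""
    results = []
    for msg in messages:
        score, reasons = score_sms(msg)
        results.append({
            "message": msg,
            "score": score,
            "suspicious": score >= threshold,
            "reasons": reasons,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] score={r['score']} {r['message']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

On the constructed samples, both article-style texts score 6 and are flagged, the delivery notice scores 1 for merely containing a link, and the appointment reminder scores 0. The shortener check is deliberately weighted highest: the legitimate-looking delivery text still carries a link, so it is the hidden destination plus the lure, not the presence of a URL alone, that separates the two groups. A real deployment would replace the static phrase lists with something maintained from reported messages, which is one concrete use for the reporting system the article recommends.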