
As technology evolves, phishing attacks are on the rise. According to recent survey data from SlashNext, new tools such as generative AI have helped drive a 1200% increase in phishing messages over the past two years. IBM, meanwhile, notes that 75% of organizations experienced a smishing attack in 2023.
Here's what businesses should know about how phishing and smishing work, how they're similar (and different), and what users can do to reduce the risk of getting caught.
Understanding Phishing
Phishing attacks attempt to "hook" unsuspecting victims with legitimate-seeming emails that prompt them to take action. If users click on the provided link or download the attached file, they can expose personal accounts and business networks to malware, ransomware, and other digital threats.
Explanation of phishing
Email is the most common vector for phishing attacks.
The attack starts with an unsolicited message that appears to be from a legitimate source. This source could be a financial institution, online e-commerce retailer, business supplier, or even someone within the user's organization. The quality of emails varies; some are well-researched, well-crafted, and designed to target specific individuals, while others are generic messages sent to hundreds or thousands of users. No matter the quality of the content, however, the goal remains the same: Convincing users to take action.
Consider an email supposedly from the victim's financial institution. It warns that accounts have been compromised and urges users to click on a provided link to reset their password. Both the email itself and the linked webpage may look entirely above-board thanks to images, logos, and color schemes that mimic actual websites.
In fact, the linked page is a fake. If users enter their login and password data, this information is captured by attackers who then lock victims out of their accounts. From there, malicious actors may steal data, demand ransom, or use provided credentials to move laterally into business networks.
Common phishing tactics
Phishing scams use several common tactics, such as:
Email phishing
Attackers send large volumes of generic emails to many users. While success rates are low, all it takes is one click or download.
Spear phishing
Spear phishing attacks target specific users. Attackers often carry out research before crafting and sending personalized emails designed to build trust.
Whaling
Whaling targets C-suite executives. If attackers can convince CEOs, CFOs, or CIOs to click on links or download attachments, they could gain access to high-level corporate data.
Objectives of phishing
The primary objectives of phishing are convincing users to expose sensitive information, allowing attackers to gain network access, or compelling victims to take action that harms the business or themselves, such as transferring money or sharing protected data.
For example, if attackers convincingly imitate a company's IT provider, they can persuade users to hand over their login and password details, allowing malicious actors to conduct business email compromise (BEC) attacks.
Understanding Smishing
As noted above, smishing is a type of phishing attack. Instead of using email, however, smishing relies on text messages to prompt user action.
Explanation of smishing
The term "smishing" is a portmanteau of the word "phishing" and the acronym for short message service, or SMS. While the goal of these attacks remains the same — convincing users to take action — smishing relies on mobile device messaging rather than email.
How smishing attacks work via SMS
Smishing is similar to phishing: Victims receive a text supposedly from a trusted contact or a legitimate source. If users respond to the text, attackers ask them to take action by clicking on a link or completing a specific task. For example, a text message that appears to come from the company CEO might ask a staff member to immediately share sensitive data or transfer funds to a provided email address. Because the message seemingly comes from a C-suite executive, staff are reluctant to say no.
Examples of smishing scams to be aware of
Common examples of smishing scams include:
Bank texts
Users receive an alert from their "bank" indicating that their account has been compromised and they need to reset their password.
Prize wins
Users are notified that they have won a prize or a raffle and need to click through on a link and provide their personal details.
Tax scams
Users get a message supposedly from the IRS or a federal government agency claiming they owe taxes or are under investigation and need to verify their identity.
CEO fraud
Users are sent a message from someone claiming to be the CEO (or another executive) of their organization. This supposed CEO asks recipients to transfer company funds, buy gift cards, or provide access details to corporate resources.
Objective of smishing attacks
Much like phishing, the goal of smishing attacks is convincing users to take action that puts personal or company data at risk. Consider an SMS message that warns users their Amazon account has been compromised. If attackers are convincing enough, victims may click through on links that look legitimate — think www.amaazon.com/reset rather than www.amazon.com/reset — and provide their login details. Once attackers have what they want, they log into user accounts, change passwords, and then start causing trouble. This trouble could include making purchases with saved credit card data, exfiltrating personal information, or using login/password details to compromise other sites since users often duplicate credentials across multiple services.
Differences between Smishing and Phishing
While phishing and smishing are similar, they're not the same. Both have the same objective but use different communication channels to achieve their goals.
Comparison of smishing and phishing techniques
The primary difference between phishing and smishing is how messages are sent.
Phishing attacks use emails, which provide more room for attackers to create a narrative. Emails also allow attackers to include headers, footers, images, and other pieces of digital context that make messages appear more trustworthy.
In the case of smishing, attackers are limited to text, links, and small images such as emojis. Messages that don't immediately get to the point or are too long for users to read quickly will be ignored or deleted. As a result, smishing messages often rely on common use cases for SMS texts, such as users receiving updates on package tracking, getting notifications from their bank, or being notified that accounts have been compromised.
How smishing and phishing target different communication channels
The key difference between smishing and phishing is the communication channel used.
Phishing attacks rely on email. Standard attacks send thousands (or tens of thousands) of generic messages to users. While the vast majority of these messages will never reach their target or be deleted before they're opened, all it takes is one successful download or click-through for attackers to steal data or gain account access.
Smishing attacks depend on texts. While users expect to receive a mix of legitimate and spam emails in their inboxes, they're often more protective of their mobile devices — if they don't directly give out their number, they're immediately suspicious of any incoming message. As a result, SMS attacks are typically more focused: They ask for a specific action or response up-front and with minimal additional context.
Unique risks and vulnerabilities associated with each
Phishing and smishing each carry unique risks and vulnerabilities.
When it comes to phishing, the sheer volume of emails received by users increases the risk of an attack slipping through the cracks. Even if victims recognize that an email isn't legitimate after opening it, a single misclick could put personal or company data at risk. Phishing can also lead to what's known as "daisy chain" attacks. These occur when attackers use stolen credentials to access other accounts that have the same (or similar) login details. For example, many users repeat the same email address and password across multiple sites, giving attackers an advantage.
While smishing attacks are less likely to succeed, they carry the risk of potential mobile device compromise. Consider a user who clicks through on a tax scam and downloads malicious code. With access to a victim's phone, attackers could send SMS messages or emails to contacts, scrape data from mobile applications, or prevent users from accessing their devices.
Responding to Smishing and Phishing Incidents
When smishing or phishing incidents happen, how users respond can make all the difference.
Immediate steps to take if you suspect a smishing or phishing attack
If you suspect that you've clicked on a malicious link or downloaded a malicious attachment, reporting is the first step. For business accounts, this means contacting IT security teams with the details of what happened and which accounts may be compromised. In the case of personal financial or e-commerce websites, users should check whether they've been locked out of their accounts. If they still have access, they should immediately change their passwords. If they have been locked out, they should report the compromise to customer service.
How to minimize the impact of a successful attack
The most effective way to minimize the impact of successful attacks is with complete transparency. The longer users wait to report phishing attacks, and the fewer details they give about attacks, the better for cybercriminals. In many cases, users are worried that complete reporting could put their position or job at risk, but the longer attackers have access to accounts undetected, the more damage they can do.
For organizations, this means creating a security culture that makes incident reporting the first priority.
Recovering from identity theft and restoring compromised accounts
One common consequence of phishing and smishing attacks is identity theft. If cybercriminals gain access to accounts, they can steal and exfiltrate personal data such as medical, financial, and employment records. Using this data, they may be able to create fake accounts with credit card companies, e-commerce retailers, or government agencies.
Recovering from identity theft means reporting the compromise to all relevant parties. For example, in the case of credit card account compromise, victims should notify the bank that issued their card, the credit card company, and credit monitoring agencies such as Experian and TransUnion. They should also request that compromised accounts be closed and deleted, and then create new accounts using more secure passwords.
Protecting Yourself from Smishing and Phishing Attacks
While it's impossible to completely eliminate the chance of successful smishing and phishing attacks, users can reduce their risk by protecting their personal information.
Best practices for safeguarding personal information
Several practices can help safeguard personal information.
First is the use of email security tools that block suspicious emails from reaching inboxes. While options for SMS are more limited, work is underway on AI tools capable of detecting spam messages.
Next, users should limit the amount of personal information they share with others and provide to online account services. When it comes to personal information sharing, there's a simple rule: The less, the better.
Users can also reduce risk by taking the time to verify that websites or senders are legitimate before sharing data. This best practice could include checking websites to ensure they are secure — meaning the site address begins with "https:" — or calling a sender directly to verify their identity.
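Added example, not code from the original article: a defender-side link check in Python that applies the lookalike-domain idea from the Amazon example above (www.amaazon.com versus www.amazon.com) and the https check described here. It assumes a small constructed allowlist of trusted domains; it goes slightly beyond the article by also flagging a trusted brand name buried in a subdomain of some other domain, and the https field shows that a padlock alone is not proof of legitimacy, since a lookalike can be served over https too.

```python
from urllib.parse import urlparse

# Constructed allowlist for the example; a real deployment would use the
# organisation's own list of legitimate domains.
TRUSTED_DOMAINS = {"amazon.com", "lastpass.com"}

# Maximum edit distance at which a domain counts as a lookalike.
LOOKALIKE_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host, e.g. www.amazon.com -> amazon.com.
    Simplification: multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return the registrable domain, whether https is used, and a verdict:
    'trusted', 'lookalike of <domain>', or 'unknown'."""
    # Links in texts often omit the scheme; add one so urlparse sees a host.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    result = {"domain": domain, "https": parsed.scheme == "https"}

    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result

    # Brand name used as a subdomain label of an unrelated domain,
    # e.g. amazon.com.account-check.example
    labels = host.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in labels:
            result["verdict"] = "lookalike of " + trusted
            return result

    # Typosquat: a domain within a small edit distance of a trusted one.
    closest = min(sorted(TRUSTED_DOMAINS), key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, closest) <= LOOKALIKE_DISTANCE:
        result["verdict"] = "lookalike of " + closest
    else:
        result["verdict"] = "unknown"
    return result
```

Any verdict other than "trusted" is a reason to stop and verify the sender out of band rather than enter credentials.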
Using LastPass as Smishing and Phishing Prevention
LastPass can help prevent smishing and phishing.
Using strong passwords and multi-factor authentication
Strong passwords and multi-factor authentication (MFA) can reduce the risk of account compromise. Better passwords make it harder for attackers to brute force their way into secure accounts, and requiring additional authentication factors means that login and password details aren't enough for attackers to compromise accounts.
The LastPass password generator helps avoid weak passwords and ensures that passwords aren't repeated, while LastPass MFA keeps user accounts safe even if common credentials are compromised.
Proactive monitoring
Phishing and smishing attacks redirect users to compromised websites. With LastPass proactive monitoring, passwords won't autofill on unrecognized sites, helping prevent unintentional compromise.
Ease of password management
With the LastPass vault, users can store passwords, payment information, and personal data securely. No one has access to this vault except you — not other users, not LastPass, and not attackers.
Security tips
Phishing and smishing aren't static threats. With the LastPass Resource Center, you're better prepared to navigate the changing world of cyber risks.
No smish, no phish — stay safer with LastPass. Start your free trial today.