
Humans remain the biggest challenge in IT security. According to Verizon's 2023 Data Breach Investigations Report, 74% of breaches involved a human element, such as an employee clicking a link, opening an attachment, or being talked into an action by an attacker.
While phishing is the most widely known (and widely used) type of human-enabled attack, variations such as smishing and vishing are gaining ground. Here's a look at smishing and vishing basics, differences, detection, impacts, and effective defense.
How Smishing Is Defined
The term "smishing" is a portmanteau of "phishing" and the acronym for short message service (SMS). Drop the "ph", add the "sm", and you've got smishing.
As the name implies, smishing uses text messages rather than emails to compel user action. The approach is simple: Users receive a text message from an unknown number, often claiming to be someone they know, someone they recently met at a conference or event, or a familiar organization. The message looks benign but asks the user to tap a link or download a file; the link usually leads to a page that harvests credentials or payment details, and the download may install malware on the mobile device.
Common tactics used in smishing attacks
There are several common tactics used in smishing, such as:
Specific target selection
Attackers may specifically seek out and select high-value targets that have access to administrative or financial functions within an organization.
Supplementary data
Smishing efforts may also use supplementary data found on public websites, such as usernames, job titles, and hobbies.
Social engineering
To encourage action, attackers use social engineering techniques that make messages seem legitimate and urgent. For example, messages may include an abundance of detail about an "undeliverable" package that piques user curiosity.
Examples of recent smishing scams
Smishing attacks are designed to compel action. Since scammers are working with a limited field for text and a limited attention span from users, these attacks are often short and to the point and crafted to create a sense of urgency.
Consider a recent smishing attack affecting drivers in Pennsylvania. Over the last few months, individuals across the state have received texts purportedly from the Pennsylvania Turnpike Commission (PTC) warning them that they have unpaid toll charges. The text contains a payment link, which is simply a gateway for attackers to steal users' financial data.
Another smishing scam making the rounds claims to be from the United States Postal Service (USPS). The texts supposedly include package tracking information and ask users to click a link for more details. If users take the bait, they're directed to a website that asks them to enter personal data, and providing it can expose victims to identity or financial fraud. The USPS is explicit: it does offer text tracking, but it only sends texts to customers who first requested them, and those messages never contain a link.
How Vishing Is Defined
Vishing is a combination of the words "voice" and "phishing". Lose the "ph", add the "v", and you get vishing, which is the use of fraudulent calls or voicemails to trick users into providing personal or confidential information.
Techniques employed in vishing attacks
Common techniques used in vishing scams include:
Number spoofing
Attackers may spoof legitimate numbers or use local area codes to make vishing calls seem legitimate.
Voice recording
Vishing attacks may also involve attackers asking a question the victim is likely to answer with "yes" (for example, "Can you hear me?"), recording that "yes", and later using the recording to claim the victim agreed to a charge or to impersonate them with services that accept voice confirmation.
Robo calling
In some cases, vishing attacks may leverage robocalling to "warn" users about credit card problems such as fraudulent charges and then direct them to a spoofed website to "confirm" their accounts, harvesting card numbers and login details in the process.
Real-life vishing incidents and their impact
One common vishing scam targets seniors. Victims receive a phone call from a "lawyer" or "police officer" warning that their grandchild is in trouble with the law or has been injured and needs money. Scammers provide an email address or bank account details for a money transfer and ask for hundreds or thousands of dollars. For many seniors, losing this much money can be financially devastating — attackers prey on victims' worry about their families to compel action.
Bank fraud is another example of vishing in action. In 2023, police in Czechia and Ukraine, supported by Europol, arrested members of a vishing gang that had operated for more than two years. Posing as bank security officers and calling from spoofed numbers, the fraudsters told victims their accounts had been hacked and asked them to transfer funds to "safe" accounts that the gang controlled. In Czechia alone, the gang stole more than $8 million from its victims.
Key Differences Between Smishing and Vishing
While smishing and vishing both attempt to trick users into taking action, their methods and risk levels are different.
Comparison of communication channels
Where smishing uses text, vishing uses voice.
SMS messages are effectively anonymous. While attackers may use spoofed numbers to mimic known contacts, the vast majority of smishing efforts face the uphill battle of convincing users they are who they say they are. As a result, smishing attackers often present themselves as part of a larger organization, such as the postal service or a collections agency.
Vishing uses voice. This allows more in-depth conversations and interactions that can help attackers get what they want. In the case of using real people to call victims, the sense of urgency instilled by speaking with a "security professional" or "police officer" can prompt victims to take immediate action. When it comes to robocalls, attackers can create warnings that sound legitimate and convince users to answer questions by providing personal data.
Different approaches used by attackers in smishing and vishing
SMS messages must be short and to the point to grab users' attention. As a result, smishing attacks don't hold back — from the first text, they're going all-in asking users to provide personal or financial data.
Vishing attackers can take more time to speak with victims and convince them to act. This might take the form of a single phone call that's convincing and worrisome, or it could span multiple calls as attackers start small and ramp up to more risky requests.
Understanding the varying levels of risk associated with each
While both vishing and smishing pose risks, the level of risk varies by attack approach.
As a general rule, vishing attacks are more successful among older adults who are familiar with phone calls and voice communications. Consider the senior scam listed above. These campaigns are often more effective because their target audience is more receptive — younger generations may not even pick up the phone if it rings.
Smishing attacks, meanwhile, can be broadly applicable, given the number of packages now ordered online and the number of bank transactions carried out digitally. Even tech-savvy users may be fooled if text messages appear legitimate, and may take action before double-checking the legitimacy of unexpected texts.
Recognizing and Preventing Smishing and Vishing Attacks
The better users are at recognizing these attacks, the better the chances of preventing serious damage or compromise.
Identifying common signs of smishing and vishing attempts
The most common sign of both smishing and vishing attempts is urgency. Attackers want victims to act now — before they have time to think about what's happening or talk about the request with other people or IT teams.
In practice, this means looking out for any message, whether a call or a text, that demands action to fix an "urgent" issue or solve a "security" problem. The more urgent the message, the more likely it is an attack. Genuine problems do occur, but users are always better served by stopping to think, checking, and asking before taking any action: a real bank or agency will still be there after a ten-minute pause, and the scammer's script depends on the victim not taking one.
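As an added illustration (not part of the original article), the Python below scores incoming texts for the signals discussed in this section and in the toll and USPS examples above: urgency language, a link to follow, and a mismatch between the organization the message claims to come from and the domain the link actually points to. The sample messages, the brand-to-domain allowlist, the phrase list and the scoring threshold are constructed assumptions, not production rules.

```python
"""Smishing triage over a few constructed sample texts.

Added example, not from the original article. The allowlist, phrase list,
sample messages and the scoring threshold are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the registrable domains each brand really links from.
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "turnpike": {"paturnpike.com"},
}

# Assumption: phrases that signal manufactured urgency.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "final notice", "suspended",
    "unpaid", "overdue", "act now", "verify your account", "urgent",
)

# Matches http(s) links and bare "host.tld/path" links that SMS clients make tappable.
URL_RE = re.compile(r"""https?://[^\s<>"']+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*""", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
LIKELY_SMISHING = 3  # assumed threshold


def host_matches(host, domain):
    """True only if host is domain or a subdomain of it.
    'usps.com.evil.tld' does not match 'usps.com'; 'tools.usps.com' does."""
    return host == domain or host.endswith("." + domain)


def extract_urls(text):
    """Return links in the text, normalised to carry a scheme so urlparse sees a host."""
    return [m if m.lower().startswith("http") else "http://" + m
            for m in URL_RE.findall(text)]


def triage(message, claimed_sender=None):
    """Score a text message; returns (score, reasons). Higher is more suspicious."""
    score, reasons = 0, []
    lower = message.lower()

    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        score += 1
        reasons.append("urgency language: " + ", ".join(hits))

    urls = extract_urls(message)
    if urls:
        score += 1
        reasons.append("asks the reader to follow a link")

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            score += 1
            reasons.append("link shortener hides the destination: " + host)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            score += 1
            reasons.append("link points at a raw IP address: " + host)
        allowed = OFFICIAL_DOMAINS.get((claimed_sender or "").lower(), set())
        if allowed and not any(host_matches(host, d) for d in allowed):
            score += 2  # strongest single signal: brand and link domain disagree
            reasons.append(f"claims to be {claimed_sender} but links to {host}")
    return score, reasons


# Constructed messages modelled on the toll and package scams described above.
SAMPLES = [
    ("turnpike", "PA Turnpike: you have an unpaid toll of $6.99. Pay immediately "
                 "to avoid a late fee at paturnpike-tolls.com/pay"),
    ("usps", "USPS: your package is on hold. Confirm your address within 24 hours: "
             "http://usps-tracking-help.info/track"),
    ("usps", "USPS: your package was delivered. Details: "
             "https://tools.usps.com/go/TrackConfirmAction"),
    (None, "Hi, it's Maria from the conference, are we still on for Thursday?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        score, reasons = triage(text, sender)
        verdict = "LIKELY SMISHING" if score >= LIKELY_SMISHING else "low risk"
        print(f"[{verdict}] score={score}: {text}")
        for reason in reasons:
            print("   -", reason)
```

The brand/domain mismatch carries the most weight because a real organization links to its own domain. Matching is on the registrable domain as a suffix, so a host like usps.com.evil.tld fails even though the brand name appears in it; checking for the brand anywhere in the hostname is exactly the shortcut attackers count on.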
Best practices for protecting personal and sensitive information
Two best practices can help protect personal and sensitive information.
The first is simple: Keep private information private. Don't share personal data, account numbers, passwords, or one-time codes with anyone who contacts you, even if the need appears urgent. If users don't provide data, there's nothing for attackers to leverage. If an SMS or phone message seems legitimate, confirm it through a contact you look up yourself, such as the number printed on the back of the card or the organization's official website, never the number or link supplied in the message.
Next is taking a zero-trust approach: Never trust, always verify. This means that when users receive an unexpected text message or phone call, they should treat it as a potential attack rather than assuming it's a legitimate request. A caller claiming to be from the bank can be told "I'll call you back" and hung up on; a genuine caller loses nothing, while an attacker loses both the spoofed caller ID and the urgency the scam depends on. By taking a defensive stance by default, users look at SMS or voice messages more critically rather than acting on emotion.
Educating yourself and your organization to stay vigilant
Smishing and vishing attacks evolve over time. Text messages may now take the form of toll road fines, parking ticket reminders, package delivery notifications, or warnings that credit cards have been compromised.
Vishing attacks, meanwhile, are changing to include voice and video — sometimes using real people and in some cases using AI — to further confuse users and convince them to take action.
The Impact of Smishing and Vishing on Individuals and Businesses
Humans are social creatures. We're predisposed to respond politely when someone says hello or help out if we can lend a hand. Attackers take advantage of this subconscious sociability to create opportunities for compromise. If successful, there are significant consequences for businesses and individuals.
Real-world consequences of falling victim to smishing or vishing
If individuals fall victim to smishing or vishing attacks, several consequences are possible.
For example, providing personal information to scammers can result in identity theft, which may lead to the creation of new credit card accounts or tax fraud. Giving attackers financial data, meanwhile, may allow them to lock users out of financial accounts or drain these accounts dry.
Financial and reputational risks for businesses
Smishing and vishing also pose risks for businesses.
First are financial risks. For example, if smishers can convince staff that messages are coming from the CEO or other executives, they could trick victims into sharing financial data or making large-value money transfers.
Being duped by vishing or smishing attacks, meanwhile, can cause customers to lose trust in a company's ability to secure critical data, in turn damaging its reputation and potentially causing revenue loss.
Steps to mitigate the damage caused by successful attacks
If attacks are successful, the first step in mitigating the damage is reporting the problem to relevant authorities.
In the case of a business, this may include IT and security teams, managers, and the regulators or industry bodies that require breach notification. Individuals may need to report smishing or vishing compromises to their financial providers, to government agencies such as the FTC (IdentityTheft.gov) or the IRS for tax-related identity theft, and to the credit bureaus to place a fraud alert or credit freeze so that new accounts cannot be opened in their name.
Safeguarding Against Smishing, Vishing, and Other Cyber Threats
While it's not possible to completely eliminate cyber risk, companies and individuals can take steps to safeguard data and networks.
Importance of using strong, unique passwords for online accounts
First, use strong and unique passwords for online accounts. Length matters more than character variety: a long passphrase or a randomly generated password of 12 or more characters is far harder to guess than a short one padded with symbols, and "pas3word" is no better than "password" because cracking tools try those substitutions first. Uniqueness matters because a password harvested by a smishing page is immediately tried against other services (credential stuffing). Current guidance, such as NIST SP 800-63B, no longer recommends changing passwords on a fixed schedule; instead, change a password promptly when there is reason to believe it has been exposed, for instance after entering it on a site reached through a suspicious text.
Implementing multi-factor authentication for added security
Multi-factor authentication (MFA) can also help enhance security. MFA requires users to provide another authentication "factor" in addition to usernames and passwords. These factors might include a fingerprint, a one-time code from an app or SMS, or a physical token such as a FIDO2 security key. MFA raises the bar considerably: attackers who obtain a password still cannot log in without the second factor. Keep in mind, though, that a one-time code is exactly what vishers and smishing pages ask for, and a code read out to a caller or typed into a spoofed site is as good as stolen; SIM swapping can also redirect SMS codes. Never share a code with anyone who contacts you, and where a service offers it, prefer phishing-resistant MFA such as security keys or passkeys, which only work for the genuine site's domain.
Leveraging password managers like LastPass
It's also worth leveraging password managers such as LastPass. These managers act as a secure repository for all user password data, and the LastPass password vault is only accessible by its owner. In addition, saved passwords only autofill on the site where they were saved, so a lookalike domain reached through a smishing link gets nothing, which helps lower the risk of accidental compromise on spoofed websites.
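As an added example (written for this article, not LastPass's own code), here is the core of that autofill rule in miniature: a credential saved on one site is offered only to pages whose registrable domain matches it, and only over HTTPS. The vault entries, page URLs and the tiny public-suffix list are constructed assumptions; a real manager loads the full Public Suffix List and compares complete origins.

```python
"""Autofill scoping: offer a saved password only on the site it was saved for.

Added example written for this article; it is not LastPass code. The vault
entries, page URLs and the tiny public-suffix list are constructed.
"""
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption; real code loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "gov", "co.uk"}

# Constructed vault: URL the credential was saved on -> username.
VAULT = {
    "https://www.usps.com/login": "alice",
    "https://online.examplebank.com/auth": "alice-bank",
}


def registrable_domain(host):
    """eTLD+1 of a hostname: 'tools.usps.com' -> 'usps.com', 'a.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix down, so 'co.uk' wins over 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def credential_for(page_url):
    """Return the username to offer on page_url, or None if nothing should be filled."""
    page = urlparse(page_url)
    if page.scheme != "https" or not page.hostname:
        return None  # never fill over plain HTTP or on a malformed URL
    wanted = registrable_domain(page.hostname)
    for saved_url, username in VAULT.items():
        if registrable_domain(urlparse(saved_url).hostname) == wanted:
            return username
    return None


# Constructed pages: a real USPS subdomain, three lookalikes, and a downgrade to HTTP.
PAGES = [
    "https://tools.usps.com/go/TrackConfirmAction",  # legitimate subdomain: fill
    "https://usps.com.evil-login.info/verify",       # brand buried in a subdomain: no fill
    "https://usps-tracking-help.info/track",         # brand in another registrable domain: no fill
    "https://www.uѕps.com/login",                     # Cyrillic 'ѕ' homograph: no fill
    "http://www.usps.com/login",                       # right host, no TLS: no fill
]

if __name__ == "__main__":
    for url in PAGES:
        user = credential_for(url)
        print(f"{'FILL ' + user if user else 'no fill'}: {url}")
```

The homograph case is the point of the exercise: a person cannot tell the Cyrillic "ѕ" from a Latin "s" in a browser bar, but a string comparison of registrable domains can, so the manager's silence on a page where it normally fills is itself a warning sign worth teaching users to notice.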
See how LastPass can help. Start your free trial today.