Phishing, smishing, vishing: These threats don’t always require hackers to use sophisticated
software. Learn how to recognize these social engineering attacks and stay safe online.
Phishing, vishing, and smishing are similar types of attacks with a common goal. They are
different in the following ways:
Remember that scammers use various tools to make their email addresses and phone numbers look
similar or identical to the official ones used by companies. Always check senders’ email
addresses and phone numbers, but don’t take them as the only indicator of their legitimacy.
Pay attention to any details that raise suspicion. Understanding the mechanisms of social
engineering attacks can help you protect yourself from threats like financial loss and{‘ ‘}
identity theft.
Phishing is a{‘ ‘}
social engineering attack in
which the attacker tries to convince the victim to reveal sensitive information. To do this,
the attacker impersonates an individual or organization. They often pretend to be someone
trustworthy, such as a coworker, distant family member, or employer.
Phishing attacks use various forms of electronic communication, such as emails and social
media. With these, the attacker can send out malicious attachments and links to{‘ ‘}
malicious sites or urge
victims to take some action, such as sending personal or financial information in response to
an email.
A good example of a phishing attack are fraudulent emails that often land in your email’s spam
box. They can include “urgent” messages that appear to be from your bank, or surprise
lotteries that declare you the winner despite you never having registered for them. In both
cases, the email will direct you to clicking on a suspicious link, which will likely contain
malware or lead to a fake website. In these websites (which may look very similar to legit
entities, such as a bank’s login page), you may receive an inquiry to provide your personal
information (for example, your Social Security number or bank’s login details).
For this article, we talk about “phishing” to refer to a specific type of attack that uses
forms of internet communication. However, the word can also mean a general social engineering
attack that involves impersonating an individual or organization without distinguishing the
method of communication. In other words, phishing is also often referred to as a category of
social engineering attack that includes smishing and vishing.
The term smishing combines the words “SMS” and “phishing.” In this attack, the fraudster
impersonates an individual to scam the victim and uses a specific form of communication: text
messages.
The scammer uses tools to spoof phone numbers and impersonate someone trustworthy, such as a
bank or legitimate company. They send fraudulent messages designed to persuade the victim to
take action. These often have an urgent tone and warn of the consequences of not responding
quickly. The messages are often accompanied by fake links leading to fraudulent sites or
payment gateways aimed at stealing the victim’s{‘ ‘}
sensitive data.
Learn more about what smishing is from
our article about this type of cyberattack.
Vishing (“voice” + “phishing”) is a type of social engineering attack carried out over phone
calls or Voice over IP (VoIP) services. The attacker calls the victim and introduces themselves as a
representative of an organization, then convinces the victim to take a specific action, such
as provide personal details or enable remote control of their computer through remote control
software.
Some scammers do not hide their voices at all. Others use text-to-speech software. More
recently, it has also become possible for hackers to to change their voice in real time using
voice AI tools and clone existing voices to impersonate others. For more efficiency, some
fraudsters may even engage in “robocalling” — a vishing technique where the victim engages
with a trained AI bot instead of talking to an actual person. Such a tactic allows malicious
actors to call hundreds of people at the same time without risking exposure.
If you’re curious about what vishing scams look like in real life, see our{‘ ‘}
examples of vishing.
{SHORTCODES.blogRelatedArticles}
Some social engineering attacks are difficult — but not impossible — to spot. Sometimes simply
slowing down and double-checking is enough — the{‘ ‘}
SLAM method is especially useful for
that. You can also help protect yourself from phishing, smishing, and vishing by following
some tips.
Here are some strategies you can use to{‘ ‘}
prevent phishing:
is alertness. Always double-check who the sender of a message is. Watch for typical signs
that the sender is not who they say they are, such as grammatical errors, strange language,
and links or email addresses with typos, which could be a sign of{‘ ‘} typosquatting.
criminals carefully cover their tracks. This is the case with{‘ ‘} clone phishing, a technique in
which a scammer copies the contents of a legitimate email but changes only the details, such
as the links, to direct you to malicious sites. It’s worth protecting yourself with
additional tools, such as{‘ ‘} anti-phishing
{‘ ‘}
or anti-malware software that warns you if you click on a link to a webpage with a bad
reputation.
case scammers manage to get your credentials. Use{‘ ‘} multi-factor authentication (MFA)
, which requires additional data (such as a one-time code) to log in. If you use MFA, the
scammer cannot log in to your account even if they already know your login and password.
managers such as{‘ ‘} NordPass
. The manager saves passwords associated with websites that you use. If you go to a fake
website that closely resembles a real one, the password manager won’t fill in the login
information saved for it, which should make you realize you’re in the wrong place.
See our{‘ ‘}
examples of phishing attacks to
learn more about spotting and avoiding phishing messages.
suspect someone is impersonating a company, it’s worth notifying someone there. If the
company knows about scammers, it can start an education campaign for its customers and warn
them of possible scam attempts,
reducing the number of victims.
the message, don’t click it. Instead, search for the linked site on the internet. Be wary of
shortened links using Bitly, TinyURL, and similar services. Legitimate organizations don’t
use them, and they almost certainly lead to fake websites.
messages will prevent accidental clicking on the attached link later. You can take a
screenshot to{‘ ‘} report the SMS phishing{‘ ‘}
to someone later.
contacted, don’t answer calls from strangers.
and{‘ ‘} block spam calls
{‘ ‘}
based on notifications from other users. If your phone suggests a call may be dangerous,
block the number.
impersonate others, so pay attention if the caller sounds strange or unnatural and another
voice comes through from under the filter.
institutions will never ask you for your account password or similar information. If you
talk to someone claiming to be an employee, but you are unsure about them — hang up and
contact the institution again using the number listed on the official website.
service employee will ask you to install additional third-party software, such as a remote
desktop tool. It’s a clear sign that someone’s trying to access your device and steal your
information or money.
If you{‘ ‘}
accidentally click on a phishing link
{‘ ‘}
or get coaxed into a vishing scam, it’s important to act as quickly as possible. Timely
reaction can help you prevent identity theft or financial loss, but keep in mind that even
with a quick reaction, the damage may already be done. Here’s what you should do immediately
after suffering a phishing, smishing, or vishing attack:
login information, change your password immediately to regain control of the compromised
account. If you have two factor authentication enabled, do not approve any unauthorized
changes. Otherwise, you’ll lose access to your account.
changing your password. Report the attack to authorities that oversee such incidents, such
as the local police department’s cybersecurity division or the Federal Trade Commission
(FTC). Depending on where you live, the relevant authorities will differ (for example, the
FTC in the US, the NCSC in the UK, or the ACSC in Australia). Therefore, you should
double-check these agencies in advance, even if you haven’t suffered a phishing, smishing,
or vishing attack.
{‘ ‘}
and click on a link, chances are that scammers may have enough information to steal your
identity and gain access to your bank account. Informing your bank about the phishing attack
will let its fraud team keep a close eye on your bank account and prevent suspicious or
unauthorized changes (such as money transfers, withdrawals, or changes in account details).
money. Some of them contain malware that can infect your computer without your knowledge.
That’s why it’s always a good idea to scan your computer for potential malware, especially
if you have clicked on a suspicious link. Regular safety scans are a valuable precaution
that can detect and prevent malicious activity before scammers can do significant damage.
The post Phishing vs. smishing vs. vishing: Key differences and prevention first appeared on NordVPN.
