    Vishing vs. Phishing vs. Smishing: All You Need to Know

    Three different attack methods, all with the same end goal - to get you to divulge personal information.


    Key Points

    • A classic phishing scam involves sending a fraudulent email to a recipient to get them to click a malicious link and divulge sensitive data.
    • Vishing is similar to phishing, except that the scam execution is through a voice call instead of email.
    • Smishing is a take on the word 'phishing,' but exploitation happens through SMS, encouraging you to click a malicious link that can install a virus, malware, or other damaging software. 

    Phishing attacks are one of the most common ways cyberattackers target businesses to illegally access personal data and financial information. Roughly 15 billion spam emails are sent to email accounts worldwide daily. In 2021, around 83% of businesses reported experiencing phishing attacks¹. If your company has so far escaped the perils of a phishing attack, it may only be a matter of time.

    However, it is not just the sheer weight of numbers that makes phishing attacks dangerous. Cyberattackers are also developing more sophisticated ways of targeting businesses through various communication channels. While many may be aware of generic phishing scams, you and your employees might not be mindful of other types of similar scams, such as vishing and smishing. 

    Don't let the odd names fool you. These are genuine threats that have cost businesses billions of dollars. As time goes by, cybercriminals' tactics are becoming more sophisticated. 

    Before we take a closer look at vishing and smishing, it might be a good idea to examine how a phishing scam works. 

    A classic phishing scam involves sending a fraudulent email to a recipient to get them to click a malicious link and divulge sensitive data. These scams can range from simple and obvious to complex and deceitful, like sending emails from spoofed email addresses or even going as far as creating duplicate websites to trick a victim into giving away vital personal information.

    So, how do smishing and vishing differ?

    What Is Vishing, and How Does it Differ from Phishing and Smishing Attacks? 

    Simply put, vishing is similar to phishing, except that the scam execution is through a voice call, hence the name. Instead of sending an email to try and trick recipients into clicking links or inputting data, cyberattackers will make a phone call and speak directly to the intended victim. Often, they have already collected sensitive data through email, a fake website, or another such data breach. The cybercriminals will then call and use this confidential information to establish trust and secure a one-time password (OTP) or other two-factor authentication (2FA) code.

    The voice on the other end of the call may ask you to provide further personal information, such as your name and address. The bad actors may even record you giving verbal confirmations to access other financial accounts. Additionally, the cyberattackers on the line may send you an SMS or email where they might prompt you to input sensitive information for their malicious use.

    So, that's phishing vs. vishing, but what about smishing? Again, smishing is a take on the word 'phishing,' but exploitation happens through SMS. These are generally similar to phishing scams over email, encouraging you to click a malicious link that can install a virus, malware, or other damaging software. 

    Smishing scams may take the form of an urgent request to pay for the delivery of a package or to confirm a large bank transaction. As a result, organizations should ensure their employees are well trained and keep their guard up.

    How to Protect Yourself Against Vishing and Smishing Scams 

    In order to protect your business against phishing, vishing, and smishing attacks, there are a few primary security principles employees should be encouraged to follow:

    • Never click on links from sources you can't verify, such as emails and messages from outside the organization.
    • Never give out personal information to anyone contacting you unsolicited – this includes people who claim to be from respected institutions, like a bank.
    • Don't answer calls or texts from numbers you do not recognize.

    Common Vishing and Smishing Tactics 

    There are several common vishing tactics that cyberattackers use. These include: 

    • Wardialing – The use of automated calling to target specific area codes to collect victims' data.
    • VoIP – Using VoIP devices makes it much easier for cybercriminals to disguise who they are and from what geographic location they are calling. 
    • I.D. Spoofing – Cyberattackers will use fraudulent identity credentials designed to look like trusted authority figures. 
    • Dumpster Diving – Cybercriminals often collect numbers by going through trash outside public buildings.

    What to Do If You Think You've Been the Victim of a Vishing or Smishing Scam

    If you believe you are the target of a phishing, vishing, or smishing scam, you should take certain timely measures to protect yourself or your business. Measures can include:

    • Freezing credit
    • Personal privacy scans
    • Identity theft protection measures
    • Change of address or information alerts
    • Account monitoring

    Acting quickly to freeze assets, or set up alerts, can help minimize any damage. 

    How to Protect Yourself and Your Business Against Vishing Attacks

    As mentioned above, following basic security practices, such as not clicking links from unverified sources or fielding communications from numbers you do not recognize, is an excellent place to start. However, to implement these practices, it may be a good idea to set up security awareness training for your organization. 

    Security training should be ongoing rather than a one-shot deal, as cybercriminals constantly update their level of attack sophistication. Carrying out phishing simulations can help determine just how valuable proper training is for your workforce. 

    Organizations should also ensure their endpoint protection solutions (antivirus and anti-malware) are in place and up to date. No matter how well trained your employees are or how secure your procedures are, phishing, vishing, and smishing attacks can get through. When this happens, you need to know how protected you are and how to limit the spread of the attack.

    Are There Any Other Phone Scams People Should Understand?

    In addition to vishing and smishing, there are several other phone scams that you should be aware of, including investment scams promising high returns with minimal risk, government grant scams, and even charity scams. Generally, the same security rules should apply to all of the above. Employees should be encouraged not to answer unsolicited calls, emails, and texts from numbers they do not recognize. Moreover, they should never give away financial or sensitive data without proper due diligence beforehand. 

    The Bottom Line: Vishing vs. Phishing vs. Smishing

    Of all phishing emails, around 25% make their way into people's inboxes and recipients open about 30% of those. 

    In 2021, about 59.4 million people in the U.S. lost money to vishing scams, and cybercriminals sent over 87 billion spam SMS messages to U.S. phones.

    As we’ve discussed, phishing, vishing, and smishing attacks should be a serious concern for businesses of all shapes and sizes.

    With a comprehensive and ongoing security awareness program, and effective training for employees, spotting the tell-tale signs of any scam can be simple.



    1 Phishing attack statistics 2022 (
