Phishing is one of the most common social engineering attack methods used by threat actors. It involves using deceptive communication to trick individuals into divulging sensitive information, like login credentials, or taking actions they shouldn’t, such as paying a fraudulent invoice. Phishing scams typically generate a feeling of urgency to provoke victims into responding quickly.
The term “phishing” originally referred to email as the mode of communication for attacks. Today, however, about 40% of phishing campaigns extend beyond email. Phishing now spans multiple vectors, including voice calls (vishing), SMS (smishing), and QR codes (quishing). Some campaigns also specialize by objective, for example credential phishing, which harvests usernames and passwords, or cryptocurrency phishing, which targets wallet keys and exchange logins.
While there are many types of phishing, this article will focus on the differences between email phishing, vishing, and smishing.
What is vishing?
Vishing involves a cybercriminal using voice communication to trick the victim into divulging sensitive information or performing an action like making an unauthorized payment. Vishing is usually done over the phone. The scammer often spoofs the caller ID to make the call appear legitimate.
Some criminals target well-known corporations, impersonating high-level executives to trick employees into doing something they shouldn’t. For example, the scammer might persuade the victim to send a payment to an unauthorized account or enable remote access to company systems for unauthorized users.
Real-world vishing example: The extortion group ShinyHunters has recently been targeting multinational companies with vishing calls to employees, with the goal of gaining access to the companies’ Salesforce CRM instances and downloading customer data. Once the data is stolen, the group typically threatens to leak it unless the company pays a ransom. According to BleepingComputer, one company has already paid 4 bitcoin (roughly $400,000 at the time) to prevent the leak of its data.
What is smishing?
Smishing is a method of phishing done through text messaging. Smishing and vishing are similar in that cybercriminals usually mask their phone numbers to make communications appear as though they are from legitimate sources.
Smishing attacks come in many forms. Some text messages carry links that trigger malware downloads to steal data directly from victims’ phones. Others link to fake forms or websites designed to capture sensitive information such as victims’ credentials or credit card numbers.
Real-world smishing threats: Two smishing campaigns have surged in recent months, both powered by Darcula Suite, a Phishing-as-a-Service (PhaaS) platform. PointyPhish sends SMS messages warning victims that their reward points (airline, retail, banking) are about to expire. TollShark sends text messages that appear to come from road toll authorities, warning victims of outstanding bills and fines. Both campaigns direct victims to fake websites that steal payment details.
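The common thread in both campaigns is a link whose host name borrows the brand’s name but does not belong to the brand’s domain, paired with a deadline or a penalty. The following is an added example, not code from the original article or from any vendor named in it: a small triage script that pulls URLs out of text messages, compares the registrable domain of each link against the domain a mentioned brand actually uses, and flags urgency language and bare-IP links. The brand-to-domain map, the keyword list, and the sample messages are constructed for the example; the “last two labels” rule for the registrable domain is a simplification (real code should use the Public Suffix List, or `.co.uk`-style domains will be misjudged).

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: brands we care about and the domain they really send from.
# (Assumption for the example; a real deployment would maintain this list.)
BRAND_DOMAINS = {"fedex": "fedex.com", "usps": "usps.com"}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours?|expires?|suspended|final notice|overdue|fine|fees?)\b",
    re.I,
)


def registrable_domain(host):
    """Last two labels of the host. Simplification: no Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_sms(text):
    """Return a list of red flags found in one text message (empty list = nothing suspicious)."""
    flags = []
    lowered = text.lower()
    mentioned = [brand for brand in BRAND_DOMAINS if brand in lowered]
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        # "usps.com.redelivery-notice.info" starts with the brand but lives elsewhere.
        for brand in mentioned:
            expected = BRAND_DOMAINS[brand]
            if domain != expected:
                flags.append(f"{brand} mentioned but link goes to {domain} (expected {expected})")
        if re.fullmatch(r"[\d.]+", host):
            flags.append(f"link uses a bare IP address ({host})")
    if URGENCY_RE.search(text):
        flags.append("urgency or penalty language")
    return flags


# Constructed sample messages modelled on the patterns described above.
SAMPLES = [
    "FedEx: your package has shipped. Track it at https://www.fedex.com/track?id=1234",
    "USPS: your package could not be delivered. Confirm your address within 24 hours: "
    "https://usps.com.redelivery-notice.info/track",
    "Your 12,500 airline reward points expire in 48 hours. Redeem now: http://198.51.100.23/redeem",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(message)
        for flag in analyze_sms(message) or ["no red flags"]:
            print("  -", flag)
```

Flags are deliberately additive rather than a single verdict: an unsolicited message with a brand-domain mismatch is a strong signal on its own, while urgency wording alone is only a hint, and the decision on what to block or escalate belongs to the team tuning the thresholds.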
How phishing, vishing, and smishing differ
The main difference between vishing, smishing and phishing scams is the communication method used to carry them out.
- Phishing: Communication is via email. Scammers typically send massive volumes of email to cast a wide net for victims. The messages often contain malicious links or malicious attachments.
- Vishing: The main mode of communication is a phone call, but some scammers use pre-recorded robocalls, VoIP, or voicemail messages. A growing number of criminals use AI voice clones to fool victims.
- Smishing: Communication is via SMS/text messages. Smishing campaigns typically rely on bulk SMS (robotext) tools combined with sender ID spoofing to send large volumes of messages that appear to come from a trusted number.
Email phishing vs. vishing vs. smishing: a quick overview
| | Email phishing | Vishing | Smishing |
|---|---|---|---|
| Name origin | Phishing * | Voice phishing | SMS phishing |
| Communication method | Email | Phone, robocall, VoIP, voicemail | SMS/text message |
| Tools used | Links and attachments that trigger malware downloads; links to fake forms and websites; phishing kits; PhaaS platforms | Spoofing services to mask caller ID; calls from a live person or a pre-recorded robocall; voicemail messages; deepfake audio in some cases | SMS spoofing services; bulk SMS sender tools; malicious URLs and links to fake forms and websites; phishing kits; PhaaS platforms |
| Example scenario | A fraudster sends a tech company employee a fake vendor invoice to trick them into making a payment to a fraudulent account. | A scammer calls claiming to be Microsoft tech support and asks for remote access to the victim’s computer to remove a virus. | A victim receives a text message asking them to click a malicious link to confirm delivery of a FedEx package. |
| Defenses | Use built-in email spam filters; publish and enforce email authentication (SPF, DKIM, DMARC); implement phishing-resistant MFA or passwordless authentication; train employees to look for signs of phishing such as misspellings, incorrect URLs and a sense of urgency | Teach employees to recognise signs of vishing such as unsolicited calls, fear tactics and urgent requests, and poor call quality; treat caller ID as untrustworthy, since numbers can be spoofed; don’t answer calls from numbers you don’t recognise; before returning a call, verify the number and the caller through a known-good channel | Require encryption and anti-malware software on all connected devices; work with mobile carriers to detect and block SMS phishing; implement phishing-resistant MFA or passwordless authentication; train employees to watch for smishing red flags such as suspicious links and urgent requests to verify sensitive information |
* Phishing has become the umbrella term for various types of phishing scams
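SPF, DKIM and DMARC are listed in the table as a defense against email phishing, and the fake-invoice scenario is exactly what they are meant to stop: a message whose From header claims your domain but which your mail servers never sent. The following is an added example written for this page, not code from the original article or from any vendor named in it. It implements a simplified version of the receiving side of that check: SPF evaluation of the connecting IP (ip4/ip6/all mechanisms only; include, a and mx need live DNS and are skipped), DMARC record lookup with fallback to the organizational domain, and the identifier-alignment rule that decides whether a passing SPF or DKIM result actually counts. The DNS records, domains and IP addresses are constructed; the organizational domain is approximated as the last two labels; and the DKIM signature itself is assumed to have been verified upstream, so the function only receives the signing domain.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (assumption: runs offline).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com"],
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],  # the fraudster's own domain
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def org_domain(domain):
    """Organizational domain as the last two labels (simplification of the RFC 7489 rule)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP: pass/fail/softfail/neutral/none."""
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            # An IPv4 address is never "in" an IPv6 network, so mixed versions simply skip.
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


def dmarc_policy(domain):
    """DMARC tags for the domain, falling back to the organizational domain's record."""
    for name in (domain, org_domain(domain)):
        for record in lookup_txt("_dmarc." + name):
            if record.startswith("v=DMARC1"):
                return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)
    return None


def aligned(from_domain, auth_domain, mode):
    """Strict alignment requires an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(header_from, mail_from, sender_ip, dkim_domain=None):
    """DMARC disposition for one message. dkim_domain is the d= of an already-verified signature."""
    from_domain = header_from.rsplit("@", 1)[1]
    mail_from_domain = mail_from.rsplit("@", 1)[1]
    spf = check_spf(mail_from_domain, sender_ip)
    policy = dmarc_policy(from_domain)
    if policy is None:  # no DMARC record: nothing to enforce
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    spf_ok = spf == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    if dmarc == "pass":
        action = "deliver"
    else:
        action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.get("p", "none")]
    return {"spf": spf, "dmarc": dmarc, "action": action}


if __name__ == "__main__":
    # Legitimate mail from the company's own server.
    print(evaluate("ap@example.com", "bounce@example.com", "192.0.2.10"))
    # Fake invoice: From claims example.com, but the envelope sender is the fraudster's domain.
    print(evaluate("ap@example.com", "bounce@attacker.example", "203.0.113.5"))
    # Third-party mailer signing with the company's DKIM key: passes via alignment.
    print(evaluate("ap@example.com", "bounce@esp.example", "203.0.113.77", dkim_domain="example.com"))
```

The second scenario is the one that matters: SPF on its own passes, because the fraudster published a valid record for their own domain, and only the alignment check against the From domain turns that into a DMARC failure and a reject. The caveat is that DMARC protects domains that publish it; a lookalike domain such as examp1e.com has no record and is delivered, which is why the table pairs authentication with user training and phishing-resistant MFA.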
Defending your business against phishing attacks
Any one of your employees could become a target for determined cybercriminals, but the controls highlighted in the table above go a long way toward defending against phishing. Dark web monitoring adds another layer by detecting leaked credentials and data before criminals can use them. Education remains your most broadly applicable defense: the more your employees understand about phishing scams, the less likely they are to fall victim. Because some lures will always get through, pair training with phishing-resistant MFA or passwordless authentication so that a stolen password on its own does not give an attacker access.