Key differences between phishing, smishing, and vishing
Phishing, vishing, and smishing are similar types of attacks with a common goal. They are different in the following ways:
| | Phishing | Smishing | Vishing |
|---|---|---|---|
| Contact method | Internet communication (fraudulent emails, messaging apps, websites that steal data) | Fraudulent text messages | Fraudulent phone calls, VoIP |
| Commonly seen attack tactics | Fake links, malicious attachments, data-stealing forms | Fake links to websites and payment gateways | Impersonation of someone's voice, voice cloning |
| Information acquired by scammers | Login data, personal and financial information | Mainly personal or financial information | Personal and financial information, access to devices |
| Popular "disguises" | Coworkers, family members, online friends, companies, charities, banks, service providers | Companies, charities, banks, service providers | Government agencies, tech support, customer support, bank/company representatives |
| Risk of malware infection | Possible infection with malware such as spyware or ransomware | Possible infection with malware targeting mobile devices | No direct malware delivery; the risk arises only if the caller talks the victim into installing a remote-access tool and then takes control of the device |
| Red flags | Misspelled or oddly worded emails, unusual private messages, suspicious attachments, URLs with typos or lookalike domains | A manufactured sense of urgency, requests to share information, text messages with suspicious links | Calls from unknown numbers, requests for information, robotic or unnatural caller voice, pre-recorded messages |
| Recommended response | Do not click links, do not download attachments, report the matter to the authorities, notify the company being impersonated, monitor your accounts | Do not click links, report the matter to the authorities, notify the company being impersonated, ignore urgent alerts | Hang up, do not give out your data, report the matter to the authorities, notify the company being impersonated, block the number |
Remember that scammers use various tools to make their email addresses and phone numbers look similar or identical to the official ones used by companies. Always check senders’ email addresses and phone numbers, but don’t take them as the only indicator of their legitimacy.
Pay attention to any details that raise suspicion. Understanding the mechanisms of social engineering attacks can help you protect yourself from threats like financial loss and identity theft.
What is phishing?
Phishing is a social engineering attack in which the attacker tries to convince the victim to reveal sensitive information. To do this, the attacker impersonates an individual or organization. They often pretend to be someone trustworthy, such as a coworker, distant family member, or employer.
Phishing attacks use various forms of electronic communication, such as emails and social media. With these, the attacker can send out malicious attachments and links to malicious sites or urge victims to take some action, such as sending personal or financial information in response to an email.
A good example of a phishing attack is the fraudulent email that often lands in your spam folder. It may carry an "urgent" message that appears to come from your bank, or announce that you have won a lottery you never entered. In both cases, the email pushes you to click a suspicious link, which may download malware or lead to a fake website. Such a site can closely mimic a legitimate one, such as a bank's login page, and will ask you to enter personal information (for example, your Social Security number or your bank login details).
For this article, we talk about “phishing” to refer to a specific type of attack that uses forms of internet communication. However, the word can also mean a general social engineering attack that involves impersonating an individual or organization without distinguishing the method of communication. In other words, phishing is also often referred to as a category of social engineering attack that includes smishing and vishing.
What is smishing?
The term smishing combines the words “SMS” and “phishing.” In this attack, the fraudster impersonates an individual to scam the victim and uses a specific form of communication: text messages.
The scammer uses tools to spoof phone numbers and impersonate someone trustworthy, such as a bank or legitimate company. They send fraudulent messages designed to persuade the victim to take action. These often have an urgent tone and warn of the consequences of not responding quickly. The messages are often accompanied by fake links leading to fraudulent sites or payment gateways aimed at stealing the victim’s sensitive data.
Learn more about what smishing is from our article about this type of cyberattack.
What is vishing?
Vishing ("voice" + "phishing") is a type of social engineering attack carried out over phone calls or Voice over IP (VoIP) services. The attacker calls the victim and introduces themselves as a representative of an organization, then convinces the victim to take a specific action, such as providing personal details or enabling remote control of their computer through remote-access software.
Some scammers do not disguise their voices at all. Others use text-to-speech software. More recently, voice AI tools have made it possible to alter a voice in real time or clone an existing voice in order to impersonate a specific person. To operate at scale, some fraudsters turn to "robocalling": automated calls in which the victim hears a pre-recorded message or talks to an AI bot instead of a live person. This lets malicious actors call hundreds of people at the same time without exposing a human operator.
If you’re curious about what vishing scams look like in real life, see our examples of vishing.
How to prevent phishing, smishing, and vishing attacks
Some social engineering attacks are difficult — but not impossible — to spot. Sometimes simply slowing down and double-checking is enough — the SLAM method is especially useful for that. You can also help protect yourself from phishing, smishing, and vishing by following some tips.
How to prevent phishing attacks
Here are some strategies you can use to prevent phishing:
- Stay vigilant. The most important defense against phishing is alertness. Always double-check who the sender of a message really is. Watch for typical signs that the sender is not who they claim to be, such as grammatical errors, strange language, and links or email addresses with typos or lookalike domains, which can be a sign of typosquatting. If you are responsible for an organization's security, consider running phishing simulations for staff.
- Use third-party software. Even vigilance can sometimes fail, and some criminals carefully cover their tracks. This is the case with clone phishing, a technique in which a scammer copies the contents of a legitimate email but changes only the details, such as the links, to direct you to malicious sites. It’s worth protecting yourself with additional tools, such as anti-phishing or anti-malware software that warns you if you click on a link to a webpage with a bad reputation.
- Secure accounts. Above all, protect your online accounts in case scammers do get hold of your credentials. Use multi-factor authentication (MFA), which requires an additional factor (such as a one-time code) to log in. With MFA enabled, a stolen username and password alone are not enough to get into your account. Keep in mind that one-time codes can still be phished by a fake site that relays them to the real one in real time, and that attackers may spam approval prompts hoping you tap "approve"; phishing-resistant methods such as hardware security keys or passkeys, which are bound to the genuine website's domain, close that gap.
- Use a password manager. We also recommend saving passwords in password managers such as NordPass. The manager saves passwords associated with websites that you use. If you go to a fake website that closely resembles a real one, the password manager won’t fill in the login information saved for it, which should make you realize you’re in the wrong place.
See our examples of phishing attacks to learn more about spotting and avoiding phishing messages.
How to prevent smishing attacks
Worried about falling victim to smishing? Here’s how you can protect yourself:
- Don’t respond to suspicious messages. Ignore them and move on. If you suspect someone is impersonating a company, it’s worth notifying someone there. If the company knows about scammers, it can start an education campaign for its customers and warn them of possible scam attempts, reducing the number of victims.
- Visit the official site without clicking on the link. If a link appears in the message, don't click it. Instead, type the organization's address yourself or search for it. Be wary of shortened links created with Bitly, TinyURL, and similar services: they hide the real destination, so you cannot tell where you will land before you click. Many legitimate organizations avoid them in text messages for exactly that reason, so treat a shortened link in an unexpected message as a warning sign, not as proof of legitimacy.
- Block the sender’s number and delete the message. Deleting smishing messages will prevent accidental clicking on the attached link later. You can take a screenshot to report the SMS phishing to someone later.
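The checks described in the phishing and smishing tips above (inspecting the sender, spotting typosquatted or lookalike domains, and treating shortened links as a warning sign) can be put into a small triage script. The following Python example is added here and is not part of the original article or any NordPass tool. The brand allowlist, the shortener list, the two-label public suffixes and the sample messages are all assumptions constructed for the example; a real deployment would use a full public suffix list and the organization's actual domains.

```python
"""Triage links and sender addresses from a suspected phishing or smishing message."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: domains the brands in our samples actually use (example assumption).
TRUSTED_DOMAINS = ("nordpass.com", "paypal.com", "amazon.com")

# Public link shorteners: the true destination is hidden until the link is followed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# A few two-label public suffixes so the toy eTLD+1 logic handles them correctly.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a host, e.g. login.paypal.com -> paypal.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str) -> list[str]:
    """Return the red flags for one URL; an empty list means no check fired."""
    flags: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable URL"]
    if parts.scheme.lower() != "https":
        flags.append("not HTTPS")
    if is_ip(host):
        return flags + ["raw IP address instead of a domain"]
    if parts.username:
        # https://paypal.com@evil.example/ -- the brand-looking text is a username, not the host.
        flags.append(f"text before '@' ({parts.username}) is a username; the real host is {host}")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return flags
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) host, possible homoglyph domain")
    if domain in SHORTENER_HOSTS:
        flags.append(f"shortened link via {domain}; destination hidden")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host or brand in parts.path.lower():
            # Brand name used as a subdomain or path component of a domain the brand does not own.
            flags.append(f"'{brand}' appears in the link but the registrable domain is {domain}")
        elif edit_distance(domain, trusted) <= 2:
            flags.append(f"{domain} is a near-miss of {trusted} (possible typosquat)")
    return flags


def check_sender(display_name: str, address: str) -> list[str]:
    """Flag a From header whose display name claims a brand the address domain does not belong to."""
    flags: list[str] = []
    addr_domain = registrable_domain(address.rsplit("@", 1)[-1])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if addr_domain == trusted:
            continue
        if brand in display_name.lower():
            flags.append(f"display name claims {brand} but the address domain is {addr_domain}")
        elif edit_distance(addr_domain, trusted) <= 2:
            flags.append(f"address domain {addr_domain} is a near-miss of {trusted}")
    return flags


def triage_message(text: str) -> dict[str, list[str]]:
    """Map every URL found in a message body to its red flags."""
    return {url: check_url(url) for url in URL_RE.findall(text)}


# Constructed sample messages for this example; they are not real scam texts.
SAMPLE_SMS = ("NordPass: your vault is locked. Verify now at https://nordpas.com/verify "
              "or https://bit.ly/3xAmPl3 within 2 hours.")
SAMPLE_EMAIL_BODY = ("Dear customer, confirm your account: https://paypal.com.secure-login.example/signin "
                     "If that fails use http://192.0.2.10/paypal/login or https://www.paypal.com/myaccount")

if __name__ == "__main__":
    for body in (SAMPLE_SMS, SAMPLE_EMAIL_BODY):
        for url, flags in triage_message(body).items():
            print(url, "->", flags or ["no flags"])
    print(check_sender("PayPal Support", "security@paypa1.com"))
```

The only link in the samples that comes back clean is `https://www.paypal.com/myaccount`, because its registrable domain is on the allowlist; everything else is flagged for a concrete reason a user can act on. Note that the script deliberately never follows a link or resolves a shortener, so running it on a suspicious message is safe.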
How to prevent vishing attacks
You lessen the threat of vishing by following these tips:
- Don’t answer calls from unknown numbers. If you don’t expect to be contacted, don’t answer calls from strangers.
- Use your phone features. Current smartphones have features that recognize and block spam calls based on notifications from other users. If your phone suggests a call may be dangerous, block the number.
- Pay attention to unnatural-sounding voices. Scammers can use AI to impersonate others, so be suspicious if the caller sounds strange or unnatural: odd pauses, flat intonation, responses that lag behind your questions, or a second voice briefly audible beneath the cloned one.
- Don’t give out confidential information. Employees of banks or other institutions will never ask you for your account password or similar information. If you talk to someone claiming to be an employee, but you are unsure about them — hang up and contact the institution again using the number listed on the official website.
- Do not install any software at the request of the caller. No customer service employee will ask you to install additional third-party software, such as a remote desktop tool. It’s a clear sign that someone’s trying to access your device and steal your information or money.
What to do if you become a victim of phishing, smishing or vishing scams
If you accidentally click on a phishing link or get coaxed into a vishing scam, it’s important to act as quickly as possible. Timely reaction can help you prevent identity theft or financial loss, but keep in mind that even with a quick reaction, the damage may already be done. Here’s what you should do immediately after suffering a phishing, smishing, or vishing attack:
- Change your password. This part is crucial. If you have given away your login information, change your password immediately to regain control of the compromised account. If you have two-factor authentication enabled and receive codes or approval prompts you did not request, do not approve them: that approval is exactly what the attacker needs to finish logging in with your stolen password.
- Report an incident to the relevant authorities. This is the next step after changing your password. Report the attack to authorities that oversee such incidents, such as the local police department’s cybersecurity division or the Federal Trade Commission (FTC). Depending on where you live, the relevant authorities will differ (for example, the FTC in the US, the NCSC in the UK, or the ACSC in Australia). Therefore, you should double-check these agencies in advance, even if you haven’t suffered a phishing, smishing, or vishing attack.
- Contact your bank. If you entered card details, account numbers, or banking credentials on a phishing page, assume the scammers now have them and can attempt identity theft or account takeover. Informing your bank about the phishing attack lets its fraud team watch your account closely and block suspicious or unauthorized activity (such as money transfers, withdrawals, or changes to account details).
- Conduct a security scan. Phishing links are not always about luring out money. Some deliver malware that can infect your computer without your knowledge. That's why it's always a good idea to scan your computer for malware, especially if you have clicked on a suspicious link. Regular security scans are a valuable precaution that can detect and stop malicious activity before scammers do significant damage.