What is phishing?
Phishing is a social engineering attack in which the attacker tries to convince the victim to reveal sensitive information. To do this, the attacker impersonates another person or organization. They often pretend to be someone trustworthy, such as a coworker, distant family member, or employer.
Phishing attacks use various forms of electronic communication, such as emails and social media. With these, the attacker can send out malicious attachments and links to malicious sites or urge victims to take some action, such as sending personal or financial information in response to an email.
In this article, we use “phishing” to refer to a specific type of attack carried out over internet communication channels. However, the word can also mean any social engineering attack that involves impersonating another person or organization, regardless of the method of communication. In other words, phishing is also often used as the name of a category of social engineering attacks that includes smishing and vishing.
What is smishing?
The term smishing combines the words “SMS” and “phishing.” In this attack, the fraudster impersonates another person to scam the victim and uses a specific form of communication: text messages.
The scammer uses tools to spoof phone numbers and impersonate someone trustworthy, such as a bank or legitimate company. They send fraudulent messages designed to persuade the victim to take action. These often have an urgent tone and warn of the consequences of not responding quickly. The messages are often accompanied by fake links leading to fraudulent sites or payment gateways aimed at stealing the victim’s sensitive data.
Learn more about what smishing is from our article about this type of cyber attack.
What is vishing?
Vishing (“voice” + “phishing”) is a type of social engineering attack carried out over phone calls. The attacker calls the victim and introduces themselves as a representative of an organization, then convinces the victim to take a specific action, such as providing personal details or enabling remote control of their computer through remote access software.
Some scammers do not disguise their voices at all. Others use text-to-speech software. More recently, it has also become possible for attackers to change their voice in real time using voice AI tools and to clone existing voices to impersonate others.
If you’re curious about what vishing scams look like in real life, see our examples of vishing.
Key differences between phishing, smishing, and vishing
Phishing, vishing, and smishing are similar types of attacks with a common goal. They are different in the following ways:
| | Phishing | Smishing | Vishing |
|---|---|---|---|
| Form of communication | Internet communication (email, messaging apps) | Text messages (SMS) | Phone calls |
| Commonly seen attack tactics | Fake links, malicious attachments, data-stealing forms | Fake links to websites and payment gateways | Impersonation of someone’s voice, voice cloning |
| Information acquired by scammers | Login data, personal and financial information | Mainly personal or financial information | Personal and financial information, gaining access to devices |
| Who scammers impersonate | Coworkers, family members, online friends, companies, charities, banks, service providers | Companies, charities, banks, service providers | Government agencies, tech support, customer support, bank/company representatives |
| Risk of malware infection | Possible infection with viruses and malware such as spyware or ransomware | Possible infection with malware targeting mobile devices | Usually impossible to infect with malware unless a remote device control tool is installed and the scammer gains control over the device |
| Warning signs | Strange and misspelled emails, unusual private messages, emails with suspicious attachments, URLs with errors | Inducing a sense of urgency, requests to share information, text messages with suspicious links | Calls from unknown numbers, requests for information, robotic and unnatural caller voice, pre-recorded messages |
| What to do | Do not click links, do not download attachments, report the matter to authorities, report to the company that someone is impersonating them, monitor your accounts | Do not click links, report the matter to authorities, report to the company that someone is impersonating them, ignore urgent alerts | Hang up, do not give out your data, report the matter to the authorities, report to the company that someone is impersonating them, block the number |
Remember that scammers use various tools to make their email addresses and phone numbers look similar or identical to the official ones used by companies. Always check senders’ email addresses and phone numbers, but don’t take them as the only indicator of their legitimacy.
Pay attention to anything that raises suspicion. Understanding the mechanisms of social engineering attacks can help you protect yourself from threats like losing money and identity theft.
How to prevent phishing, smishing, and vishing attacks
Some social engineering attacks are difficult to spot but not impossible. We’ve put together some tips to help you protect yourself from these dangers.
How to prevent phishing attacks
Here are some strategies you can use to protect yourself from phishing:
- Stay vigilant. The most important thing to protect yourself from phishing is alertness. Always double-check who the sender of a message is. Watch for typical signs that the sender is not who they say they are, such as grammatical errors, strange language, and links or email addresses with typos.
- Use third-party software. Even vigilance can sometimes fail, and some criminals carefully cover their tracks. This is the case with clone phishing, a technique in which a scammer copies the contents of a legitimate email and changes only small details, such as the links, to direct you to malicious sites. It’s worth protecting yourself with additional tools, such as antimalware software that warns you if you click on a link to a webpage with a bad reputation.
- Secure accounts. Above all, remember to protect your online accounts in case scammers manage to get your credentials. Use multi-factor authentication (MFA), which requires additional data (such as a one-time code) to log in. If you use MFA, the scammer cannot log in to your account even if they already know your login and password.
- Use a password manager. We also recommend saving passwords in password managers such as NordPass. The manager saves passwords associated with websites that you use. If you go to a fake website that closely resembles a real one, the password manager won’t fill in the login information saved for it, which should make you realize you’re in the wrong place.
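The password manager tip above rests on one mechanism: a saved login is bound to the origin it was saved on, so a lookalike site gets no autofill. The following Python is an added illustration of that mechanism and is not NordPass’s code; the vault contents, the strict exact-origin matching rule, and the `explain` categories are assumptions made for this example (real managers may also match on the registrable domain).

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample vault for this example (assumption, not a real data model):
# each saved login is keyed by the exact origin (scheme, host) it was saved on.
VAULT = {
    ("https", "login.example-bank.com"): ("alice", "placeholder-password"),
}


def origin(url):
    """Return (scheme, host) for a URL, with the scheme and host lowercased
    and any port dropped, so 'HTTPS://Login.Example-Bank.com:443/' maps to
    the same origin as 'https://login.example-bank.com/'."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def autofill(url):
    """Return the saved (username, password) only on an exact origin match,
    otherwise None. This is the check that leaves the form empty on a fake."""
    return VAULT.get(origin(url))


def explain(url):
    """Classify why the manager did or did not fill, so the user can see
    which kind of lookalike they have landed on."""
    scheme, host = origin(url)
    if (scheme, host) in VAULT:
        return "filled"
    for saved_scheme, saved_host in VAULT:
        if host == saved_host:
            # Same host served without TLS: do not hand the password over.
            return "blocked: scheme mismatch"
        if host.endswith("." + saved_host):
            # A real subdomain of the saved site; strict model still declines.
            return "not filled: subdomain of a saved site"
        if saved_host in host:
            # The genuine domain used as a prefix of an attacker-owned domain.
            return "blocked: saved domain embedded in a different domain"
        if SequenceMatcher(None, host, saved_host).ratio() > 0.85:
            # Typo-squat style host, e.g. a digit 1 standing in for the letter l.
            return "blocked: host resembles a saved site"
    return "not filled: no saved login for this origin"


if __name__ == "__main__":
    # Constructed sample URLs; only the first two receive credentials.
    for url in [
        "https://login.example-bank.com/account",
        "HTTPS://LOGIN.Example-Bank.com:443/",
        "https://login.examp1e-bank.com/",
        "https://login.example-bank.com.secure-verify.net/",
        "http://login.example-bank.com/",
        "https://www.unrelated.org/",
    ]:
        print(url, "->", explain(url), "| filled:", autofill(url) is not None)
```

The point to take from the `explain` output is that the manager never compares what the page looks like; it compares the origin string, which is exactly what a visual lookalike cannot fake. An empty login form on a site that you expected to be remembered is therefore a signal worth stopping for.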
See our examples of phishing attacks to learn more about spotting and avoiding phishing messages.
How to prevent smishing attacks
Worried about falling victim to smishing? Here’s how you can protect yourself:
- Don’t respond to suspicious messages. Ignore them and move on. If you suspect someone is impersonating a company, it’s worth notifying them. If the company knows about scammers, it can start an education campaign for its customers and warn them of possible scam attempts, reducing the number of victims.
- Visit the official site without clicking on the link. If there’s a link in the message, don’t click it. Instead, search for the linked site on the internet. Be wary of shortened links using Bitly, TinyURL, and similar services. Legitimate organizations don’t use them, and they almost certainly lead to fake websites.
- Block the sender’s number and delete the message. Deleting smishing messages will prevent accidental clicking on the attached link later. You can take a screenshot to report the smishing to someone later.
How to prevent vishing attacks
You can make vishing less of a threat to you by following these tips:
- Don’t answer calls from unknown numbers. If you don’t expect to be contacted, don’t answer calls from strangers.
- Use your phone features. Current smartphones have features that recognize and block spam calls based on notifications from other users. If your phone suggests a call may be dangerous, block the number.
- Pay attention to unnatural voices. Scammers can use AI to impersonate others, so be alert if the caller sounds strange or unnatural, or if other voices bleed through behind the voice filter.
- Don’t give out confidential information. Employees of banks or other institutions will never ask you for your account password or similar information. If you are talking to someone claiming to be an employee but are unsure about them, hang up and contact the institution again using the number listed on its official website.
- Do not install any software at the request of the caller. No customer service employee will ask you to install additional third-party software, such as a remote desktop tool. It’s a clear sign that someone’s trying to access your device and steal your information or money.