What are Smishing, Phishing and Vishing? How are they different?

Have you ever received strange emails, texts or calls asking for money, your personal information or you clicked on some shady links to get some work done? Chances are some scammers are trying to lure you in using phishing, smishing or vishing techniques.

But how do you know which of these problems you're getting yourself into, and how can you avoid falling into their traps?

Phishing, Smishing and Vishing

Before diving into the details, here's an overview of what each scam entails:

 What is phishing?

What are Smishing, Phishing and Vishing? How are they different? Picture 1

Phishing attempts are often made via email. Scammers use email because it is easy to spoof the "From" address and make the email look like it was sent from a bank, a famous store, a government agency, etc. They often send messages based on things that people are likely to receive emails about, such as banking, Amazon orders, package tracking notifications from UPS or FedEx, or password reset requests from Facebook or Gmail.

Of course, your first reaction is to think: "Oh no, I better check that out!" So you click on the link provided to process it immediately. But that link doesn't take you to the actual website. Instead, it will take you to a fake login page that the scammers have created, and as soon as you enter your login details, they will have full access to your account. Next, they will change your passwords, drain your bank account, or steal your identity.

What are Smishing, Phishing and Vishing? How are they different? Picture 2

 What is smishing?

What are Smishing, Phishing and Vishing? How are they different? Picture 3

Smishing is a scam sent via text message to your phone instead of email to your inbox. The word comes from combining the words "SMS", meaning Short Message Service (text message) and "phishing".

Smishing messages use all kinds of tricks to get you to click on links or give up sensitive details. The messages often appear legitimate, like they're sent from your bank, friend, or company you use, and include embedded links to click through. If you clicked on that link and submitted your login information, you have become a victim of a scam.

What are Smishing, Phishing and Vishing? How are they different? Picture 4

In another case, a malicious SMS message could indicate that you have unexpectedly won a prize or lottery. To receive the "bonus", you need to pay a small fee, call a number, or click on a link that asks for personal information (including a password). This prize does not exist and compromised account details could allow scammers to drain your bank balance.

 A similar type of scam is a message claiming someone has won the lottery and wants to share their winnings with you. As expected, they provide instructions to click on the link or provide personal information for reassurance.

So why text and not email? According to Gartner, more people read and respond to messages - about 98% compared to just 20% for email. Because we are constantly glued to our phones, smishing has a higher chance of success.

What is vishing?

What are Smishing, Phishing and Vishing? How are they different? Picture 5

Vishing is "voice phishing" and refers to scams conducted through phone calls. This is like receiving a phishing email, except the attacker calls you directly with a recorded or in-person interaction instead of reaching out digitally.

Vishing uses various Social Engineering strategies to try to fool you. A common Vishing attack technique is to claim a scary emergency like your Social Security number was used fraudulently or you owe money to the IRS. This causes the victim to fear or panic, making them more likely to comply when the scammer says they need personal information to help resolve the situation. The story in thread X below is a typical situation:

What are Smishing, Phishing and Vishing? How are they different? Picture 6

Another trick visher uses is "caller ID spoofing" to make the call look like it's coming from a legitimate company, government agency, or local number. Bad actors may have collected pieces of your information from past data breaches, so the content sounds more convincing when they call, in order to gain your attention and trust. Friend.

Now, one of two things happens.

1. The victim will be met with an automated voice system that asks the victim to enter their credit card, debit card, or other banking details, along with their PIN and other personally identifiable information.
2. Initially, when the victim hangs up to call the bank, the scammer will stop this. This keeps the line open and connected to the scammer. The victim may then hear a spoofed dial tone, followed by the scammer "answering" the phone. Next, they pose as bank employees, asking victims to provide details for later use or to transfer money from one account to a new "safe" account.

Unfortunately, economic loss through vishing attacks remains a legal gray area, with banks arguing that victims must bear some legal responsibility to aggressively protect their interests. them, despite the concerted efforts of the scammers.

 How to detect Phishing, Smishing and Vishing scams

You can equip yourself with some strategies to mitigate the impact of these scams. They are easy to remember and will save you time and money.

1. Double check the caller's phone number, email address, or text or instant message source. This number may have been spoofed to look like an official source.
2. Even if the number appears legitimate, always use another phone line when you're asked to call another number back. This avoids "don't hang up" scams. Use the number from a recent bank statement or look up your bank's main customer service number online.
3. Never give anyone your banking information over the phone, no matter how adamant they are. Your bank won't ask you for any identifying details, especially your PIN, the security number on the back of your card, or even your card's expiration date.
4. Never transfer money to another account at the behest of a random caller. Your bank will never ask you to do this. Likewise, they won't send a courier to your house to pick up your checkbook. There is no official organization that does this unless you are caught under a warrant from the IRS.
5. Be extremely wary of unusual messages from your bank or another trusted institution. Unless you have previously agreed with your bank that SMS contact is acceptable, it will not happen.
6. Likewise, be wary of any links included in any SMS messages. Shortened links can take you anywhere, and there's little way to know what happens when that link is clicked.
7. Hang up when you receive threatening calls demanding immediate payment. Real companies wouldn't make baseless threats out of the blue.
8. Never pay unknown callers using irreversible means such as gift cards, cryptocurrency or bank transfers. These payment methods do not provide you with protection against fraud.
9. Trust your instincts. If an email, text, or call seems suspicious or "too good to be true," consider it a phishing attempt.

Above all, be vigilant. If you're not sure, just hang up. If it's a suspicious email or text, ignore it.

Kareem Winters

Update 16 January 2024