Smishing and Vishing: 2022’s Hot Attack Vectors


The new year has ushered in a wave of cybercrime as employees continue to toggle between home offices and the workplace. Rates of smishing (text message phishing) and vishing (voice phishing) have increased exponentially, affecting small and large companies alike.

As cybercriminals are well aware, many products are being deployed to filter phishing emails before they reach their intended target. Instead of attempting to disguise their emails, bad actors aim to evade these defenses by embedding links in text messages to get victims to click.


To Avert Smishing Attacks:

  • Carefully inspect any text message from an unknown number, and particularly one from a short code. (Short codes are widely used in automated services and are considered the fastest and most convenient way for businesses to send and receive SMS or text messages.)

  • Even if the text message says “text ‘stop’ to stop receiving messages,” never reply.

  • Messages from stores or banks may be spoofed, so if there is a call to action, look up that company’s customer service number on its official website and contact them to validate the message you received.

  • Don’t click on any links in messages. Smishing attacks are a game of emotional manipulation. All scammers need to do is pique your interest enough to get you to click on a link—then the damage is done.


Telltale Signs You’ve Been Hit:

  • Unexpected memory usage

  • Phone heating up excessively

  • Pop-up messages while using your smartphone web browser


Vishing occurs when a perpetrator uses phone calls to obtain personal information from their target, often impersonating people that the target trusts, such as an executive at their company. While vishing attacks come in many varieties, most use the same basic principles. Social engineers often combine several principles to increase believability and effectiveness.


To Avert Vishing Attacks, Look Out For:


Authority: the scammer impersonates someone in power that the victim is less likely to question, like the CEO of their company. Studies have shown that figures of authority can make people do things they would not typically do under other circumstances. There is nothing wrong with asking the person to confirm their identity.


Trust is similar to authority; however, there is less of a power difference, as with someone from the IT department. Never give information over the phone unless you are 100% confident that the person is who they say they are.


Scarcity/Urgency is used to create a timer or stress for the target. Bad actors state that the matter must be resolved immediately, so the target does not stop to consider the request or the consequence of their actions. This red flag signals the need to stop and reflect on the request.


Intimidation can take two forms: general or specific. General intimidation is usually accomplished by describing a bad scenario that would happen if the target does not comply, such as paychecks not being disbursed on time. Specific intimidation is more like blackmail; the target will be harmed, or their secret will be revealed.


Social Proof occurs when the scammer says the target’s co-worker or friend has done the same thing. Often the social engineer can combine this with scarcity/urgency by claiming that their typical contact cannot be reached but that this must be done now.


Liking is simply getting on the good side of the target. Bad actors pretend to have a similar interest or a friend in common. Another example could be that the social engineer promises something of value in exchange for the target’s help.


Training employees on how to combat social engineering, smishing and vishing campaigns is a proven defense against cybercrime.

