Key Takeaways

  • Phishing, smishing, and vishing are all techniques used by hackers to scam individuals and steal their personal information and money.
  • Phishing involves email scams, smishing uses text messages, and vishing uses phone calls.
  • To avoid falling victim to these scams, carefully inspect sender addresses, links, and requests, confirm the legitimacy of texts before clicking on links or calling numbers, and hang up and call back using an official number if a call seems suspicious.

Do you ever get weird emails, texts, or calls asking for money, your personal information, or that you click some shady links to get something done? Chances are some scammer is trying to bait you with phishing, smishing, or vishing techniques.

But how can you tell when you come across any of these, and how can you avoid getting caught in their traps?

Phishing vs. Smishing vs. Vishing

Before we dive into the nitty-gritty details, here's an overview of what each scam entails:

Phishing

  • Definition: Scams sent via email
  • Goal: Steal your login credentials, financial information, or other personal data
  • Example: An email asking you to click a link to confirm a deposit or win a monetary gift
  • Defense: Carefully inspect sender address, links, and requests in emails before taking any action

Smishing

  • Definition: Phishing scams sent via SMS
  • Goal: Steal your login credentials and financial information, or download malware onto your device
  • Example: An SMS text asking you to click a link and verify your account information
  • Defense: Confirm the legitimacy of uncommon texts before clicking links or calling numbers

Vishing

  • Definition: Phishing scams carried out over phone calls
  • Goal: Trick you into revealing personal info over the phone or gaining remote access to accounts
  • Example: A call from the IRS, bank, or other legitimate establishments falsely claiming that you owe money or need to provide personal info to resolve an issue
  • Defense: Hang up and call back via an official number if the call is suspicious

What Is Phishing?

Phishing attempts usually come through email. Scammers use email because it's easy to spoof the "From" address and make it look like the email is from your bank, a popular store, a government agency, etc. They often base the messages on things people would plausibly get emails about, like your bank, Amazon orders, package tracking notices from UPS or FedEx, or password reset requests from Facebook or Gmail.

Of course, your first reaction is to think, "Oh no, I better check on that!" So, you click on their provided link to take care of it immediately. But that link doesn't take you to the authentic website. Instead, it takes you to a fake login page that the scammers created, and as soon as you enter your login details, they have full access to your account. Next thing you know, they have changed your password, drained your bank account, or stolen your identity.

[Image: Cash App phishing email example]

I recently received a suspicious email (screenshot above) exhibiting several signs of a potential phishing scam. Here's how I could tell:

  1. I do not have a Cash App account and haven't signed up for one.
  2. The sender's address looks nonsensical, illegitimate, and unrelated to Cash App's official email.
  3. If I did use Cash App, why would I need to click a link to confirm a deposit rather than having it automatically appear in my account?

Promises of a "no paid involvement" note seem designed to evade suspicions about the sender's underlying motives. While the message purports to provide free money, its risks include identity theft, malware downloads, or other schemes to profit from stolen personal data. Given these multiple red flags, I promptly deleted the email without responding.
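The sender-address and link checks described in this section can be partly automated. The Python sketch below is an added example, not code from the article: the brand allow-list, the `.example` domains, and the sample message are constructed, and it assumes a single-part HTML body.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list (placeholder values): brand -> domains it really mails from.
BRAND_DOMAINS = {"example bank": {"examplebank.example"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample, not exhaustive
# LinkCollector gathers [href, visible text] for every <a> element in the body.
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def red_flags(raw_email):
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(same_site(sender, d) for d in domains):
            flags.append(f"display name says '{brand}' but address is @{sender}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        if target in SHORTENERS:
            flags.append(f"shortened link hides destination: {href}")
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # domain shown in link text
        if shown and not same_site(target, shown.group(0).lower()):
            flags.append(f"text shows {shown.group(0)} but link goes to {target}")
    return flags

SAMPLE = (  # constructed message, not the email in the article's screenshot
    'From: "Example Bank Alerts" <k3x9@mail-notify.example>\nContent-Type: text/html\n\n'
    '<a href="http://login.verify-acct.example/x">examplebank.example/confirm</a> or '
    '<a href="https://bit.ly/abc123">here</a>\n')
```

An empty result is not proof of legitimacy: because the "From" address itself is easy to spoof, a matching domain only rules out the crudest fakes.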

What Is Smishing?

Smishing is a phishing scam sent through text messages to your phone instead of emails to your inbox. The word comes from mixing "SMS," meaning Short Message Service (text messages), and "phishing."

Smishing texts use all sorts of tricks to get you to click on links or give up sensitive details. The messages often look legitimate, like they're from your bank, a friend, or a company you use, and include embedded links to click through. If you click that link and submit your login credentials, you have fallen prey to the scam.

In another scenario, a smishing text may claim you won a prize or lottery out of the blue. To collect your "winnings," you need to pay a small fee, call a number, or click a link that would require your personal details (including passwords). This prize is nonexistent, and your compromised account details may enable the scammers to drain your bank balance.

Similarly deceptive is a message stating someone won a lottery and wishes to share their winnings with you. As expected, they provide instructions to click a link or furnish personal information to secure the funds.

Even tax season is not safe—smishing texts may promise tax refunds or claim you owe the IRS money.

So why text and not email? Well, according to Gartner, way more people read and reply to texts—around 98% versus just 20% for email. Because we're constantly glued to our phones, smishing has a higher chance of success.

What Is Vishing?

[Image: cybercriminal posing as a bank representative. Credit: macrovector/freepik]

Vishing is "voice phishing" and refers to scams carried out over phone calls. It's like getting a phishing email, except the attacker calls you directly with a recorded or live interaction instead of reaching out digitally.

Vishing scams use different social engineering strategies to try to fool you. A common vishing technique is to present an urgent, frightening scenario, such as your Social Security number being used fraudulently or a claim that you owe the IRS money. This primes the victim with fear or panic, making them more likely to comply when the scammer says they need personal info to help resolve the situation. The story in the X thread below is a typical scenario:

Another trick vishers use is "caller ID spoofing," meaning they fake the caller ID to make it look like the call is coming from a legitimate company, government agency, or local number. They may have gathered bits and pieces of your info from past data breaches, so they sound extra convincing when they call. They'll say things like "Hi John, I'm calling from your bank..." and boom, they've got your attention and trust.

One of two things now occurs.

  1. The victim will be met with an automated voice system requiring them to enter their credit card, debit card, or other banking details, along with their PINs and other personal identifiers, or
  2. When the victim initially hangs up to call their bank, the fraudster does not. This keeps the line open and connected to the fraudster. The victim may then hear a spoofed dialing tone, followed by the scammer "answering" the phone. They then act as a bank official, requesting details from the victim for later use or to funnel funds from one account into a new, "secure" account.

Unfortunately, monetary loss through vishing attacks is still a legal gray area, with banks arguing that victims must bear some liability for actively protecting their own interests, despite scammers' concerted efforts.

How to Spot Phishing, Smishing, and Vishing Scams

As devious and deceitful as the scammers are, you can arm yourself with a handful of mitigation tactics. They are easy to remember and will save you time, money, and heaps of wasted energy.

  1. Double-check the caller's number, email address, or instant or text message source. The number may have been spoofed to look like an official source.
  2. Even if the number looks legitimate, always use a different phone line when you're asked to call a number back. This avoids "no hang-up" scams. Use a number from a recent bank statement, or look up your bank's main customer service number online.
  3. Never give anyone your banking information over the phone, no matter how insistent they are. Your bank will not ask you for any identifying details, especially not PINs, the security numbers on the back of the card, or even your expiry date.
  4. Never transfer money into another account at the behest of a random caller. Your bank will never ask you to do this. Similarly, they will not send a courier to your house to collect your checkbook. No official institution will do this unless perhaps you are being arrested at the behest of the IRS.
  5. Be extremely wary of unsolicited texts from your bank or another trusted name. Unless you have previously agreed with your bank that SMS contact is okay, it won't happen.
  6. Be similarly wary of any links included in any SMS message. Shortened links could take you anywhere, and there is little way of knowing what will happen once that link is tapped or clicked.
  7. Hang up on threatening calls demanding immediate payment. Real companies won't make baseless threats out of the blue.
  8. Never pay unfamiliar callers with irreversible means like gift cards, cryptocurrency, or wire transfers. These payment methods offer you no fraud protection.
  9. Trust your instincts. If an email, text, or call seems suspicious or "too good to be true," assume it's a scam attempt.

Above all, be vigilant. If you are unsure, simply hang up. If it is an unsolicited email or text, ignore it.