New Phishing Techniques To Be Aware of: Vishing and Smishing

Gavin Phillips 09-05-2016

Personal data has become one of the most valuable and sought after currencies. We deal in it and trade it without thinking, each and every day, opening ourselves and our inner-data sanctums to potential attackers who would use that information against us. Spotting phishing attempts has become de rigueur for most Internet users. If you’ve ever signed up to anything online, there is a good chance your full name, home address, email address and phone number have also changed hands. Armed with this, scammers can attempt to exploit you.


We like to think we are too clever to be tricked by the obvious scams. That our knowledge of how common phishing scams are pulled off makes us superior to old Mrs. Bethel down the road, who couldn’t spot a “Nigerian Princess” from a mocked-up PayPal Invoice How to Spot a Phishing Email Catching a phishing email is tough! Scammers pose as PayPal or Amazon, trying to steal your password and credit card information, are their deception is almost perfect. We show you how to spot the fraud. Read More . It might even be somewhat true. But the fraudsters don’t rest, and as we have seen with the growth in Vishing and Smishing exploits, they are happy to utilize new attack vectors to exploit your trust.

What should you be looking out for? Quick Tips and Facts That'll Help Avoid Vishing and Smishing Scams Read More How will you know a vishing or smishing attempt when it arrives? And are you likely to be a target?

Let’s take a look.

What Are These New Techniques?

Phishing attempts usually come through email or instant messaging. The victim receives an email or instant message with a spoofed sender field, containing a message requiring an instant response. The fraudulent email or instant message contains a link directing the victim to a fake website where they usually enter a personal piece of information, such as a password, their work login credentials, or other identifying information.

While phishing existed long before the Internet What Exactly Is Phishing & What Techniques Are Scammers Using? I’ve never been a fan of fishing, myself. This is mostly because of an early expedition where my cousin managed to catch two fish while I caught zip. Similar to real-life fishing, phishing scams aren’t... Read More , our capacity to engage with social media, connect with people through email, and generally place trust in online systems we don’t fully understand (including banking) has curated a golden period for would-be scammers. Their Midas touch continues with the “introduction” of vishing and smishing exploits Gone Phishing: 5 Security Terms You Need to Know The Internet is a shark tank; you're exposed to threats left and right. You need to understand the risks to protect yourself. Here we introduce you to the five most common online security threats. Read More .



Voice phishing, referred to as Vishing, is a common electronic fraud technique seeing an increase in usage. It largely relies on the victim’s tendency to place trust in the sanctity of a landline versus other communication platforms, such as their mobile phone, or email.

A vishing attack usually has a primary goal of extracting banking details, or other important personal information from the victim, and are usually completed by automated dialing and voice synthesizing equipment. However, there are increasing reports of human operators pressing their victims to part with their details. Vishing attacks are usually very difficult to trace, even more so with the advent of extremely cheap Voice-over-IP (VoIP) services and automated services.


One common attack technique involves the victim simply answering the attackers call. They then hear the spiel the scammer has decided to use, usually involving an immediately actionable request involving their credit card, or unusual banking activity. The victim is then provided with a spoofed phone number to call.

One of two things now occur. Either:

  1. The victim will be met with an automated voice system requiring the victim to enter their credit card, debit card, or other banking details, along with their PIN numbers and other personal identifiers, or
  2. When the victim initially hangs up the phone to make a call to their bank, the fraudster does not. This keeps the line open and connected to the fraudster. The victim may then hear a spoofed dialing tone, followed by the scammer “answering” the phone. They then act as a bank official, requesting details from the victim for later use, or to funnel funds from one account into a new, “secure” account.

Depending on the scam and the bank, victims may recover some of their lost funds, but this by no means guaranteed. Some banks, however heartless it may appear to be, reject claims of this nature as the victim has acted with “gross negligence” by not assuring their own banking security.

“HSBC has refused to refund the money, arguing that the couple’s real bank cards (not a clone) and the correct pins were used and that, therefore, they have breached the bank’s terms and conditions and were grossly negligent.”

And while the above instance applies to lost and stolen bank cards, monetary loss through vishing fraud is still a legal gray area, with the banks arguing that some of the liability must be placed upon the victim to actively protect their own interests, despite concerted efforts by scammers.



“SMiShing”, the portmanteau of SMS and phishing, is the act of using SMS messaging to defraud an individual. Smishing techniques are relatively analogous to phishing and vishing. The victim receives a text message purporting to be from a reliable, trustworthy source.

The SMS usually contains a similar message, too, with attackers posing as banking administrators or officials to deliver a warning of a compromised credit or debit card, an account, or an identity. The victim is then encouraged to follow the compromised link or phone number included in the message, where the victim reveals the specified information to the fraudsters.

SMS phishing victims are not always exposed by a banking scam, as you can see in the above Tweet. That is a sample of the Smishing campaign currently underway, taken from my home-town. Similarly, in 2012 a large number of US citizens received an SMS containing text along the lines of:


“Dear Walmart shopper, Congratulations you have just won a $1000 Walmart Gift Card. Click here to claim your gift. (cancel: STOP)”

This scam used Walmart’s popularity to lure victims into clicking the link, where they were then asked a series of personally identifying questions, culminating in a straight-up request for credit or debit card details.

Personal details aren’t always the primary goal. Some smishing campaigns focus on installing malware on the victim’s phone for a sustained data collection attack, preferring to gather more information over a longer period of time, while the victim remains painfully unaware.

Don’t Get Caught Out

As devious and deceitful the scammers are, you can arm yourself with a handful of mitigation tactics. They are all ridiculously easy to remember and will definitely save you time, money, and heaps of wasted energy. Almost all apply to any form of phishing you might encounter.

  • Check and double check the number of the caller, or source of the instant or text message. The number may have been spoofed What Is Email Spoofing? How Scammers Forge Fake Emails It looks like your email account has been hacked, but those weird messages you didn't send are actually due to email spoofing. Read More to look like an official source.
  • Even if the number looks legitimate, when you’re requested to call a number back, always use a different phone line. This avoids “no hang-up” scams. Use a number from a recent bank statement, or look up the main customer service number for your bank online.
  • Never give anyone your banking information over the phone, no matter how insistent they are. Your bank will not ask you for any identifying details, especially not PIN numbers, the security numbers on the back of card, or even your expiry date.
  • Never transfer money into another account at the behest of a random caller. Your bank will never ask you to do this. Similarly, they will not send a courier to your house to collect your checking book. No official institution will do this, unless perhaps you are being arrested at the behest of the IRS.
  • Be extremely wary of unsolicited texts from your bank or another trusted name. Unless you have previously agreed with your bank that SMS contact is okay, it won’t happen.
  • Be similarly wary of any links included in any SMS message. Shortened links could take you anywhere, and there is little way of  knowing what will happen once that link is tapped or clicked.

Most of all, be vigilant. If you are unsure, simply hang up. If it is an unsolicited text, ignore it. Vishing and smishing social engineering techniques rely on the same abuse of trust as phishing. Even while I was writing this article, I received this email:

Phishing Attempt While Writing Article

Now, I know the email address is spoofed 5 Examples To Help You Spot A Fraud Or Fake Email The shift from spam to phishing attacks is noticeable, and is on the rise. If there's a single mantra to keep in mind, it's this -- the number one defense against phishing is awareness. Read More . Why? Because there are only two people with email addresses at that URL, and one of them is mine. The attachment is also a total giveaway.

Technology will never offer the 100% deterrent we would like. Neither will it detect the scammers 100% of the time. Technology can offer you an excellent starting point, but as with almost everything in life, unless you commit your own due diligence and attempt to think critically about incoming communications, you’re setting yourself up for a really bad time.

Have you been victim to a vishing or smishing scam? Did you realize immediately, or only when your accounts were compromised? Do you know what to look for now? Let us know below!

Related topics: Hacking, Phishing.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Ellen
    August 31, 2016 at 3:14 pm

    Really great article. Loved the level of detail!

  2. Anonymous
    May 9, 2016 at 7:27 pm

    "...answering the attackers call." **Attacker's** - learn where and when to use an apostrophe! And proofread!!!

    • Gavin Phillips
      May 9, 2016 at 7:32 pm

      Two in a row, sorry Howard. But you could be more constructive than pointing out minute grammar infractions, and actually talk about the subject of the article.

  3. Anonymous
    May 9, 2016 at 7:11 pm

    A greatly written article, and a nice reminder. Always remain vigilant! Working at Wal-Mart as a cashier in the money center for a while helped remind me there is STILL a lot of people that fall for these types of scams. If you feel a link is safe, place your cursor over the link (without clicking on it) and see if it is a legitimate link, or if it sends you somewhere else, as well!

    As I tell the students at the High School I work at: if in doubt, delete it out.

    • Gavin Phillips
      May 10, 2016 at 6:24 pm

      Thanks, Jonathan, always interesting to write about the new methods scammers use, hopefully keeping myself and everyone else above water. But you’re right, so many people fall for it, and I can understand why. If people who are supposed to be “tech savvy” and up-to-date with the latest scams can still fall victim, then anyone who is even slightly vulnerable is going to have a bad time. Unfortunately, as it works, they’ll keep coming.

      Thanks for reading!