Smishing vs Phishing vs Vishing: What’s the Difference?

phishing vs smishing vs vishing

Smishing vs phishing vs vishing: You’d do well to find someone who hasn’t been targeted by at least one of these.  

Whether it be a fake password reset email or a supposed opportunity to receive a tax rebate if you ‘click here’, phishing is becoming an ever-more popular weapon for cybercriminals.

So much so in fact that the Anti-Phishing Working Group uncovered over one million phishing attacks in Q2 of this year alone – the most it has ever seen in one quarter.

BEC: A Big Threat to Business

From a business standpoint, most employees will have received an email from their “boss” asking them to immediately transfer a pile of cash to a “vendor” or some other legitimate-looking entity. This particular type of phishing attack falls under the category of “Business Email Compromise.” According to the FBI, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion in 2021.

BEC attacks are unusually effective because they are impersonating someone the victim knows – often an authority figure like a boss. If the boss asks you to do something, most people don’t question it. But these days they should, especially when large sums of money or sensitive data is involved.

The explosion of digital transformation has created an unprecedented opportunity for bad actors, who don’t need a high success rate to profit.

There are different variants of phishing attacks, but there are steps you can take to protect yourself and your organization. Let’s review the nuances between smishing vs phishing vs vishing, and analyze how to defend against and react to them.

What is a Smishing Attack?

Smishing is an acronym for SMS phishing, or short message services phishing. Essentially, it’s a phishing attack launched via a text message. 

While most people ignore email spam, they tend to read every last text message, because people wrongly assume texts are more secure. Still, hackers can easily uncover public information about the target to craft a smishing message that feels legitimate.

Successful smishing texts convey a sense of urgency. “We know you committed a crime – call this number to clear your name.” Or “We’ve locked your Amazon account due to unusual activity detected.” In some cases, they’ll first call the target, promising to follow up with a text message containing a link.

What is the Goal of Smishing?

In a smishing attack, (as with all phishing) the aim is one of three things:

1. Compromise login credentials

2. Convince user to click a malicious link or attachment, infecting the computer

3. Manipulate victim into sending money or confidential data

The threat of personal attacks is clear, but the rise of bring your own device (BYOD) – where employees use personal devices for work – makes smishing a more viable weapon to target businesses. It’s not unusual for employees to receive text messages from their “CEOs” these days. In fact, it’s so prevalent that it’s now known as “CEO Smishing.”

What Happens If You Click a Phishing Link?

Before BEC came along, the primary objective(s) of phishing attacks were one of two things:  Getting target to click on a URL or malicious attachment.

Typically, they want this to happen for one of two reasons: 1) to encourage the victim to enter their personal information (credential theft), or 2) to encourage them to download a file loaded with malware.

Even if the target clicks the link but ultimately does neither, they will have flagged themselves as a potential victim that may well be worth exploiting further.

Phishing Smishing Vishing

Most targets that click on a link but don’t follow through with data input or a download are generally safe, but it’s still good practice to disconnect the device from the internet and contact your IT team for further support. IT may check out the device to make sure it’s clean.

Always change the password for the targeted account.

The golden rule is don’t click the link. Phishing attacks have moved beyond playing make-believe as Nigerian princes and now craft convincing emails, posing as organizations we trust.

According to cybersecurity vendor Check Point, LinkedIn is the most impersonated company in phishing attacks, accounting for more than half of all attempts. Delivery giant DHL follows in second place, the report found.

What Protects Against Spear Phishing?

Traditionally, phishing campaigns were untargeted and sent out to a broad range of people hoping that someone would bite.

However, as cybercriminals have become more advanced, they’ve adapted this approach to target individual companies and people. This is known as spear fishing. Spear fishing is prominent, with some estimates claiming that 65% of cybercriminals opt for spear fishing as their chosen attack method.

Have you ever received an email from someone addressing you by name and claiming to be your organization’s finance director and referencing things only you would know?  This is spear phishing.

Telltale Signs

In some poorly crafted attempts, it will be clear the email is not from your finance director.

The email could be littered with unusual errors. Or they might ask for your phone number, despite your real finance director having it. Upon closer inspection, you may see that the email address is actually a random Gmail account assigned to an individual with the same name.

Phishing Smishing Vishing

What is a Vishing Attack?

Vishing is another mode of phishing attack, this time using voice. Similar to smishing, vishing attacks target people wary of email attacks but feel safer when it comes to voice communication.

Many consider vishing to be the oldest type of phishing attack. While not officially known as “vishing”, the first known attempt happened around 1995.

Vishing attacks can target specific individuals, where a real human asks for another real human by name. They might claim to be from their bank while informing them of a compromised checking account.

Phishing Smishing Vishing

Vishing attacks can also be more general, launching simultaneously by the thousands using VoIP calls and pre-recorded messages.

The safest way to rebuff phishing attacks is to avoid handing over personal data if you’re suspicious. If you feel the call may be genuine, offer to hang up and call back on a legitimate phone number.

Smishing vs Phishing vs Vishing: How to Stay Safe

Smishing, phishing, and vishing attacks execute in murky waters, but the surge in digital transformation means they will only increase in volume. Some estimates claim 3.4 billion phishing emails hit inboxes every single day.

Scarily, cybercriminals are indiscriminate, targeting everyone from college kids to high-flying CEOs.

People must stay alert and spot the common trends associated with phishing attacks on an ad-hoc basis. Still, the most effective way for an organization to stay secure is through a comprehensive cyber awareness policy.

Best Practice: Security Awareness Training

Security Awareness Training, like that offered by ThriveDX’s Enterprise Division empowers businesses to both try out the product while learning about current threats through: 

  1. Simulations – Real world lures account for data entry (credential theft), malicious links and malicious attachment phishing attacks.

  2. Other simulated attacks include portable media, smishing and vishing

  3. Fully customizable content libraries

  4. Encourages suspicious activity reporting from users, increasing engagement

Cyber awareness platforms like these educate employees on how to recognize phishing, smishing, vishing, pharming, BEC, ransomware and other attacks bringing enterprises to their knees. Security awareness training also prepares workers for the inevitable day when they face a real-life phishing attack.


Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content