Unmasking the New Faces of Phishing - Smishing and Vishing

We all know to be wary of suspicious emails, but cybercriminals are constantly evolving their tactics. Phishing isn’t just about your inbox anymore. Today, sophisticated attacks are landing directly on our phones through text messages and even phone calls. Understanding these new threats – ‘Smishing’ (SMS phishing) and ‘Vishing’ (voice phishing) – is crucial for protecting yourself and your business.

The Evolving Threat Landscape: A Summary:

While email phishing remains prevalent, its effectiveness is waning as people become more aware. This has led cybercriminals to explore new avenues that exploit our trust in other forms of communication. Smishing and vishing capitalise on the immediate and often personal nature of text messages and phone calls, making them incredibly effective at tricking unsuspecting victims into revealing sensitive information or taking harmful actions. These attacks often play on urgency, fear, or a false sense of authority.

 

The scale of the problem in the UK is significant: phishing remains the most common type of cyber-attack, with recent UK government surveys indicating that around 85% of UK businesses that suffered a cyber-attack reported it as phishing. The financial impact is also substantial. In 2024, the average cost of a phishing attack on a UK business rose to around £1,600, with disruptive breaches for larger businesses costing an average of £10,830. The largest breaches have cost big companies vastly more: for example, the cost to Marks and Spencer and the Co-Op is estimated to be between £270 million and £440 million. Alarmingly, the sophistication is increasing, with research suggesting a significant number of phishing attempts are now AI-generated, making them harder to spot.

Smishing: When a Text Message Isn't Just a Text:

Smishing is phishing that occurs via SMS, or text message. Attackers send deceptive text messages designed to trick you into clicking malicious links, downloading malware, or divulging personal information. These messages often mimic trusted entities like banks, delivery services, government agencies, or even internal IT departments.

 

The volume of smishing attacks has seen a dramatic increase, with one report noting a 700% increase in incidents in the first six months of a recent year. This rapid growth highlights the effectiveness of this vector. A report from the Office for National Statistics (ONS) also revealed that a significant proportion of UK adults have received a text message they suspected was a phishing attempt. The most frequently impersonated brands in smishing attacks are those we interact with daily; more than half of all smishing messages impersonate delivery companies, as fraudsters take advantage of the rise in online shopping. Financial institutions and government agencies (like HMRC) are also commonly impersonated.

  • Package Delivery Scams: You receive a text message from what appears to be Evri or Royal Mail, stating there’s an issue with a package delivery and providing a link to “resolve” it. Clicking the link often leads to a fake website designed to steal your login credentials or credit card information.
  • Bank Alert Scams: A text message pops up, seemingly from your bank, warning of “unusual activity” on your account and instructing you to click a link to verify your details. This link, of course, goes to a fraudulent site.
  • Fake Government Refunds/Benefits: During tax season or times of economic uncertainty, smishing texts might offer a “government refund” or “new benefit program,” requiring you to click a link to claim it.
  • Malware Distribution: Some smishing texts try to get you to download a malicious app or file disguised as an update or important document.

Vishing: The Voice of Deception:

Vishing, or voice phishing, involves fraudsters using phone calls to trick victims. These calls often employ social engineering tactics, where the caller pretends to be someone trustworthy to manipulate the victim into revealing information or performing actions they wouldn’t normally do. Vishing attacks can be particularly convincing because the human element adds a layer of perceived authenticity.

 

These attacks can be highly successful; one report noted that targeted campaigns that included a phone call had an average click rate of 53.2%, which is over three times more effective than a standard phishing email. While precise, up-to-date UK-specific financial loss figures for vishing alone can be difficult to isolate, various reports consistently highlight that these scams contribute to millions of pounds in losses annually. One study also found that one in twenty-five adults in the UK may have been a victim of vishing at some point, underscoring its widespread impact. 

  • Tech Support Scams: You receive an unsolicited call from someone claiming to be from a well-known tech company (like Microsoft or Apple), warning you of a “virus” or “critical issue” on your computer. They’ll then try to convince you to give them remote access to your device or pay for unnecessary “repairs.”
  • IRS/Tax Scams (HMRC in the UK): Callers impersonate HMRC agents, threatening arrest or legal action if you don’t immediately pay alleged overdue taxes. They often demand payment via gift cards or wire transfers, which are untraceable.
  • Bank Impersonation: A caller pretends to be from your bank’s fraud department, claiming suspicious activity on your account. They might then ask you to “verify” your account number, PIN, or even transfer money to a “safe” account, which is actually controlled by the fraudsters.
  • “CEO Fraud” or Business Email Compromise (BEC) Vishing: In a business context, an attacker might call an employee, impersonating a senior executive (often the CEO or CFO), demanding an urgent wire transfer or sensitive company information.

So How Do We Protect Ourselves?

The best defence against phishing, smishing and vishing is awareness and scepticism:

  • Verify the Sender/Caller: If you receive a suspicious text or call, don’t immediately trust it. Independently verify the sender’s identity using official contact information (e.g., calling your bank directly using the number on their official website, not one provided in the message or call).
  • Never Click Suspicious Links: If a text message contains a link from an unknown or unexpected sender, do not click it.
  • Be Wary of Urgency and Threats: Both smishing and vishing often create a sense of urgency or fear to pressure you into acting without thinking. Take a breath and evaluate the situation.
  • Don’t Share Personal Information: Legitimate organisations will rarely ask for sensitive information like passwords, PINs, or full social security numbers over text or an unsolicited phone call.
  • Report It: Forward suspicious text messages to 7726 (SPAM) to help your mobile carrier identify and block these attacks. Report vishing attempts to Action Fraud (the UK’s national reporting centre for fraud and cybercrime) online or by calling 0300 123 2040.

By understanding these evolving threats, you can empower yourself and your team to be the first line of defence against the new wave of phishing attacks.