
Smishing and Vishing: SMS and Voice Phishing Explained

Understand smishing (SMS phishing) and vishing (voice phishing) attacks—how they work, real examples in 2026, and practical tips to spot and avoid them.


Phishing has expanded well beyond email. Smishing (SMS phishing) and vishing (voice phishing) are growing attack vectors that exploit mobile phones and voice calls — channels that many people treat as inherently more trustworthy than email. In 2026, AI-powered voice cloning has made vishing dramatically more convincing, and the sheer volume of smishing attacks has made SMS an increasingly hostile environment.

What Is Smishing?

Smishing is phishing conducted via SMS or messaging apps (iMessage, WhatsApp, Telegram). The victim receives a text message that appears to come from a trusted source — a bank, delivery service, government agency, or employer — with a link or call-to-action.

How Smishing Works

  1. Attacker sends a bulk SMS to a list of phone numbers (purchased, scraped, or generated)
  2. Message impersonates a trusted service with urgent language
  3. Victim clicks the link, which loads a phishing page designed for mobile
  4. Victim enters credentials or personal information
  5. Data is captured in real time by the attacker

Why SMS is effective for phishing: People click SMS links at dramatically higher rates than email links. Mobile screens show shortened URLs, making the destination domain harder to inspect. Many people have higher implicit trust in SMS than email.

Common Smishing Scenarios

Fake delivery notifications:

“USPS: Your package could not be delivered. Update your address to avoid return: [short URL]”

These are extremely effective because many people have packages in transit and the message is plausible.

Fake bank security alerts:

“Chase: We’ve detected unusual activity on your account. Verify your identity immediately: [short URL]”

The urgency and fear of account problems drives clicks.

Fake toll road / parking violations:

“You have an unpaid EZPass toll. Pay $3.50 now to avoid a $50 fine: [short URL]”

This campaign was widespread across the US in 2023–2024 using nearly identical messages.

Government impersonation:

“IRS: Your tax refund of $847.00 is pending. Claim it here: [short URL]”

Job offer scams:

“Hi, I found your profile and have a remote job opportunity paying $3,500/week. Interested? Reply to learn more.”

These often progress to cryptocurrency investment fraud or “pig butchering” romance scams.

Recognizing Smishing

Warning signs:

  • Unexpected messages about accounts, packages, or payments you weren’t expecting
  • Urgency language (“Act now”, “Within 24 hours”, “Immediate action required”)
  • Short URLs (bit.ly, tinyurl.com, etc.) — legitimate companies use their own domains
  • Generic greetings (“Dear customer”) rather than your name
  • Requests for personal information via SMS or a linked form
  • Messages from international numbers (+44, +86, etc.) impersonating US companies

Never click links in unexpected SMS messages. Instead, navigate directly to the company’s official website by typing the address manually.
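A small triage script, added here as an example (not part of the original article), that scores constructed sample messages against the warning signs listed above. The term lists, the shortener domains, the country-code prefixes and the two-signal threshold are assumptions for illustration, not rules from any real filtering product.

```python
import re

# Heuristics mirroring the warning signs above (lists are illustrative assumptions)
URGENCY_TERMS = ("act now", "immediately", "within 24 hours", "immediate action", "to avoid")
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
GENERIC_GREETINGS = ("dear customer", "dear user", "valued customer")
INTL_PREFIXES = ("+44", "+86")  # non-US country codes, as cited in the text
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# A verb asking the reader to act on an identifier or credential
PII_REQUEST_RE = re.compile(
    r"\b(verify|confirm|update)\b.*\b(identity|account|address|ssn|password)\b"
)


def score_sms(sender, text):
    """Return (score, reasons): one point per warning sign that fires."""
    lowered = text.lower()
    reasons = []
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENER_DOMAINS:
            reasons.append("shortened URL (%s)" % host)
    if any(term in lowered for term in URGENCY_TERMS):
        reasons.append("urgency language")
    if any(greeting in lowered for greeting in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if PII_REQUEST_RE.search(lowered):
        reasons.append("request for personal information")
    if sender.startswith(INTL_PREFIXES):
        reasons.append("international sender (%s)" % sender)
    return len(reasons), reasons


def is_suspicious(sender, text, threshold=2):
    """Flag a message once two or more independent warning signs are present."""
    return score_sms(sender, text)[0] >= threshold


# Constructed samples modelled on the scenarios above; the numbers are placeholders
SAMPLES = [
    ("+44 7700 900123", "USPS: Your package could not be delivered. "
                        "Update your address to avoid return: https://bit.ly/abc123"),
    ("+1 555 0100", "Chase: We've detected unusual activity on your account. "
                    "Verify your identity immediately: https://tinyurl.com/x1"),
    ("+1 555 0199", "Your dentist appointment is tomorrow at 10:00. Reply C to confirm."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        score, reasons = score_sms(sender, text)
        print(score, "SUSPICIOUS" if is_suspicious(sender, text) else "ok", reasons)
```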

What Is Vishing?

Vishing is phishing conducted over voice calls. Attackers call victims while impersonating:

  • Bank fraud departments
  • IRS/CRA/HMRC tax authorities
  • Microsoft/Apple technical support
  • Social Security Administration
  • Utility companies
  • Employers

How Vishing Works

Auto-dialing campaigns: Millions of automated calls are placed using VoIP services. The opening message claims urgency: “This is Amazon calling about an unusual purchase on your account. Press 1 to speak with a representative.” Victims who press 1 connect to a live attacker.

Caller ID spoofing: Attackers trivially spoof caller ID to display your bank’s official phone number, government agency numbers, or your employer’s number. Seeing a familiar number on caller ID proves nothing.

Live attackers: Unlike some automated scams, sophisticated vishing uses real human attackers trained in social engineering. They use scripts, maintain personas under questioning, and adapt to resistance.

AI Voice Cloning: The New Threat

The most significant vishing development in 2024–2026 is AI voice cloning. With 10–30 seconds of audio (available from YouTube videos, social media, LinkedIn video posts, or voicemail messages), attackers can clone anyone’s voice convincingly.

The scenario: Your parent calls your phone. The voice sounds exactly like them. They say they’ve been in an accident and need you to wire money immediately before the hospital will treat them. They can’t talk long because they need to see the doctor.

This attack works because we’re hardwired to respond to distress in the voices of people we love. A familiar-sounding voice is not evidence of identity and should never override your verification process.

Defense: Establish a family code word — a word or phrase agreed on in advance that anyone requesting money must provide in such a call. If the caller can’t provide the code word, hang up and call back on a known-good number.

Common Vishing Scenarios

Bank fraud impersonation: Caller ID shows your bank’s number. “We’ve detected fraud on your account and need to verify your identity.” They ask for your account number, SSN, and security questions. Real banks never ask for your full security information this way.

Tech support scams: “This is Microsoft calling. We’ve detected a virus on your computer.” They direct you to install remote access software (AnyDesk, TeamViewer), then either fake-fix a non-existent problem (billing you for “repairs”) or steal stored passwords and banking credentials.

IRS/government impersonation: “This is the IRS. There’s a warrant out for your arrest due to tax fraud. You can avoid arrest by paying immediately via gift cards or wire transfer.” The IRS does not call demanding immediate payment and does not accept gift cards. Neither does any legitimate government agency.

Business Email Compromise via phone: Attackers research a company’s organizational structure (LinkedIn), then call the finance department impersonating a senior executive: “I need an urgent wire transfer processed today for a confidential acquisition. My email is down — can you process this directly?” These attacks have cost companies hundreds of millions of dollars.

Practical Defenses

For smishing:

  • Never click links in unexpected text messages — navigate to sites directly
  • Enable your carrier’s spam filtering (AT&T Call Protect, T-Mobile Scam Shield, etc.)
  • Report smishing to your carrier by forwarding to 7726 (SPAM)
  • Use a call/SMS filtering app (Hiya, RoboKiller)

For vishing:

  • Hang up and call back on a number you obtained independently (from the official website or back of your card)
  • Establish a family code word for emergency money requests
  • Never trust caller ID alone — it can be spoofed
  • Banks and government agencies never ask for gift card payments
  • Never allow remote access to your computer from an unexpected caller
  • Use “Do Not Disturb” settings to let calls from unknown numbers go to voicemail

For organizations:

  • Train employees on social engineering recognition, particularly voice-based BEC
  • Require dual approval for wire transfers regardless of who “requests” them
  • Establish verbal verification procedures for sensitive requests received via phone

The volume and sophistication of both smishing and vishing attacks have increased substantially with the availability of cheap VoIP services, bulk SMS APIs, and AI voice cloning tools. The defenses are behavioral and procedural — technology can help filter, but no algorithm catches every impersonation.
