
Best Practices for Phishing, Smishing, and Vishing: Protecting Yourself from Cyber Threats

Phishing, smishing and vishing are social engineering techniques used by cybercriminals in an attempt to obtain personal information or install malware to allow them to carry out fraud (especially financial fraud).

To do this, the attacker sends content through an electronic channel that, for example, imitates a real brand, posing as someone trustworthy to get the victim to hand over sensitive information or to perform an action, in this case by means of malicious attachments. When this technique is used through SMS it is called smishing; by phone (voice) it is called vishing. It can also be used through instant messaging on social networking applications such as WhatsApp.

Knowing what methods cybercriminals use and how to identify them can help you avoid becoming a victim.

What is Phishing?

Phishing is a method of cyber-attack that attempts to trick victims into clicking on fraudulent links sent via email. The link usually leads the victim to a seemingly legitimate form that requests sensitive information or leads to the download of some file containing malicious functionality.

A classic example is receiving an email informing you that your bank account has been blocked and asking you to click on a link to regain access. In fact, that link leads to a fraudulent form that simply collects your information, which the attackers can then use to access your account and steal your money.


What is Smishing?

Smishing is a type of fraud similar to phishing, except it comes in the form of a text message. A smishing text usually contains a fraudulent link. By following the link and the instructions provided, the victim ends up inadvertently installing malware, which usually helps the attacker obtain illicit financial gain at the victim's expense.

These smishing text messages may look like urgent requests sent from a bank or parcel delivery service, for example. It can be easy to fall for this scam if you think you need to act quickly to solve an urgent problem and do not take steps to verify the veracity of the message.

What is Vishing?

Fraudulent calls or voice messages fall under the category of “vishing”. Cybercriminals call potential victims, often using pre-recorded robocalls, pretending to be a legitimate company to request personal information from a victim.

For example, the call may ask you to confirm your details with your bank or to extend your car insurance cover. If you answer, you may be put through to a supposed agent and asked to provide personal information.

How to prevent Phishing, Smishing and Vishing attacks

To avoid becoming a victim of phishing, smishing or vishing, there are a few rules you should follow. These can directly protect you from fraud and reduce the likelihood of being targeted.

  • Do not click on attachments or links in emails, unsolicited messages or suspicious SMS
  • When you are contacted, confirm the veracity of the originating email address, profile or phone number
  • Always assess the timeliness, or timing, of the content of emails, instant messages, SMS or phone calls
  • Do not share personal data or follow instructions without verifying from other sources the veracity of the request – for example, from the Bank’s account manager or a line manager
  • Be wary of messages with formal language errors, but also do not trust all messages just because they do not have formal language errors
  • In organisations, carry out simulated phishing and smishing attacks, and possibly vishing, in order to raise awareness and levels of attention to these means
  • Do not share sensitive data on social networks, as this may provide information to possible attackers who want to carry out spear phishing (phishing aimed at a specific person)
  • Report to the organisation’s IT security officers or to the authorities whenever you are the target or victim of such an attack
  • Be attentive and do not allow yourself to be persuaded without reflection by authoritarian requests, promises or urgent requests