What Are Vishing & Smishing?
The lesser-known cousins of phishing can cause quite the problem for you.
Vish and smish may sound like two characters from a children’s cartoon, but they represent the modern frontline of identity fraud. Vishing and smishing haven’t received the same levels of media attention as their cousin phishing, even though all three effectively use confidence tricks to obtain sensitive personal data. This psychological manipulation has the potential to ruin people’s financial affairs, with Interpol reporting that the global cost of social engineering fraud doubled last year to £675 million.
As bank accounts become more secure, and two-factor authentication makes it harder for algorithms to unlock passwords or login credentials, criminals are increasingly targeting the most vulnerable part of any account – the end user. Since 2010, cases of vishing and smishing have mushroomed on every continent, yet press coverage remains focused on phishing attacks.
So what is vishing?
Phishing is conducted largely via email, whereas a vishing attack is carried out over the telephone. The first stage of this telephone scam may be an unsolicited email urgently requesting that the recipient call a supplied telephone number. A vishing attack may also begin directly with a phone call from a withheld or cloned number. The caller – claiming to be an employee of an organisation that the contacted individual is usually associated with – will be calm and authoritative, while emphasising a need for immediate cooperation. Believing that they’re responding to a genuine enquiry, the recipient may supply enough personal information for an actual crime (or crimes) to be committed in their name.
A rare but sophisticated form of vishing involves a gang of criminals following an individual until they visit an ATM. The criminals ring their victim soon afterwards, purporting to be from the bank whose ATM was used and claiming the bank card has been cloned or compromised. Because they can confirm the time, date and location of the ATM usage, these claims will seem highly credible. Callers may request the card’s CVC code and other sensitive data, or they may even offer to collect it from the victim’s home address as an ‘act of goodwill’.
In extreme circumstances, it’s been reported that criminals can take over the phone number they called their victim on. If the victim puts down the phone and attempts to make an outgoing call to a bank or building society, the call will simply redirect straight back to the fraudsters. More commonly, criminals will remain on the line as they rush their quarry through various procedures that will allegedly prevent criminal activity, while in actual fact facilitating it.
What is smishing?
Smishing is something of a mashup between vishing and phishing, and is often written as SMiShing to indicate that it is carried out through text messages. These messages contain a hyperlink or a phone number that the recipient is urged to contact. The number typically leads to an automated system, where a computer invites the victim to hand over personal information while claiming criminal activity will take place without full and immediate cooperation.
Because there is no human contact, smishing is a safer technique for criminals; however, it’s also easier to identify. Unlike vishing, where the phone number displayed on your handset may look genuine, smishing messages often come from strange or unrecognised locations. Nevertheless, many people with internet banking now receive regular text messages from their bank or building society, so this isn’t always a warning sign in itself. Clicking on a link in an SMS may access a website where malware or spyware is lurking, ready to extract personal information from the victim’s computer.
How can you avoid these attacks?
The best way to avoid vishing and smishing is by never surrendering personal information to unsolicited enquiries, no matter how authentic the premise. Instead, call the phone number printed on bank cards or written statements, using a different line to the one being targeted. Avoid listing too much personal data on social media platforms, where criminals can harvest information that will add authenticity to any vishing or smishing attempts; even a date of birth or postal address can be an invaluable tool in social engineering fraud.