In recent years, the phone we always carry in our pockets has become the favourite target of cybercriminals; not so much for the device itself as for the relationship of trust we have with it.
We take it out in what has become an automatic gesture, answer calls without giving it a second thought, and open links with a single tap; it is precisely in this mental space that two now widespread techniques, smishing and vishing, take hold.
Behind these terms lies the natural evolution of classic phishing; attacks no longer come solely via email, but also through SMS messages, chats, phone calls or voice messages, which appear to come from trusted individuals. This is social engineering in its purest form, becoming increasingly precise and methodical on a psychological level.
Smishing and vishing: explained in plain terms
Smishing is quite simple: you receive a message via SMS or a chat app you use every day; it is short, direct and credible. It informs you of an urgent problem, often related to a payment, a parcel delivery or suspicious access to your account. Inside is a link that looks legitimate – but it isn’t.
Vishing works in the same way, but uses a person’s voice instead.
It can take the form of a call (often very convincing) from someone posing as a bank operator or a technician from a service you are familiar with; in the most sophisticated cases, it may even use the voice of a family member or colleague. It is precisely at this juncture that technology is changing the game: the ease with which real voices can be cloned nowadays makes attacks increasingly credible.
The perfect pretext is devised before the call
Attackers never start from scratch: before calling or messaging you, they gather information. They use social media, past data breaches and public directories. Just a few clues are enough to construct a convincing message.
Sometimes they manage to find out the names of colleagues, job roles and habits; other times they invent an emergency so plausible that it makes your impulsive reaction seem natural.
The most common tactic is the ‘fake emergency’. Some people receive messages such as ‘It’s me, I’ve lost my phone, reply here’ or ‘You need to confirm a payment immediately, otherwise we’ll freeze the account’. This language is no accident; it’s designed to rob you of the time to think.
The psychological factor: why they work so well
Smishing and vishing are successful because they don’t enter through the digital door, but rather through the emotional one. When we sense a feeling of urgency, our brain switches to autopilot; instinct makes us react, not reason.
This is exactly what criminals want: the more they make you feel under pressure, the more likely you are to do what they ask.
The technology powering vishing
In modern voice attacks, there are two elements that are making all the difference.
The first is audio deepfakes, which allow a person’s real voice to be simulated using very few samples. The second is caller ID spoofing, which makes a number that looks genuine appear on your smartphone screen: perhaps your bank’s number, or a colleague’s.
The potential danger of this combination is, at this point, quite obvious.
How to really protect yourself: think more, rush less
The most effective protection isn’t an antivirus, but a mindset. When a message or call arrives that creates a sense of urgency, the first step is to slow down. Literally.
Ending the conversation, taking a breath, and contacting the person or company via official channels is always the smartest choice. No bank or reputable institution will ever ask you to share codes, passwords or OTPs via text message or during a call.
If something doesn’t add up, it is almost certainly a scam.
And within companies?
For organisations, the problem is even more critical. Smishing and vishing target not only private individuals, but above all employees with privileged access. Continuous training is needed, along with clear policies on how internal communications should take place and technical tools to filter out suspicious traffic.
The truth is simple: we are not fighting technology, but manipulation
Smishing and vishing cannot be combated with miracle tools, but with awareness and method. Attacks change form, but the lever is always the same: trust.
In the digital world, trust is granted only after verification – never before.
By Federico Branchetti – Cybersecurity Developer, Cyberoo