Phishing, smishing and vishing: how they differ and how to defend yourself

Phishing, smishing and vishing are words that appear more and more frequently in bank warnings and police campaigns, but many people do not know exactly what they mean or how to tell one from another. They are the three main variants of the same family of frauds: social engineering attacks that impersonate the identity of trusted entities, such as banks, public authorities or courier companies, to deceive the victim and get them to hand over their data, their credentials or their money.

The common denominator is social engineering: techniques that do not attack computer systems but rather the victim’s psychology directly. They do not seek technical vulnerabilities, but human vulnerabilities in trust, fear, urgency and deference to authority. The mechanism is always the same: the victim receives a communication that appears to come from an entity they trust, that communication creates a sense of urgency or threat, and it tells them they must act immediately. The effectiveness of these attacks does not depend on the victim’s naivety: highly educated people fall for them because the deception is professionally designed.

Phishing is the original form, operating by email. The email replicates with great fidelity the appearance of the entity’s real communications and contains a link to a fake website where credentials are requested, or an attachment with malware. A key point: banks and public authorities never ask you by email to enter credentials, passwords or security codes; if an email asks for that, it is phishing, however convincing it may seem.

Smishing is the SMS variant. The victim receives a message warning of an urgent situation and providing a link or a number. It is especially dangerous because, through spoofing techniques, the fraudulent SMS may appear grouped in the same conversation thread as the legitimate messages from the real bank. The golden rule is never to click on a link in an SMS: if in doubt, access the official website or app by typing the address yourself.

Vishing is the telephone-call variant. The fraudster poses as a bank employee, a police officer or a technician, and the number may be manipulated through caller ID spoofing so that the entity’s official number appears. They create urgency and ask for certain data, such as the verification code that arrives by SMS, which in reality authorises an operation, or for a remote-access program to be installed. The golden rule is to hang up and call the entity’s official number yourself.

The differences lie in the channel and the level of interaction: phishing operates by email, on a mass scale and without real-time contact; smishing, by SMS, with the dangerous possibility of mixing with the bank’s legitimate messages; and vishing, by call, with a direct interaction that generates psychological pressure that the other channels do not reproduce with the same intensity.

If you have been a victim, call your bank immediately at its official number, change all compromised passwords, uninstall any remote-access program, preserve the evidence and file a complaint. Whoever commits these attacks incurs an offence of fraud under Article 248 of the Criminal Code, to which the offence of computer intrusion under Article 197 bis and computer fraud may be added, with higher penalties.