Phishing, Vishing and Smishing

Phishing, vishing and smishing are three of the most common cyber threats today. These attacks are based on social engineering techniques, a criminal tactic that seeks to take advantage of the victims’ lack of precaution in cybersecurity matters. In this article we explain what these attacks are, how they differ from each other and how you can identify them.
PHISHING
Phishing involves sending emails that mimic the branding, formatting and other hallmarks of known senders, such as tech service providers or well-known social networks. A recipient who does not apply proper security checks may mistake these emails for genuine communications, because the apparent authenticity of the sender inspires confidence.
These fraudulent emails often contain deceptive links or attachments, designed to trick the victim into revealing sensitive information—such as login credentials or bank details—or into downloading malicious content. The seemingly authentic presentation hides the attacker’s intent and tools.
With the rise of artificial intelligence, phishing attacks have become significantly more sophisticated. Cybercriminals now use generative models to craft grammatically flawless messages, mimic corporate communication styles, and personalize attacks based on the victim’s profile—making them far more convincing and harder to detect.
SMISHING
Here, the communication channel is no longer email but messaging applications on smartphones. Through deceptive text messages, attackers aim to collect data like credit card numbers.
The victim is manipulated—often by creating a sense of urgency or fear—into taking an action that appears helpful, but is in fact designed to benefit the attacker.
Artificial intelligence has also enhanced smishing techniques, enabling the mass distribution of personalized messages and the generation of texts that closely resemble legitimate alerts, thereby increasing the success rate of these scams. That’s why it’s important to know the patterns of these scams to be able to detect them more easily.
VISHING
Vishing also relies on social engineering and impersonation. In this case, voice calls are the attack vector. Cybercriminals call their victims, pose as representatives of legitimate organizations such as government agencies or banks, and use persuasive language to obtain sensitive information under false pretenses.
AI-powered vishing attacks now leverage synthetic voices that realistically imitate real individuals or institutional representatives, making it increasingly difficult for victims to recognize the deception.

SIMILARITIES AND DIFFERENCES BETWEEN PHISHING, VISHING AND SMISHING
While these three attack types share a common goal—to steal sensitive information such as passwords, bank account numbers, or credit card data—they differ in their delivery methods. All three rely on psychological manipulation, a key element of social engineering.
- Common goal: All three attacks are designed to obtain personal or financial information from victims.
- Psychological manipulation tactics: In all cases, cybercriminals employ strategies that manipulate the emotions and behaviors of victims, creating a false sense of urgency or trust to get users to provide the requested information.
- Fraudulent communications: All three types of attack use messages that appear to come from a legitimate institution, such as a financial group, a well-known company or a trusted authority, but are in fact sent by criminals.
Although all three attacks pursue the same objective, they differ in the channels used by the cybercriminals to obtain the information.
TYPES OF SOCIAL ENGINEERING MESSAGES
Cybercriminals use various strategies to deceive victims, depending on the type of entity they are trying to impersonate:
- Social engineering in banking: Cybercriminals impersonate financial institutions in order to obtain sensitive information. They use pretexts such as account suspensions, suspicious activity or unrecognized charges to trick victims.
- Social engineering in public agencies: Attackers impersonate government agencies and entities, sending emails about topics such as tax refunds or the payment of traffic fines in order to steal personal data.
- Social engineering in private companies: Cybercriminals appeal to users’ feelings through subject lines and messages designed to capture their attention. Among the most impersonated companies are energy providers, supermarkets and online stores, courier and transportation companies, telephone operators, social networks, video game platforms, cloud services, email providers, and entertainment and streaming platforms.
WARNING SIGNS THAT HELP IDENTIFY THESE ATTACKS
GRAMMAR AND SPELLING ERRORS
Fraudulent messages are often poorly written and contain errors, which may indicate that they do not come from a reliable source.
REQUESTS FOR SENSITIVE INFORMATION
Legitimate companies will never ask for information like passwords, PINs, or security codes via email or text.
SUSPICIOUS LINKS OR ATTACHMENTS
Messages may include links to fake or malicious websites, or attachments that may contain malware or viruses.
URGENCY OR THREATS
The message generates a sense of urgency, pressuring the recipient to act quickly under threat of consequences, such as account closure, fines or security problems.
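An added example (not from the original article) that turns three of the warning signs above into automated checks on an HTML message body: requests for sensitive information, urgency wording, and links whose visible address or domain does not match the sender. The phrase lists, sign names and sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists (assumptions); tune them for your own mail flow.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|security code|card number)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_link = True
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data

def host(value):
    """Lower-cased hostname of a URL or bare domain, without a leading www."""
    name = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return name[4:] if name.startswith("www.") else name

def warning_signs(sender_domain, html_body):
    """Return the sorted warning signs found in one HTML message body."""
    collector = LinkCollector()
    collector.feed(html_body)
    signs = set()
    if SENSITIVE.search(html_body):
        signs.add("sensitive_request")
    if URGENCY.search(html_body):
        signs.add("urgency")
    for href, text in collector.links:
        target = host(href)
        if LOOKS_LIKE_URL.match(text.strip()) and host(text.strip()) != target:
            signs.add("link_text_mismatch")  # shown address is not the real target
        if target != sender_domain and not target.endswith("." + sender_domain):
            signs.add("link_off_sender_domain")
    return sorted(signs)

# Constructed sample message body (not a real campaign).
PHISH = ('<p>Your account is suspended. Confirm your password immediately:</p>'
         '<a href="http://examplebank.test.login-verify.example/r">www.examplebank.test</a>')
```

Treat the result as a triage hint: legitimate mail can link to third-party domains, and a well-written message can trip none of the text checks.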

HOW TO AVOID BECOMING A VICTIM OF THESE ATTACKS
- Do not open emails or messages from unknown senders: Delete them and block the sender. Do not reply or share personal information.
- Verify senders and links: Make sure messages come from trusted sources.
- Keep devices and software updated: Install security updates to protect against vulnerabilities.
- Use antivirus and mobile security apps: Install and update security software to detect threats such as malware and smishing.
- Enable two-factor authentication: Add an extra layer of protection to your accounts.
- If you receive a suspicious message, verify its authenticity: Contact the company directly through its website or official phone number.
EDUCATION AND AWARENESS
Raising employee awareness about cybersecurity risks is critical to protect the organization’s information. Cybercriminals exploit employees’ lack of security knowledge to execute attacks such as phishing, vishing and smishing. Without proper training, employees can easily become targets, compromising sensitive data and business security. According to the Verizon DBIR 2023 report, 74% of security breaches involve the human factor, ranging from user misuse of privileges to stolen credentials and social engineering.
An informed workforce acts as the first line of defense. Training programs, attack simulations and constant updating of best practices help employees detect and prevent threats. Fostering a culture of cybersecurity significantly reduces the risk of attacks and strengthens organizational security.
At JakinCode we help you protect your business by developing a culture of cyber awareness focused on information security.