Cyber Education

What is the Difference Between Phishing, Smishing, and Vishing and How Can I Protect Myself Against It?


Joseph Morgan


02 September, 2023



In the digital landscape we navigate daily, the threats are not just viruses or malware; they come disguised as regular communications. These deceptive tactics—Phishing, Smishing, and Vishing—are the wolves in sheep’s clothing of the cyber world. Understanding these threats is not just beneficial; it’s imperative for both individuals and businesses, especially SMBs and Micro-SMBs. So, let’s delve into the nitty-gritty of these terms and arm ourselves with the knowledge to counteract them.

Phishing phone call scams vishing - concept. Cellphone with fishing hook, credit cards & gift cards

What is Phishing?

Phishing is the granddaddy of online scams, primarily executed through email. Imagine receiving an email that appears to be from your bank, complete with logos and official language, urging you to update your account details. The objective is to trick you into divulging sensitive information, such as login credentials or credit card numbers. The sophistication level of these scams has escalated, making them increasingly difficult to spot. Therefore, vigilance and scrutiny are your first lines of defence.

  • Example: An email from “PayPa1” instead of “PayPal,” asking you to verify your account immediately.
  • Key Points:
    • Scrutinise the sender’s email address.
    • Verify URLs by hovering over them.
    • Be cautious of urgent or alarming language.

What is Smishing?

Smishing is essentially Phishing executed via SMS. It’s the younger, more agile sibling that capitalises on the immediacy and personal nature of text messages. You might receive a text claiming you’ve won a prize, complete with a link to claim your “reward.” The catch? The link leads to a fraudulent website designed to harvest your personal information. Smishing exploits the trust we inherently place in text messages, making it a potent and effective scamming method.

  • Example: A text message stating, “Congratulations! You’ve won a $100 gift card. Click here to claim now!”
  • Key Points:
    • Never click on links from unknown numbers.
    • Verify offers by contacting the official entity.
    • Report suspicious texts to your service provider.

What is Vishing?

Vishing, or voice phishing, elevates the scam to an even more personal level—voice communication. Here, the scammer calls you, often spoofing caller IDs to appear legitimate. They might pose as tax authorities, tech support, or even a family member in distress. The objective remains the same: to extract sensitive information or money. Vishing scams often employ psychological tactics, such as urgency or intimidation, to force quick, thoughtless actions.

  • Example: A call from “IRS” claiming you owe back taxes and face immediate arrest unless you pay.
  • Key Points:
    • Never share information on unsolicited calls.
    • Verify the caller by hanging up and dialling the official number.
    • Use caller ID apps for additional screening.

Example Text Message:

“Dear [Customer’s Name],
We’ve noticed suspicious activity on your account. Your account will be locked within the next 24 hours for security reasons unless you update your details immediately.

Click here [malicious link] to update now.

Your [Bank’s Name] Security Team”

The Common Thread: Social Engineering

All these scams—Phishing, Smishing, and Vishing—rely on social engineering, the art of manipulating individuals into divulging confidential information. Think of social engineering as the puppet master behind the curtain, orchestrating these scams to play on human psychology. It’s a calculated exploitation of trust, urgency, and the lack of Cyber Awareness, making it the linchpin of these cyber-attacks.

  • Key Points:
    • Scammers manipulate human psychology.
    • Trust is often exploited.
    • Awareness and education can counteract social engineering.

How to Spot a Scam

Identifying a scam requires a multi-faceted approach. First, scrutinise the source. Authentic organisations will rarely, if ever, ask for sensitive information via email, text, or unsolicited calls. Second, pay attention to the language. Poor grammar, misspellings, and generic greetings are often telltale signs. Lastly, trust your instincts. If something feels off, it likely is. Always double-check with official sources before taking any action.

  • Key Points:
    • Verify the source.
    • Look for language inconsistencies.
    • Trust your instincts and double-check.
Hand holding cellphone with incoming call from Unknown Caller - fraud scam phishing call spoofing

Protecting Yourself Against Phishing

To guard against Phishing, employ spam filters to sift out suspicious emails. Always hover over URLs to verify their legitimacy and be wary of pop-up windows asking for credentials. Implement two-factor authentication (2FA) wherever possible. These measures act as multiple layers of security, making it increasingly challenging for scammers to succeed.

Phishing Tactics to Watch Out For

  • Clone Phishing: Attackers replicate a legitimate email you’ve received but alter the content or attachment with malicious links or files. Always double-check even familiar-looking emails.

  • Whaling: This is a targeted form of phishing aimed at senior executives. The emails are crafted to look like critical business communications.

  • Watering Hole Attack: Attackers infect a website you frequently visit, aiming to compromise your system during your next visit. Ensure the websites you visit are secure (HTTPS).

  • Deceptive Phishing: Attackers impersonate a legitimate company to steal your login credentials. Look for signs like poor grammar and generic greetings.

  • Pharming: Attackers redirect traffic from a legitimate website to a fraudulent one. Always check the website’s URL to ensure it begins with “https.”

Protecting Yourself Against Smishing

For Smishing, the rules are straightforward but effective. Do not respond to texts from unknown or suspicious numbers. Refrain from clicking on any links or downloading attachments. If the text claims to be from an organisation you’re affiliated with, verify by contacting them through official channels. Reporting the scam to your service provider can also help prevent the spread.

Smishing Tactics to Watch Out For

  • Urgency and Scarcity: Messages often create a sense of urgency to prompt quick action, like “Your account will be locked unless you update your details immediately.”

  • Masquerading as Trusted Entities: Messages often come disguised as trusted organisations. Always verify through official channels.

  • Two-Step Smishing: The attacker sends an initial message without any links but seeks to establish trust. A follow-up message will contain the malicious link.

  • Reverse Smishing: The attacker asks you to text back specific information, often to confirm that a mobile number is active.

  • Message Forwarding: The attacker tricks you into forwarding a specific text to multiple contacts, spreading the scam more broadly.

Protecting Yourself Against Vishing

In the case of Vishing, never divulge personal information during an unsolicited phone call. If the caller claims to represent an official organisation, hang up and dial the official number to confirm the inquiry’s legitimacy. Utilise caller ID apps to screen incoming calls and report any suspicious activity to the authorities.

Vishing Tactics to Watch Out For

  • Caller ID Spoofing: Attackers manipulate the caller ID to appear as if the call is coming from a trusted source. Always verify by calling back on an official number.

  • Voice Cloning: Advanced attacks may use voice cloning to impersonate someone you know. Always verify unexpected requests, even if the voice sounds familiar.

  • Interactive Voice Response (IVR) Scams: Attackers set up an IVR system to collect your credit card details. Be cautious when asked to enter sensitive information during a call.

  • Post-Call Manipulation: After a legitimate interaction, the attacker calls you claiming there was an issue and that you need to verify your information again.

  • Pre-recorded Messages: These are automated calls that instruct you to call back a particular number, usually premium-rate, designed to make money from the call charges.

Phishing Tactics

Smishing Tactics

Vishing Tactics

Reporting a Scam

If you or your organisation fall victim to any of these scams, reporting is not just an option; it’s a responsibility. Your report could be the missing piece in a larger puzzle, helping authorities track down these cybercriminals. Various platforms, including CertNZ, are available for this purpose.

  • Key Points:
    • Reporting is a responsibility.
    • Use platforms like the CertNZ for reporting.
    • Your report could help catch the criminals.

The Bigger Picture

Cyber Awareness transcends individual or organisational safety; it’s a societal responsibility. A collective increase in Cyber Awareness can significantly reduce the efficacy of these scams, making the digital world a safer space for everyone.

  • Key Points:
    • Cyber Awareness is a collective responsibility.
    • Education can make the digital world safer.
    • Individual actions impact the larger community.


Phishing, Smishing, and Vishing are not mythical creatures from folklore; they are real, present, and ever-evolving threats in our digital lives. However, with heightened Cyber Awareness and proactive protective measures, these threats become far less daunting. Equip yourself, educate others, and let’s create a safer digital landscape for all.

  • Key Points:
    • Phishing, Smishing, and Vishing are real threats.
    • Cyber Awareness is the key to protection.
    • Proactive measures can significantly reduce risks.