For years, phishing meant suspicious emails with attachments, typos and links leading to fake login pages. Not surprisingly, corporate security departments focused precisely on email protection. The problem is that cybercriminals have long since moved to where no one expects them to go – to SMS inboxes and employee phone numbers.
Smishing (SMS phishing) and vishing (voice phishing) attacks are not new, but they are only now reaching a scale that should set off alarms for SOC teams and CISOs. According to data for the second half of 2024, vishing incidents have increased by 442%. At the same time, smishing has been growing steadily for several years, moving from the periphery of cyber threats into the front rank.
Why are these attacks so effective?
Unlike traditional email phishing, smishing and vishing rely almost exclusively on psychology – not on technical vulnerabilities. The scenarios are deceptively simple: someone calls an employee, claims to be from the IT department, a supervisor or an external contractor and demands an urgent task – e.g. changing a password, handing over credentials, confirming identity. Or they send an SMS with a link to a supposed login portal, invoice or VPN tool.
While a suspicious email from an unfamiliar address and typos in the domain often arouse vigilance, a short text message or phone call – especially on a private phone – is less often treated as a potential attack. It is precisely this perception gap that cybercriminals are exploiting.
What do such attacks look like?
The most famous case in 2024 was a series of attacks on retailers in the UK, attributed to the Scattered Spider group. Hackers phoned IT staff, speaking perfect English, impersonated others within the organisation and prompted them to reset passwords. As a result, they gained access to internal systems and then escalated privileges and carried out further actions ranging from sabotage to data theft.
In other cases, SIM swapping was also used, i.e. taking over a victim's phone number by obtaining a duplicate SIM card through pressure or deception. In this way, attackers took control of accounts protected by SMS-based 2FA and even carried out financial transfers that relied on SMS authorisation.
Why don’t IT departments see these attacks?
The main reason is simple: most companies' security programmes do not cover employees' private mobile devices. BYOD (Bring Your Own Device) policies allow private phones to be used for business purposes, but do not provide for their active monitoring.
SOCs are built around networks, endpoints and mail systems – they do not have tools that monitor SMS messages or voice calls. Nor are there ‘firewalls’ for phone calls. Furthermore, most security software is unable to analyse and block unauthorised calls or messages at a system level.
Even if an employee recognises a fraud attempt, the chance of them reporting the incident is sometimes low – especially if there has been no actual breach. And the longer an incident remains unknown, the greater the chance of a successful attack.
What can be done about it?
While smishing and vishing cannot be fully blocked, the chances of detecting them quickly and reducing their impact can be significantly improved. Here are the measures that companies more alert to this wave of threats are putting in place:
- Monitoring of the darknet and instant messaging channels – looking for brand impersonation attempts, offers of phishing kits and smishing domains.
- Threat simulations – just like email phishing tests, companies are starting to run vishing and smishing campaigns for educational and auditing purposes.
- Extension of mobile security – introducing MDM (Mobile Device Management) or MTD (Mobile Threat Defense) to bring private devices under at least basic control.
- Staff training – especially in recognising attempts at telephone manipulation. Voice communication should be treated with the same care as email.
- State-of-the-art detection mechanisms – using AI to recognise anomalies in user behaviour, including at the level of voice or SMS communication.
Time for a change of perspective
Vishing and smishing are no more technically advanced than email phishing. But they are more intimate, harder to detect and more psychologically effective. This combination makes them extremely dangerous, especially in companies that still treat cyber security as a problem of networks and servers rather than people and their phones.
Since most attacks today are based on social engineering and the use of new communication channels, organisations need to shift the focus of their protection. The classic ‘block and react’ approach is not enough. It is necessary to build resilience, which assumes that some attacks will succeed – but that they will be quickly detected, reported and neutralised before they cause damage.
Because the most dangerous attacks today are those that happen within arm's reach – in a text message or in a call from an unknown number.