Smishing and vishing: phishing by SMS and phone call
Phishing doesn't only arrive by email. Increasingly, scammers reach people through text messages and phone calls — two channels most of us instinctively trust. Understanding how these attacks work is the first step to staying safe.
What is smishing?
"Smishing" is phishing that arrives as an SMS or text message. Because texts feel personal and urgent, people tend to react quickly — which is exactly what the scammer wants.
Common examples include:
- A "failed delivery" notice asking you to pay a small fee or confirm your address.
- A fake bank alert warning of a "suspicious payment" with a link to "secure your account."
- A message pretending to be from a colleague or your boss asking for a quick favour.
The link usually leads to a convincing fake website that captures your login details, card number, or personal information.
What is vishing?
"Vishing" is phishing by voice — a live phone call or a voicemail. The caller often pretends to be from your bank, a delivery company, tech support, or even a government office.
The goal is always the same: create pressure so you act before you think.
Typical tactics include claiming your account has been hacked, that you owe money, or that you must "verify" your identity by reading out a code or password. Some scammers now use AI-generated voices to imitate a real person you know.
Warning signs to watch for
You don't need technical skills to spot most of these attacks. Slow down and look for the red flags:
- Urgency and threats — "Act now or your account will be closed."
- Unexpected links — especially shortened links or slightly misspelled web addresses.
- Requests for codes or passwords — no legitimate bank or company will ask you to share these.
- Pressure to keep it secret — "Don't tell anyone, this is confidential."
- Payment in unusual ways — gift cards, wire transfers, or cryptocurrency.
The one-time code trap
Be especially careful with the six-digit codes sent to log in or confirm a payment. A scammer who already has your password may call and ask you to "read back the code we just sent." Handing it over lets them straight into your account.
What to do instead
The safest habit is simple: stop, and verify through a channel you trust.
- Don't click links in unexpected texts. Type the company's website address yourself, or use their official app.
- If you get a worrying call, hang up and call back using the number printed on your bank card or official website — never the number the caller gives you.
- Never share passwords, PINs, or one-time codes with anyone who contacts you.
- When in doubt, ask a colleague or take a moment. Legitimate organisations are happy to wait.
If you think you've been caught
Mistakes happen, and acting fast limits the damage:
- Contact your bank immediately if you shared financial details.
- Change any password you may have revealed, and turn on two-factor authentication.
- Report the message or call to your IT or security team at work, and to the relevant authorities.
Reporting isn't about blame — it helps protect everyone else who might receive the same scam.
How GottaPhish helps
Smishing and vishing exploit the trust we place in texts and phone calls, reaching people on channels email defences never see — and GottaPhish, together with our expert support team, helps you address exactly that. Our realistic simulations include SMS and voice-style scenarios so employees learn to spot the pressure tactics behind these attacks in a safe, no-blame environment, backed by practical awareness training and clear dashboards that track progress over time. Our support and experts team works hands-on with you to design believable scenarios, set up campaigns, and interpret the results, so your whole team stays alert across every channel.
