Smishing and Vishing: A Matter of Trust
Most people no longer answer calls from unknown numbers because of the rising risk of scams. The fear of having one's personal and sensitive data stolen is justified, but phishing attacks over telecom channels are not only a concern for individuals and businesses; they can also have profound implications for national security, by posing a direct threat to the operational capability of public administration and critical infrastructure, and by eroding trust in key communication services.
Smishing and Vishing are Growing in Frequency and Impact
Smishing is a form of social engineering attack that exploits text messages to deceive recipients into sharing personal data, typically through links directing users to phishing websites. Attackers often use urgency, fear, or curiosity in their messages to prompt immediate action. Although the term smishing is derived from "SMS phishing", the practice also extends to MMS, RCS, and messaging apps. Common examples are parcel delivery scams and bank account scams.
"Vishing", or voice call phishing, involves attackers impersonating legitimate and trusted entities, such as banks or government authorities, during phone calls. Like smishing, vishing relies on urgency and fear to manipulate victims. A key difference is that while smishing can be automated to send phishing messages to many recipients simultaneously, vishing is typically much more targeted and requires scammers to engage directly with their victims. The immediacy and personal nature of a phone call enable emotional manipulation on a deeper level, resulting in higher success rates.
While email remains the channel with the largest volume of phishing attempts, smishing and vishing are growing at alarming rates. Vishing, for example, increased by 442% in the second half of 2024 according to CrowdStrike. This is worrying, since vishing is generally considered the most hazardous of the three to organizations and individuals, because of its efficacy in live voice manipulation and the difficulty of mitigating it. Smishing falls somewhere between email phishing and vishing.
Direct Impacts of Data Theft through Smishing and Vishing
Data theft through smishing and vishing can have direct consequences for national security. Both are gateway crimes, through which threat actors acquire credentials or other valuable personal information, which they then use to commit financial fraud, identity theft, or gain unauthorized access to accounts. If individuals with access to critical infrastructure systems are targeted, the results can be devastating.
State-backed threat actors could use these attacks to gain access to systems and sensitive information for espionage purposes or in hybrid warfare scenarios. The 2015 attack on Ukraine's power grid was the first known cyberattack to take down energy infrastructure and cause real-world outages. It began with a phishing attack aimed at stealing credentials (although it should be noted that it was carried out through a spear-phishing email with malware, not smishing or vishing), illustrating how phishing can facilitate infrastructure disruption.
It is not only state-backed hackers with a geopolitical agenda who threaten disruption. For cybercriminals seeking financial gain, phishing attacks are a common precursor to ransomware attacks, with critical infrastructure being a preferred target. For example, the recent attack on airports in Europe has been confirmed to be a ransomware attack, although it remains unclear whether phishing was involved in the incident.
The Indirect Effects of Trust Erosion
Beyond direct data theft, smishing and vishing undermine the reliability, safety, and usefulness of mobile communication by eroding public trust in telecom channels. When mobile users become wary of the legitimacy of calls and messages, the result is a general reluctance to use mobile services. This is an indirect threat that can have consequences for the use of mobile communication in critical services and for the economic growth that mobile communication contributes to.
First, it can reduce the effectiveness of official communication from authorities. During the COVID-19 pandemic, for instance, scammers rapidly deployed phishing campaigns themed around COVID-19. Masquerading as health authorities, they created uncertainty and doubt about legitimate public communications around COVID-19, which led to increased levels of misinformation and compromised the authorities' operational capabilities. It is common for scammers to exploit major societal events or crises, because when the need for information is particularly urgent, the barriers to deception are lower.
Additionally, many countries around the world use cell broadcasts (simultaneously sending SMS messages to all mobile phones in one or more cells of the network) for emergency and disaster communication in public warning systems. It is an effective way to reach a majority of the population with important messages quickly and efficiently, especially since it is not hindered by high network loads. Such messages could be evacuation orders, tsunami warnings, or a plea to get more information through other media. One of the reasons SMS is used for this type of communication is its widespread availability. Any mobile phone can receive SMS messages, and using cell broadcasts, any phone in an area can be reached without prior registration or sign-up. However, if mobile users are accustomed to misinformation in messaging channels, they may choose to disregard any public warnings they receive through broadcast SMS messages.
Low trust also has an economic impact. Mobile services have a significant effect on economic growth. The GSMA estimates that mobile services contributed $6.5 trillion to the global economy last year and are projected to reach $11 trillion, primarily due to improvements in productivity and efficiency. If people shy away from using mobile services such as messaging and voice calls, the positive impact of the digital transformation they enable decreases. On the other hand, if mobile services can provide safe and trusted communication free from scams and fraud, they can contribute to economic growth, especially in low- and middle-income countries.
Industry Response
Increasing challenges with smishing and vishing have led regulators in several countries to hold operators responsible and accountable for the traffic in their networks, mandating the implementation of security controls. A notable example is Singapore's Shared Responsibility Framework, under which operators, together with banks, can be held accountable for fraud losses if they fail to protect their networks and their users' data.
For operators, regulatory compliance provides a baseline. However, regulations often lag behind scammers, meaning that operators keen on providing secure services to their users must go further in strengthening their defenses. Commercial considerations also weigh heavily on operators to ensure robust protection of voice and messaging channels. For example, smishing and vishing are considered among the most serious cyberthreats to businesses, and the lucrative enterprise market is now seeking secure telecom services. Enterprises (and individuals) do not have the same possibilities to protect themselves against threats over telecom channels as they do against email and IP-based threats. It is in the operators' core networks that vishing and smishing scams can be detected and mitigated, using messaging and voice firewalls.
Smishing messages are commonly designed to mimic legitimate messages from trusted sources. Threat intelligence, volumetric controls, and know-your-customer processes can be helpful. Still, smishing scammers move fast, and by the time such methods detect and block them, they have already reached thousands of potential victims. There is, however, one thing that enables real-time detection and blocking of smishing messages: the URL to the phishing website. Smishing links are typically very short-lived, though, as scammers cycle through new versions to avoid detection. A block list of previously detected malicious URLs is therefore not a viable solution on its own. Instead, an efficient URL filter in a messaging firewall must be able to detect phishing URLs in real-time, even if they have never been encountered before. Together with other scam controls, real-time URL analysis can provide robust protection against smishing.
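The point above is that a URL filter has to judge a never-seen link on its own features rather than look it up in a block list. The following is an added illustration of that approach, written for this page and not taken from any messaging firewall product; the brand table, risky-TLD set and weights are constructed sample data, and the registrable-domain helper is a deliberate simplification (a production filter would use the public suffix list).

```python
# Constructed illustration of feature-based URL scoring for SMS, not any vendor's code.
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# Constructed brand table: keyword -> registrable domains the brand legitimately uses.
BRANDS = {"postnord": {"postnord.se"}, "dhl": {"dhl.com"}, "swedbank": {"swedbank.se"}}
RISKY_TLDS = {"top", "xyz", "icu", "click", "buzz"}
URGENCY = re.compile(r"\b(urgent|suspended|immediately|within 24 hours)\b", re.I)
WEIGHTS = {"ip_literal_host": 3, "punycode_label": 2, "brand_lookalike": 3,
           "risky_tld": 1, "urgency_with_link": 1}


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); a production filter would use the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def score_url(url: str, message: str) -> tuple[int, list[str]]:
    """Score one URL found in an SMS without any block list: (risk score, reasons)."""
    parts = urlsplit(url if url.lower().startswith("http") else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        ip_address(host)
        reasons.append("ip_literal_host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode_label")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("risky_tld")
    # A known brand name in host or path while the registrable domain is not the brand's own
    haystack = host + parts.path.lower() + parts.query.lower()
    if any(b in haystack and registrable(host) not in legit for b, legit in BRANDS.items()):
        reasons.append("brand_lookalike")
    if reasons and URGENCY.search(message):
        reasons.append("urgency_with_link")
    return sum(WEIGHTS[r] for r in reasons), reasons


def classify_sms(message: str, threshold: int = 3) -> str:
    """'block' if any URL in the message scores at or above the threshold, else 'allow'."""
    for url in URL_RE.findall(message):
        if score_url(url.rstrip(".,)!"), message)[0] >= threshold:
            return "block"
    return "allow"
```

A message carrying a freshly registered lookalike domain is blocked on first sight, while the brand's genuine domain scores zero; the score is what the firewall combines with its other scam controls.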
Vishing is considered extremely hazardous for mobile users due to the combination of social engineering leverage, high reward for scammers, and gaps in traditional security defenses. Unlike email phishing, vishing bypasses enterprise and private security controls because the attack happens over live voice calls, a channel not protected by IP firewalls. However, a voice and signaling firewall deployed in the mobile core network can mitigate a large proportion of vishing calls, including the most dangerous ones.
Available data indicates that the absolute majority of scam calls have spoofed caller IDs, making them appear to come from trusted entities. It is a key tactic to lend the call immediate legitimacy and make it come across as more credible. This makes vishing calls more dangerous, because it becomes harder for individuals to recognize them as fraudulent. The signaling during call setup can reveal whether the caller ID has been spoofed. A voice and signaling firewall can detect this and block the call before it is connected to the recipient. Detecting and blocking spoofed calls is therefore a crucial method for mitigating vishing.
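As an added illustration of the signaling check described above (not code from the article or from any firewall product), the rules below compare the presented caller ID with where the call actually enters the network: a caller ID from the operator's own number range cannot legitimately arrive over an international interconnect while that subscriber is registered at home. The country code, number ranges and subscriber locations are constructed sample data standing in for an HLR/HSS lookup, and the check assumes the interconnect partner's country is known for each ingress trunk.

```python
# Constructed illustration of caller-ID spoof checks at call setup; not any vendor's firewall logic.
from dataclasses import dataclass

HOME_PREFIX = "+46"                 # constructed example: the operator's own country code
OWN_RANGES = ("+4670", "+4672")     # constructed: number ranges allocated to this operator

# Constructed subscriber location data, standing in for what the HLR/HSS would answer:
# number -> country code of the network the subscriber is currently registered in.
SUBSCRIBER_LOCATION = {
    "+46701234567": "+46",   # at home
    "+46721112233": "+44",   # roaming in the UK
}


@dataclass
class CallSetup:
    a_number: str          # presented caller ID (CLI), E.164 with leading '+'
    b_number: str          # called party
    ingress: str           # "home", "domestic_ic" or "international_ic"
    ingress_country: str   # country code of the interconnect partner's network


def check_cli(call: CallSetup) -> str:
    """Return 'allow', or a reason to block the call before it reaches the recipient."""
    a = call.a_number
    if not a.startswith("+") or not a[1:].isdigit() or not 8 <= len(a) <= 16:
        return "block:invalid_cli"
    if a == call.b_number:
        return "block:self_call"               # victim's own number shown as the caller
    if a.startswith(OWN_RANGES):
        location = SUBSCRIBER_LOCATION.get(a)
        if location is None:
            return "block:unallocated_own_number"
        if call.ingress == "international_ic" and location == HOME_PREFIX:
            return "block:home_subscriber_from_abroad"
        if call.ingress == "international_ic" and location != call.ingress_country:
            return "block:roaming_country_mismatch"
    return "allow"
```

The first rule alone catches the common case of an overseas scam centre presenting a domestic mobile number; the roaming check keeps a genuine subscriber abroad from being blocked, provided transit carriers preserve the originating country.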
While there is much more to securing user data in telecom than protecting against smishing and vishing, messaging and voice firewalls remain essential and readily available defenses that can mitigate cyber attacks on critical infrastructure at the very first stage, before they have consequences.