Threats

Smishing and vishing: when scams arrive via SMS and phone calls

Smishing and vishing: how SMS and phone scams work, differences from phishing, and real-world cases to recognize and avoid them.

scams arrive via phone calls

6 February 2026

Table of contents

  • What is phishing and why it’s no longer just email
  • Smishing: when the scam comes via SMS
  • Vishing: the scam that uses your voice
  • Real cases: when the scam feels real
  • Why phone scams are rapidly increasing
  • How to protect yourself from smishing and vishing
  • The human factor: the real target

Have you ever received an urgent SMS warning about a blocked bank account, a pending delivery, or a suspicious payment? Or a phone call that sounded trustworthy, with a calm and professional voice claiming to be from your bank or customer support? If the answer is yes, you have entered the world of smishing and vishing, two increasingly common evolutions of traditional online scams.

In recent years, while many users have learned how to recognize phishing emails, cybercriminals have shifted their focus to channels perceived as more “personal” and trustworthy: text messages and phone calls. This article aims to clearly explain the difference between phishing, smishing, and vishing, present real-life cases, and help a general audience understand how these scams work and how to defend against them.

What is phishing and why it’s no longer just email

Phishing is the “parent” form of these scams. It involves sending fraudulent messages that pretend to come from legitimate entities such as banks, online services, or public institutions with the goal of stealing credentials, personal data, or money.

For years, phishing was almost exclusively associated with email: poorly written messages, low-quality logos, and suspicious links. Today, however, phishing has become far more sophisticated, both in language and design, and most importantly, it has changed channels.

The issue is not only technical but also psychological. Modern scams exploit urgency, fear, and trust, factors that work far more effectively when they reach people through their personal phone a device we consider private and safe.

Smishing: when the scam comes via SMS

Smishing is a phishing variant that uses SMS or text messages (including iMessage, RCS, and sometimes WhatsApp) to deceive victims. The term comes from the combination of SMS and phishing.

The message is usually short, direct, and alarming and that’s exactly why it works. SMS messages are almost always read within minutes and often without the skepticism people apply to emails.

Typical smishing examples

A classic smishing message might be:

“Dear customer, your account has been temporarily blocked. Log in immediately to verify: [link]”

Or:

“Your parcel cannot be delivered. Update your details within 24 hours: [link]”

The link leads to a fake but convincing website, often nearly identical to the real one, asking for usernames, passwords, card numbers, or OTP codes.

Why smishing is so effective

Smishing relies on three main triggers:

  • Urgency
    “within 24 hours,” “immediate action required.”
  • Authority
    Bank, courier service, public institution.
  • Habit
    We are used to receiving legitimate SMS notifications for deliveries, payments, and verifications.

Many victims only realize the scam when they notice suspicious transactions or compromised accounts.

Vishing: the scam that uses your voice

Vishing (voice phishing) is a scam carried out through phone calls, often using numbers that appear local or even identical to official bank or company numbers (a technique known as number spoofing).

Unlike smishing, vishing adds a powerful element: the human voice. Hearing someone speak confidently and professionally dramatically lowers our defenses.

How a vishing scam works

A typical vishing scenario looks like this:

  • The victim receives a call from a supposed bank operator.
  • The caller reports a “fraud attempt” on the account.
  • The victim is asked to “verify their identity” using personal data or codes received via SMS.
  • In reality, those codes are used to authorize fraudulent transactions.

In some cases, the scammer stays on the line while the victim accesses the real bank website, guiding them step by step into making a costly mistake.

Vishing and fake call centers

In recent years, real criminal call centers have emerged, complete with scripts, hold music, and trained operators. These are no longer improvised scams but well-organized operations, often international in scale.

Phishing, smishing, and vishing: clear differences

Understanding the difference between phishing, smishing, and vishing is essential to recognizing them in time:

  • Phishing
    Fraudulent messages sent via email.
  • Smishing
    Scams carried out via SMS or text messages.
  • Vishing
    Scams conducted through voice phone calls.

The mechanism is always the same: make the victim trust the message and act quickly, but the attack channel changes.

Real cases: when the scam feels real

Smishing and vishing do not only target elderly or inexperienced users. Increasingly, victims are everyday users, workers, and professionals.

A common scenario involves receiving an SMS from a “bank” followed shortly by a confirmation phone call. This combination makes the scam extremely convincing.

According to reports collected by the Polizia Postale, many fraud cases begin with an SMS that sets the stage for a follow-up call.

Why phone scams are rapidly increasing

The growth of smishing and vishing is linked to several factors:

  • Greater skepticism toward emails.
  • Heavy reliance on smartphones for daily activities.
  • Widespread availability of personal data on the dark web.
  • Increasingly advanced spoofing techniques.

Additionally, speaking on the phone creates emotional pressure it’s harder to stop and think when someone insists in real time.

How to protect yourself from smishing and vishing

The best defense is not technical but behavioral. Some basic rules:

  • No bank ever asks for passwords or codes via SMS or phone.
  • Never click on “urgent” links received by SMS.
  • Hang up and call back using the official number.
  • Do not trust the number displayed on your screen.

Even a single doubt is enough to stop and verify.

The human factor: the real target

Smishing and vishing do not attack your phone they attack your mind. They exploit stress, fear, and trust. That’s why anyone can fall victim, especially during moments of distraction or fatigue.

Today, digital security also depends on awareness. Knowing these scams exist greatly reduces the risk of falling for them.

Conclusion

Scams no longer arrive only by email. Smishing and vishing are now among the most widespread and dangerous threats because they exploit channels we consider safe. Understanding the difference between phishing, smishing, and vishing, recognizing the warning signs, and knowing how to respond is the first step toward protection.

The golden rule remains the same: when there is urgency and a request for data, stop and verify.

Frequently asked questions

  1. What is smishing?
    A scam that uses SMS messages to steal data or money.
  2. What is vishing?
    A phone scam based on deceptive voice calls.
  3. What’s the difference between phishing and smishing?
    Phishing uses email; smishing uses SMS.
  4. Do banks ever call to ask for codes?
    No, never.
  5. Can an official-looking phone number be fake?
    Yes, through spoofing.
  6. What should I do if I click a suspicious link?
    Close it immediately and change your passwords.
  7. Does smishing only affect smartphones?
    Yes, because it relies on text messaging.
  8. Is vishing always done by real people?
    Often yes, but sometimes by automated systems.
  9. Can these calls be blocked?
    Partially, but not completely.
  10. Does awareness really reduce risk?
    Yes, it’s the first and most effective defense.
2
To top