Phishing, smishing, vishing

Phishing, Smishing, Vishing – What’s the Difference?

In the IT world there are many words and acronyms used that mean something to those of us in the industry but that may not mean much to our customers. Phishing, smishing and vishing are three of those words. All three are related to gathering personal information to carry out a cyber attack using compromised credentials. Most people have heard of phishing but as with everything cybersecurity related, threat actors are always looking for better, easier, or complementary ways to attack.   

Today’s article will focus on defining these concepts and on how to prevent these types of attacks by understanding what methods are used by the cybercriminals and how to spot these types of attacks. 


Phishing is a method of cyberattack that attempts to deceive victims into clicking on fraudulent links that are included in emails. The emails look like they come from legitimate sources or known entities and usually have a sense of urgency to them. The link usually takes the victim to what looks like a legitimate form or website that asks for personal identifiable information such as usernames, passwords, account numbers or other private information. The information is then sent directly to the cyber criminal without the victim realizing that they were tricked. The link can also deploy malware, ransomware, spyware and other malicious software on devices. 

For example, an email that looks like the IT department or Microsoft that the victim’s account has been locked and requests that the victim clicks a link to regain access. The link actually leads to a fraudulent form that collects the victim’s information. The threat actor then has information that can help them access the environment the victim works in and may gain access to very sensitive data. 


Smishing is like phishing, except it comes in the form of a text message. A smishing text will often contain a fraudulent link that takes victims to a form or website that’s used to steal their information. Similar to phishing, the link can also download malware, ransomware, and so forth onto the victim’s device. 

Smishing text messages appear to be urgent requests sent from a bank or delivery service, for instance. They may claim that there’s been a large withdrawal from your bank account (a bank would never do this), or that you need to track a missing package (best to go directly to the delivery service website, not click on the link provided). Again, the threat actor is attempting to obtain information that can help them access the environment the victim works in and may gain access to very sensitive data. 


Fraudulent phone calls or voicemails fall under the vishing method of attack. Scammers call potential victims, often using pre-recorded robocalls, pretending to be a legitimate company to obtain personal information from a victim. 

An example would be a victim getting a call from someone pretending to be their IT Helpdesk. If the call is answered and the victim connects with the alleged agent, they may ask to confirm the victim’s identity to provide the help the victim needs i.e. the victim’s M365 password is expiring and needs to be changed as soon as possible:  

  • First and last name 
  • Email address 
  • M365 Username 
  • Current Password 

If multi-factor authentication (MFA) is enabled, they may ask to stay on the call until the code is received so they can gain access.  

Preventing Phishing, Smishing and Vishing Attacks 

Here are some recommendations to help avoid becoming a victim of phishing, smishing or vishing.  

  • Never click on links from someone that is unknown or not what is usually received from a known person. Instead, the real website for the organization the communication is supposed to be from should be visited to check to see if the notification indicated in the email or text message is real. Calling the person who sent the message is also a good alternative. 
  • If a call is received from a financial institution, government organization or company that the organization does business with asking for confidential information, do not provide it. We recommend calling them at their official phone number to ensure the request is legitimate. 
  • We recommend investing in Cybersecurity awareness and training for all of the organization’s leaders and employees. This will help with identifying phishing, smishing or vishing attacks and lower the risks of the organization falling victim to an attack. 

Cybersecurity awareness and training is one of the ways for organization to reduce the risks of being victimized by cyber criminals. MicroAge can help you determine what the best solution is for you. Let’s start a conversation today. 

Get the most from your IT

As service providers to more than 300 companies, the dedicated professionals at MicroAge are second to none when it comes to managed services. By improving efficiency, cutting costs and reducing downtime, we can help you achieve your business goals!

Most commented posts


How to Keep Your Business Compliant with GDPR and PIPEDA Regulations

Identity protection and data security are the buzzwords of the tech industry, with laws like GDPR and PIPEDA being put in place to protect an…

Read More

Rethinking Your IT With A Decentralized Workforce – Chapter 2: Collaboration with Microsoft 365

With remote hybrid work increasing during the pandemic, it is vital to know how you can rethink your IT. Collaboration tools are essential when your…

Read More

The Benefits of Cybersecurity Awareness Training

We are not stating anything that most of us aren’t already aware of when we say that cyberattacks and the sophistication of these attacks has grown at impressive rates over…

Read More
Azure virtual desktop

Common Reasons for Adopting Azure Virtual Desktop

There have been significant changes in the last several years in the way organizations of all sizes serve their customers. The same applies to their…

Read More
on-site backup cloud backup

Pros and Cons On-site Backup and Cloud Backup

Every organization has crucial data that it cannot afford to lose. As more information passes through cloud business networks and data center environments, data security…

Read More