Smishing vs Vishing
Smishing and vishing are both social-engineering fraud attacks that impersonate trusted parties to extract money, credentials, or sensitive actions. Smishing ("SMS phishing") operates over text messages; vishing ("voice phishing") operates over phone calls. Attackers often use them in combination — an SMS that asks the target to call a spoofed number is the most common pattern.
Smishing and vishing are two siblings in the phishing family. Both rely on social engineering. Both impersonate trusted parties. They differ in the channel and, increasingly in 2026, in the technology the attacker brings.
| Smishing | Vishing | |
|---|---|---|
| Channel | SMS text message | Phone call / voicemail |
| Typical opening | "Your package is on hold. Click here:" | "This is your bank's fraud team." |
| Key tech | URL shortening, link spoofing | Caller-ID spoofing, voice cloning |
| Scales well | Millions of texts/day trivially | Was human-bottlenecked; AI cloning removed the bottleneck |
| Hardest to defend | Click-through URLs that mimic legitimate domains | AI-cloned voices of known people |
| 2026 risk profile | High volume, moderate per-attack loss | Rising volume, very high per-attack loss |
Why attackers combine them
The most common pattern since 2024 is smishing-as-qualification-for-vishing. The attacker sends a text to a wide list: "This is Chase Bank — suspicious transaction, call us back at 212-555-XXXX." Anyone who calls back has self-selected into the victim pool. The attacker answers the return call, plays voice-clone audio of a "fraud representative," and walks the target through transferring money to a "safe account."
This pattern is especially dangerous because the target initiated the callback — they have fewer defenses than they would on an unsolicited inbound call.
Defenses
Against smishing:
- Never click links in unsolicited SMS. Go to the purported sender's real site or app directly.
- Report to your carrier (7726 in the US).
- Be skeptical of shortened URLs, urgency ("action required in 24h"), and any SMS requesting a callback to an unfamiliar number.
Against vishing:
- Always call back on a number you sourced yourself (from the bank's website, the back of your card, a company directory) — not the one provided in the original message.
- For organizations: implement callback-verification policy for any voice-based authorization. See the Ferrari case.
- Use audio deepfake detection on recorded calls that matter — free tool, no signup.
Against both:
- Awareness. Most successful phishing attacks hit people who didn't know the attack type was possible. Reading this glossary is a step.
Related reading
- Vishing — long-form definition
- Voice phishing — equivalent term, regulatory usage
- Voice cloning — technology enabling AI-vishing
- Deepfake scam call guide
- Banking industry playbook
Check a suspicious call or voicemail
If you have a recording of a suspicious call, upload it to the free audio detector. You'll get a verdict plus timestamped reasoning showing exactly why the model flagged (or cleared) the audio.