Passportal Blog

What are Smishing and Vishing?

Cybercriminals increasingly rely on social engineering attacks beyond traditional phishing. Smishing and vishing are two other methods MSPs should educate their customers on.


Most organizations are already familiar with phishing. During a phishing attack, bad actors attempt to gain sensitive personal or professional information by fraudulently impersonating a reliable contact via email. Whether they pose as a legitimate business telling you one of your accounts is suspended or a personal contact claiming to be in an emergency situation, phishers leverage a sense of urgency to get their targets to hand over sensitive information. This sense of urgency makes it more likely that victims will share sensitive details without critically thinking about who they’re communicating with.

While the number of phishing attacks continues to grow (research shows that phishing attacks are currently at the highest level they’ve been in three years), phishing is no longer the only way bad actors obtain personal and professional credentials. Now, bad actors are turning to smishing (SMS/text phishing) and vishing (voice phishing) as they look to diversify their lines of attack against both private individuals and larger organizations.

As managed services providers (MSPs) work to keep their customers’ infrastructure secure, it’s critical they fully account for the threat posed by smishing and vishing. Alongside traditional phishing attacks, these evolving methods of fraud present a number of risks to those who aren’t trained to spot them or who aren’t properly protected with the right tools.

What Is Smishing and How Does It Work?

Whereas regular phishing uses email, smishing relies on SMS messages, or texts, over smartphones. Like phishing, bad actors attempting to carry out a smishing attack try to get targets to provide them with sensitive information such as bank account details, credit card information, Social Security numbers, and more by claiming to represent a trusted organization such as a financial institution.

Smishing attempts often demand you call a phone number or follow a link for more information, both of which will set the attack in motion through downloaded malware or further social engineering. The link can also take the end user to a website that prompts them for their information and claims these details are needed as soon as possible. If you suspect a text you’ve received is smishing, don’t click the provided link. You can always call the customer service department of whatever company the sender purports to represent to verify whether they actually sent the message.

What Is Vishing and How Does It Work?

Similarly, vishing is another alternative to phishing in which attacks are carried out over the phone. These callers try to pass themselves off as a trusted organization in order to disarm the target, making them think that the call is a routine procedure. They’ll often leave a callback number at which you can provide personal information, login credentials, birthdates, and similar information.

Vishing attempts may even be done in concert with phishing. For example, bad actors may use email to steal sensitive information. However, if two-factor authentication (2FA) is in place, they may carry out a vishing attack to get the target to tell them the characters and numbers of the passcode sent to their smartphone. Once again, callers will typically try to impress upon targets the urgency of acting quickly to prevent the target from taking the necessary time to think about the legitimacy of the call.

How Can Password Security Help?

In order to protect against smishing and vishing attacks—in addition to traditional phishing—MSPs can invest in staff and customer security awareness training to educate everyone involved on how to spot social engineering attempts. Your customers and employees are the first line of defense against phishing, smishing, and vishing.

In the event a smishing or vishing attempt is successful, the next line of defense is a strong password management platform. By allowing MSPs to easily update passwords as needed, ensure that customers are using different passwords across accounts, and employ encryption best practices, password managers can make it more difficult for bad actors to do lasting damage. SolarWinds Passportal is designed to help keep organizational networks secure and avoid the typical pitfalls that can make phishing, smishing, and vishing attacks so devastating.

Additional Reading


SolarWinds® adds Passportal suite to its MSP product portfolio. MSP security, simplified. SolarWinds® Passportal + Documentation Manager is a SOC 2 certified, Rapid7 tested, award-winning platform.


Grow your business faster with the world's first unified platform for true password management and secure IT documentation. More than 2,000 best-in-class MSPs around the world are leveraging our security, automation, and rapid access client knowledge to outperform the competition.

