CyberROI

Cybersecurity Investment Calculator

Social Engineering Beyond Phishing: Vishing, Smishing, and Pretexting

When organisations think about social engineering, phishing emails dominate the conversation. While email phishing remains the most common vector, it is just one technique in a broader category of human-targeted attacks. Attackers increasingly use voice calls, text messages, and elaborate pretexting scenarios to bypass technical controls and exploit human psychology.

Vishing: Voice-Based Social Engineering

Voice phishing (vishing) uses phone calls to manipulate targets into revealing sensitive information or taking harmful actions. Attackers impersonate IT support, bank representatives, government officials, or company executives. The immediacy of a phone conversation creates pressure that email cannot replicate — targets must respond in real time without the opportunity to verify the request.

Vishing has become more dangerous with AI voice cloning technology. Attackers can now generate convincing replicas of known voices using just a few minutes of audio samples sourced from public presentations, social media, or corporate videos. Cases of CEO voice impersonation leading to fraudulent wire transfers have been documented with losses exceeding $200,000.
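A vishing campaign usually leaves traces in the phone system before anyone reports a suspicious call. The following Python script is an added example (not code from the CyberROI page) that scans constructed call-detail records for two defender-side indicators: a presented caller ID that looks like an internal extension but arrives on an external trunk, and one external number ringing many different extensions in a short window. The record layout, the 2000-2999 extension range, the trunk labels and the thresholds are assumptions for the example; a real PBX export will differ.

```python
"""Flag vishing indicators in PBX call-detail records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, presented caller ID, trunk, called extension.
# The last two lines contrast a spoofed "2010" arriving externally with a real internal call.
SAMPLE_CDR = """\
2024-03-04T09:01:12 +15551230001 ext-trunk 2041
2024-03-04T09:02:40 +15551230001 ext-trunk 2042
2024-03-04T09:03:55 +15551230001 ext-trunk 2043
2024-03-04T09:05:10 +15551230001 ext-trunk 2044
2024-03-04T09:06:30 +15551230001 ext-trunk 2045
2024-03-04T09:10:02 +15557770099 ext-trunk 2100
2024-03-04T09:12:45 2010 ext-trunk 2150
2024-03-04T09:15:00 2010 internal 2150
"""

INTERNAL_EXT_MIN, INTERNAL_EXT_MAX = 2000, 2999   # assumed internal extension range
WINDOW = timedelta(minutes=10)                    # assumed campaign window
SPRAY_THRESHOLD = 4                               # distinct extensions within WINDOW


def parse_cdr(text):
    """Parse the whitespace-separated record format assumed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, trunk, callee = line.split()
        records.append((datetime.fromisoformat(ts), caller, trunk, callee))
    return records


def looks_internal(caller_id):
    """True if the presented caller ID falls inside the internal extension range."""
    return caller_id.isdigit() and INTERNAL_EXT_MIN <= int(caller_id) <= INTERNAL_EXT_MAX


def find_vishing_indicators(records):
    alerts = []

    # Indicator 1: an internal-looking caller ID delivered on an external trunk.
    # Legitimate internal calls never enter through the external trunk.
    for ts, caller, trunk, callee in records:
        if trunk != "internal" and looks_internal(caller):
            alerts.append(("spoofed_internal_id", caller, callee, ts.isoformat()))

    # Indicator 2: one external caller reaching many extensions inside WINDOW
    # (sliding window over each caller's sorted call times).
    by_caller = defaultdict(list)
    for ts, caller, trunk, callee in records:
        if trunk != "internal":
            by_caller[caller].append((ts, callee))
    for caller, calls in by_caller.items():
        calls.sort()
        best, start = 0, 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > WINDOW:
                start += 1
            best = max(best, len({c for _, c in calls[start:end + 1]}))
        if best >= SPRAY_THRESHOLD:
            alerts.append(("extension_spray", caller, best))
    return alerts


if __name__ == "__main__":
    for alert in find_vishing_indicators(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

Both indicators are independent of what the caller says, which is the point: the urgency and impersonation the article describes work on the person answering, so the detection has to rest on metadata the caller cannot talk their way around. Tune the window and threshold to the organisation's normal inbound call pattern before alerting on them.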

Smishing: SMS-Based Attacks

SMS phishing (smishing) exploits the trust people place in text messages. Text messages have significantly higher open rates than emails — over 98% compared to approximately 20% for email. Smishing attacks typically impersonate delivery services, banks, or government agencies, directing targets to credential-harvesting websites or malware downloads.

The shorter format of text messages makes it harder for targets to identify suspicious elements. URLs in text messages are often shortened, hiding the actual destination. Mobile devices also provide less security context than desktop browsers, making it easier for fake websites to appear legitimate.
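The indicators above (shortened links that hide the destination, impersonated delivery services or banks, and pressure to act) can be scored mechanically when SMS traffic is available for triage, for example from a corporate messaging gateway or user reports. The Python below is an added example, not code from the CyberROI page: it extracts URLs from constructed sample messages, weights shortener domains and lookalike hostnames, and adds urgency and brand-lure terms. The shortener list, keyword lists and the threshold of 4 are assumptions for illustration; a deployment would feed them from threat intelligence and the organisation's own brand inventory.

```python
"""Heuristic smishing triage over sample SMS text (added example, constructed messages)."""
import re
from urllib.parse import urlparse

# Constructed sample messages; none are taken from a real campaign.
SAMPLE_SMS = [
    "Your parcel could not be delivered. Reschedule within 24 hours: https://bit.ly/3xampleDL",
    "Your account has been locked. Verify now at https://secure-bank-login.example-host.net/verify",
    "Reminder: your dentist appointment is tomorrow at 10:00. Reply C to confirm.",
    "Tax refund of $420 is pending. Claim immediately: https://tinyurl.com/r3fund",
]

# Assumed lists for the example.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
URGENCY_TERMS = {"immediately", "within 24 hours", "locked", "suspended", "verify now", "claim"}
LURE_BRAND_WORDS = {"bank", "parcel", "delivery", "refund", "tax"}
LOOKALIKE_HINTS = ("bank", "login", "secure", "verify")

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")


def extract_urls(text):
    """Return every http(s) URL in the message."""
    return URL_RE.findall(text)


def score_sms(text):
    """Return (score, reasons); a higher score is more smishing-like."""
    lowered = text.lower()
    words = set(WORD_RE.findall(lowered))
    score, reasons = 0, []

    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            # A shortener hides the real destination, the article's key concern.
            score += 3
            reasons.append(f"shortened url ({host})")
        elif host.count(".") >= 2 and any(h in host for h in LOOKALIKE_HINTS):
            # Multi-label hosts built from trust words imitate a brand's login page.
            score += 2
            reasons.append(f"lookalike host ({host})")
        else:
            score += 1
            reasons.append(f"link ({host})")

    urgent = sorted(t for t in URGENCY_TERMS if t in lowered)
    if urgent:
        score += 2
        reasons.append("urgency: " + ", ".join(urgent))

    brands = sorted(LURE_BRAND_WORDS & words)
    if brands and extract_urls(text):
        # A brand lure only matters when paired with a link to act on.
        score += 1
        reasons.append("brand lure: " + ", ".join(brands))
    return score, reasons


def triage(messages, threshold=4):
    """Return (message, score, reasons) for every message at or above the threshold."""
    flagged = []
    for message in messages:
        score, reasons = score_sms(message)
        if score >= threshold:
            flagged.append((message, score, reasons))
    return flagged


if __name__ == "__main__":
    for message, score, reasons in triage(SAMPLE_SMS):
        print(score, reasons, "|", message)
```

The benign appointment reminder scores zero while the three lures each clear the threshold, which is the behaviour a triage queue needs: surface the messages that combine a hidden or lookalike link with pressure to act, without drowning analysts in ordinary notifications. Substring matching on urgency phrases is deliberately loose and will produce some false positives; the score, not any single rule, should drive the decision.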

Pretexting: The Art of the Scenario

Pretexting involves creating a fabricated scenario (pretext) to engage a target and extract information or actions. Unlike phishing, which typically uses a single message, pretexting may involve extended interaction over days or weeks, building trust before making the request.

Common pretexts include: a new employee needing system access, an auditor requesting documentation, a vendor needing to verify account details, or a journalist seeking background information. The attacker researches the target and organisation extensively, using publicly available information to make the scenario convincing.

Defending Against the Full Spectrum