What Is Smishing and Phishing? The Rising Cybersecurity Threat to Public Organizations

Cyberspace has its fair share of bad-faith actors. Attackers use advanced tools to gain unauthorized access to data, commit fraud, and siphon off millions of dollars. These scammers and their schemes have been a problem since the early days of the internet, and they are only getting more sophisticated.

Two of the most prominent forms of these attacks are social engineering techniques called phishing and smishing.

In 2021, more than 320,000 internet users reported falling victim to phishing attacks, and $44.2 million was stolen through phishing alone that year.

But the implications stretch far beyond individuals, impacting government agencies, financial services, and public enterprises across sectors.

According to Proofpoint’s 2024 State of the Phish report, 75% of organizations experienced smishing attacks in 2023.

What are smishing and phishing? And how can organizations prevent them?

This article breaks down these concepts for organizations committed to making cybersecurity a part of best practices.

What is Smishing and Phishing?

Smishing and phishing are both social engineering scams with many similarities.

Social engineering is the psychological manipulation of people into performing actions or revealing confidential information—the core tactic behind smishing and phishing attacks.

Instead of exploiting technical vulnerabilities in software or systems, social engineering targets the human layer of security. The attacker’s goal is to trick, persuade, or pressure a person into giving up sensitive data, such as passwords, bank information, or access credentials.

Scammers use fake names, websites, and links to trick unsuspecting users into revealing personal information. They may impersonate trusted officials, like bank managers or law enforcement officials, to earn the individual's trust. They may also use scare tactics, emotional manipulation, and persuasion to coax out sensitive information.

The difference between smishing and phishing is the medium.

Phishing is the broad umbrella term for these manipulation tactics, whatever the channel: email, social media, phone calls, SMS (where it is called smishing), or fake websites. It is so prevalent that Cisco's 2021 threat report attributed roughly 90% of data breaches to phishing.

Smishing refers specifically to attacks delivered over SMS (mobile text messaging). It is especially effective because text messages have far higher open and click-through rates than emails or social media DMs, and because a mobile client shows the recipient little of the destination URL before they tap it.

What is Smishing and Phishing: Examples

Despite how common these attacks are, few people are aware of the forms phishing can take. One study found that less than 35% of millennials (the first generation to grow up with widespread internet and cellphone adoption) were familiar with the term smishing.

To help understand these concepts better, let’s take a look at some real-world examples of phishing and smishing.

Smishing in the real world

The most common smishing attacks are those that appear to come from a bank or other financial institution. The user receives a message saying that their account has been blocked, or that they must urgently upload additional documents, and is asked to tap a link. The link leads to a fake webpage, usually on a lookalike domain, that mimics the bank's real login page. There the user is prompted to enter personal details, including bank account details and passwords, which go straight to the attackers.

Example: “Your tax refund is ready. Click here to claim: [malicious link]”

But smishing messages can appear to come from anywhere. In the United States, they often take the form of a fake package delivery notice, an unexpected tax refund, or a free iPhone. The story and the capture method are always changing, which makes smishing particularly hard to track and block.
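The lures above share a structure: a pressure phrase plus a link to a domain that borrows a trusted brand's name without being that brand's registered domain. The following script, added here as an illustration and not code from the original article or from Pagefreezer, triages SMS text along those two axes. The sample messages, the brand list and the cue phrases are all constructed for the example; the two-label "registered domain" heuristic is deliberately simple and should be replaced with a public-suffix list in production.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample texts modelled on the lures described above; none is a real campaign.
SAMPLE_MESSAGES = [
    "ALERT: your account has been locked. Verify now at https://secure-examplebank.com/login or lose access within 24h",
    "Your tax refund of $842.17 is ready. Claim here: http://irs-refund-portal.xyz/claim",
    "USPS: your package could not be delivered. Reschedule at https://usps.com-redelivery.info/track",
    "Your ExampleBank statement is ready: https://alerts.examplebank.com/statements",
    "Reminder: your dentist appointment is tomorrow at 10:00. Reply C to confirm.",
]

# Assumption: the registered domains of brands that legitimately text this user base.
KNOWN_BRANDS = ("examplebank.com", "irs.gov", "usps.com")

# Pressure and lure phrases typical of smishing copy (assumed list).
LURE_CUES = ("urgent", "immediately", "within 24", "locked", "suspended", "verify now", "claim")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Two-label heuristic only; use a
    public-suffix list (e.g. the tldextract package) for co.uk-style domains."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_impersonated(host: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is that brand's own domain."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        return None  # genuine subdomain such as alerts.examplebank.com
    labels = re.split(r"[.\-]", host)
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        # Brand name smuggled into a subdomain or hyphenated label: usps.com-redelivery.info
        if brand_label in labels:
            return brand
        # Typosquat of the registered domain itself: examplebnak.com
        if SequenceMatcher(None, reg, brand).ratio() >= 0.8:
            return brand
    return None


def triage(message: str) -> Tuple[str, List[str]]:
    """Score one SMS. Returns (verdict, findings)."""
    findings = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        brand = brand_impersonated(host)
        if brand:
            findings.append(f"lookalike domain {host} imitates {brand}")
        if url.lower().startswith("http://"):
            findings.append(f"cleartext link {url}")
    text = message.lower()
    cues = [c for c in LURE_CUES if c in text]
    if cues:
        findings.append("lure cues: " + ", ".join(cues))
    lookalike = any(f.startswith("lookalike") for f in findings)
    verdict = "suspicious" if lookalike or len(findings) >= 2 else "ok"
    return verdict, findings


if __name__ == "__main__":
    for sms in SAMPLE_MESSAGES:
        verdict, findings = triage(sms)
        print(f"[{verdict}] {sms[:60]}")
        for finding in findings:
            print("    -", finding)
```

The legitimate statement notification passes because its link resolves to the bank's own registered domain, while the delivery lure is caught even though "usps.com" appears in the hostname: the registered domain is actually com-redelivery.info.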

During the pandemic, for instance, attackers used fake COVID-19 warnings to install malware on phones across South Carolina, exploiting a sensitive moment to their advantage. Smishing attacks increased 328% in 2020, and in a single year 76% of businesses were targeted by smishing. During the first two weeks of the nationwide quarantine, 44% of Americans noticed an uptick in scam phone calls and text messages.

The impact of smishing is severe both for the individuals targeted and for the regulated banks, public institutions, and official agencies that the attackers impersonate.

Phishing in the real world

While all of the examples above technically fall under phishing, the most common medium for phishing attacks on organizations is email. Business Email Compromise (BEC), in which an attacker poses as an executive, supplier, or colleague to redirect payments or extract data, accounts for a large share of the losses organizations attribute to phishing.

Example: “We noticed suspicious activity on your account. Log in now to verify your identity.”

In 2016, the Belgian bank Crelan lost about €70 million ($75.8 million) after an attacker posing as a senior executive instructed staff to transfer funds. The losses were only discovered during an internal audit, as the bank had no real-time controls at the time that would have flagged the discrepancies.

Earlier that year, the Austrian aerospace manufacturer FACC lost around $50 million to an alarmingly similar scam.
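The executive-impersonation pattern behind both losses leaves traces in the message headers before anyone reads the body: a display name that belongs to an executive on an address that does not, a sender domain that merely resembles the organization's, and a Reply-To that quietly diverts the conversation. The script below, added here as an example and not taken from the article or from Pagefreezer, checks an inbound message for those traces. The organization domain, the executive directory and both sample messages are constructed for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Assumption: the organization's own mail domain.
ORG_DOMAIN = "example.org"

# Assumption: directory of senior staff whose names an impersonator is likely to borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.org"}

# Phrases typical of payment-redirection requests (assumed list).
PAYMENT_CUES = ("wire", "transfer", "bank details", "invoice", "confidential", "urgent")

# Constructed messages modelled on the executive-impersonation pattern described above.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-org-executive.com>
Reply-To: Jane Doe <janedoe.ceo@example-mail.net>
To: controller@example.org
Subject: Urgent - wire transfer

Are you at your desk? I need a transfer of 49,000 EUR sent today for a confidential
acquisition. Bank details to follow, keep this between us.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.org>
To: controller@example.org
Subject: Board deck

Please send the Q4 board deck when it is ready.
"""


def analyze(raw: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg["From"]))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # Display-name impersonation: the name belongs to an executive, the address does not.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name '{display_name}' is an executive but sender is {from_addr}")

    # External domain that merely resembles ours (example-org-executive.com vs example.org).
    if from_domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_domain:
        findings.append(f"sender domain {from_domain} resembles {ORG_DOMAIN}")

    # Replies silently diverted to a mailbox the attacker controls.
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        if reply_addr.lower() != from_addr:
            findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + str(msg["Subject"] or "")).lower()
    cues = [c for c in PAYMENT_CUES if c in text]
    if cues:
        findings.append("payment cues: " + ", ".join(cues))

    impersonation = any("executive" in f or "resembles" in f for f in findings)
    verdict = "bec-suspected" if impersonation and cues else "ok"
    return verdict, findings


if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        verdict, findings = analyze(raw)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("    -", finding)
```

A check like this belongs at the gateway, where it can tag the message visibly ("external sender using an executive's name") rather than silently drop it; the final control is still an out-of-band call-back to the executive before any payment instruction is acted on.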

Even the websites officials visit are not entirely safe. In 2012, the Council on Foreign Relations website was infected with malware in what is known as a watering hole attack: rather than contacting targets directly, the attackers compromised a site their intended victims were known to visit. The think tank's site was frequented by many of Washington's policy elite at the time, so the attack posed an immense threat to sensitive government data.

How Smishing and Phishing Affect Public & Regulated Organizations

For individuals, smishing and phishing pose direct financial and personal threats. But for public institutions and regulated organizations, the risks of falling victim to smishing and phishing are more diverse.

IBM reports that the average cost of a data breach is now $4.9 million, prompting many organizations to adopt new tools, processes, and technologies to safeguard their businesses. That said, the risks go far beyond the financial. Organizations must also consider:

Phishing attacks damage reputations

Data breaches have a far-reaching impact on an organization’s public image. A financial provider that is targeted doesn’t just lose money in the attack. It loses the confidence of its customers, who may scramble to get their funds out.

One study found that customers were 42% less likely to use a service if the organization faced a breach.

Government authorities, healthcare providers, and other regulated agencies are held to similar standards. A single headline can be a PR crisis and take years to repair.

Data regulations are tightening

For public agencies, navigating the regulatory environment has always been a minefield. As cybersecurity regulations tighten, keeping up is a challenge.

For example, under the GDPR, organizations can be fined up to €20 million or 4% of global annual turnover, whichever is higher, for failing to protect the personal data of people in the EU. Industry-specific laws such as HIPAA or the Gramm-Leach-Bliley Act (GLBA) can also lead to fines after a breach.

In 2019, Equifax agreed to a settlement of up to $700 million with the Federal Trade Commission and other regulators after a data breach affected more than 100 million Americans. The Gramm-Leach-Bliley Act, the PCI DSS standard, and various national banking regulations impose strict requirements for customer data protection and incident reporting.

Risks of impersonation

The risk of impersonation is just as serious as data breaches.

It isn't only directly targeted companies that need to be on guard. When attackers impersonate an organization, they may use the company's official branding, messaging, and digital presence. This creates a host of additional regulatory and legal risks.

As organizations embrace more social media platforms and digital communication channels, the scope for foul play widens. Attackers can now use generative AI and large language models to impersonate authorities with far greater fluency and accuracy.

How Online Evidence Capture Plays a Key Role in Combating Phishing and Smishing

Over the years, several defenses have been put forward against smishing and phishing. Many organizations enforce multi-factor authentication, apply strong access controls, and encrypt data in transit and at rest. One caveat: SMS codes and push prompts can themselves be phished or worn down through repeated prompts, whereas phishing-resistant factors such as FIDO2 security keys or passkeys are bound to the genuine site's origin and will not authenticate to a lookalike page.

But as the threats evolve, organizations need to diversify their response. By using online evidence capture tools, for example, organizations can collect and analyze suspicious communications received over digital channels to help identify perpetrators, understand their modus operandi, and build a case for law enforcement.

Tools like WebPreserver can collect, preserve, and analyze digital evidence from a range of sources to help build a case and provide proof, including evidence of fake websites, social media accounts, profiles, and messages, and more.

Traditionally, evidence capture relied on manual processes: security teams archived emails, downloaded text messages, or took screenshots of suspicious webpages. Those methods were designed for a time when content was relatively static. Today a fake account can be deleted in hours and a fraudulent website edited in seconds, and crucial evidence vanishes with it.

That’s why we recommend considering the benefits of using a web capture tool, like WebPreserver:

1. Capture dynamic and ephemeral content

Today’s phishing campaigns unfold on dynamic platforms — social media feeds, mobile messaging apps, or multi-media websites. For investigators, this means relying on static screenshots or saved links is not enough. With an automated content capture tool, you can capture every element including video, links, documents, etc. in its native formatting, before it disappears.

2. Legally admissible evidence

For materials to be admissible in court, they must be authentic and carry the metadata needed to prove it. Most traditional screenshots fail this test: they carry no reliable timestamp, no record of the URL or underlying HTML, and no integrity hash, so their provenance can be neither verified nor reproduced, adding to compliance and legal headaches.

A web capture tool collects all information about the materials captured, including metadata, user interactions, and platform-specific elements. These details help reconstruct the experience and establish the scope and intent of the fraud. They are also essential for any of this evidence to be submitted before a judge.
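What "essential metadata" and integrity mean in practice can be shown with a minimal capture manifest. The following script, added here as an illustration and not the article's or Pagefreezer's own code, records the source URL, capture time, collector and a SHA-256 of the captured bytes, seals the manifest with an HMAC under a key held by the evidence custodian, and later verifies that neither the content nor the manifest has been altered. The key, the collector identity and the captured HTML are constructed for the example; a production workflow would additionally anchor the hash with a trusted timestamp or a signed, append-only log so that integrity does not depend on a shared secret.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: a key held by the evidence custodian, never by the analyst's browser.
CUSTODIAN_KEY = b"replace-with-a-key-from-a-secrets-manager"

# Constructed stand-in for a captured phishing login page (not a real site).
SOURCE_URL = "https://secure-examplebank.com/login"
CAPTURED_HTML = (
    b"<html><body><form action='/login' method='post'>"
    b"<input name='user'><input name='pass' type='password'></form></body></html>"
)

SEAL_FIELD = "custodian_hmac"


def _seal(fields: Dict[str, str]) -> str:
    """HMAC over canonical JSON so the seal does not depend on key order or whitespace."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CUSTODIAN_KEY, canonical, hashlib.sha256).hexdigest()


def build_manifest(content: bytes, source_url: str, collected_by: str,
                   captured_at: Optional[datetime] = None) -> Dict[str, str]:
    """Record what was captured, when, by whom, and a content hash, then seal it."""
    captured_at = captured_at or datetime.now(timezone.utc)
    manifest = {
        "source_url": source_url,
        "captured_at": captured_at.isoformat(),
        "collected_by": collected_by,
        "content_length": str(len(content)),
        "content_sha256": hashlib.sha256(content).hexdigest(),
    }
    manifest[SEAL_FIELD] = _seal(manifest)
    return manifest


def verify(content: bytes, manifest: Dict[str, str]) -> List[str]:
    """Return a list of integrity problems; an empty list means the evidence is intact."""
    problems = []
    fields = {k: v for k, v in manifest.items() if k != SEAL_FIELD}
    # Any edit to a recorded field (timestamp, URL, hash) invalidates the seal.
    if not hmac.compare_digest(_seal(fields), manifest.get(SEAL_FIELD, "")):
        problems.append("manifest fields altered or seal missing")
    # Any edit to the captured bytes breaks the recorded content hash.
    if not hmac.compare_digest(hashlib.sha256(content).hexdigest(),
                               manifest.get("content_sha256", "")):
        problems.append("content does not match recorded hash")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(CAPTURED_HTML, SOURCE_URL, "analyst@example.org")
    print(json.dumps(manifest, indent=2))
    print("intact:", verify(CAPTURED_HTML, manifest))
    print("edited page:", verify(CAPTURED_HTML + b"<!-- edited -->", manifest))
```

The manifest, not the screenshot, is what an opposing party can actually test: recompute the hash over the preserved bytes, check the seal, and confirm the timestamp and URL were fixed at capture time.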

3. Automated, real-time capture

The best defense is proactive. Web capture tools allow organizations to monitor and document any potential threats in real time.

Traditional preservation methods are slow, cumbersome, and error-prone, meaning evidence could be deleted before it was captured. Modern tools allow organizations to preserve this evidence immediately, reducing the chances of evidence being edited or deleted before it is captured.

Moreover, organizations need to work with a solution that scales. A web capture tool like WebPreserver has no problem archiving a long webpage or conversational thread, including all comments, replies, and likes. Capturing all of this information could take days if done manually.

WebPreserver can help fight back against the risks posed by smishing and phishing directly. It allows organizations to stay on top of the threat, by capturing webpages, social media posts, and other digital content in real time. It preserves these documents with accurate metadata, timestamps, and in legally-admissible formats.

This evidence can protect you against litigation, demonstrate that your organization was itself impersonated, and protect compliance teams from regulatory action.

Want to see WebPreserver in action?

Book a demo today.


Pagefreezer is a user-friendly enterprise archiving platform helping over 1900 organizations reduce risk and streamline their compliance and eDiscovery workflows.
