Vishing and smishing

What is vishing and smishing?

Texts and phone calls can be used maliciously to facilitate theft and fraud. “Vishing” calls (voice phishing) try to alarm you into making payments or providing important financial information. “Smishing” texts (text scams) may encourage you to click on malicious links, activating trojan viruses that can steal passwords and other high-value data.

Many vishing campaigns are high volume, using auto-dial and broadband calling to contact thousands of potential victims per hour. They try to drive fear-based responses: for example, a common scam is a false bank call-back service that pretends to alert you to bank account fraud and then requests detailed card information on response.

Attackers can also take a more targeted approach, such as by impersonating a senior employee requiring urgent assistance. They may seem to be in a rush and will take control of the conversation as they pressure you to provide sensitive information or forward funds to a specific account.

Smishing has begun to overtake vishing in popularity. Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

What are the risks to your business?

  • Data theft (or encryption for ransom)
  • Fraudulent internet banking redirection
  • Financial theft
  • Identity fraud

How to defend your business against vishing and smishing

  • Raise awareness of the potential impact of vishing and smishing on your business, and implement a policy for reporting suspected cases.
  • Train staff to never share financial or company information with unverified callers.
  • Learn to spot suspicious calls and text and never:
    • be rushed into making a quick decision in response to an urgent request.
    • provide personal or financial information over the phone.
    • use numbers provided by the caller or in the text; instead, use known contact numbers.
    • click on a link in a text you were not expecting.
  • There are several give-away signs that a call claiming to be from another employee may be a vishing attempt:
    • The caller refers to the organization by name on a supposedly internal call.
    • The call is made to Canada from one country, for information on another.
    • The caller instructs the recipient to use internal systems to provide information.

Read more

Questions? Ready to get started?

You are leaving the HSBC CMB website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.