Three names. One attack. The only thing that changes is the delivery channel: your email inbox, your text messages, or your phone. The goal is always the same — impersonate a trusted organisation, create urgency, and get you to act before you think.
Understanding the difference between them matters because each channel has its own tells — and its own defence.
Phishing — the email attack
Phishing uses fraudulent emails that appear to come from a trusted source: your bank, HMRC, Royal Mail, Amazon, PayPal, Microsoft. The email creates urgency — your account will be suspended, a parcel needs customs payment, a charge was made you did not authorise — and provides a link to "resolve" the issue.
The link leads to a fake website designed to look identical to the real one. Any credentials you enter go directly to the attacker.
How to spot a phishing email
- The sender address does not match. The display name says "Barclays Bank" but the address behind it is "barclays-security@gmail.com" or "noreply@barclays-secure-alert.com". Always check the actual address, not just the name, and check the whole domain after the @: a domain that merely contains the brand's name is not the brand's domain.
- Urgent or threatening language. "Your account will be closed in 24 hours." "Failure to respond will result in legal action." This is pressure to stop you thinking clearly.
- Links that do not match the text. Hover over the link (do not click) and read the real URL in your browser's status bar. The part that matters is the domain, not the words around it: if it is not the claimed organisation's own domain, the link is fraudulent, even if the visible text shows the right address.
- Requests for information legitimate organisations never ask for. Your bank already has your account number. HMRC does not ask for it via email. Treat any email asking for credentials, card numbers, or passwords as fraudulent.
- Generic salutation. "Dear Customer" instead of your name. Not definitive, but a common phishing indicator.
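The checks in the list above can be applied mechanically to a raw email. The script below is an added example written for this page, not code from the original article: it parses the From header, extracts every link from the HTML body, and reports the four indicators (sender/brand mismatch, link text versus real destination, urgency language, generic salutation). The brand-to-domain table, the keyword lists, the simplified registrable-domain rule and both sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate registrable domain table (illustrative only).
BRAND_DOMAINS = {"barclays": "barclays.co.uk", "hmrc": "gov.uk",
                 "royal mail": "royalmail.com", "paypal": "paypal.com"}
URGENCY = re.compile(r"\b(within \d+ hours|in \d+ hours|suspended|closed|"
                     r"legal action|immediately|verify your)\b", re.I)
GENERIC_SALUTATION = re.compile(r"^\s*dear\s+(valued\s+)?(customer|user|client|member)\b", re.I)
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Simplification of the Public Suffix List: second-level labels under 2-letter ccTLDs.
SECOND_LEVEL = {"co", "org", "gov", "ac", "net", "com"}


def registrable_domain(host: str) -> str:
    """'secure.login.barclays.co.uk' -> 'barclays.co.uk'; 'a.b.gmail.com' -> 'gmail.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text of the body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._in_anchor = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        self.text.append(data)
        if self._in_anchor and self.links:
            self.links[-1][1] += data


def phishing_indicators(raw_email: str) -> list[str]:
    """Return one finding per indicator present in the message (empty list if none)."""
    msg = message_from_string(raw_email, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(address.split("@")[-1]) if "@" in address else ""
    blob = (display_name + " " + subject).lower()
    brand = next((b for b in BRAND_DOMAINS if b in blob), None)
    official = BRAND_DOMAINS[brand] if brand else ""
    findings = []

    # 1. Display name or subject claims a brand, but the address is not on its domain.
    if brand and sender_domain != official:
        findings.append(f"sender mismatch: '{display_name}' <{address}> is not on {official}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    visible_text = "\n".join(parser.text)

    # 2. Visible link text names one domain while the href goes to another,
    #    and/or the href is not on the claimed brand's domain at all.
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host) if href_host else ""
        text_hosts = HOST_IN_TEXT.findall(text)
        if text_hosts and href_domain != registrable_domain(text_hosts[0]):
            findings.append(f"link mismatch: text shows {text_hosts[0]} but href goes to {href_host}")
        if official and href_domain != official:
            findings.append(f"off-brand link: {href_host} is not {official}")

    # 3. Urgent or threatening language in body or subject.
    hit = URGENCY.search(visible_text) or URGENCY.search(subject)
    if hit:
        findings.append(f"urgency language: '{hit.group(0)}'")

    # 4. Generic salutation on the first non-empty line of the body.
    first = next((ln.strip() for ln in visible_text.splitlines() if ln.strip()), "")
    if GENERIC_SALUTATION.match(first):
        findings.append(f"generic salutation: '{first}'")
    return findings


# Constructed sample messages (not real mail): one lure, one genuine-looking statement notice.
PHISH_EMAIL = """\
From: "Barclays Bank" <barclays-security@gmail.com>
To: victim@example.com
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected an unauthorised charge. Your account will be suspended in 24 hours unless you verify your details.</p>
<p><a href="http://barclays-secure-alert.com/login">https://www.barclays.co.uk/verify</a></p>
</body></html>
"""
LEGIT_EMAIL = """\
From: "Barclays" <alerts@barclays.co.uk>
To: alice@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Alice,</p>
<p>Your statement for March is available.</p>
<p><a href="https://www.barclays.co.uk/statements">www.barclays.co.uk/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw))
```

The lure trips all four checks (the mismatched link produces two findings, one for the text/href disagreement and one for the off-brand destination); the statement notice produces none. The brand table is the weak point of any such filter: an email that names a brand the table does not know sails past check 1, which is why the golden rule below, rather than a filter, is the real defence.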
✅ The golden rule for email
If an email asks you to click a link and log in, do not use the link in the email. Open a new browser tab and type the organisation's address directly, or use your existing bookmark. This simple habit neutralises nearly every phishing attack.
Smishing — the text message attack
Smishing uses the same tactics as phishing but delivered via SMS. Common pretexts include: Royal Mail or DPD parcel requiring a customs fee, HMRC tax rebate, your bank detecting suspicious activity, a missed call from a number you do not recognise that will cost money to return.
Smishing is effective for two reasons. People treat text messages as more personal and more trustworthy than email, and are conditioned to act on them quickly. And mobile browsers truncate the address bar, so a fake domain is much harder to spot on a small screen than it is on a desktop.
The SMS spoofing problem
In many countries, including the UK, the sender ID of an SMS can be set to almost anything, including your bank's real shortcode or an alphanumeric name such as "Barclays" or "RoyalMail". Because your phone groups messages by sender ID, a fraudulent text can land in the same conversation thread as genuine messages from that organisation. This is called SMS spoofing, and it means you cannot trust the sender field alone.
How to spot a smishing text
- Unexpected texts about deliveries you did not order
- Tax rebate notifications — HMRC communicates refunds by post, not text
- Any text containing a shortened link (bit.ly, tinyurl, etc.) asking you to log in
- Texts requesting a small payment (£1.99 customs fee) via a link — real delivery companies send letters
- Bank texts asking you to call a number in the message — call the number on the back of your card instead
Vishing — the voice call attack
Vishing uses phone calls. The caller impersonates a bank fraud team, HMRC, the police, Microsoft support, or a government agency. The script typically involves urgency: your account has been compromised, you are a suspect in a money laundering case, a virus has been detected on your computer.
Vishing is particularly effective because the human voice triggers trust. A professional, calm voice in an authoritative role — "I'm calling from Barclays' fraud prevention team" — is very different from a suspicious email. Add a spoofed caller ID showing your bank's real number, and the attack is highly convincing.
The no-hang-up trick
A vishing script designed to neutralise your scepticism: the caller tells you to hang up and call your bank's real number. When you hang up and dial, the caller stays on the line — or calls back immediately — pretending to be the bank you just called. To defeat this, wait at least 5 minutes after hanging up, or call back from a different phone.
How to spot a vishing call
- Any caller asking you to move money to a "safe account" — your bank will never do this
- Any caller asking you to download software onto your computer
- HMRC calls threatening arrest for unpaid tax — HMRC does not arrest people over the phone
- Microsoft or Apple calls about a virus on your computer — they do not make unsolicited calls
- Any caller asking for your full password, PIN, or card number
The one habit that defeats all three
Never act on the communication you received. Always initiate contact yourself.
If an email from your bank worries you, close the email and open your banking app or type your bank's address into a fresh browser tab. If a text says your parcel is delayed, go to the courier's website directly. If a caller claims to be from your bank, hang up, wait five minutes, and call the number on the back of your card.
This single habit — breaking the communication chain and initiating contact yourself through a known channel — defeats phishing, smishing, and vishing simultaneously. It works because it removes the attacker's control over the next step.
The complete communication security system
The Scam Protection Blueprint includes a full chapter on digital communication security — email hygiene, phone safety, and a step-by-step setup guide for two-factor authentication across all your key accounts.