Phishing, Smishing & Vishing
The message looked urgent. The number matched. The link loaded a familiar page. Four minutes later, the money was gone.
The SMS That Drained the Account
Priya was at work when a message arrived from a number saved as "SBI Bank" in her contacts.
"Alert: Unusual login detected. Verify now to prevent suspension: sbi-securelogin.in/verify"
She had received genuine bank alerts in the same thread before. The urgency felt real. She clicked, entered her credentials on a page identical to SBI's site, then entered the OTP that arrived seconds later.
Within four minutes, Rs 1.8 lakh was transferred from her account.
The number was spoofed. The page was a clone. The OTP she entered did not verify a login - it authorized the transfer the attacker had already queued.
What Is Actually Happening
Phishing (email), smishing (SMS), and vishing (voice) share one mechanism: impersonate a trusted source, create pressure, and capture credentials or payment before the target pauses to verify.
3.4 Billion Phishing Emails Sent Every Single Day in 2025
Even a 0.001% success rate produces tens of thousands of victims daily. Volume is the strategy.
Source: Proofpoint State of the Phish Report, 2025
SMS Fraud Reports Rose 89% in 2024
People click SMS links at much higher rates than email links. Mobile screens hide full URLs. Sender IDs can be spoofed to appear in existing threads with your real bank - making the message look like an official continuation.
1 in 3 Social Engineering Attacks Now Uses Voice
AI voice cloning has lowered the barrier to convincing caller impersonation. Vishing accounts for 33% of all social engineering incidents. Callers who already know your name and partial account details bought them from breach markets beforehand.
1 in 3 Employees Click Phishing Links
In controlled tests, 34% of employees clicked a phishing link and 1 in 8 entered credentials on the fake page. Click rates are highest for financial alerts, HR notices, and IT security warnings - the same formats attackers prioritize.
Phishing Pages Stay Live Under 60 Minutes
The average phishing page is active for less than 60 minutes before being taken down or moved. Attackers use the window to collect as many credentials as possible, then act immediately before victims notice.
How Each Format Works
Email phishing spoofs display names and uses lookalike domains. alerts@hdfc-banking.co.in looks official. The domain after the @ symbol is the only checkable fact.
Smishing exploits mobile UX. Sender names can be set by the sender, not verified by the network. A message can appear in the same thread as your real bank by using the same sender name string.
Vishing uses spoofed caller IDs and scripted social engineering. Callers arrive knowing your name, partial account number, and a recent transaction - bought from breach markets. This creates a false sense of verification before asking for an OTP.
QR codes in phishing emails are used because they bypass email link scanning. The QR redirects to a credential page that corporate filters never see.
The consistent factor across all three: the attacker creates a reason not to pause. A 24-hour deadline. A suspended account. A transaction already in progress. The urgency exists to prevent the one action that would expose the scam: independent verification.
Practice: Sort the Inbox
Six messages have arrived. Classify each as real or phishing. After every decision, the specific tells are revealed.
What That Just Showed You
1. Display names are not sender addresses. The name shown can be set to anything. "SBI Bank" costs nothing to fake. The actual sending address or domain is the only checkable fact.
2. OTPs authorize actions, not identities. An OTP does not verify a login. It approves a specific action. When an attacker asks for your OTP to "block" a transaction, they are asking you to approve the transaction.
3. Urgency is a mechanism to skip verification. Every phishing, smishing, and vishing attack includes a reason to act now. That reason exists because verification would reveal the scam.
4. Credential pages look identical to real ones. The only reliable tell is the domain name. Checking the URL before entering any data is the single most effective habit.
Three Things Worth Doing
1. Check the domain before entering anything.
On mobile, tap the address bar to see the full URL. The domain - the name read from the right-hand end of the address, immediately before the suffix such as .com, .co.in, or any other extension - must exactly match the organisation's known domain; a familiar name appearing earlier in the address does not count.
2. Never act on an inbound contact. Go outbound. If a bank, courier, or government body contacts you urgently, close the message or hang up. Then contact them using a number you already have saved or a website you already know. Use nothing from the message itself.
3. OTPs are authorizations, not verifications. No bank, government agency, or support team needs your OTP to help you. If someone asks for it, they are using it against you.
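The domain check described in the points above, as an added example in Python that is not part of the original page: take the host from a link or a sender address, reduce it to the registrable domain, and compare it with the organisation's known domains. The allowlist, the brand tokens and the public-suffix table are constructed stand-ins for this example, and the sample addresses are the two from the article plus constructed variants.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for an organisation's published domains
# (assumption for this example; take the real list from the bank's own site).
KNOWN_DOMAINS = {"onlinesbi.sbi", "sbi.co.in", "hdfcbank.com"}
BRAND_TOKENS = {"sbi", "hdfc"}          # names attackers embed in lookalikes

# Tiny stand-in for the Public Suffix List: suffixes that take two labels,
# so that "sbi.co.in" is the domain, not "co.in".
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}


def host_of(target: str) -> str:
    """Return the lowercase host from a URL or an e-mail address."""
    target = target.strip().lower()
    if "@" in target and "/" not in target:        # sender address form
        return target.rsplit("@", 1)[1].rstrip(">")
    if "://" not in target:                        # "sbi-securelogin.in/verify"
        target = "http://" + target
    # .hostname discards userinfo, so "onlinesbi.sbi@evil.in" yields "evil.in"
    return urlsplit(target).hostname or ""


def registrable_domain(host: str) -> str:
    """Reduce a host to what the article calls 'the domain': the label left of
    the public suffix, plus that suffix. Subdomains in front do not count."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify(target: str) -> tuple:
    """Return (verdict, registrable domain) for a link or sender address."""
    domain = registrable_domain(host_of(target))
    if domain in KNOWN_DOMAINS:
        return ("known domain", domain)
    # The lookalike tell: a bank's name appears somewhere in the address
    # (subdomain, hyphenated label, userinfo or display name) but the
    # registrable domain is not one the bank owns.
    if any(token in target.lower() for token in BRAND_TOKENS):
        return ("lookalike, brand outside the registrable domain", domain)
    return ("unknown domain", domain)


if __name__ == "__main__":
    # Constructed samples: the two addresses from the article plus variants.
    for sample in ["sbi-securelogin.in/verify",
                   '"SBI Bank" <alerts@hdfc-banking.co.in>',
                   "https://sbi.co.in.verify-login.in/otp",
                   "https://onlinesbi.sbi@evil.in/verify",
                   "https://www.onlinesbi.sbi/"]:
        print(f"{sample:45} -> {classify(sample)}")
```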
One Question Before You Continue
Priya entered her OTP on the fake page because she thought it would verify her identity and block the suspicious transaction. What did the OTP actually do?