The FBI Warning on Vishing and Smishing You Can't Afford to Ignore
In early 2024, the FBI's Internet Crime Complaint Center (IC3) flagged a sharp escalation in vishing and smishing campaigns targeting businesses and individuals across the United States. The 2023 IC3 Annual Report documented over 298,000 phishing-related complaints — and that category now explicitly includes voice phishing (vishing) and SMS phishing (smishing) as dominant attack vectors. The losses tied to these social engineering schemes ran into hundreds of millions of dollars.
If you think your organization is safe because you trained employees to spot suspicious emails, think again. Threat actors have shifted tactics. They're calling your employees directly. They're texting them links that look like they came from your IT department or your bank. And the FBI warning on vishing and smishing makes one thing clear: these attacks are working at scale.
This post breaks down exactly what's happening, how these attacks operate in the real world, and specific steps you can take to protect your organization right now.
What Are Vishing and Smishing, Exactly?
Vishing: The Voice Call That Steals Credentials
Vishing is voice phishing — a phone call designed to trick you into revealing sensitive information. The caller might impersonate your bank's fraud department, the IRS, a tech support agent, or even someone from your own company's IT team. They create urgency. They sound professional. And they ask for passwords, one-time codes, Social Security numbers, or remote access to your device.
I've investigated cases where attackers spoofed the caller ID to show the real phone number of the victim's bank. When your phone displays your bank's actual number, your guard drops instantly. That's the whole point.
Smishing: The Text Message Trap
Smishing uses SMS or messaging apps to deliver the same kind of social engineering attack. You get a text that says your package couldn't be delivered, your account has been locked, or you need to verify a transaction. The link leads to a credential theft page that looks pixel-perfect.
The reason smishing works so well is that people interact with text messages differently than email. Open rates on SMS messages exceed 90%. Most people read a text within three minutes. There's no spam filter. There's no "suspicious message" banner. It's just you and a convincing message on a small screen.
Why the FBI Raised the Alarm
The FBI didn't issue warnings about vishing and smishing because the attacks are new. They issued warnings because the scale, sophistication, and success rate have exploded.
In a 2024 public service announcement, the FBI specifically warned about criminals impersonating bank and financial institution representatives via phone calls and text messages to drain accounts. Separately, CISA and the FBI jointly warned about threat actors using vishing to target remote workers — a trend that surged after the shift to work-from-home and never let up.
The CISA Cyber Threats and Advisories page continues to track these evolving social engineering techniques as a top-tier risk.
The Numbers Behind the Surge
According to the FBI IC3's reporting, phishing/vishing/smishing/pharming was the number one reported cybercrime type by complaint count in both 2022 and 2023. The Verizon 2024 Data Breach Investigations Report (DBIR) found that the human element was involved in 68% of breaches, with social engineering remaining one of the top attack patterns.
What I find most alarming: the median time for a user to click a phishing link in a simulation is under 60 seconds, per the DBIR. For smishing, it's likely even faster given the immediacy of text messages.
Real-World Vishing and Smishing Attacks That Cost Millions
The 2020 Twitter Breach: Vishing at the Core
In July 2020, a group of attackers used vishing calls to target Twitter employees. They posed as internal IT staff, convinced employees to hand over credentials, and gained access to internal tools. The attackers then hijacked high-profile accounts — Elon Musk, Barack Obama, Apple — to run a cryptocurrency scam. Twitter confirmed the attack vector was phone-based social engineering. The breach damaged the company's reputation and led to an FTC investigation.
This wasn't a sophisticated zero-day exploit. It was a phone call.
Smishing Campaigns Against Financial Institutions
Throughout 2023 and into 2024, the FBI tracked widespread smishing campaigns where victims received texts claiming to be from their bank. Messages warned of suspicious transactions and included a link to "verify" account details. The credential theft pages harvested login credentials and multi-factor authentication codes in real time, allowing attackers to drain accounts before victims realized what happened.
These campaigns hit customers of major banks across the country and generated thousands of IC3 complaints.
The MGM Resorts Breach
In September 2023, attackers breached MGM Resorts International using a vishing call to the company's IT help desk. The threat actor impersonated an employee, obtained credentials, and escalated access — eventually deploying ransomware that disrupted hotel and casino operations for days. The estimated cost exceeded $100 million. The attack started with a single phone call that lasted about 10 minutes.
How Vishing and Smishing Bypass Your Existing Defenses
Here's what actually happens in most organizations: you have email security gateways, spam filters, maybe even AI-powered phishing detection on inbound email. Those tools are doing real work. But they don't protect the phone in your employee's pocket.
No Technical Filter Catches a Convincing Voice
Vishing bypasses every email security tool you own. There's no URL to scan. There's no attachment to sandbox. It's a human talking to a human, and the attacker has rehearsed the script. They know your company's org chart because they scraped LinkedIn. They know your IT ticketing system because they called and asked last week.
Smishing Exploits Mobile Trust
Smishing messages arrive on devices where your corporate endpoint protection often doesn't reach — especially personal phones used for work. Even on managed devices, SMS-based attacks operate outside the email security stack. The links often use URL shorteners, making it harder for users to inspect the destination.
This is exactly why the FBI warning on vishing and smishing emphasizes human awareness as the primary defense. Technology alone isn't enough.
How to Protect Your Organization: Specific Steps
1. Train for Voice and Text Attacks, Not Just Email
Most security awareness programs focus almost entirely on email phishing. That's a gap your attackers know about. Your training needs to include realistic vishing and smishing scenarios — what those calls sound like, what those texts look like, and how to respond.
A strong starting point is enrolling your team in cybersecurity awareness training that covers social engineering across all channels. If your people only know how to spot a suspicious email, they're unprepared for the threat the FBI is actually warning about.
2. Run Phishing Simulations That Include SMS and Voice
Simulations build muscle memory. If your employees have never received a simulated vishing call or smishing text, their first encounter will be a real one — and the odds aren't in your favor.
Organizations running regular phishing awareness training programs with multi-channel simulations see measurable drops in click-through and response rates. The data on this is consistent across the industry: trained employees fail phishing tests at a fraction of the rate of untrained ones.
3. Implement Multi-Factor Authentication That Resists Social Engineering
Standard SMS-based multi-factor authentication (MFA) is itself vulnerable to smishing and SIM-swapping. Move to phishing-resistant MFA wherever possible — hardware security keys (FIDO2/WebAuthn) or app-based authenticators with number matching. CISA has published specific guidance recommending phishing-resistant MFA as a priority.
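Why FIDO2/WebAuthn resists the vishing and smishing lures described above comes down to binding: the browser, not the user, records which origin asked for the login, and the authenticator scopes each credential to a relying-party ID, so a credential phished through a lookalike page never verifies at the real site. The following Python is an added illustration written for this post, not code from the FBI, CISA or any WebAuthn library; it reproduces only the binding checks a relying party performs (ceremony type, challenge, origin, rpIdHash) and deliberately omits signature verification over authenticatorData and clientDataJSON, which is the step that makes those fields unforgeable in a real deployment. The domain names, challenge and message layouts are constructed assumptions.

```python
import base64
import hashlib
import json

# Assumptions for the example: the bank's relying-party ID and the only origin
# it serves logins from. Nothing here comes from a real bank.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example"}

# Constructed, fixed challenge so the example is deterministic. A real server
# draws a fresh random challenge per ceremony and stores it in the session.
CHALLENGE = hashlib.sha256(b"constructed-example-challenge").digest()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party side binding checks from the WebAuthn assertion ceremony.
    Returns (accepted, reason). Signature verification is intentionally left out."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    # The browser fills in the origin of the page that called navigator.credentials.get();
    # a lookalike site cannot write the bank's origin here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    # First 32 bytes of authenticatorData are SHA-256 of the rpId the authenticator used.
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential was scoped to another rpId"
    return True, "binding checks passed"


# Helpers that build the two messages as a browser and authenticator would shape them
# (constructed for this example; real implementations use the platform APIs).
def make_client_data(origin: str, challenge: bytes) -> bytes:
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signature counter (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")


def demo() -> dict:
    """Compares a genuine login with an assertion that was produced on a lookalike page."""
    genuine = verify_assertion_binding(
        make_client_data("https://bank.example", CHALLENGE),
        make_auth_data("bank.example"), CHALLENGE)
    # On the lookalike page the browser records its own origin and the authenticator
    # scopes the credential to the lookalike rpId, so neither field matches the bank.
    lookalike = verify_assertion_binding(
        make_client_data("https://bank-example-verify.example", CHALLENGE),
        make_auth_data("bank-example-verify.example"), CHALLENGE)
    replayed = verify_assertion_binding(
        make_client_data("https://bank.example", b"\x00" * 32),
        make_auth_data("bank.example"), CHALLENGE)
    return {"genuine": genuine, "lookalike": lookalike, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok} ({why})")
```

Contrast this with an SMS code: the six digits carry no information about where they were typed, so a code entered on a lookalike page verifies just as well at the real bank. That missing binding is what the FBI and CISA mean when they call SMS MFA non-phishing-resistant.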
4. Establish a Verification Protocol for Sensitive Requests
Create a clear, company-wide policy: no one provides credentials, resets passwords, or transfers funds based on an inbound phone call or text message alone. Employees should hang up and call back using a known, verified number. This simple step would have prevented the Twitter breach and the MGM breach.
5. Adopt Zero Trust Principles
A zero trust architecture assumes every access request could be malicious — whether it comes from inside or outside the network. Even if an attacker obtains credentials through vishing, zero trust controls like continuous authentication, least-privilege access, and network segmentation limit the blast radius. It's not a silver bullet, but it makes credential theft far less catastrophic.
6. Report Every Attempt
Encourage employees to report vishing and smishing attempts immediately, even if they didn't fall for them. Each report gives your security team intelligence about active campaigns targeting your organization. And file reports with the FBI's IC3 at ic3.gov — it feeds the data that drives the warnings that protect everyone.
What Does the FBI Recommend for Vishing and Smishing?
The FBI's core recommendations, drawn from multiple public advisories, are straightforward:
- Don't trust caller ID. Spoofing is trivial and widespread.
- Never provide personal or financial information in response to an unsolicited call or text.
- Verify independently. If someone claims to be from your bank or employer, hang up and contact the organization directly using a number you already have.
- Don't click links in unexpected text messages. Navigate to the website directly through your browser instead.
- Enable strong MFA on all accounts, preferably not SMS-based.
- Report incidents to the FBI IC3 and your local FBI field office.
These recommendations aren't theoretical. They're the distilled lessons from hundreds of thousands of complaints and billions of dollars in losses.
The Gap Between Knowing and Doing
I've seen organizations that know about vishing and smishing in the abstract but haven't updated their security awareness programs to address them specifically. There's a dangerous gap between knowing a threat exists and actually preparing your people to handle it.
The FBI warning on vishing and smishing isn't a future prediction. It's a description of what's happening right now, to organizations of every size, in every sector. The attacks are cheap to launch, hard to trace, and devastatingly effective against untrained targets.
Your email filters won't catch the phone call. Your firewall won't block the text message. The only defense that works at the point of attack is a trained human who recognizes the play and refuses to engage.
Start with your people. Build the training. Run the simulations. Make the verification protocols non-negotiable. That's how you turn an FBI warning into an FBI warning that doesn't apply to you.