In January 2020, the FBI and CISA issued a joint advisory warning organizations about a wave of vishing attacks targeting remote workers. By mid-2021, the problem has only gotten worse. The FBI's Internet Crime Complaint Center (IC3) reported over 240,000 phishing, vishing, and smishing complaints in 2020 alone — making it the most-reported cybercrime category for the fifth consecutive year. If you think your organization is safe because you've covered email phishing, the FBI warning on vishing and smishing should be your wake-up call.
This post breaks down what these attacks look like in the real world, why they're surging right now, and the specific steps you need to take today to protect your employees and your data. No fluff — just what actually works.
What the FBI Warning on Vishing and Smishing Actually Says
The FBI and CISA's alert (AA20-01A) specifically warned that cybercriminals were using voice phishing — vishing — to target employees at large organizations, tricking them into logging into phishing websites that harvested corporate VPN credentials. The threat actors then used those stolen credentials to access internal networks, escalate privileges, and move laterally through company systems.
The advisory wasn't hypothetical. It described active campaigns where attackers researched targets on LinkedIn, called them on personal cell phones, and impersonated IT help desk staff. In several cases, the criminals had enough personal information to pass basic verification questions. Once inside the VPN, they hunted for tools to access financial systems and customer databases.
Smishing — phishing via SMS text messages — wasn't the focus of that particular advisory, but the FBI IC3's 2020 Internet Crime Report documented a sharp rise in text-based social engineering. Threat actors send texts posing as banks, delivery services, or IT departments, embedding links to credential theft pages. The combination of vishing and smishing creates a multi-channel attack surface that most security awareness programs simply don't cover.
Why Vishing and Smishing Are Surging in 2021
Remote Work Blew the Doors Open
Before 2020, most employees sat inside a corporate network with centralized security controls. Now, millions work from home on personal devices, personal Wi-Fi, and personal phone lines. That shift gave threat actors a massive new attack surface. When your employee gets a call from someone claiming to be the IT help desk, there's no way to walk down the hall and verify it.
I've seen organizations that invested heavily in email security gateways and endpoint detection — but never once trained employees on what a vishing call sounds like. That gap is exactly what attackers exploit.
Phone-Based Attacks Bypass Email Filters
Here's the uncomfortable truth: your email security stack is irrelevant to a vishing attack. Secure email gateways, DMARC, SPF records — none of it matters when a threat actor calls your employee directly. The same goes for smishing. SMS messages bypass every email filter you've deployed. Organizations that rely solely on technology for phishing defense have a blind spot the size of a billboard.
Caller ID Spoofing Is Trivially Easy
Attackers routinely spoof caller ID to display your company's actual phone number. The technology to do this costs almost nothing and requires no technical skill. Your employee sees a call from what appears to be the corporate help desk, and their guard drops immediately. The FBI advisory specifically noted this technique as a key enabler of the attacks they observed.
Real-World Vishing Attacks: The $4.88M Lesson
The 2021 Verizon Data Breach Investigations Report found that 85% of data breaches involved a human element, and social engineering was one of the top three attack patterns. The report noted a significant increase in misrepresentation attacks — which includes vishing — compared to previous years.
Consider the Twitter breach of July 2020. Attackers used vishing to call Twitter employees, impersonate internal IT staff, and direct them to a credential-harvesting site. The stolen credentials gave attackers access to internal admin tools, which they used to hijack high-profile accounts, including those of Barack Obama, Elon Musk, and Apple. The attackers stole over $100,000 in Bitcoin through the compromised accounts. A teenager orchestrated the whole thing.
That breach didn't start with a zero-day exploit or a sophisticated malware payload. It started with a phone call. That's the reality of vishing — and it's exactly what the FBI has been warning about.
Smishing: The Text Message Threat You're Ignoring
SMS phishing is particularly dangerous because of one simple metric: open rates. Research consistently shows that text messages have a 98% open rate compared to roughly 20% for email. When a threat actor sends a smishing message, the target almost always reads it.
Common smishing lures in 2021 include:
- Package delivery notifications — "Your package couldn't be delivered. Confirm your address here." These exploded during the pandemic as online shopping surged.
- Bank fraud alerts — "Suspicious activity detected on your account. Verify your identity immediately." These link to convincing credential theft pages.
- IT department requests — "Your corporate password expires today. Reset it here." These target employees specifically.
- COVID-19 vaccine scheduling — "You're eligible for a vaccine appointment. Register at this link." The FTC flagged these scams repeatedly throughout 2021.
Each of these lures creates urgency, which short-circuits critical thinking. The target clicks, enters credentials, and the attacker is in. No malware required.
How Do I Protect My Organization from Vishing and Smishing?
This is the question I get most often, so here's the specific, actionable answer. You need a layered defense that combines technical controls, policy changes, and ongoing training.
1. Implement Multi-Factor Authentication Everywhere
The FBI advisory emphasized that organizations using multi-factor authentication (MFA) were significantly harder to compromise, even when credentials were stolen via vishing. If an attacker gets a password but can't bypass MFA, the credential theft is neutralized.
Deploy MFA on every externally accessible system — VPNs, email, cloud applications, and admin portals. Hardware security keys (like YubiKeys) are stronger than SMS-based codes, which can themselves be intercepted through SIM-swapping attacks.
2. Establish a Verbal Verification Protocol
Create a policy that any request for credentials, password resets, or system access received via phone must be verified through a separate, known channel. If someone calls claiming to be IT, the employee hangs up and calls the IT help desk at the published number. This simple step defeats most vishing attacks entirely.
Train employees on this protocol and test it. A policy nobody follows is just paper.
3. Run Phishing Simulations That Include Vishing and Smishing
Most phishing simulation programs only test email. That's not enough anymore. Your security awareness program needs to include voice and text-based simulations that mirror real-world attack scenarios. Organizations that run regular simulations as part of a phishing awareness training program see measurable reductions in click-through rates and credential submissions over time.
4. Train Employees on Social Engineering Tactics, Not Just Email
Your security awareness training must cover vishing, smishing, pretexting, and other social engineering methods — not just email phishing. I've reviewed dozens of training programs that spend 95% of their time on email threats and barely mention phone-based attacks. That ratio is dangerously outdated.
A comprehensive cybersecurity awareness training program should teach employees to recognize the specific psychological triggers attackers use: urgency, authority, fear, and helpfulness. These triggers work the same way whether the attack comes by email, phone, or text.
5. Adopt a Zero Trust Approach
Zero trust isn't just a buzzword — it's the architecture that limits blast radius when (not if) credentials are compromised. The principle is simple: never trust, always verify. Every access request is authenticated and authorized regardless of where it originates.
In practice, this means network segmentation, least-privilege access, continuous monitoring, and contextual authentication. If a compromised VPN credential only grants access to a single segmented resource, the damage from a vishing-enabled breach shrinks dramatically. NIST's Zero Trust Architecture publication (SP 800-207) provides the framework.
6. Monitor for Credential Exposure
Subscribe to threat intelligence feeds that alert you when employee credentials appear in dark web marketplaces or paste sites. Credentials stolen through vishing and smishing often end up being sold or shared. Early detection lets you force password resets before the credentials are used.
What the FBI Recommends You Do Right Now
The FBI and CISA advisory included specific recommendations that remain directly applicable in 2021:
- Restrict VPN connections to managed devices only — block personal devices from accessing the corporate VPN.
- Implement domain monitoring to detect the creation of lookalike domains used in vishing and smishing campaigns.
- Actively scan for unauthorized access and lateral movement, especially from VPN endpoints.
- Use formal, documented processes for any employee-facing password or access changes. No exceptions for phone requests.
- Report vishing and smishing attempts to the FBI IC3 at ic3.gov.
These aren't aspirational recommendations. They're baseline requirements if you take the threat seriously.
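As an added example of the lookalike-domain monitoring the advisory recommends (this is not code from the original post, the FBI or CISA): the script below takes a constructed batch of newly registered domains and flags those that impersonate a protected domain by TLD swap, homoglyph substitution, a typo within two edits, or brand name plus an IT-support keyword. The protected domain, the sample registrations and the keyword list are all assumptions; in practice the input would come from a certificate-transparency or newly-registered-domain feed.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed sample data (hypothetical organization and registrations).
PROTECTED_DOMAINS = ["examplecorp.com"]
NEW_REGISTRATIONS = [
    "examplecorp-helpdesk.com",  # brand + IT-support keyword
    "exarnplecorp.com",          # 'm' rendered as 'rn'
    "examp1ecorp.com",           # 'l' replaced by '1'
    "exampelcorp.com",           # transposed letters
    "examplecorp.co",            # TLD swap
    "weatherreport.net",         # unrelated, must not be flagged
]
# Words attackers pair with a brand to look like the IT help desk (assumed list).
SUPPORT_WORDS = ("helpdesk", "support", "vpn", "login", "reset", "secure")

def normalize(label: str) -> str:
    """Fold common look-alike substitutions so visually similar labels compare equal.
    Deliberately aggressive (e.g. 'rn' -> 'm'): we prefer a false alarm to a miss."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")):
        label = label.replace(src, dst)
    return label

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, protected: str) -> Optional[str]:
    """Return the impersonation technique detected, or None if the domain looks benign."""
    c_label, _, c_suffix = candidate.lower().partition(".")
    p_label, _, p_suffix = protected.lower().partition(".")
    if c_label == p_label:
        return None if c_suffix == p_suffix else "tld-swap"
    if normalize(c_label) == normalize(p_label):
        return "homoglyph"
    if edit_distance(c_label, p_label) <= 2:
        return "typo"
    remainder = c_label.replace(p_label, "")
    if p_label in c_label and any(w in remainder for w in SUPPORT_WORDS):
        return "brand-plus-keyword"
    return None

def find_lookalikes(new_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Check every new registration against every protected domain; return hits."""
    return [(d, p, v) for d in new_domains for p in PROTECTED_DOMAINS
            if (v := classify(d, p)) is not None]
```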
The Ransomware Connection Most People Miss
Here's something that doesn't get enough attention: vishing is increasingly being used as the initial access vector for ransomware attacks. Threat actors call employees, steal VPN credentials, gain network access, and deploy ransomware — sometimes within hours. The Colonial Pipeline attack in May 2021, which disrupted fuel supplies across the eastern United States, involved compromised VPN credentials. While the specific initial access method in that case pointed to a legacy VPN account, it underscores how credential theft — whether through vishing, smishing, or other means — directly enables ransomware.
The FBI IC3's 2020 report documented $29.1 million in reported ransomware losses, and the agency acknowledged that number vastly understates the true cost. When you trace many of these attacks backward, social engineering is the starting point.
Your 30-Day Action Plan
Stop reading and start here:
- Week 1: Audit MFA coverage. Identify every externally accessible system without MFA and create a deployment timeline.
- Week 2: Draft and publish a verbal verification policy for phone-based IT requests. Brief all employees.
- Week 3: Launch your first vishing or smishing simulation. Measure baseline susceptibility. If you need a starting point, explore phishing simulation training designed for this exact scenario.
- Week 4: Enroll your organization in ongoing cybersecurity awareness training that covers voice and text-based social engineering — not just email.
The FBI warning on vishing and smishing wasn't a one-time alert. It was the start of a trend that's accelerating. The organizations that act now will be the ones that don't end up in next year's breach statistics. The ones that dismiss phone-based threats as old-school will learn the hard way that threat actors don't care which channel they use — they care about which one works.
Your email filters won't save you from a phone call. Your firewall won't block a text message. Only trained, skeptical employees stand between your organization and a credential theft that spirals into a full-blown data breach. Build that human firewall now, before the next call comes in.