The FBI Warning on Vishing and Smishing You Can't Afford to Ignore

In January 2022, the FBI released an advisory warning that criminals were increasingly using voice phishing (vishing) and SMS phishing (smishing) to steal credentials, drain bank accounts, and breach corporate networks. This wasn't a vague bulletin. It followed a wave of attacks that cost Americans over $44 million in losses through phone-based social engineering in 2021 alone, according to the FBI's IC3 2021 Internet Crime Report.

If you think the FBI warning on vishing and smishing is just about grandma getting tricked by a fake IRS call, think again. Threat actors are now targeting employees at Fortune 500 companies, healthcare systems, and government agencies — using phone calls and text messages to bypass email security controls entirely.

I've spent years helping organizations build defenses against these attacks. Here's what's actually happening, why traditional security tools miss it, and exactly what you should do about it.

What Vishing and Smishing Actually Look Like in 2022

Vishing: Not Your Average Robocall

Vishing — voice phishing — is a social engineering attack delivered by phone. The attacker impersonates someone the victim trusts: a bank fraud department, an IT help desk technician, a government agency representative. The goal is always the same — credential theft, account access, or unauthorized wire transfers.

The attack that made headlines in July 2020 illustrates this perfectly. Attackers called Twitter employees posing as IT staff, convincing them to hand over internal tool credentials. That single vishing campaign led to the compromise of 130 high-profile Twitter accounts, including those of Barack Obama, Elon Musk, and Apple. The attackers made off with over $100,000 in Bitcoin in just hours.

What made that attack devastating wasn't technical sophistication. It was a phone call. A convincing human voice. That's vishing.

Smishing: The Text Message You Didn't Expect

Smishing uses SMS text messages to deliver malicious links or trick victims into revealing sensitive information. In my experience, smishing is even more dangerous than email phishing because people trust text messages more. Open rates on SMS messages exceed 90%, compared to roughly 20% for email.

In 2022, the FCC issued warnings about a massive uptick in smishing attacks, with Americans receiving an estimated 8.7 billion spam text messages in March 2022 alone. Many of those carried malicious payloads — fake package delivery notices from USPS, bogus bank alerts, and COVID-related scams.

The FBI warning on vishing and smishing specifically called out attacks where criminals send texts impersonating financial institutions, asking victims to call a number or click a link. Once they do, the trap is set.

Why These Attacks Are Surging Right Now

Three factors are driving the explosion of vishing and smishing attacks this year.

1. Remote work destroyed the perimeter. When your employees work from home, they're answering personal phones, using personal devices, and operating outside your corporate network. An attacker who calls an employee's cell phone bypasses your email gateway, your web proxy, and your endpoint detection — all at once.

2. Caller ID spoofing is trivial. For less than $20, an attacker can spoof any phone number. Your employee sees a call from your company's main line, your bank's 800 number, or a government agency. The technology to fake caller ID is legal, widely available, and nearly impossible to block.

3. Multi-factor authentication created a new attack surface. This sounds counterintuitive. MFA is critical — I recommend it universally. But attackers have adapted. They now use vishing calls to trick employees into reading back one-time passcodes or approving push notifications. The Lapsus$ group used exactly this technique in 2022 to breach Uber, Okta, and other major companies. They bombarded employees with MFA push requests and then called them, posing as IT support, asking them to approve the login.
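The push-bombing pattern described in point 3 leaves a recognisable trail in identity-provider logs: a burst of push challenges for one account, most denied or left to expire, and then an approval. The following detection routine is an added example written for this article; it is not from the FBI advisory, from any vendor's product, or from the Lapsus$ reporting, and the log format, field names, user names and IP addresses are all constructed for illustration.

```python
"""Detection logic for MFA push bombing, run over constructed IdP log lines.

Assumed line format (not any real vendor's schema):
  <UTC timestamp> user=<login> event=<push_sent|push_denied|push_expired|push_approved> ip=<address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice receives a burst of pushes, rejects or ignores
# most of them, then approves one; bob shows a single normal login.
SAMPLE_LOG = """\
2022-09-15T21:02:10Z user=alice event=push_sent ip=203.0.113.7
2022-09-15T21:02:20Z user=alice event=push_denied ip=203.0.113.7
2022-09-15T21:03:01Z user=alice event=push_sent ip=203.0.113.7
2022-09-15T21:03:30Z user=alice event=push_expired ip=203.0.113.7
2022-09-15T21:04:05Z user=alice event=push_sent ip=203.0.113.7
2022-09-15T21:04:40Z user=alice event=push_denied ip=203.0.113.7
2022-09-15T21:06:12Z user=alice event=push_sent ip=203.0.113.7
2022-09-15T21:07:00Z user=alice event=push_approved ip=203.0.113.7
2022-09-15T21:05:00Z user=bob event=push_sent ip=198.51.100.4
2022-09-15T21:05:08Z user=bob event=push_approved ip=198.51.100.4
"""

PUSH_THRESHOLD = 3              # this many pushes ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a fatigue pattern


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push count inside `window` reaches `threshold`.

    Severity is 'high' when an approval follows the burst (bombing plus a
    phone call that talks the user into tapping Approve), otherwise 'medium'
    (bombing attempted, user held firm). Both deserve a responder's attention.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        sent = [r["ts"] for r in recs if r["event"] == "push_sent"]
        start = 0
        for end in range(len(sent)):
            # slide the window start forward until it spans at most `window`
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst_start = sent[start]
            pushes = sum(1 for t in sent if burst_start <= t <= burst_start + window)
            rejected = sum(1 for r in recs
                           if r["event"] in ("push_denied", "push_expired") and r["ts"] >= burst_start)
            approved = any(r["event"] == "push_approved" and r["ts"] >= burst_start for r in recs)
            alerts.append({
                "user": user,
                "burst_start": burst_start.isoformat(),
                "pushes": pushes,
                "rejected": rejected,
                "approved_after_burst": approved,
                "severity": "high" if approved else "medium",
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Tune the threshold and window to your own baseline: a user who legitimately mistypes a password twice will generate two pushes, so the count that separates noise from bombing is something you measure from your logs rather than copy from this example. The 'medium' alerts are also worth acting on, because the employee who denied the pushes may be the next one to get the "this is IT, just approve it" call.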

The $44 Million Question: Who's Getting Hit?

According to the FBI's IC3 data, phishing (including vishing and smishing) was the number one reported cybercrime category in 2021, with 323,972 complaints. The financial losses specifically from vishing/smishing/pharming hit $44.2 million.

But that figure is dramatically understated. Most vishing and smishing attacks go unreported. The victim often doesn't realize they've been compromised until weeks later when a data breach surfaces or money disappears.

Industries hit hardest include:

  • Financial services — Attackers impersonate fraud departments to steal banking credentials
  • Healthcare — Staff are tricked into revealing patient portal access or EHR credentials
  • Technology — Help desk impersonation leads to internal system compromise
  • Government — Attackers pose as agency officials to harvest employee credentials

If your organization hasn't experienced a vishing or smishing attempt yet, you likely just haven't detected one.

How Do Vishing and Smishing Differ from Email Phishing?

This is a question I get constantly, and the distinction matters for your defense strategy.

Email phishing is filtered by spam gateways, scanned by URL sandboxes, and flagged by endpoint tools. Your organization probably has layers of technology watching email. Vishing and smishing bypass all of those controls. There is no spam filter for a phone call. There is no sandbox for a text message received on a personal device.

The social engineering principles are identical — urgency, authority, fear, trust — but the delivery channel is unprotected. That's why the FBI warning on vishing and smishing specifically urged organizations to implement training-based defenses, not just technical controls.

This is where cybersecurity awareness training becomes your most critical layer. Technology can't stop an employee from reading a six-digit code to a convincing caller. Only training can.

Real Vishing Attacks That Breached Major Companies

Twitter (2020): The Vishing Attack That Shook Silicon Valley

I already mentioned this one, but the details are worth studying. The attackers researched Twitter employees on LinkedIn, identified those with access to internal admin tools, and called them posing as IT staff. They directed employees to a fake VPN login page. The credentials harvested from those calls gave attackers access to Twitter's internal systems, leading to one of the most visible breaches in social media history.

Uber (September 2022): MFA Fatigue + Vishing

Just weeks ago, an 18-year-old attacker associated with the Lapsus$ group compromised Uber's entire internal network. The attack started with purchased credentials from the dark web, followed by MFA push spam — sending repeated authentication requests to an employee's phone. When that didn't work, the attacker called the employee on WhatsApp, claimed to be Uber IT, and convinced them to approve the MFA prompt. From there, the attacker accessed Uber's Slack, Google Workspace, AWS console, and HackerOne vulnerability reports.

This is what a modern vishing attack looks like. It's not a Nigerian prince. It's a calculated, multi-step social engineering operation.

Robinhood (November 2021)

An attacker called a Robinhood customer support employee, used social engineering to gain access to internal support systems, and exfiltrated personal data on approximately 7 million customers. Names, email addresses, and in some cases more extensive personal information were exposed — all from a single phone call.

Seven Steps to Defend Against Vishing and Smishing

Here's what I recommend to every organization I work with. These aren't theoretical — they're the specific controls that stop these attacks.

1. Train Your People — Specifically on Voice and Text Attacks

Most security awareness programs focus almost exclusively on email phishing. That leaves a massive blind spot. Your training must cover vishing scenarios (fake IT calls, fake bank calls, MFA fatigue attacks) and smishing scenarios (fake delivery notifications, bogus account alerts). Our phishing awareness training for organizations covers these attack vectors with realistic simulations that prepare employees for what they'll actually face.

2. Implement a Verbal Verification Policy

Establish a rule: no employee should ever provide credentials, approve MFA prompts, or transfer funds based solely on a phone call. If someone calls claiming to be from IT, the employee hangs up and calls back using a verified number from the company directory. This single policy would have prevented the Twitter, Uber, and Robinhood breaches.

3. Deploy Phishing-Resistant MFA

FIDO2 security keys and hardware tokens eliminate the MFA fatigue attack entirely. An attacker can't call your employee and ask them to tap a YubiKey remotely. CISA's guidance on phishing-resistant MFA lays out exactly how to implement this.
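The reason a FIDO2 assertion cannot be talked out of an employee over the phone is that there is nothing to read back: the authenticator signs a challenge that is bound to the site's origin and relying-party ID, and the server checks that binding. The block below is an added example, not CISA's guidance text or any WebAuthn library's code; `RP_ID`, the allowed origins, the lookalike domain and the assertion bytes are constructed for illustration. It shows the relying-party checks on clientDataJSON and authenticatorData that make a proxied or replayed login fail.

```python
"""Relying-party (RP) side of a WebAuthn assertion: the checks that bind a
login to the RP's own origin and rpId. Added example with constructed inputs.

Omitted here, but mandatory in a real RP: verify the authenticator's signature
over authenticatorData || SHA-256(clientDataJSON) with the credential's
registered public key, and reject a non-increasing signature counter.
"""
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                                                   # assumed
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge, origin):
    """The clientDataJSON a browser builds for navigator.credentials.get() (constructed)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, sign_count=7):
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4); flags 0x05 = UP|UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def verify_binding(client_data_json, authenticator_data, expected_challenge,
                   rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """RP checks on ceremony type, challenge, origin, rpIdHash and flags. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch: replayed or issued to another session"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed: lookalike or proxy site"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: assertion made for a different relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def run_scenarios(challenge=b"\x01" * 32):
    """A legitimate login next to three situations a phishing kit or replay would produce."""
    good_auth = make_authenticator_data(RP_ID)
    return {
        "legit": verify_binding(
            make_client_data(challenge, "https://login.example.com"), good_auth, challenge),
        "lookalike_origin": verify_binding(
            make_client_data(challenge, "https://login.example-com.net"), good_auth, challenge),
        "replayed_challenge": verify_binding(
            make_client_data(b"\x02" * 32, "https://example.com"), good_auth, challenge),
        "other_rp": verify_binding(
            make_client_data(challenge, "https://example.com"),
            make_authenticator_data("login.example-com.net"), challenge),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

In practice the browser itself refuses to produce an assertion when the page's origin is not covered by the requested rpId, so a lookalike site never even receives one; the server-side checks above are the second layer, and they are what defeat an attacker who relays traffic through a proxy or replays a captured assertion. Compare that with a six-digit code or a push prompt, which are bound to nothing and can be read aloud or approved on request.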

4. Adopt Zero Trust Architecture

Zero trust means never trusting a session, device, or user just because they authenticated once. Even if an attacker tricks an employee via vishing and gets initial access, zero trust segmentation, continuous authentication, and least-privilege access controls limit the blast radius. The Uber breach escalated because a single compromised account had access to far too many systems.

5. Monitor for Caller ID Spoofing of Your Numbers

Work with your telecom provider to implement STIR/SHAKEN, the FCC-mandated caller ID authentication framework. While you can't prevent all spoofing, you can reduce attackers' ability to impersonate your organization's phone numbers when calling your own employees or customers.
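STIR/SHAKEN works by having the originating carrier sign a small JWT, the PASSporT, that is carried in the SIP Identity header and states which number the call claims to come from and how strongly the carrier vouches for it (attestation A, B or C). The block below is an added example, not code from any carrier, the FCC, or a SIP stack; the phone numbers are from the fictional 555 range, the certificate URL is assumed, and the signature bytes are filler. It builds a sample Identity header and then runs the claim checks a verification service applies after it has verified the ES256 signature against the certificate at the `x5u` URL, which this example does not do.

```python
"""Claim checks on a STIR/SHAKEN PASSporT carried in a SIP Identity header.
Added example with constructed inputs. PASSporT: RFC 8225; SHAKEN profile:
RFC 8588; Identity header: RFC 8224. Signature verification against the x5u
certificate is a prerequisite and is not performed here.
"""
import base64
import json
import re
import time
import uuid

MAX_AGE_SECONDS = 60  # RFC 8224 freshness limit for the iat claim


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_tn(tn):
    """E.164 digits only: drop '+', spaces, dashes and parentheses."""
    return re.sub(r"\D", "", tn)


def build_identity_header(orig_tn, dest_tn, attest, iat, x5u="https://cert.example.net/shaken.pem"):
    """Construct an Identity header as an originating carrier would (constructed, unsigned)."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {"attest": attest, "dest": {"tn": [normalize_tn(dest_tn)]}, "iat": iat,
               "orig": {"tn": normalize_tn(orig_tn)}, "origid": str(uuid.uuid4())}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    parts.append(b64url_encode(b"\x00" * 64))  # placeholder where the ES256 signature belongs
    return ".".join(parts) + f";info=<{x5u}>;alg=ES256;ppt=shaken"


def check_passport_claims(identity_header, from_tn, to_tn, now=None):
    """Return {'verdict': 'pass'|'caution'|'reject', 'attest', 'problems', 'x5u'}."""
    now = time.time() if now is None else now
    parts = identity_header.split(";", 1)[0].split(".")
    if len(parts) != 3:
        return {"verdict": "reject", "attest": None, "problems": ["malformed PASSporT"], "x5u": None}
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return {"verdict": "reject", "attest": None, "problems": ["undecodable PASSporT"], "x5u": None}

    problems = []
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    if header.get("alg") != "ES256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    attest = payload.get("attest")
    if attest not in ("A", "B", "C"):
        problems.append(f"invalid attest {attest!r}")
    if normalize_tn(payload.get("orig", {}).get("tn", "")) != normalize_tn(from_tn):
        problems.append("orig.tn does not match the SIP From number")
    dest = [normalize_tn(t) for t in payload.get("dest", {}).get("tn", [])]
    if normalize_tn(to_tn) not in dest:
        problems.append("called number not in dest.tn")
    if abs(now - payload.get("iat", 0)) > MAX_AGE_SECONDS:
        problems.append("iat outside the freshness window")

    if problems:
        verdict = "reject"
    elif attest == "A":
        verdict = "pass"      # carrier authenticated the customer and their right to the number
    else:
        verdict = "caution"   # B: customer known, number unverified; C: gateway, nothing verified
    return {"verdict": verdict, "attest": attest, "problems": problems, "x5u": header.get("x5u")}


def run_scenarios(now=1663275000):
    """Your main line (202-555-0100) calling an employee (202-555-0150) under four conditions."""
    main_line, employee = "+1 202 555 0100", "+1 202 555 0150"
    return {
        "full_attestation": check_passport_claims(
            build_identity_header(main_line, employee, "A", now), main_line, employee, now + 5),
        "gateway_attestation": check_passport_claims(
            build_identity_header(main_line, employee, "C", now), main_line, employee, now + 5),
        "stale": check_passport_claims(
            build_identity_header(main_line, employee, "A", now - 300), main_line, employee, now),
        "number_mismatch": check_passport_claims(
            build_identity_header("+1 202 555 0199", employee, "A", now), main_line, employee, now + 5),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result['verdict']:8s} attest={result['attest']} {result['problems']}")
```

The case to watch for is `gateway_attestation`: a call that displays your main line but arrives with attestation C (or B) means no carrier vouched for that number, which is exactly what a spoofed call through a VoIP gateway looks like. Ask your provider whether they can expose the attestation level to your phone system or call-analytics feed, so that calls claiming your own numbers with anything less than full attestation can be flagged or routed to voicemail.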

6. Establish an Internal Reporting Channel

Make it ridiculously easy for employees to report suspicious calls and texts. That can be a dedicated Slack channel, a short-code SMS number, or a one-click reporting button in your security portal. Every reported attempt is intelligence you can use to warn others and tune defenses. In my experience, organizations that make reporting easy see 3-5x more reports — and catch attacks faster.

7. Run Vishing Simulations

You already run phishing simulations over email (and if you don't, start today). Add vishing simulations. Have your red team or a trusted partner call employees using realistic pretexts — password resets, VPN issues, MFA problems. Measure who complies. Train the ones who do. Repeat quarterly.

What the FBI Recommends You Do Right Now

The FBI's guidance in their vishing and smishing advisories includes several specific recommendations that align with NIST's Cybersecurity Framework:

  • Verify the identity of callers before providing any information
  • Never click links in unsolicited text messages
  • Contact organizations directly using numbers from official websites, not numbers provided in calls or texts
  • Enable MFA on all accounts — but use phishing-resistant methods when possible
  • Report vishing and smishing attempts to the FBI's IC3 at ic3.gov

These recommendations aren't groundbreaking. But the fact that the FBI felt compelled to issue them publicly tells you the scale of the problem.

Your Employees Are the Target — Make Them the Defense

Every vishing and smishing attack ends the same way: a human being makes a decision. They either hand over the credential or they don't. They either click the link or they don't. They either approve the MFA push or they don't.

No firewall, no SIEM, no EDR tool intercepts that moment. Only training does.

The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved the human element — including social engineering, credential theft, and errors. Your people aren't the weakest link. They're the most targeted link. There's a difference, and it changes how you should invest.

Start with comprehensive security awareness training that covers vishing, smishing, and modern social engineering tactics. Then layer on phishing simulations that include voice and text scenarios. Measure, train, repeat.

The FBI's warning is clear. The threat actors aren't slowing down. Your response needs to be faster than their next phone call.