Vishing & Smishing – The Phone & Text Scams Targeting Your Business

You’ve probably heard the word “phishing” more times than you can count. Email scams, dodgy links, fake login pages – most business owners now know to be at least a little wary. But while attention has been firmly on the inbox, criminals have quietly shifted their focus elsewhere – to your phone.

Vishing (voice phishing) and smishing (SMS phishing) are two of the fastest-growing cyber threats facing UK businesses right now. They’re less talked about, often underestimated, and in many cases, far more convincing than a suspicious email.

Here’s what you need to know.

What Is Vishing?

Vishing is when a criminal calls you – or a member of your team – pretending to be someone trustworthy. That might be your bank, HMRC, Microsoft support, or even your own IT provider.

The goal is simple: get you to hand over sensitive information, transfer money, or grant access to your systems. And they’re often very good at it. Vishers do their homework. They’ll know your name, your company, sometimes even recent activity on your accounts. The call feels legitimate because it’s been designed to.

Common vishing scenarios include fake IT support calls (claiming your system has been compromised and they need remote access), HMRC impersonation (threatening legal action over unpaid tax), and supplier fraud (someone posing as a known contact to redirect a payment).

What Is Smishing?

Smishing works on the same principle but arrives via text message. A typical smishing attack might look like a delivery notification asking you to click a link, a bank alert urging you to verify your account, or a message from a colleague or supplier asking you to act urgently.

The text often includes a link that takes you to a convincing but fake website designed to steal your login credentials or install malware. Because people tend to trust text messages more than emails – and often read them quickly and without much thought – smishing attacks have an alarmingly high success rate.

Why Are These Attacks So Effective?

Both vishing and smishing exploit something that no software can fully patch: human nature.

When someone calls in a panic saying your business has been breached and they need access immediately, the instinct is to act. When a text arrives saying a payment has failed and your account will be suspended, it triggers anxiety. Criminals deliberately create urgency because urgency overrides caution.

There’s also the question of context. Most of us are primed to be suspicious of emails – we’ve been trained to check the sender address, look for spelling mistakes, and hover over links. But how many of your staff have received the same training for calls and texts? For most businesses, the answer is very few.

The Business Risk

The consequences of falling victim to vishing or smishing can be severe. We’re not just talking about embarrassment – we’re talking about financial loss, compromised systems, stolen client data, and potential regulatory breaches under UK GDPR.

According to the UK Government’s Cyber Security Breaches Survey, social engineering attacks – which include phone and SMS-based scams – remain one of the most common ways businesses are compromised. And smaller businesses are frequently targeted precisely because they’re less likely to have robust defences in place.

What Can Your Business Do?

The good news is that there are practical steps you can take right now.

Train your team. Make sure staff understand that vishing and smishing are real threats. Run through common scenarios so they know what to look out for. A quick call to verify a request through an official number is always worth the extra minute.

Establish verification procedures. If anyone calls requesting access to systems or asking for payments to be made, have a clear process in place. No legitimate organisation will object to being verified.

Never click links in unexpected texts. If a message appears to be from your bank, HMRC, or a supplier, go directly to their official website rather than using any link provided.

Consider call filtering and mobile security tools. There are solutions available that can flag suspicious calls and messages before they reach your staff.

Work with a trusted IT partner. Having a managed IT support provider means you have someone to call when something feels off – before it becomes a problem.

Don’t Wait Until It Happens

The most dangerous assumption any business owner can make is that their team “would never fall for that.” Vishing and smishing attacks are sophisticated, targeted, and designed to catch people off guard. The question isn’t whether your business could be targeted – it’s whether you’re prepared if it is.


If you’d like to talk through your current security awareness posture or find out how we can help protect your team from social engineering threats, get in touch with the Provident IT team today. We work with SMEs across the East Midlands to build practical, layered security that covers every angle – including the ones that don’t arrive by email.

About Provident IT

From ad-hoc technical support through to fully managed IT support, the Provident IT team can be your own internal IT department – but with more resources and lower costs. We work with businesses of all sizes and in all kinds of different capacities, with a proven track record for improving productivity, increasing security and reducing IT spend for our clients.
