Phishing, Smishing, Vishing, and Password Protection

Key Takeaways

  • Phishing uses deceptive electronic messages to steal credentials, deliver malware, or trigger unsafe transactions.
  • Smishing rides SMS or messaging apps; vishing rides voice calls; the verify-and-report pattern stays the same.
  • Password hygiene means unique passwords per account, a password manager, MFA on important access, and never sharing secrets.
  • Users report suspicious messages through the approved channel rather than forwarding them or clicking links.
  • MFA fatigue prompts and one-time codes are attacker targets: deny unexpected prompts and treat codes as secrets.

Last updated: June 2026

One Attack, Three Channels

Phishing is deceptive communication built to make people reveal information, click links, open attachments, approve access, or run transactions. It usually arrives by email, but the same playbook appears in texts, collaboration tools, social media, and fake websites. Smishing is phishing by SMS or messaging app. Vishing is phishing by voice call. The channel changes; the judgment pattern does not: pause, inspect, verify, report.

Term            | Channel              | Typical hook
----------------|----------------------|-----------------------------------------------------
Phishing        | Email / web          | Fake invoice, password-expiry, shared-document alert
Spear phishing  | Targeted email       | Uses your name, role, and real project context
Whaling         | Email to executives  | High-value wire or contract approval
Smishing        | SMS / messaging      | Delivery notice, mailbox-disabled, bank alert
Vishing         | Phone call           | "Bank fraud dept" or "IT" requesting codes

Reading the Clues

Phishing messages lean on urgency, account warnings, fake invoices, delivery notices, payroll or tax themes, password-expiration claims, job offers, and shared-document alerts. Technical tells include mismatched sender addresses, lookalike domains, unexpected attachments, shortened links, requests for credentials, odd grammar, and a link whose real destination differs from the visible text (hover to check). Sophisticated messages can look polished and cite real vendors or recent events.

Do not rely on a single clue. A message from a known vendor can still be malicious if that vendor's account was compromised. A perfect logo proves nothing. A link beginning with HTTPS only proves there is a TLS-protected connection to some site, not that the site is trustworthy.
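
The link tells listed above (visible text naming a different host than the real destination, a lookalike domain, a shortened URL) can be checked mechanically. This is an added example, not code from the original page; the sample HTML, the trusted-domain allow-list, the shortener list and the homoglyph table are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample body (not from a real campaign) with three tells the section
# lists: display text naming another host, a homoglyph lookalike, a shortener.
SAMPLE_HTML = """
<a href="https://login.example-secure.net/reset">https://portal.example.com/reset</a>
<a href="https://rnicrosoft.com/sign-in">Sign in</a>
<a href="https://bit.ly/3abcXYZ">View shared document</a>
<a href="https://portal.example.com/help">Help center</a>
"""
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}      # assumed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}           # hide the destination
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # visual confusables
# Simple anchor matcher; enough for the constructed sample, not a real HTML parser.
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.net demo hosts."""
    return ".".join(host.lower().split(".")[-2:])

def looks_like(host, trusted):
    """True if normalising homoglyphs turns an untrusted host into a trusted one."""
    norm = registrable(host)
    for bad, good in HOMOGLYPHS.items():
        norm = norm.replace(bad, good)
    return norm in trusted and registrable(host) not in trusted

def analyze_links(html):
    """Return (href, reason) for each anchor that trips one of the tells."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        text = text.strip()
        # The visible text is a URL: does it name the same place the href goes?
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and registrable(shown) != registrable(host):
            findings.append((href, "display text names a different host"))
        elif registrable(host) in SHORTENERS:
            findings.append((href, "shortened link hides destination"))
        elif looks_like(host, TRUSTED_DOMAINS):
            findings.append((href, "lookalike of trusted domain"))
    return findings
```

The benign "Help center" link on the real domain produces no finding, which is the check that keeps such a rule from flagging every link in every message.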

Safe User Actions

The safest moves are to avoid clicking suspicious links, avoid opening unexpected attachments, never enter credentials via a message link, and report through the approved channel. Many organizations ship a phishing-report button. If a user already clicked, they report that fact promptly and follow instructions. They should not forward the message to coworkers as a "warning" unless that is the approved process, because forwarding spreads the malicious content.

  • Smishing: do not tap links or call numbers from the text; open the known official app or call a verified number.
  • Vishing: never read out passwords, MFA codes, or recovery tokens; hang up and call back on a number you trust.
  • Any channel: when worried the issue is real, reach the service through a separately looked-up portal, not the contact details in the message.

Password Protection

Password protection is more than complexity rules. Strong practice means unique passwords for every account, long passphrases where allowed, a password manager, MFA on important access, secure reset processes, and watching for suspicious sign-in behavior. Never reuse a work password on a personal service; if that personal site is breached, the reused password becomes an entry point into the organization through credential stuffing.

MFA helps but is not magic. Attackers try MFA fatigue (a.k.a. prompt bombing), sending repeated approval prompts until a tired user taps Approve. The correct response to an unexpected prompt is to deny it and report it. Attackers also phish one-time codes directly through smishing or vishing, so treat those codes as secrets that no legitimate party will ask you to read aloud.
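
Prompt bombing leaves a distinctive trace in identity-provider logs: a burst of push prompts to one user in a short window, sometimes followed by an approval. The following is an added detection example, not code from the original page; the log lines, the field layout, the threshold and the window are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA events (not from any real IdP): timestamp, user, event.
SAMPLE_LOG = """\
2026-06-01T08:14:02Z alice push_sent
2026-06-01T08:14:03Z alice push_denied
2026-06-01T08:14:20Z alice push_sent
2026-06-01T08:14:41Z alice push_sent
2026-06-01T08:14:55Z alice push_sent
2026-06-01T08:15:10Z alice push_sent
2026-06-01T08:15:30Z alice push_approved
2026-06-01T09:00:00Z bob push_sent
2026-06-01T09:00:09Z bob push_approved
"""

def parse_log(text):
    """Yield (time, user, event) from whitespace-separated lines."""
    for line in text.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def find_prompt_bombing(text, threshold=4, window=timedelta(minutes=2)):
    """Flag users who got >= threshold pushes within `window` (sliding).

    Also record whether a push was approved within `window` after the burst:
    that case needs session revocation and a credential reset, not just a call."""
    sent, approved = defaultdict(list), defaultdict(list)
    for t, user, event in parse_log(text):
        if event == "push_sent":
            sent[user].append(t)
        elif event == "push_approved":
            approved[user].append(t)
    alerts = {}
    for user, times in sent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hit = any(t <= a <= t + window for a in approved[user])
                alerts[user] = {"pushes": count, "approved_after_burst": hit}
    return alerts
```

Bob's single prompt followed by an approval is normal sign-in and is not flagged; Alice's five prompts in just over a minute, with an approval at the end, is the case that needs immediate containment.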

Scenario Judgment

Scenario: an employee receives an after-hours text claiming their corporate mailbox will be disabled unless they tap a shortened URL and sign in. The right action is to ignore the link and report the message; if genuinely worried, the user reaches IT through a known company portal.

Second scenario: a user already clicked a fake payroll link and entered credentials. The wrong move is to quietly change the password and hope. The right step is to report immediately so the organization can reset credentials, revoke active sessions, check MFA status, review logs, and contain account misuse. Fast reporting protects both the user and the organization.

Business Email Compromise and Payment Fraud

A high-value variant the exam loves is business email compromise (BEC), where an attacker impersonates an executive, vendor, or partner to redirect a payment or extract data. BEC often skips malicious links entirely — it is pure social engineering in a polished email, which is why URL filters miss it. Classic patterns are a "new banking details" request from a known supplier, a CEO asking finance to rush a confidential wire, or an HR data request for employee tax forms.

The defenses are procedural, not technical: out-of-band verification of any payment change on a pre-established phone number, dual approval for wire transfers above a threshold, and a culture where junior staff feel safe questioning an "urgent" executive request. On the exam, the correct answer to a BEC scenario is almost always to verify the change through a separate, trusted channel before any money or data moves.

Phishing Resistance: What Actually Helps

Different controls stop different stages of a credential attack. Spam and URL filters block many lures before they arrive. Security awareness training plus simulated phishing improves user detection and reporting rates over time. MFA blocks an attacker who steals only a password. Phishing-resistant MFA such as FIDO2/WebAuthn passkeys or hardware security keys goes further, because the credential is cryptographically bound to the legitimate site and cannot be replayed against a lookalike domain — even a user who is fully fooled cannot hand a passkey to a fake page.

Password managers add quiet protection by autofilling credentials only on the exact registered domain, so a manager that refuses to fill a login form is itself a phishing warning. Layering these controls means no single human mistake leads directly to compromise.
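
Both of these controls rest on the same idea: the client, not the user, decides whether the site matches the registered one. The following is an added example, not code from the original page or any WebAuthn library, modelling the assertion flow for the passkey case and the exact-host rule for the password-manager case. The relying party ID, origins and key are constructed; an HMAC stands in for the authenticator's private-key signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json

# Assumed relying party for the demo. DEMO_KEY stands in for the credential's
# private key; what is signed (authenticatorData || SHA-256(clientDataJSON)) and
# the checks in rp_verify follow the WebAuthn assertion flow, the rest is simplified.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
DEMO_KEY = b"constructed-demo-credential-key"

def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].lower()

def browser_allows_rp_id(origin, rp_id):
    """Browser-side rule: rpId must equal the page host or be a parent domain of it,
    so a lookalike site cannot even ask for the credential registered to the real one."""
    host = host_of(origin)
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_sign(origin, challenge):
    """The browser stamps the real page origin into clientDataJSON; the authenticator
    signs over authenticatorData plus the hash of that client data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00" * 4
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(DEMO_KEY, to_sign, hashlib.sha256).digest()

def rp_verify(client_data, auth_data, sig, expected_challenge):
    """Relying-party checks in the order the spec lists them; 'ok' on success."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(sig, hmac.new(DEMO_KEY, to_sign, hashlib.sha256).digest()):
        return "bad signature"
    return "ok"

def manager_should_fill(vault_host, page_origin):
    """Password-manager rule from the text: autofill only on the exact saved host."""
    return host_of(page_origin) == vault_host
```

A phishing page at a lookalike origin fails twice: the browser refuses to use the credential for that rpId at all, and even an assertion somehow produced there carries the lookalike origin, which the real site rejects.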

Test Your Knowledge

A text message says a user must tap a shortened link to prevent mailbox deletion. Which attack is most likely?

What should a user do immediately after entering a password into a suspected phishing site?

An employee gets several unexpected MFA approval prompts within a minute while not signing in anywhere. What is the best response?
