Phishing, Smishing, and Vishing: understanding the threats and how to protect yourself

It is no secret that the rapid digitization of society has profoundly transformed personal and business relationships. Studies show that in 2024, financial losses caused by online scams amounted to R$ 10.1 billion, a 17% increase from the previous year.

This transformation, however, has also expanded the attack surface for cybercriminals, who increasingly rely on social engineering to carry out sophisticated fraud schemes.

Among the most common are phishing, smishing, and vishing — practices that, although different in the methods used, share the same goal: deceive victims to steal sensitive information, especially access credentials. Although traditionally associated with scams against consumers, these forms of social engineering are also highly effective in the corporate environment. Scammers target companies to gain access to internal systems, compromise supply chains, and conduct large-scale financial fraud.

Are phishing, smishing, and vishing the same threat?

To begin the explanation, it is important to understand that the term social engineering refers to a set of techniques used by scammers to emotionally and socially manipulate victims, leading them to act against their own interests and compromising their security.

Phishing is the most well-known type of scam. Phishing kits can be found on the dark web, and scammers who lack the expertise can even pay others to run the campaign for them. It usually involves sending emails or messages posing as trusted institutions, such as banks, retailers, or online services.

The goal is to deceive the recipient into clicking on malicious links that lead to fake websites, very similar to the original ones, in order to capture passwords and other sensitive information, such as document numbers or credit card data. According to Serpro data, phishing continues to be one of the most frequent types of fraud in Brazil, and criminals are improving their strategies with the use of artificial intelligence (AI) and deepfakes to create even more convincing and personalized content. A recent case was the arrest of a man for involvement in a criminal group that scams using manipulated deepfake videos, with the image and voice of presenter Marcos Mion.

Scammers also carry out frauds such as Business Email Compromise (BEC) and CEO fraud, in which emails impersonating executives induce employees to transfer money or provide credentials.

Smishing (a combination of SMS and phishing), on the other hand, uses text messages to deceive victims. With the popularity of messaging apps such as WhatsApp and Telegram, this method has gained strength, exploiting people's tendency to respond quickly to messages that seem urgent or important.

Vishing (voice phishing) is carried out through telephone calls in which the scammer poses as a representative of a company or institution. A persuasive tone, combined with data obtained from earlier leaks, makes victims more likely to share confidential information over the phone. This type of scam has been increasingly targeting Brazilian companies, especially large corporations.

Old accounts are the most valuable assets for criminals

The growth of these frauds is directly related to the value that account-based ecosystems represent. An old and trustworthy account is more valuable to criminals than direct money theft, because accounts with a history of legitimate activity are less likely to be flagged automatically by traditional fraud detection systems.

Scammers use phishing and its variations together to gain access to these accounts, which may have years of relationships and transactions that validate their reputation. Once inside, the criminal can study purchase history, behavioral patterns, and in some cases, even interact with customer support, pretending to be the legitimate account holder.

As pointed out in Nethone’s report, some fraudsters go as far as building relationships with support staff, deceiving them to make changes to the account that facilitate the execution of the scam – a process known as account takeover. This type of attack causes not only direct financial losses but also compromises trust in digital platforms and services.

The impact of artificial intelligence and automation on fraud

Historically, social engineering campaigns required planning, time, and a certain degree of manual customization. However, the widespread adoption of large language models (LLMs) has completely changed this scenario.

Today, with generative AI-based automated tools, criminals can create and launch phishing campaigns within minutes. Well-written texts that previously required fluency or time to be crafted are now automatically generated with a high degree of sophistication. As a result, the volume and frequency of these attacks have increased alarmingly.

This growth reflects not only the broader reach of fraudulent campaigns, but also the effectiveness of new AI and automation-based techniques.

Those who think phishing, smishing, and vishing are risks exclusive to individual consumers are mistaken. Companies are also frequent victims of these frauds, especially when corporate credentials are exposed on the dark web. According to Nethone’s analysis, scammers can acquire leaked employee data, gaining privileged access to internal systems and sensitive databases.

From there, they make subtle moves: study the company’s buying or operational behavior, create interactions with technical or commercial support, and gradually manipulate internal processes to carry out fraudulent transactions without raising immediate suspicions. This practice compromises not only the organization’s security but also its trust relationship with customers and partners.

How to protect against these threats?

Protection against phishing, smishing, and vishing involves a combination of technology, processes, and awareness.

Education and awareness: the first line of defense is always the person. Both companies and users need to be educated to recognize common signs of these scams, such as spelling errors, excessive urgency in messages, requests for sensitive information, and unusual communication channels.

Multi-Factor Authentication (MFA): even if credentials are compromised, the use of multiple layers of authentication makes unauthorized access difficult.

Credential Monitoring: Tools that monitor the exposure of credentials on the dark web are essential for companies and individuals to be quickly alerted to leaks.

AI-Based Fraud Detection Systems: Just as criminals do, companies need to turn to artificial intelligence to detect anomalous behavior patterns that indicate possible intrusions or fraud attempts.
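One way to turn the account takeover sequence described above (a login from an unknown device, account changes made through support, then a large transfer on a long-tenured account) into a detection rule over account events. This is an added example, not code from Nethone, Serpro or this article; the event fields, weights, thresholds and sample data are assumptions.

```python
from datetime import datetime, timedelta

LARGE_TRANSFER = 5000.0            # assumed threshold, in account currency units
WINDOW = timedelta(days=7)         # look-back window for the takeover sequence

def takeover_score(account, events, now):
    """Return (score, reasons) for one account's events inside WINDOW.

    The sequence the article describes: a login from an unknown device, an
    account change made through support, then a large transfer. Each signal
    adds weight; the transfer only counts after one of the earlier signals,
    and a long-tenured account with this pattern scores higher, not lower."""
    recent = [e for e in events
              if e["account"] == account["id"] and now - e["ts"] <= WINDOW]
    new_device = [e for e in recent
                  if e["kind"] == "login" and e["device"] not in account["devices"]]
    support = [e for e in recent if e["kind"] == "support_change"]
    big = [e for e in recent
           if e["kind"] == "transfer" and e["amount"] >= LARGE_TRANSFER]
    score, reasons = 0, []
    if new_device:
        score, reasons = score + 2, reasons + ["login from unknown device"]
    if support:
        score, reasons = score + 3, reasons + ["account details changed via support"]
    if big and (new_device or support):
        score, reasons = score + 4, reasons + ["large transfer after the signals above"]
    if score >= 5 and now - account["created"] >= timedelta(days=3 * 365):
        score, reasons = score + 1, reasons + ["atypical for a long-tenured account"]
    return score, reasons

# Constructed sample data for the demonstration; no real accounts or events.
NOW = datetime(2025, 3, 10, 12, 0)
ACCOUNTS = {
    "A1": {"id": "A1", "created": datetime(2018, 5, 1), "devices": {"phone-old"}},
    "B2": {"id": "B2", "created": datetime(2018, 5, 1), "devices": {"laptop-home"}},
}
EVENTS = [
    {"account": "A1", "ts": NOW - timedelta(days=3), "kind": "login", "device": "browser-new"},
    {"account": "A1", "ts": NOW - timedelta(days=2), "kind": "support_change"},
    {"account": "A1", "ts": NOW - timedelta(hours=6), "kind": "transfer", "amount": 8500.0},
    {"account": "B2", "ts": NOW - timedelta(days=1), "kind": "login", "device": "laptop-home"},
    {"account": "B2", "ts": NOW - timedelta(hours=1), "kind": "transfer", "amount": 120.0},
]

def flagged(threshold=5):
    """Account ids whose recent activity reaches the review threshold."""
    return sorted(a for a, acc in ACCOUNTS.items()
                  if takeover_score(acc, EVENTS, NOW)[0] >= threshold)
```

Account A1 accumulates all four signals and is flagged for review, while B2, with a known device and a routine transfer, scores zero; in practice the weights would be tuned against the platform's own history.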

In times when trust is a valuable currency, protecting credentials and maintaining a vigilant posture is essential to preserve the digital integrity of individuals and companies.