
Phishing, Smishing, and Vishing: Understanding the Threats and How to Protect Yourself

It’s no secret that the rapid digitization of society has profoundly transformed personal and business relationships. Studies show that in 2024, financial losses caused by online scams reached R$10.1 billion, a 17% increase from the previous year.

This transformation, however, has also expanded the attack surface for cybercriminals, who increasingly rely on social engineering to execute sophisticated fraud schemes.

Among the most common are phishing, smishing, and vishing—practices that, although different in their methods, share the same goal: deceiving victims to steal sensitive information, especially login credentials. Although traditionally associated with scams against consumers, these forms of social engineering are also highly effective in corporate environments. Fraudsters target companies to gain access to internal systems, compromise supply chains, and execute large-scale financial fraud.

Are Phishing, Smishing, and Vishing the Same Threats?

Social engineering refers to a set of techniques fraudsters use to emotionally and socially manipulate victims, leading them to act against their own interests and compromise their own security.

Phishing is the best-known form of this scam. It typically involves sending emails or messages impersonating trusted institutions like banks, retailers, or online services. Phishing email kits can be found on the dark web, and for fraudsters who aren’t experts, there are services that execute the scam for them.

The goal is to trick the recipient into clicking malicious links that lead to fake websites, very similar to the real ones, aiming to capture passwords and other sensitive information, such as document numbers or credit card details. According to Serpro data, phishing remains one of the most frequent fraud types in Brazil, and criminals are refining their strategies with artificial intelligence (AI) and deepfakes to create even more convincing and personalized content. A recent case was the arrest of a man for participating in a criminal group that used deepfake videos featuring the image and voice of TV host Marcos Mion.

Fraudsters also carry out scams like Business Email Compromise (BEC) and the fake CEO scam, using emails impersonating executives to trick employees into transferring money or providing credentials.

On the other hand, smishing (a combination of SMS and phishing) uses text messages to deceive victims. With the popularity of messaging apps like WhatsApp and Telegram, this method has gained traction, exploiting people’s tendency to quickly respond to messages that seem urgent or important.

Meanwhile, vishing (voice phishing) is carried out through phone calls, where the fraudster poses as a representative of a company or institution. A persuasive tone, combined with the use of data obtained from previous leaks, makes victims more likely to share confidential information over the phone. This type of scam has increasingly targeted Brazilian companies, especially large corporations.

Old accounts are the most valuable assets for criminals

The growth of these frauds is directly related to the value of account-based ecosystems. An old and trusted account is more valuable to criminals than direct theft of money. This is because accounts with a history of legitimate activity are less likely to be automatically detected by traditional fraud detection systems.

Fraudsters use phishing and its variations together to gain access to these accounts, which may have years of relationships and transactions validating their reputation. Once inside, the criminal can study purchase history, behavior patterns, and in some cases, even interact with customer service, pretending to be the legitimate account holder.

As pointed out in a Nethone report, some fraudsters even build relationships with support agents, deceiving them into making account changes that facilitate the scam—a process known as account takeover. This type of attack not only causes direct financial losses but also undermines trust in digital platforms and services.

The impact of artificial intelligence and automation on fraud

Historically, social engineering campaigns required planning, time, and a degree of manual customization. However, the widespread adoption of generative large language models (LLMs) has completely changed this landscape.

Today, with automated tools based on generative AI, criminals can create and launch phishing campaigns in minutes. Well-written texts, which previously required fluency or time to craft, are now automatically generated with a high degree of sophistication. As a result, the volume and frequency of these attacks have increased alarmingly.

This growth reflects not only the broader reach of fraudulent campaigns but also the efficiency of new AI and automation-based techniques.

Those who think phishing, smishing, and vishing are risks exclusive to individual consumers are mistaken. Businesses are also frequent victims of these scams, especially when corporate credentials are exposed on the dark web. According to a Nethone analysis, fraudsters can acquire leaked employee data, gaining privileged access to internal systems and sensitive databases.

From there, they make subtle moves: study the company’s purchasing or operational behavior, create interactions with technical or commercial support, and gradually manipulate internal processes to carry out fraudulent transactions without raising immediate suspicion. This practice compromises not only the organization’s security but also the trust relationship with customers and partners.

How to protect yourself from these threats?

Protection against phishing, smishing, and vishing involves a combination of technology, processes, and awareness.

Education and awareness: the first line of defense is always the individual. Both companies and users need to be educated to recognize common signs of these scams, such as spelling errors, excessive urgency in messages, requests for sensitive information, and unusual communication channels.

Multi-Factor Authentication (MFA): even if credentials are compromised, using multiple authentication layers makes unauthorized access more difficult.

Credential Monitoring: tools that monitor credential exposure on the dark web are essential for companies and individuals to be quickly alerted about leaks.

AI-Based Fraud Detection Systems: just like criminals, companies must rely on artificial intelligence to detect anomalous behavior patterns that indicate potential intrusions or fraud attempts.
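
An added example (not from the original article or from Nethone): a fixed sequence rule, not a machine-learning model, that flags the account-takeover pattern described earlier, a login from an unseen device followed by a support-made contact change and a payment to a new payee, without giving older accounts extra trust. The event names, fields, 48-hour window and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # assumed correlation window

# Constructed sample events (not real data): (time, account, type, attributes)
EVENTS = [
    ("2025-03-01T09:00", "A-100", "login", {"device": "d1"}),
    ("2025-03-20T09:05", "A-100", "login", {"device": "d1"}),
    ("2025-04-02T22:10", "A-100", "login", {"device": "d9"}),   # unseen device
    ("2025-04-03T08:30", "A-100", "contact_change", {"channel": "support"}),
    ("2025-04-03T11:00", "A-100", "payment", {"new_payee": True}),
    ("2025-04-01T10:00", "B-200", "login", {"device": "d2"}),
    ("2025-04-05T10:00", "B-200", "login", {"device": "d3"}),   # new device only
    ("2025-04-05T10:20", "B-200", "payment", {"new_payee": False}),
]

def detect_takeover(events, window=WINDOW):
    """Alert on: new-device login -> contact change made through support ->
    payment to a new payee, all within `window` of the login.
    Account age is deliberately not used to lower suspicion."""
    known = defaultdict(set)  # devices already seen per account
    stage = {}                # account -> (step reached, login time, login timestamp)
    alerts = []
    for ts, acct, kind, attrs in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        # Drop a pending sequence once it is older than the window.
        if acct in stage and t - stage[acct][1] > window:
            del stage[acct]
        step = stage.get(acct, (0,))[0]
        if kind == "login":
            dev = attrs["device"]
            if known[acct] and dev not in known[acct]:
                stage[acct] = (1, t, ts)
            known[acct].add(dev)
        elif kind == "contact_change" and attrs.get("channel") == "support":
            if step == 1:
                stage[acct] = (2, stage[acct][1], stage[acct][2])
        elif kind == "payment" and attrs.get("new_payee") and step == 2:
            alerts.append((acct, stage[acct][2], ts))
            del stage[acct]
    return alerts

if __name__ == "__main__":
    for acct, start, end in detect_takeover(EVENTS):
        print(f"possible account takeover on {acct}: {start} -> {end}")
```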

In times when trust is a valuable currency, protecting credentials and maintaining vigilance is essential to preserving the digital integrity of individuals and businesses.
