It is no secret that the rapid digitalization of society has profoundly transformed personal and business relationships. Studies show that in 2024, financial losses caused by online scams reached R$ 10.1 billion, an increase of 17% compared to the previous year.
This transformation, however, has also broadened the attack surface for cybercriminals, who increasingly rely on social engineering to run sophisticated fraud schemes.
Among the most common are phishing, smishing and vishing, practices that differ in method but share the same goal: deceiving victims in order to steal sensitive information, especially access credentials. Although traditionally associated with scams against consumers, these forms of social engineering are also highly effective in the corporate environment. Scammers target companies to gain access to internal systems, compromise supply chains and execute large-scale financial fraud.
Are phishing, Smishing, and Vishing the same threats?
To begin with, it is important to understand that the term social engineering refers to a set of techniques used by scammers to emotionally and socially manipulate victims, leading them to act against their own interests and compromising their safety.
Phishing is the best-known form of this kind of scam. Email phishing kits can be found on the dark web, and scammers who lack the expertise can hire others to run the service for them. It usually involves sending emails or messages that impersonate trusted institutions such as banks, retailers or online services.
The goal is to trick the recipient into clicking malicious links that lead to fake websites, very similar to the original ones, in order to capture passwords and other sensitive information, such as document numbers or credit card data. According to Serpro data, phishing remains one of the most frequent types of fraud in Brazil, and criminals have been improving their strategies with the use of artificial intelligence (AI) and deepfakes to create even more convincing and personalized content. A recent case was the arrest of a man for taking part in a criminal group that used deepfake-manipulated videos with the image and voice of the presenter Marcos Mion.
Scammers also carry out scams like Business Email Compromise (BEC) and the fake CEO scam, with emails posing as executives to trick employees into transferring money or providing credentials.
On the other hand, smishing (a blend of SMS and phishing) uses text messages to deceive victims. With the popularization of messaging applications such as WhatsApp and Telegram, this method has gained traction, exploiting people's tendency to respond quickly to messages that seem urgent or important.
Vishing (voice phishing) is carried out through telephone calls, in which the scammer impersonates a representative of a company or institution. A persuasive tone, combined with the use of data previously obtained in leaks, makes victims more likely to share confidential information over the phone. This type of scam has increasingly hit Brazilian companies, especially large corporations.
Old accounts are the most valuable assets for criminals
The growth of these scams is directly related to the value that account-based ecosystems represent. An old, trusted account is worth more to criminals than a direct theft of money. This is because accounts with a history of legitimate activity are less likely to be automatically detected by traditional fraud detection systems.
Scammers use phishing and its variations together to gain access to these accounts, which can have years of relationship and transactions that validate their reputation. Once inside, the criminal can study purchase history, behavior patterns, and in some cases even interact with customer service by pretending to be the legitimate account holder.
As pointed out in a Nethone report, some fraudsters even build relationships with support agents, tricking them into making changes to the account that facilitate the execution of the scam (account takeover). This type of attack not only causes direct financial losses, but also compromises trust in digital platforms and services.
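As an added example, not taken from the article or from the Nethone report it cites, the following Python script contrasts a naive rule that trusts any account older than a year with a per-account behavioural baseline, run over a constructed takeover sequence (new device abroad, contact details changed through support, then an unusually large purchase). The account data, events, weights and alert threshold are all invented for illustration.

```python
"""Added example (not from the original article): a naive account-age trust rule
versus a per-account behavioural baseline, run over a constructed takeover
sequence. Account data, events, weights and the threshold are all invented."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AccountHistory:
    """What the platform already knows about an account (constructed)."""
    account_id: str
    age_days: int
    devices: Counter = field(default_factory=Counter)    # device id -> login count
    countries: Counter = field(default_factory=Counter)  # country code -> login count
    max_amount: float = 0.0                              # largest past purchase


@dataclass
class Event:
    """One observed action on the account (constructed sample event)."""
    account_id: str
    kind: str                # "login", "support_change" or "purchase"
    device: str = ""
    country: str = ""
    amount: float = 0.0
    changed_field: str = ""  # for support_change: e.g. "email", "shipping_address"


def age_only_risk(history: AccountHistory, event: Event) -> bool:
    """Hypothetical 'traditional' rule: only young accounts making large purchases
    are suspicious. An account with years of history passes untouched."""
    return history.age_days < 365 and event.kind == "purchase" and event.amount > 500


def behavioural_risk(history: AccountHistory, event: Event, recent_changes: set):
    """Score how far this event deviates from the account's own baseline.
    Weights are illustrative, not tuned values."""
    score, reasons = 0, []
    if event.device and event.device not in history.devices:
        score += 2
        reasons.append("new device")
    if event.country and event.country not in history.countries:
        score += 2
        reasons.append("new country")
    if event.kind == "purchase" and event.amount > 3 * history.max_amount:
        score += 2
        reasons.append("amount above 3x historical maximum")
    if event.kind == "purchase" and recent_changes:
        score += 3
        reasons.append("purchase shortly after support-assisted changes: "
                       + ", ".join(sorted(recent_changes)))
    return score, reasons


def evaluate(history: AccountHistory, events: list) -> list:
    """Walk the events in order, remembering fields changed through support so a
    later purchase can be correlated with them (the pattern the article describes)."""
    recent_changes = set()
    results = []
    for ev in events:
        if ev.kind == "support_change":
            recent_changes.add(ev.changed_field)
        score, reasons = behavioural_risk(history, ev, recent_changes)
        results.append({
            "kind": ev.kind,
            "naive_flag": age_only_risk(history, ev),
            "score": score,
            "behavioural_flag": score >= 4,  # constructed alert threshold
            "reasons": reasons,
        })
    return results


# Constructed: a five-year-old account that has only ever used one laptop in Brazil.
TRUSTED_ACCOUNT = AccountHistory(
    account_id="acct-0001", age_days=5 * 365,
    devices=Counter({"laptop-a1b2": 240}),
    countries=Counter({"BR": 240}),
    max_amount=320.0,
)

# Constructed takeover sequence: login from a new device abroad, contact details
# changed via support, then a purchase far above the account's usual range.
TAKEOVER_EVENTS = [
    Event("acct-0001", "login", device="phone-zz99", country="RO"),
    Event("acct-0001", "support_change", changed_field="email"),
    Event("acct-0001", "support_change", changed_field="shipping_address"),
    Event("acct-0001", "purchase", device="phone-zz99", country="RO", amount=2900.0),
]


def run_demo() -> list:
    return evaluate(TRUSTED_ACCOUNT, TAKEOVER_EVENTS)


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

On this sequence the age-only rule never fires, which is exactly the blind spot the paragraph describes, while the baseline flags the first login (new device and country) and the final purchase (all four deviations, including the support-assisted changes that preceded it).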
The impact of artificial intelligence and automation on fraud
Historically, social engineering campaigns required planning, time, and a certain degree of manual customization. However, the large-scale adoption of generative language models (LLMs) has completely changed this landscape.
Today, with automated tools based on generative AI, criminals can create and launch phishing campaigns in minutes. Well-written texts, which once required fluency or time to draft, are now automatically generated with a high degree of sophistication. As a result, the volume and frequency of these attacks have increased alarmingly.
This growth reflects not only the greater reach of fraudulent campaigns, but also the efficiency of new AI-based techniques and automation.
Anyone who thinks that phishing, smishing and vishing are risks exclusive to individual consumers is mistaken. Companies are also frequent victims of these scams, especially when corporate credentials are exposed on the dark web. According to an analysis by Nethone, scammers can acquire leaked employee data, gaining privileged access to internal systems and sensitive databases.
From there, they act subtly: they study the company's buying or operating behavior, build interactions with technical or commercial support and gradually manipulate internal processes to carry out fraudulent transactions without raising immediate suspicion. This practice compromises not only the security of the organization, but also the relationship of trust with customers and partners.
How can you protect yourself from these threats?
Protection against phishing, smishing and vishing involves a combination of technology, processes and awareness.
Education and awareness: both businesses and users need to be educated to recognize the common signs of these scams, such as misspellings, excessive urgency in messages, requests for sensitive information, and unusual communication channels.
Multifactor Authentication (MFA): even if credentials are compromised, using multiple layers of authentication makes unauthorized access difficult.
Credential Monitoring: tools that monitor credential exposure on the dark web are essential for businesses and individuals to be quickly alerted to leaks.
AI-Based Fraud Detection Systems: just like criminals, companies need to turn to artificial intelligence to detect anomalous behavior patterns that indicate possible intrusions or fraud attempts.
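The following Python script is an added example (not part of the original article) that turns the warning signs listed above into a rule-based triage score and runs it over three constructed messages: a legitimate statement notice, a phishing email with a misspelt brand domain, and a smishing text whose link embeds the brand name in an unrelated domain. The brand, its domains, the term lists, the weights and the thresholds are assumptions chosen for illustration; a real deployment would tune them against its own traffic.

```python
"""Added example (not part of the original article): rule-based triage of the
phishing/smishing warning signs the article lists, run over constructed
messages. Brand, domains, term lists and thresholds are invented."""
import re
from urllib.parse import urlparse

# Constructed: domains the hypothetical brand genuinely sends mail and links from.
KNOWN_BRAND_DOMAINS = {"examplebank.com.br", "examplebank.com"}
BRAND_TOKENS = {d.split(".")[0] for d in KNOWN_BRAND_DOMAINS}  # {"examplebank"}

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be blocked", "final notice")
SENSITIVE_TERMS = ("password", "cpf", "card number", "cvv",
                   "verification code", "token")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels, or three for forms like .com.br."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link_domain(host: str) -> str:
    """'known', 'lookalike' (brand token embedded or misspelt) or 'unrelated'."""
    domain = registrable_domain(host)
    if domain in KNOWN_BRAND_DOMAINS:
        return "known"
    label = domain.split(".")[0]
    for token in BRAND_TOKENS:
        if token in host.lower() or levenshtein(label, token) <= 2:
            return "lookalike"
    return "unrelated"


def score_message(body: str, sender_domain: str = None, channel: str = "email") -> dict:
    """Combine the article's warning signs into one triage score with reasons."""
    text = body.lower()
    score, findings = 0, []

    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        score += 1
        findings.append("urgency: " + ", ".join(urgency))

    sensitive = [t for t in SENSITIVE_TERMS if t in text]
    if sensitive:
        score += 2
        findings.append("asks for sensitive data: " + ", ".join(sensitive))

    links = URL_RE.findall(body)
    for url in links:
        host = urlparse(url).hostname or ""
        verdict = classify_link_domain(host)
        if verdict == "lookalike":
            score += 3
            findings.append(f"lookalike link domain: {host}")
        elif verdict == "unrelated":
            score += 1
            findings.append(f"link to unrelated domain: {host}")

    # Sender check only applies where a domain exists (email); SMS has none.
    if sender_domain is not None and registrable_domain(sender_domain) not in KNOWN_BRAND_DOMAINS:
        score += 2
        findings.append(f"sender domain not a known brand domain: {sender_domain}")
    if channel != "email" and links:
        score += 2
        findings.append(f"link delivered over unusual channel: {channel}")

    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "level": level, "findings": findings}


# Constructed sample messages (not real traffic): name, sender domain, channel, body.
SAMPLES = [
    ("legit statement", "examplebank.com.br", "email",
     "Your monthly statement is available. Log in at "
     "https://www.examplebank.com.br/statements to view it."),
    ("phishing email", "mail.examp1ebank-alerts.net", "email",
     "URGENT: your account will be blocked within 24 hours. Confirm your "
     "password and CPF at https://secure.examp1ebank.net/verify"),
    ("smishing", None, "sms",
     "ExampleBank: unusual purchase detected. Reply with the verification code "
     "we sent you or cancel it at https://examplebank.verify-now.top/c"),
]


def run_demo() -> dict:
    return {name: score_message(body, sender, channel)
            for name, sender, channel, body in SAMPLES}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} {result['level']:6} score={result['score']} {result['findings']}")
```

The lookalike check matters more than the keyword lists: the smishing sample contains no urgency term at all and still scores high, because the brand name embedded in an unrelated domain and the link arriving over SMS carry most of the weight. Keyword lists are easy for LLM-generated text to avoid, as the article notes, so domain and channel signals should anchor any such scorer.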
In times where trust is a valuable currency, protecting credentials and maintaining a vigilant posture is essential to preserving the digital integrity of individuals and businesses.