It is no secret that the rapid digitalization of society has profoundly transformed personal and commercial relationships. This transformation, however, also expanded the attack surface for cybercriminals, who increasingly rely on social engineering to execute sophisticated fraud schemes. Studies show that in 2024, financial losses caused by online scams reached R$10.1 billion, a 17% increase compared to the previous year.
Among the most common are phishing, smishing, and vishing: practices that differ in method but share the same goal, deceiving victims in order to steal sensitive information, especially access credentials. Although traditionally associated with scams against consumers, these forms of social engineering are also highly effective in the corporate environment. Scammers target companies to gain access to internal systems, compromise supply chains, and carry out large-scale financial fraud.
Are Phishing, Smishing, and Vishing the same threats?
To begin the explanation, it is important to understand that the term social engineering refers to a set of techniques used by scammers to manipulate victims emotionally and socially, leading them to act against their own interests and compromising their security.
Phishing is the best-known type of this kind of scam. Ready-made email phishing kits can be found on the dark web, and for scammers who are not experts in the subject, there are people who perform the service for them. It usually involves sending emails or messages that impersonate trusted institutions, such as banks, retailers, or online services.
The goal is to deceive the recipient into clicking malicious links that lead to fake websites, very similar to the originals, in order to capture passwords and other sensitive information, such as ID numbers or credit card data. According to Serpro data, phishing remains one of the most frequent types of fraud in Brazil, and criminals are improving their strategies with the use of artificial intelligence (AI) and deepfakes to create even more convincing and personalized content. A recent case was the arrest of a man for participating in a criminal group that carried out scams using deepfake-manipulated videos featuring the image and voice of presenter Marcos Mion.
Scammers also carry out frauds such as Business Email Compromise (BEC) and the fake CEO scam, with emails that impersonate executives to induce employees to transfer money or provide credentials.
On the other hand, smishing (a combination of SMS and phishing) uses text messages to deceive victims. With the popularization of messaging apps like WhatsApp and Telegram, this method gained strength, exploiting people's tendency to respond quickly to messages that seem urgent or important.
Vishing (voice phishing) is carried out through phone calls, in which the scammer impersonates a company or institution representative. A persuasive tone, combined with the use of data obtained from previous leaks, makes victims more likely to share confidential information over the phone. This type of scam has been increasingly targeting Brazilian companies, especially large corporations.
Old accounts are the most valuable assets for criminals
The growth of these frauds is directly related to the value that account-based ecosystems represent. An old and trusted account is more valuable to criminals than direct theft of money. This is because accounts with a history of legitimate activities are less likely to be automatically detected by traditional fraud detection systems.
The scammers use phishing and its variations together to gain access to these accounts, which may have years of relationships and transactions that validate their reputation. Once inside, the criminal can study the purchase history, behavior patterns, and in some cases, even interact with customer service, pretending to be the legitimate account holder.
According to a report by Nethone, some fraudsters go as far as building relationships with support agents, deceiving them into making account changes that facilitate the execution of the scam — a process known as account takeover. This type of attack not only causes direct financial losses but also undermines trust in digital platforms and services.
The impact of artificial intelligence and automation on frauds
Historically, social engineering campaigns required planning, time, and a certain degree of manual customization. However, the large-scale adoption of generative language models (LLMs) has completely changed this scenario.
Today, with automated tools based on generative AI, criminals can create and launch phishing campaigns in minutes. Well-written texts, which previously required fluency or time to be developed, are now automatically generated with a high degree of sophistication. As a result, the volume and frequency of these attacks increased alarmingly.
This growth reflects not only the increased reach of fraudulent campaigns but also the effectiveness of new AI-based and automation techniques.
Those who think that phishing, smishing, and vishing are risks exclusive to individual consumers are mistaken. Companies are also frequent victims of these scams, especially when corporate credentials are exposed on the dark web. According to an analysis by Nethone, scammers can acquire leaked employee data, gaining privileged access to internal systems and sensitive databases.
From there, they make subtle moves: they study the company's purchasing or operational behavior, create interactions with technical or commercial support, and gradually manipulate internal processes to carry out fraudulent transactions without raising immediate suspicion. This practice compromises not only the security of the organization but also the trust relationship with clients and partners.
How to protect yourself from these threats?
Protection against phishing, smishing, and vishing involves a combination of technology, processes, and awareness.
Education and awareness: The first line of defense is always people. Both companies and users need to be educated to recognize common signs of these scams, such as spelling errors, excessive urgency in messages, requests for sensitive information, and unusual communication channels.
Multifactor Authentication (MFA): Even if credentials are compromised, the use of multiple authentication layers makes unauthorized access more difficult.
Credential Monitoring: Tools that monitor credential exposure on the dark web are essential for quickly alerting companies and individuals about leaks.
AI-Based Fraud Detection Systems: Just like criminals, companies need to resort to artificial intelligence to detect abnormal behavior patterns that indicate possible intrusions or fraud attempts.
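The account-takeover pattern described earlier (a long-standing, trusted account suddenly used from a new device, a contact detail changed through support, then an unusually large purchase) is exactly what a behavior-based detection system should flag. The following added example, not code from the original article or from any vendor it cites, scores a constructed event stream against a baseline learned from the account's own history; the event types, weights and 48-hour window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "support_change" or "purchase"
    device: str = ""   # device identifier for logins
    field: str = ""    # for support_change: which contact detail changed
    amount: float = 0.0

def baseline(history):
    """Profile derived from the account's legitimate past activity."""
    devices = {e.device for e in history if e.kind == "login"}
    amounts = [e.amount for e in history if e.kind == "purchase"]
    return {"devices": devices, "max_amount": max(amounts, default=0.0)}

def ato_signals(history, recent, window=timedelta(hours=48)):
    """Score recent activity against the baseline; returns (score, reasons)."""
    prof = baseline(history)
    score, reasons, new_device_at = 0, [], None
    for e in sorted(recent, key=lambda e: e.ts):
        if e.kind == "login" and e.device not in prof["devices"]:
            new_device_at = e.ts
            score += 2; reasons.append(f"login from unseen device {e.device}")
        elif e.kind == "support_change" and e.field in ("email", "phone", "address"):
            score += 3; reasons.append(f"{e.field} changed via support")
            if new_device_at and e.ts - new_device_at <= window:
                score += 2; reasons.append("contact change shortly after new device")
        elif e.kind == "purchase" and e.amount > 3 * prof["max_amount"]:
            score += 3; reasons.append(f"purchase {e.amount:.2f} exceeds 3x historical max")
    return score, reasons

# Constructed sample data for one account with years of legitimate history.
HISTORY = [
    Event(datetime(2022, 3, 1), "login", device="dev-A"),
    Event(datetime(2022, 3, 1), "purchase", amount=120.0),
    Event(datetime(2023, 9, 10), "login", device="dev-B"),
    Event(datetime(2023, 9, 10), "purchase", amount=340.0),
]
# Constructed recent activity matching the takeover pattern from the text.
RECENT = [
    Event(datetime(2025, 5, 2, 10), "login", device="dev-Z"),
    Event(datetime(2025, 5, 2, 14), "support_change", field="email"),
    Event(datetime(2025, 5, 3, 9), "purchase", amount=2900.0),
]

if __name__ == "__main__":
    print(ato_signals(HISTORY, RECENT))
```

A real deployment would feed such signals into the fraud-detection system mentioned above and trigger step-up verification (for example an MFA challenge) rather than blocking outright.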
In times when trust is a valuable currency, protecting credentials and maintaining a vigilant stance are essential to preserve the digital integrity of individuals and companies.