Phishing, Smishing and Vishing: What they are and how to protect your company

In a hyper‑connected world, cybercriminals have perfected their techniques to deceive both users and companies. Three of the most common are phishing, smishing and vishing. Although they share the same goal —stealing confidential information— they differ in the channel they use.

Phishing: The classic email scam

What is it?

An attack carried out through fraudulent emails that imitate legitimate entities (banks, suppliers, or even coworkers).

Real example

In 2024, Pepco Group suffered a phishing attack that resulted in fraudulent transfers totaling 15.5 million euros. The emails looked legitimate and included links to fake websites.

Consequences

Theft of credentials, access to internal systems, data loss and legal penalties.

How to prevent it

• Ongoing training to identify suspicious emails.
• Enable multi‑factor authentication (2FA).
• Avoid clicking links or downloading files from unknown senders.

Smishing: The phishing that arrives via SMS

What is it?

Fraudulent text messages that include malicious links or instructions to download infected apps.

Real example

An employee received an SMS from a supposed delivery company asking them to download an app to manage a shipment. After doing so, their corporate phone was compromised and thousands of SMS messages were sent from their device.

Other common cases

• “Correos: Your package is being held. Pay the fee here [fraudulent link].”
• “BBVA reports: A suspicious login has been detected.”

How to prevent it

• Do not open unknown links.
• Always verify with the company before taking action.
• Install security solutions on mobile devices.

Vishing: The voice‑based scam

What is it?

Phone calls in which the attacker pretends to be a bank, tech support or even the police.

Real example

Scammers posed as bank representatives to obtain confidential data and authentication codes, successfully carrying out fraudulent transfers.

How to prevent it

• Never share sensitive information over the phone.
• Hang up and call the entity’s official number directly.
• Train staff to recognize signs of fraud.

Impact on companies

A single click or call can cost millions. Cases such as Sony Pictures (losses exceeding 100 million dollars) and Crelan Bank (70 million euros) show that these threats are far from hypothetical.

How to prevent attacks with Microsoft 365 tools

Microsoft 365 offers a robust ecosystem to protect organizations against threats such as phishing, smishing and vishing. These are the main solutions and recommended practices:

Microsoft Defender for Office 365

• Advanced phishing protection: It analyzes emails for suspicious signs and blocks fraudulent messages before they reach the user.
• Safe Links and Safe Attachments: Real‑time link verification and sandbox analysis of attachments.
• AI‑powered anti‑phishing policies: It detects sophisticated identity‑spoofing attempts.
• Recommended plans:
• • Plan 1: Basic protection against phishing and malware.
  • Plan 2: Includes attack simulation and automated response.

Exchange Online Protection (EOP)

• Integrated spam and malware filtering in all mailboxes.
• Configuration of anti‑phishing policies to strengthen detection.

Multi‑Factor Authentication (MFA) and Conditional Access

• MFA blocks 99.9% of attacks based on stolen credentials.
• Conditional Access restricts access based on location, device, or risk level.

Attack simulation and training

• Attack Simulation Training: Simulates phishing campaigns to educate employees and measure their response.
• Ongoing awareness with tools integrated into Microsoft 365.

Alerts and monitoring

• Configuration of alerts in the Microsoft 365 Defender Security Center to detect suspicious attempts.

Secure Score

• Evaluates the tenant’s security level and provides recommendations to improve the organization’s threat posture.

Quick checklist for your company

1. Activate Microsoft Defender for Office 365 (Plan 2 if possible).
2. Configure Safe Links, Safe Attachments and anti‑phishing policies.
3. Implement MFA and conditional access.
4. Run phishing simulations and train employees.
5. Monitor alerts and review the Secure Score periodically.

ABD Consulting: your ally in cybersecurity and Microsoft 365

Phishing, smishing and vishing are threats that constantly evolve. The best defense is a combination of awareness, technology and clear protocols.

Remember: security starts with people.

At ABD Consulting and IT Solutions we help companies protect themselves against threats such as phishing, smishing and vishing through advanced solutions based on the Microsoft 365 ecosystem. Our team of experts implements security policies, configures Microsoft Defender, strengthens conditional access and trains employees to reduce human risk — the biggest attack vector today.

In addition, we carry out security audits, configuration reviews, phishing‑simulation campaigns and continuous support so your organization always maintains an optimal level of protection.

If you want to strengthen your digital security or need specialized guidance, we’re here to help.

Contact ABD and take your company's cybersecurity to the next level.