Smishing and Vishing: Why Text and Voice Scams Are Rising in 2026

Cybercriminals don’t just use email anymore. Increasingly, they’re targeting people where they least expect it: their phones. Smishing and vishing, scams delivered by SMS (text) and voice calls, are rising fast in 2026, fuelled by cheap technology and AI tools that make fake messages and calls harder to spot.

At Commercial Networks, we help SMBs protect staff against these social engineering attacks with mobile cyber security, awareness training, and strong policies.

Smishing and Vishing: What They Are

• Smishing = SMS phishing. Attackers send fake texts pretending to be banks, delivery companies, or government services, tricking people into clicking malicious links.
• Vishing = voice phishing. Criminals call employees directly, often impersonating colleagues, suppliers, or IT support to extract information or payments.

The National Cyber Security Centre has warned that smishing scams are becoming more convincing as attackers use stolen branding and AI-generated messages. Vishing calls are also being boosted by deepfake audio, making voices sound eerily real.

Why These Attacks Are Rising

Several factors are behind the rise of these attacks:

• Mobile-first work – employees increasingly access work data on phones.
• Trust in phones – people are more likely to trust texts or calls than emails.
• AI tools – realistic voice cloning and automated SMS campaigns are cheap to run.
• Regulatory pressure – banks have tightened email protections, pushing attackers toward phones.
• Quick responses – mobile users are more likely to act fast without double-checking.

According to the UK Cyber Security Breaches Survey 2025, phishing remains the top attack vector, but smishing and vishing are growing rapidly and now feature in many incidents reported by SMBs.

Mobile Cyber Security: Defending the Weak Spot

The mobile channel is often overlooked in SMB security. Yet without good mobile cyber security policies, staff devices are vulnerable to smishing and vishing.

Practical measures include:

• Mobile device management (MDM) – ensuring work phones are secured and monitored.
• Blocking unknown senders – using filters to reduce malicious texts.
• Caller verification – policies for verifying unusual phone requests.
• Secure messaging apps – encouraging use of verified platforms for sensitive information.
• Multi-factor authentication – preventing stolen credentials from granting access.

At Commercial Networks, our IT Health Checks highlight where mobile risks exist and how to fix them.

Social Engineering Attacks in Action

Social engineering attacks like smishing and vishing succeed because they exploit trust and urgency. Employees may think: “It’s just a text, what’s the harm?” But one click can compromise credentials, install malware, or trigger fraudulent payments.

In 2025, Action Fraud reported that thousands of UK businesses were targeted by delivery-related smishing texts, while others faced vishing calls impersonating HMRC and banks. Some of these attacks even combined methods, starting with a text and following up with a convincing phone call.

Real-World Example

One UK energy supplier reported being hit by a sophisticated vishing campaign where attackers posed as IT support staff. Using stolen information and AI voice tech, they convinced employees to share login credentials. Fortunately, multi-factor authentication prevented the attackers from gaining full access, but the case highlighted how convincing vishing can be.

How SMBs Can Respond

Defending against smishing and vishing requires both technology and culture. SMBs should:

• Train staff to spot suspicious texts and calls.
• Set policies for verifying requests, especially financial ones.
• Use mobile security tools to filter messages.
• Encourage staff to report attempts, no matter how small.
• Regularly test defences with phishing simulations.

At Commercial Networks, we combine employee cyber awareness with managed IT services to ensure staff and systems are ready for evolving threats.

Don’t Ignore the Phone

While email phishing still dominates, smishing and vishing are the fastest-growing forms of attack in 2026. By investing in mobile cyber security and building a culture that challenges suspicious texts and calls, businesses can shut down these scams before they succeed.

At Commercial Networks, we help SMBs defend against social engineering attacks of all kinds.

Contact Commercial Networks today to secure your staff against smishing, vishing, and the next wave of threats.

Further Reading

• NCSC: Smishing guidance
• UK Cyber Security Breaches Survey 2025
• Action Fraud: Smishing and vishing scams
• Ofcom: Protecting yourself from phone scams
• Europol: Emerging mobile threats

You may also like

Deepfake Fraud: The Next Cyber Risk for SMBs Phishing Email Scams: How to Spot, Stop, and Stay Safe What Hackers Learn from Sharenting: The Hidden Dangers of Oversharing Online Cybersecurity Awareness Training: The 10 Tips Every Employee Needs