By Dana Smith, Senior Communication Specialist, Information Security at BCD Travel
As cyber threats continue to evolve, so too must our understanding of how attackers attempt to exploit us. Most of us are familiar with phishing—those sneaky emails pretending to be from legitimate sources. But have you heard of mishing?
What is mishing?
Mishing is short for mobile phishing. Specifically, it refers to phishing attacks carried out through phone calls, SMS texts, or voicemail messages (hence, the “m” from “mobile” or “messaging”). Cybercriminals use mishing to impersonate trusted institutions—like banks, tech support, HR departments, or even government agencies. Their goal? To trick victims into revealing sensitive information such as passwords, financial details, or account access. There are multiple forms of mishing, including:
- Smishing (SMS phishing)
- Quishing (QR code phishing)
- Vishing (Voice phishing)
- Wi-fi based attacks (Evil Twin)
Smishing is common right now, and something you’ve probably already experienced if you have a mobile phone. In the U.S., thousands of mobile device users have been receiving texts saying they owe money for unpaid tolls. Globally, similar scams are prevalent, such as texts promising incredible job opportunities working from home or messages about a package being undeliverable because the address was invalid. This tactic is becoming more common every day.
Mishing risks for business travelers
For business travelers, mishing poses unique risks. Business travelers on the go may be more likely to respond quickly to messages without verifying their authenticity. Here’s how mishing can impact business travel:
- Travel arrangements: A traveler might receive a text claiming a flight has been canceled, prompting them to click a malicious link to rebook.
- Expense management: Fraudsters could impersonate a company’s finance department, asking travelers to verify credit card details for expense reports. They also might receive a message from someone claiming to be a banking institution, warning of suspicious activity. In a panic, the traveler might call or message back and unknowingly hand over banking credentials.
- Hotel reservations: A message might appear to be from a hotel, asking travelers to confirm booking details through a fake website.
How to spot and stop mishing
- Be skeptical of urgency. Scammers often use threats or tight deadlines to create panic. Legitimate organizations rarely convey urgent messages via voicemail or text.
- Never share sensitive info over voicemail or text. This includes passwords, social security numbers, or financial details—even if the caller sounds legitimate.
- Verify independently. If a message asks for a return call, don’t use the number provided. Instead, contact the institution using a known, trusted number.
- Use multi-factor authentication (MFA). Even if credentials are compromised, MFA can block unauthorized access.
