This article is part of the “How It Happens” series — a plain-English guide explaining how bank fraud and unauthorized transfers actually occur.
👉 View the full series index here:
https://www.cardozalawcorp.com/library/how-it-happens-bank-hacking-and-unauthorized-transfers.cfm


I. What This Is (Plain English)

Sometimes the fraud doesn’t start with a hacked computer.

Sometimes it starts with a message that says:

“This is your bank. We detected suspicious activity.”

In phishing, smishing, and vishing schemes, criminals impersonate banks or fraud departments to trick victims into handing over just enough information for someone else to take control.

You don’t send money.
You don’t approve a transfer.
You don’t think you’re doing anything risky.

You think you’re preventing fraud.

This article explains how that deception works.


II. The Three Variants (Same Scam, Different Doorways)

A. Phishing (Email)

Phishing emails are designed to:

  • Look like real bank messages

  • Create urgency (“account locked,” “fraud detected”)

  • Push victims to click a link or “verify” information

The link leads to a fake login page that captures credentials.

The FBI has repeatedly warned that phishing emails remain one of the most common entry points for bank fraud.
See the FBI IC3’s explanation of phishing schemes here:
https://www.ic3.gov/Media/Y2020/PSA200406

 

B. Smishing (Text Messages)

Smishing works the same way — but faster.

Text messages:

  • Feel more urgent

  • Are trusted more than email

  • Are often read immediately

A typical smish says:

“Bank Alert: Suspicious charge detected. Reply YES or click link.”

Replying or clicking starts the takeover.

The Federal Trade Commission has warned consumers that bank-impersonation text scams are a leading cause of financial loss.
See the FTC’s guidance on text-message phishing (smishing) here:
https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages


C. Vishing (Phone Calls)

Vishing is phishing by voice.

The criminal:

  • Calls pretending to be a bank fraud agent

  • Uses spoofed caller ID

  • Applies pressure and reassurance simultaneously

Victims are told:

  • “We need to secure your account”

  • “I just need to confirm a code”

  • “I’m stopping a transfer right now”

In reality, the code is being used to log in and move money.

The Federal Communications Commission has warned that caller-ID spoofing makes these scams difficult to detect.
See the FCC’s explanation of caller-ID spoofing here:
https://www.fcc.gov/consumers/guides/spoofing-and-caller-id

 


III. Step-by-Step: How the Fraud Actually Unfolds

This is the common pattern across all three.

Step 1: The Message Arrives

Email, text, or call — usually urgent and authoritative.

Step 2: The Victim Responds

The victim:

  • Clicks a link

  • Replies to a text

  • Talks to the “bank”

They believe they’re protecting their account.

Step 3: Credentials or Codes Are Captured

The criminal obtains:

  • Login credentials

  • One-time passcodes

  • Account-recovery data

Step 4: The Criminal Acts Separately

Using that information, the criminal:

  • Logs into the real bank

  • Initiates transfers

  • Moves funds out

This is when the unauthorized transfers occur.


IV. Why the Victim Did Not Authorize the Transfers

This distinction matters.

The victim:

  • Did not choose recipients

  • Did not initiate transfers

  • Did not intend to move money

They were responding to deception.

Providing information under false pretenses is not authorization.


V. Why Two-Factor Authentication Often Fails Here

Many victims ask: “Why didn’t two-factor stop this?”

Because in these scams:

  • The criminal is logging in in real time

  • The victim is unknowingly providing the code

  • The system sees a “valid” login

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that social-engineering attacks can defeat technical safeguards by exploiting trust.
See CISA’s guidance on social engineering here:
https://www.cisa.gov/social-engineering


VI. What Evidence Usually Exists

Even when banks say “the customer gave the information,” evidence often exists:

  • Login timestamps tied to scam communications

  • Device or IP mismatches

  • Call or text logs

  • Rapid account changes following contact

Stopping the analysis at “credentials were used” misses the mechanism.
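
The evidence listed above can be lined up on a single timeline. The sketch below is an added example, not part of the original article or any bank's tooling; the log layout, field names, device IDs, and IP addresses are constructed for illustration. It flags bank-side events that follow the scam contact and show a device mismatch, an IP mismatch, or a rapid account change.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from a real case): the victim's phone log and
# the bank's session log for the same account. Field names are hypothetical.
CONTACTS = [
    ("2024-03-05T14:02:00", "sms", "Bank Alert: Suspicious charge detected"),
    ("2024-03-05T14:06:00", "call", "inbound call, caller ID shows bank"),
]
BANK_EVENTS = [
    ("2024-03-01T09:15:00", "login", "dev-home-laptop", "198.51.100.7"),
    ("2024-03-05T14:09:00", "login", "dev-unknown-1", "203.0.113.44"),
    ("2024-03-05T14:11:00", "add_payee", "dev-unknown-1", "203.0.113.44"),
    ("2024-03-05T14:13:00", "transfer", "dev-unknown-1", "203.0.113.44"),
    ("2024-03-06T08:30:00", "login", "dev-home-laptop", "198.51.100.7"),
]
KNOWN_DEVICES = {"dev-home-laptop"}  # devices the customer used before the contact
KNOWN_IPS = {"198.51.100.7"}         # addresses the customer used before the contact
SENSITIVE = {"add_payee", "change_email", "change_phone", "transfer"}


def correlate(contacts, events, known_devices, known_ips, window_minutes=30):
    """Return bank events between the first scam contact and window_minutes
    after the last one, each tagged with the evidence indicators it shows."""
    if not contacts:
        return []
    times = [datetime.fromisoformat(ts) for ts, _, _ in contacts]
    first, last = min(times), max(times)
    cutoff = last + timedelta(minutes=window_minutes)
    findings = []
    for ts, action, device, ip in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if not (first <= when <= cutoff):
            continue
        flags = []
        if device not in known_devices:
            flags.append("device_mismatch")
        if ip not in known_ips:
            flags.append("ip_mismatch")
        if action in SENSITIVE:
            flags.append("rapid_account_change")
        if flags:
            minutes_after = int((when - first).total_seconds() // 60)
            findings.append((ts, action, minutes_after, flags))
    return findings


if __name__ == "__main__":
    for row in correlate(CONTACTS, BANK_EVENTS, KNOWN_DEVICES, KNOWN_IPS):
        print(row)
```

On the sample data, the customer's own logins before and after the incident are left out, and the login, new payee, and transfer from the unfamiliar device all land within minutes of the text and call.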


VII. What Banks Often Say — and Why That’s Incomplete

Banks often respond with:

  • “You shared the code.”

  • “You responded to the message.”

Those statements ignore how the information was obtained.

Deception matters.
Context matters.
Intent matters.


VIII. Why These Scams Work So Well

Phishing, smishing, and vishing succeed because they:

  • Mimic authority

  • Create urgency

  • Exploit trust

  • Outsource the “dirty work” to the victim

This is not hacking computers.
It’s hacking expectations.


IX. Why This Matters for Victims

Understanding these scams:

  • Explains how fraud happens without consent

  • Shows why “you responded” isn’t the whole story

  • Clarifies why authorization is still missing

  • Reframes blame where it belongs

That matters when banks oversimplify.


Michael F. Cardoza, Esq.
U.S. Marine & Consumer Financial Protection Attorney helping victims of ID theft and Credit Reporting errors.