June 11, 2025

How to identify and avoid the latest AI-powered impersonation attacks: Smishing, vishing & deepfakes

AI-generated content has advanced to the point that it is often difficult to identify. If you have doubts about the authenticity of someone wishing to communicate with you, or the situation “just doesn’t seem right”, workforce members should follow their suspicions and contact the Help Desk.

Hacker typing on a laptop (iStock)

Malicious actors are combining SMS phishing (smishing), voice phishing (vishing), and AI-generated deepfakes to carry out impersonation attacks. These tactics exploit trust in text, voice, and video to deceive individuals and organizations. Let’s breakdown each attack to help you stay aware and protected.

Smishing

  • Fraudulent SMS messages that:
    • Appear to come from trusted sources (e.g., banks, delivery services). Are AI generated phone numbers not associated with a specific organization or company.
    • Contain links to fake websites or malware.
  • An example of smishing would be if you receive a text asking you to click on or verify something. “Your package is on hold. Click here to verify delivery info.”

Vishing

  • Voice calls or messages that impersonate:
    • Well-known, public figures or personal relations to increase the legitimacy of their schemes, such as bank officials, tech support, or HR.
    • Using spoofed caller IDs and VoIP tools to appear authentic.
  • An example of vishing would be if you receive a call from your bank saying, “We’ve noticed suspicious activity on your account. Can you verify your info?”

AI Deepfakes (Voice/Video)

  • Machine-generated media that:
    • Imitate real people with startling accuracy.
    • Can simulate live video or voice of executives or associates.
  • An example of an AI deepfake would be if you receive a call from the CEO asking for an urgent wire transfer.

How to Protect Yourself

  • Verify calls, emails, and video requests through known contacts.
  • Do not click on any links in an email or text message until you independently confirm the sender’s identity. Please forward any suspicious emails to phishing@vumc.org for validation.
  • If you are contacted by someone you know well through a new platform or phone number, verify the new contact information through a previously confirmed platform or trusted source.
  • Be careful what you download. Never open an email attachment or download applications at the request of or from someone you have not verified.

AI-generated content has advanced to the point that it is often difficult to identify. If you have doubts about the authenticity of someone wishing to communicate with you, or the situation “just doesn’t seem right”, workforce members should follow their suspicions and contact the Help Desk at 615-343-HELP (3-4357). From there, a team member will notify the VUMC IT Security Operations Incident Response team.

Related Articles