Phishing, Smishing, Whaling, and Vishing: Who is coming after your wallet?

July 18, 2025

Boston, Spring of 2012

Waynflete School’s team has made it to the finals of the Boston Federal Reserve Cup Challenge for Economics and Personal Finance, and we wouldn’t have gotten that far without Alysa, who was the team’s default personal finance expert, successfully fielding questions on credit score, insurance, banking, and more.

And…we won!

Fast forward to 2025, and here I am once again turning to Alysa – this time for professional help on a critical topic: cyber hygiene (her phrase, not mine, and I love it). Who knew that she’d continue to do great things? I did!

Alysa, tell me about your work at Avalara.

During the pandemic, I was hired as an Operations Analyst by DAVO Sales Tax, which has since been acquired by Avalara Inc. Avalara is a B2B tax compliance company, serving all sizes and types of businesses in the business-tax space. I am just about to start my fifth year with this organization and am currently an Analyst of Global Client Payments (I work on the Treasury team). I manage company and customer funding and payments, bank reconciliations, customer refunds, and merchant account balances. I also audit sales tax filings and bank transactions for fraudulent or inaccurate payments and work closely with our tech engineering team to make product improvements to our funding processes.

It seems that our financial security is being compromised daily through cyberattacks and scams. Is there more danger more often, or does it just seem that way because it is so highly reported?

There is no nice way to say this, so I will give it to you straight. Yes, the danger is growing and growing at an exponential rate. Cyber-attacks, especially financially motivated ones, are increasing in volume, sophistication, and impact.

Everything is digital now. We are quickly moving out of the analog world where we pay with cash and transact in person. I can’t think of a single bill or purchase that requires you to pay with physical money or a check. Everything from mortgage payments to movie tickets is paid online. This rapid increase in digital transactions creates more opportunities for cyber attackers.

Then we must consider advances in technology, which benefit us as consumers, but also benefits the scammers.

Sure, there is some cognitive bias at play. When the media and headlines show a constant stream of cyberattacks and scams, it is to be expected that this adds to our perception of a growing danger.

What are the most common threats in 2025?

The big three attacks that everybody should know about are phishing, ransomware, and credential stuffing.

Phishing is the most experienced type of attack on a day-to-day basis. Phishing, and its many subcategories such as targeting phishing, whaling, smishing, vishing, business email compromise, etc., all fall under the umbrella of social engineering. In this type of attack, the scammer impersonates a trusted party to trick victims into revealing sensitive information such as login credentials, credit card numbers, or other personal data. Usually, this involves playing on the victim’s emotions by creating a false sense of urgency, which causes them to overlook their logic and better judgment and then take action by divulging personal information. This can be done via email, text, call, social media messaging, QR codes, or malicious websites.

A perfect and recent example of this in Maine and surrounding states was the EZ Pass toll scam text. A text was sent to thousands of people saying that they had unpaid tolls and that unless they took immediate action an additional fee would be charged. Of course, this was not true. The attacker played on people’s desire to be law abiding citizens, and a fear of incurring additional charges to get the information they wanted.  

Phishing is often accompanied by ransomware—malicious software that encrypts a victim’s files or systems, demanding a ransom payment to unlock them. Ransomware is generally delivered via a phishing email, manipulating the victim’s emotions to click a link or download the software. While ransomware attacks are more common for businesses, individuals can also be impacted.

Credential stuffing is a little different than phishing and ransomware in that it does not require any action to be taken by the victim. In this type of attack, cyber criminals obtain login credentials from past data breaches, which are easily found on the dark web, and then use them to attempt to gain access to multiple accounts. It is an automated process, requiring little manual work for the fraudster and allowing them to target a wide audience of victims.

How does, or will, AI factor into this world, for the attackers and for the defending public?

I alluded to this earlier, but AI is the next frontier in the technology space and will continue to create areas of increased risk of, and improved protection from, cyberattacks. 

Hackers are now using AI to make their attacks smarter, faster, and harder to spot. They can create super convincing phishing emails or even fake a voice or video call from a trusted party, including family and friends, to trick someone into handing over sensitive info. AI tools also help them scan huge networks to identify weak spots much more efficiently than a human ever could. With AI, even less experienced attackers can launch advanced scams. That’s what makes it so dangerous, the attacks are getting more believable, more targeted, and a lot more frequent.

Luckily, AI is doing a lot of good on the defensive side, too.  It’s like having a super smart security guard that never sleeps. It can spot unusual behavior quickly; like if someone logs into your account from a strange location or suddenly downloads a ton of files. It also helps filter out phishing emails, detect malware before it spreads, and even predict where attacks might happen next by analyzing patterns and past incidents. And AI can respond in real-time, isolating infected devices, blocking suspicious traffic, or locking down accounts automatically before things get worse.

So, while attackers are using AI, so are the defenders. At this point, it is a matter of who uses it better, sooner.

I recently heard you use the phrase, “practice good cyber hygiene”. I love it! What are some of the specifics to that end?
I love it, too! Let’s talk cyber hygiene and how we can improve our own.

Cyber hygiene is the digital equivalent to personal hygiene. It’s the habitual practices and behaviors that we follow to maintain health, prevent infections, and minimize vulnerabilities. The same way we wash our hands to decrease the risk of spreading germs or contracting an illness, there are things we can do in the digital space to decrease our risk or impact of cyberattacks. Cyber hygiene can be boiled down to good password practices, smart cyber use, and responsibly managing devices.

• Check out these password tips from Alysa

Social media platforms are a cesspool for cybercrime. They are an open door to your personal information, and the scammers don’t even have to try hard. People proudly broadcast their personal lives and information. It is so imperative that we are highly selective with what we relay to the world. While reusing passwords is more prevalent with older generations that only needed one password to survive, the younger generation lives almost entirely online and opens themselves up to a more targeted type of attack.

Presenting yourself on social media is the same as presenting yourself to the entire world, scammers included. What you do, where you go, who you talk to, what you like… It can all be used against you. Remember a few minutes ago when I said that phishing, the most common form of attack, is a type of social engineering? This is where the scammers get the ammo.

• For more advice on social media safety, head to Alysa’s Cyber Hygiene Tips

Lastly, responsible physical device use. Boring, but classic and effective.

• Lock your computer when you aren’t using it. Lock your phone when you aren’t using it. Don’t leave your things in public places. Know where your technology is at all times.

I want to emphasize that cyber hygiene is not a one-and-done thing. It is an ongoing practice. Just like washing your face only makes it clean until you sweat or get dirty, cyber hygiene is only as good as its maintenance. The more we live online, the more we need to treat digital decisions as the real-life decisions that they are.

Alysa is my former student and advisee from Waynflete (Class of 2012). I was lucky enough to have taught Alysa several times, including Personal Finance. She attended Southern Maine Community College and earned an associate’s degree in hospitality management and business administration. That is where she discovered a love of accounting. After SMCC, Alysa transferred to Ohio Wesleyan University, where she earned a BA in Accounting with a Business minor. She works from home with her two dogs and in her free time rides her horse, reads, and, of course, investigates recent cyberattacks.