This chapter covers vishing (voice phishing) and smishing (SMS phishing), two common social engineering attacks that target users via phone calls and text messages. For the CompTIA A+ 220-1102 exam, understanding these attacks is critical because they are frequently tested under Objective 2.5 (Explain common social engineering attacks, threats, and vulnerabilities). Approximately 5-10% of exam questions touch on social engineering, with vishing and smishing appearing regularly as specific attack types. You must be able to identify these attacks, explain their mechanisms, and recommend appropriate mitigation strategies.
Imagine you receive a phone call from someone claiming to be your bank's fraud department. The caller ID shows the bank's actual number (spoofed). The caller says your account was compromised and asks you to verify your PIN and Social Security number to 'secure' it. If you comply, they now have your credentials. This is vishing: voice phishing. Now imagine you get a text message that appears to be from your delivery service, saying a package couldn't be delivered and asking you to click a link to reschedule. The link leads to a fake login page that steals your credentials. That's smishing: SMS phishing. In both cases, the attacker uses social engineering to trick you into revealing sensitive information or installing malware. The 'bait' is the urgent or appealing message; the 'hook' is the action you take (calling a number, clicking a link). Just as a fisherman uses a lure that mimics prey, attackers mimic legitimate entities to catch victims.
What Are Vishing and Smishing?
Vishing (voice phishing) is a social engineering attack conducted over voice communication, typically via phone calls or VoIP. The attacker impersonates a legitimate entity (e.g., bank, tech support, government agency) to trick the victim into divulging sensitive information such as passwords, credit card numbers, or Social Security numbers. Smishing (SMS phishing) is similar but uses Short Message Service (SMS) or text messaging platforms. The attacker sends a text message that appears to come from a trusted source, often containing a link to a malicious website or prompting the victim to call a fraudulent number.
Both attacks rely on social engineering principles: authority (impersonating a person of authority), urgency (claiming immediate action required), and fear (threatening account closure or legal action). They bypass technical security controls because they target the human element.
How Vishing Works Internally
Caller ID Spoofing: The attacker uses VoIP technology or a spoofing service to falsify the caller ID information displayed on the victim's phone. This is possible because the Public Switched Telephone Network (PSTN) and VoIP systems do not inherently verify caller ID. The attacker sets the outbound caller ID to match a legitimate number (e.g., the bank's customer service line).
Automated or Live Calls: The attacker may use an automated robocall system that plays a pre-recorded message, or a live operator (often from a call center in a different country) who follows a script. The message typically creates a sense of urgency: "Your account has been compromised. Please call this number immediately."
Victim Response: If the victim calls back or stays on the line, they are prompted to enter sensitive information via keypad tones (DTMF) or speak it aloud. The attacker captures this data.
Data Harvesting: The collected information is used for identity theft, financial fraud, or sold on the dark web.
How Smishing Works Internally
SMS Gateway Spoofing: Attackers use SMS gateways or bulk SMS services that allow them to set a custom sender ID (alphanumeric name) or spoof a phone number. Some services do not validate the sender's identity. The attacker sends a text that appears to come from a known entity (e.g., "USPS," "Amazon").
Malicious Link or Phone Number: The message contains a shortened URL (e.g., bit.ly) or a phone number. The URL leads to a phishing website that mimics a legitimate login page. The phone number connects to an automated voice system that attempts to extract information.
Malware Delivery: Some smishing attacks deliver malware via a link that triggers a download of a malicious APK (on Android) or an executable. This can lead to credential theft, ransomware, or spyware.
Victim Interaction: The victim clicks the link, enters credentials, or calls the number. The attacker captures the data or gains access to the device.
Key Components, Values, and Defaults
Caller ID Spoofing: Not illegal in every jurisdiction, but routinely used maliciously. The TRACED Act (US) aims to combat robocalls through the STIR/SHAKEN protocols, which authenticate caller ID.
SMS Sender ID: Alphanumeric sender IDs are common in smishing (e.g., "BankAlert"). Some countries regulate sender IDs to prevent spoofing.
Shortened URLs: Attackers use URL shorteners to hide the true destination. Services like bit.ly, TinyURL are abused.
DTMF Tones: Dual-tone multi-frequency signaling used to transmit digits over phone lines. Attackers capture these tones to record PINs.
VoIP: Voice over IP allows attackers to make calls from anywhere, often with spoofed caller ID. Common VoIP protocols: SIP, H.323.
Configuration and Verification Commands (for Security Analysts)
While CompTIA A+ does not require deep technical configuration, understanding tools used to detect these attacks is useful:
Check Caller ID: On a VoIP system, use sip show channels (or pjsip show channels on newer Asterisk releases) to view active calls and the caller ID each one presents.
Analyze SMS Headers: In email-to-SMS gateways, inspect headers for spoofed sender addresses.
URL Analysis: Use curl -I <shortened_url> to fetch only the response headers; the Location header reveals the redirect target without loading the page. Add -L (curl -IL) to follow the whole redirect chain, since shorteners are sometimes chained.
Log Review: Examine call logs or SMS logs for unusual patterns (e.g., many calls from same number, repeated messages).
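As an added example (not part of this chapter or any vendor tool), the log review step above written as a small Python script that runs over constructed SMS-gateway and call-log lines. The pipe-separated log format, the shortener list, the urgency keywords and the thresholds are all assumptions chosen to illustrate the indicators this chapter names: alphanumeric sender IDs, shortened URLs, urgency language, bulk identical texts, and bursts of short calls from one number.

```python
import re
from collections import defaultdict

# Constructed sample SMS gateway log (not real traffic):
# timestamp | sender_id | recipient | message
SMS_LOG = """\
2024-05-01T09:00:01 | USPS | +15551230001 | Your package could not be delivered. Reschedule now: https://bit.ly/3xAbCd
2024-05-01T09:00:02 | USPS | +15551230002 | Your package could not be delivered. Reschedule now: https://bit.ly/3xAbCd
2024-05-01T09:00:03 | USPS | +15551230003 | Your package could not be delivered. Reschedule now: https://bit.ly/3xAbCd
2024-05-01T09:15:44 | +15559876543 | +15551230001 | Hey, are we still on for lunch?
2024-05-01T10:02:10 | BankAlert | +15551230002 | URGENT: account locked. Verify immediately at https://tinyurl.com/verify-acct
"""

# Constructed sample call log (not real traffic):
# timestamp | caller_id | callee | duration_seconds
CALL_LOG = """\
2024-05-01T11:00:00 | +18005550100 | +15551230001 | 12
2024-05-01T11:00:05 | +18005550100 | +15551230002 | 9
2024-05-01T11:00:11 | +18005550100 | +15551230003 | 14
2024-05-01T11:00:16 | +18005550100 | +15551230004 | 8
2024-05-01T11:30:00 | +15557654321 | +15551230001 | 420
"""

SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # assumed list
URGENCY_WORDS = {"urgent", "immediately", "locked", "compromised", "suspended", "verify"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def _rows(log_text):
    return [[f.strip() for f in ln.split("|")] for ln in log_text.splitlines() if ln.strip()]

def score_sms(sender_id, message):
    """Return the names of the smishing indicators present in one message."""
    hits = []
    if not sender_id.lstrip("+").isdigit():          # alphanumeric sender ID, e.g. "USPS"
        hits.append("alphanumeric_sender_id")
    hosts = {h.lower() for h in URL_RE.findall(message)}
    if hosts & SHORTENER_DOMAINS:                    # shortener hides the real destination
        hits.append("shortened_url")
    if any(w in message.lower() for w in URGENCY_WORDS):
        hits.append("urgency_language")
    return hits

def flag_smishing(log_text, min_hits=2):
    """Flag messages with >= min_hits indicators; identical bodies sent in bulk add one more."""
    rows = _rows(log_text)
    body_counts = defaultdict(int)
    for _, _, _, msg in rows:
        body_counts[msg] += 1
    flagged = []
    for ts, sender, rcpt, msg in rows:
        hits = score_sms(sender, msg)
        if body_counts[msg] > 1:
            hits.append("bulk_identical_body")
        if len(hits) >= min_hits:
            flagged.append((ts, sender, rcpt, sorted(hits)))
    return flagged

def flag_short_call_bursts(log_text, max_duration=30, min_calls=3):
    """Return {caller_id: count} for callers placing >= min_calls short calls (robocall pattern)."""
    short = defaultdict(int)
    for _, caller, _, dur in _rows(log_text):
        if int(dur) <= max_duration:
            short[caller] += 1
    return {c: n for c, n in short.items() if n >= min_calls}
```

Flagged numbers are candidates for the threat-intelligence and call-blocking steps described later in the chapter, after an analyst confirms them.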
Interaction with Related Technologies
STIR/SHAKEN: Protocols that authenticate caller ID to prevent spoofing. They are being deployed by carriers to reduce vishing.
Two-Factor Authentication (2FA): Smishing attacks often target 2FA codes. Attackers trick victims into providing the code, then use it to access accounts.
Anti-Phishing Filters: Email and SMS filters can block known malicious links, but new URLs evade detection.
Mobile Device Management (MDM): Enterprise policies can block installation of apps from unknown sources, reducing malware from smishing.
Common Vishing and Smishing Scenarios
Tech Support Scam: Caller claims to be from Microsoft or Apple, says the computer has a virus, and asks for remote access to "fix" it. They then install malware or demand payment.
Bank Fraud Alert: Automated call says your debit card has been used fraudulently. You are asked to enter your card number and PIN to "verify."
Package Delivery Smishing: Text from "FedEx" or "UPS" says a package delivery failed. Clicking the link leads to a phishing page that steals login credentials.
Government Impersonation: Caller claims to be from the IRS or Social Security Administration, threatening arrest if a fee is not paid immediately via gift cards.
Mitigation Strategies
User Education: Train users to never provide sensitive information over the phone or via text unless they initiated the contact.
Verify Independently: Hang up and call the official number listed on the company's website or card.
Use Call Blocking: Enable robocall blocking features on smartphones and VoIP systems.
Report Suspicious Messages: Forward smishing texts to 7726 (SPAM) on most carriers.
Enable STIR/SHAKEN: Carriers and enterprises should implement caller ID authentication.
Use Anti-Phishing Tools: Deploy email and SMS security gateways that scan URLs and attachments.
Implement MDM Policies: Disable installation of apps from unknown sources on corporate devices.
Exam Relevance
For 220-1102, you must be able to distinguish vishing and smishing from other social engineering attacks like phishing (email), spear phishing (targeted email), whaling (targeting executives), and baiting (using physical media). The exam often presents a scenario and asks which attack is occurring. Key indicators: voice call (vishing), text message (smishing). Also, know that vishing often uses caller ID spoofing, and smishing uses URL shorteners or fake phone numbers. Remember that both exploit human trust and urgency.
Attacker Spoofs Identity
The attacker chooses a target and impersonates a trusted entity. For vishing, they use a VoIP service to spoof the caller ID to match a legitimate number (e.g., the bank's customer service line). For smishing, they use an SMS gateway that allows setting a custom sender ID (e.g., 'USPS') or spoofing a phone number. The spoofing exploits the lack of caller ID verification in legacy phone networks and SMS systems.
Attack Message Delivery
The attacker delivers the message via phone call or SMS. For vishing, a robocall or live caller delivers a scripted message that creates urgency (e.g., 'Your account has been compromised. Press 1 to speak to a representative.'). For smishing, a text message is sent with a malicious link or phone number. The message often includes a shortened URL to hide the true destination. The victim sees the spoofed sender information and trusts the message.
Victim Interaction
The victim responds to the message. In vishing, they may press a key to connect to a live operator or enter sensitive data via DTMF tones. In smishing, they click the link or call the number. The link leads to a phishing website that mimics a legitimate login page, or triggers a malware download. The victim enters credentials, credit card numbers, or other sensitive information, believing they are interacting with a legitimate entity.
Data Capture
The attacker captures the information entered by the victim. For vishing, DTMF tones are recorded and decoded, or the live operator writes down spoken information. For smishing, the phishing website logs entered credentials, or malware on the victim's device exfiltrates data. The attacker may also use the information immediately (e.g., making fraudulent transactions) or sell it on the dark web.
Exploitation and Cover-Up
The attacker uses the stolen data to commit fraud, identity theft, or further attacks. They may change passwords, drain bank accounts, or apply for credit cards in the victim's name. To cover their tracks, they may delete logs, use disposable phone numbers, or route calls through multiple VoIP proxies. The victim often only realizes the attack when they notice unauthorized transactions or when their credentials no longer work.
In enterprise environments, vishing and smishing attacks are persistent threats. Consider a large financial institution that routinely receives reports from customers about fraudulent calls claiming to be from the bank's fraud department. The attackers spoof the bank's toll-free number, making it appear legitimate. The bank responds by implementing STIR/SHAKEN on its VoIP infrastructure to authenticate outbound caller ID, and by educating customers to never provide sensitive information over the phone unless they initiated the call. They also deploy a call-blocking service that filters known spam numbers. However, attackers adapt by using new numbers and VoIP providers that do not support STIR/SHAKEN. The bank's security team monitors call logs for patterns, such as a high volume of short calls to specific numbers, and uses threat intelligence feeds to block known malicious numbers.
Another scenario: a healthcare organization experiences a smishing campaign targeting employees. Attackers send texts that appear to be from the IT department, asking recipients to click a link to reset their email password due to a 'security update.' The link leads to a fake Office 365 login page. Several employees fall for it, and their credentials are compromised. The organization then implements multi-factor authentication (MFA) to mitigate credential theft, and deploys a mobile device management (MDM) solution that blocks installation of apps from unknown sources and enforces the use of company-approved messaging apps. They also conduct simulated smishing campaigns to train employees to recognize suspicious texts. Despite these measures, attackers continue to evolve, using personalized messages (spear smishing) that reference the employee's name or department, making detection harder.
Common misconfigurations: failing to enable STIR/SHAKEN on VoIP systems leaves caller ID spoofing unchecked. Not deploying SMS filtering allows malicious texts to reach users. Over-reliance on user training without technical controls leads to continued breaches. Scale: a single smishing campaign can target thousands of employees via bulk SMS services, costing millions in remediation and fraud losses. Performance considerations: STIR/SHAKEN introduces latency in call setup, but it is negligible. SMS filtering may cause false positives, blocking legitimate messages, so tuning is required. When misconfigured, these controls may block legitimate communications or fail to block attacks, creating a false sense of security.
On the 220-1102 exam, vishing and smishing appear under Objective 2.5: 'Explain common social engineering attacks, threats, and vulnerabilities.' The exam expects you to identify these attacks from a scenario and differentiate them from other social engineering types. Key indicators: if the attack involves a phone call, it's vishing; if it involves a text message, it's smishing. Common wrong answers include confusing vishing with phishing (which is email-based) or smishing with spear phishing (which is targeted email). Candidates often choose 'phishing' for any scenario involving deception, but the medium matters.
Another trap: the exam may describe a vishing attack that uses a pre-recorded message (robocall) and ask what type of attack it is. Some candidates choose 'shoulder surfing' (observing someone entering data) or 'dumpster diving' (searching trash for information), which are unrelated. Remember that vishing and smishing are forms of phishing, but the specific term depends on the medium.
Specific values and terms: know that caller ID spoofing is commonly used in vishing. For smishing, URL shorteners are often used to hide malicious links. The exam may ask about mitigation: the best defense is user education combined with technical controls like STIR/SHAKEN for calls and SMS filtering for texts. Also, know that vishing and smishing exploit social engineering principles: authority, urgency, and fear.
Edge cases: the exam might present a scenario where an attacker sends a text with a phone number to call, combining smishing and vishing. In that case, both are involved, but the initial vector is smishing. Another edge: voicemail phishing (vishing via voicemail) is also considered vishing.
To eliminate wrong answers, focus on the communication channel. If the attack uses email, it's phishing or spear phishing. If it uses phone calls, it's vishing. If it uses text messages, it's smishing. If it involves physical media like a USB drive, it's baiting. If it's targeting a specific high-level executive, it's whaling. By mapping the channel to the attack type, you can confidently select the correct answer.
Vishing = voice phishing via phone calls; smishing = SMS phishing via text messages.
Both rely on social engineering: authority, urgency, fear.
Caller ID spoofing is a key technique in vishing; URL shorteners are common in smishing.
The best defense is user education combined with technical controls (STIR/SHAKEN, SMS filtering, MFA).
On the exam, identify the attack by the communication channel: calls = vishing, texts = smishing.
Never provide sensitive information in response to an unsolicited call or text; verify independently.
Report smishing texts to 7726 (SPAM) and block suspicious numbers.
These come up on the exam all the time. Here's how to tell them apart.
Vishing
Uses voice calls (live or automated)
Often employs caller ID spoofing
Victim may speak or enter DTMF tones
Commonly targets financial information
Mitigation includes STIR/SHAKEN and call blocking
Smishing
Uses SMS or text messaging
Often uses URL shorteners or fake phone numbers
Victim clicks link or calls number
Commonly targets login credentials or malware installation
Mitigation includes SMS filtering and user education
Mistake
Vishing only involves live callers, not automated messages.
Correct
Vishing includes both live callers and automated robocalls. The key is the use of voice communication to deceive. Automated messages that prompt the victim to call a number or press keys are common vishing tactics.
Mistake
Smishing is the same as phishing because both use links.
Correct
While both use links, phishing is conducted via email, while smishing uses SMS or text messaging. The medium is different, and smishing often exploits the higher trust users place in text messages compared to email.
Mistake
Caller ID cannot be spoofed; if it shows a known number, it's legitimate.
Correct
Caller ID spoofing is easy with VoIP technology. Attackers can display any number they choose. Never trust caller ID alone; verify by calling back using a known official number.
Mistake
Smishing attacks only target individuals, not enterprises.
Correct
Smishing attacks frequently target enterprise employees as a vector to gain access to corporate networks. For example, a text impersonating IT support can lead to credential theft and network compromise.
Mistake
If you don't click a link in a smishing message, you are safe.
Correct
Even without clicking, replying to the message or calling the number can lead to data exposure. Also, some smishing attacks use 'zero-click' exploits that can compromise the device without interaction, though rare.
Vishing (voice phishing) uses phone calls to trick victims into revealing sensitive information, often with caller ID spoofing. Smishing (SMS phishing) uses text messages containing malicious links or phone numbers. The primary difference is the communication channel: voice vs. text. Both are forms of phishing that exploit social engineering.
Never provide personal information over the phone unless you initiated the call. Hang up and call the official number from the company's website or your card. Use call-blocking apps to filter spam calls. Enable STIR/SHAKEN if your carrier supports it. Be skeptical of urgent or threatening messages.
Do not click any links or call any numbers in the text. Forward the message to 7726 (SPAM) to report it to your carrier. Block the sender. If you clicked a link, change your passwords immediately and monitor your accounts for fraud. Run a security scan on your device if you suspect malware.
Yes. For example, a smishing text may contain a phone number that the victim calls, leading to a vishing attack. This combines both techniques. The initial vector is smishing (the text), but the actual information theft occurs during the voice call. Be aware of multi-stage attacks.
Yes, they are forms of fraud and identity theft, which are illegal in most jurisdictions. However, attackers often operate from countries with lax enforcement. Laws like the TRACED Act in the US aim to combat robocalls and caller ID spoofing. Reporting attacks to authorities can help in investigations.
Attackers use VoIP services that allow them to set the outbound caller ID to any number they choose. They may also use 'neighbor spoofing' to display a local number to increase trust. Caller ID spoofing is possible because the phone network does not verify the authenticity of the caller ID information.
STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are protocols that authenticate caller ID. They allow the receiving carrier to verify that the caller ID has not been spoofed. This helps reduce vishing by making it harder for attackers to spoof legitimate numbers.