# Vishing

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/vishing

## Quick definition

Vishing, or voice phishing, is when scammers call you pretending to be from a trusted company like your bank or tech support. They try to scare you into giving them passwords, credit card numbers, or other private details. Always hang up and call the official number yourself if something feels wrong.

## Simple meaning

Imagine you are sitting at home and your phone rings. The caller says they are from your internet provider and that your account has been hacked. They say if you do not give them your password right now, you will lose your internet for a week. They sound professional and urgent. That is a vishing attack. Vishing is short for voice phishing, and it works by using the trust people have in phone calls. Unlike an email scam you can delete, a live call puts pressure on you to act fast. The attacker often spoofs the caller ID so the number looks real, like your bank's customer service line. They may even know some basic information about you, like your name or the last four digits of your account, to sound legitimate. Once they have your password, they can log into your real account and steal money or data. The core trick is that the human voice triggers a sense of trust and urgency that makes it harder to think clearly. In the IT world, vishing is a major threat because it bypasses technical security like firewalls and antivirus. No amount of encryption can protect a user who willingly gives away their credentials over the phone. The best defense is always to verify the caller's identity by calling back using a number you know is real, not the one they give you.

## Technical definition

Vishing is a form of social engineering attack that exploits the Public Switched Telephone Network (PSTN) and Voice over IP (VoIP) systems to conduct phishing over voice channels. The attacker typically initiates a call using caller ID spoofing, which manipulates the signaling protocol to display a fake number that appears legitimate. This can be achieved using SIP header manipulation in VoIP systems or by using third-party services that allow outbound calls with arbitrary caller ID information. The goal is to obtain sensitive data such as login credentials, credit card numbers, Social Security numbers, or one-time passwords (OTPs) for multi-factor authentication (MFA). 

From a technical perspective, vishing attacks often leverage interactive voice response (IVR) systems that mimic legitimate corporate systems. The attacker may deploy a rogue IVR that prompts the victim to enter their PIN or account number. The voice channel is then recorded or forwarded to a command center where the data is captured. In more advanced variants, attackers use voice callback techniques where the victim receives a call that asks them to call a different number, creating a trail that is harder to trace. 

Vishing attacks are particularly dangerous because they can bypass email security gateways and endpoint protection. Since voice communication is not typically monitored by security information and event management (SIEM) systems, the attack often goes undetected until the compromised credentials are used. In enterprise environments, attackers may call help desks pretending to be employees who have forgotten their passwords, using personal information gathered from social media or data breaches. This technique, known as pretexting, relies on the attacker establishing a believable scenario. 

From a protocol perspective, VoIP-based vishing uses Session Initiation Protocol (SIP) for call setup and Real-time Transport Protocol (RTP) for audio. The attacker may also use anonymous call rejection bypass techniques, such as entering a leading *67 or by using a legitimate VoIP provider that does not enforce anti-spoofing measures. Security professionals defend against vishing through user awareness training, call authentication frameworks like STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs), and strict password reset procedures that require out-of-band verification.

## Real-life example

Think about the last time you received a phone call from someone claiming to be from your credit card company. They said there was suspicious activity on your account and they needed to verify your card number to stop a fraudulent charge. The caller ID even showed the same number that is printed on the back of your card. That is a classic vishing scenario. In everyday life, we are conditioned to trust phone calls from authority figures. If a doctor's office calls about an appointment, you believe them. But a vishing attacker exploits that same trust. 

Now map this to IT. In a corporate setting, an attacker might call the IT help desk pretending to be the CEO. They say they are in a meeting and locked out of their email, and they need their password reset immediately. The help desk worker, wanting to help the boss, might bypass normal procedures. This is called a pretexting vishing attack. The analogy is like a stranger knocking on your door wearing a delivery uniform. You open the door because you trust the uniform, but inside the box is a device to steal your Wi-Fi password. The uniform is the fake caller ID. The box is the request for information. The stolen password is the result. Vishing works because humans are programmed to respond to voice tone, urgency, and authority. It is much harder to hang up on a live person than to delete an email. That is why vishing remains one of the most effective social engineering techniques used in data breaches today.

## Why it matters

In the context of IT security, vishing matters because it targets the weakest link in any system: the human user. Firewalls, intrusion detection systems, and encryption are all useless if a user voluntarily gives their password to a stranger over the phone. Vishing attacks have been responsible for some of the largest data breaches in recent years, including incidents where attackers gained access to corporate networks by tricking help desk employees into resetting passwords. 

For IT professionals, understanding vishing is critical because it is often the first stage of a multi-phase attack. Once the attacker has a password, they can move laterally across the network, install malware, exfiltrate data, or deploy ransomware. Vishing also bypasses multi-factor authentication token if the attacker convinces the victim to read out the MFA code over the phone. This is known as an MFA fatigue attack combined with vishing. 

From a compliance perspective, many regulations like PCI DSS, HIPAA, and GDPR require organizations to implement security awareness training that covers social engineering. Failing to train employees on vishing can lead to non-compliance and hefty fines. Vishing attacks are becoming more sophisticated with the use of AI-generated voice deepfakes. Attackers can now clone a manager's voice and call employees asking for sensitive data. This makes vishing an evolving threat that security professionals must continuously adapt to. For anyone pursuing IT certifications, knowing how to identify, prevent, and respond to vishing is not optional, it is a core competency.

## Why it matters in exams

Vishing appears in several major IT certification exams, including CompTIA Security+, CompTIA Network+, CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional), and CISA (Certified Information Systems Auditor). In Security+ (SY0-601 and SY0-701), vishing falls under Domain 1.0 Threats, Attacks, and Vulnerabilities, specifically in the social engineering section. You will need to understand how vishing differs from phishing and smishing (SMS phishing), and recognize example scenarios. Exam questions often present a scenario where a user receives a phone call asking for their credentials, and you must identify it as vishing. 

In the CEH exam, vishing is covered under social engineering in the Attack Vectors module. You may be asked about tools used for vishing, such as caller ID spoofing services, and how to gather information for pretexting. In CISSP, vishing appears in Domain 8 (Software Development Security) from a risk management perspective, but more commonly in Domain 1 (Security and Risk Management) as part of social engineering controls. CISA questions might ask about the effectiveness of security awareness programs against vishing. 

In general, exam questions will test your ability to differentiate between social engineering types, identify countermeasures (like call verification procedures), and understand why vishing is particularly dangerous because it exploits voice trust. You might also see questions about the STIR/SHAKEN protocol and how it helps prevent caller ID spoofing. The key is to remember that vishing always involves a voice channel, either live or recorded. If the question mentions a phone call, it is vishing. No email, no text message, only voice.

## How it appears in exam questions

In certification exams, vishing questions typically appear as scenario-based multiple-choice items. For example, a question might describe an employee named Sarah who receives a phone call from someone claiming to be from the company's IT department. The caller says they need Sarah's password to install a security update. The question asks what type of attack this is. The answer is vishing. Another common pattern is a question that lists several social engineering techniques (phishing, vishing, smishing, spear phishing, whaling) and asks you to match the description to the technique. 

Troubleshooting-style questions might present a situation where an organization has strong email filters and endpoint protection, yet employees are still being compromised. The question asks which attack vector is most likely being used. The correct answer is vishing, because it bypasses technical controls. Configuration questions might ask about implementing STIR/SHAKEN to prevent caller ID spoofing, or about help desk password reset protocols that require out-of-band verification (like video call or in-person visit). 

You may also encounter questions about multi-factor authentication (MFA) and vishing. For instance, a question might say: An attacker successfully reset a user's password via vishing and then was prompted for an MFA code. The user read the code over the phone. What control should have been in place? Options might include geolocation restrictions, number matching, or biometric verification. The correct answer is number matching with MFA, where the user matches a number on their device to the request, preventing them from blindly reading a code. Always look for clues like phone call, voice, caller ID spoofing, or help desk call in the question stem.

## Example scenario

You are working as a junior IT support specialist for a mid-sized company. One morning, you receive a call at the help desk from someone who says they are Mark, the CEO's executive assistant. Mark sounds stressed and says that the CEO is about to give a presentation to the board, but his account has been locked for some reason. He says the CEO needs his password reset within five minutes. Mark provides the CEO's full name, employee ID, and even the name of his last project. You look up the CEO's account and see it is indeed locked. Mark says the CEO is on the other line and can't call himself. He asks you to reset the password and give the new one to him over the phone. 

What do you do? This is a vishing attack. The attacker used social media and a data breach to gather personal details. They spoofed the phone number so it appeared to be an internal extension. The urgency is designed to make you skip normal verification procedures. The correct response is to follow the company's password reset policy: verify the identity using a pre-established callback number from the employee directory, never share new passwords over the phone, and require the user to set a new password using a self-service portal after a one-time link is sent to their verified email. By falling for this vishing attempt, you could give an attacker full access to the CEO's email, which could be used to wire money, steal confidential data, or launch ransomware. This scenario is common in help desk social engineering attacks, and it is why strict identity verification procedures are mandatory in secure environments.

## Common mistakes

- **Mistake:** Thinking vishing only happens via landline phones
  - Why it is wrong: Vishing can occur over any voice communication channel including VoIP, mobile phones, and even voice chat in applications like Skype or Discord. The attack vector is voice, not the type of phone line.
  - Fix: Consider any unsolicited voice call as a potential vishing attempt, regardless of the device or platform used.
- **Mistake:** Believing caller ID is always accurate
  - Why it is wrong: Caller ID is easily spoofed using VoIP protocols or third-party services. Seeing a familiar number does not mean the call is legitimate.
  - Fix: Never trust caller ID alone. Always verify the caller's identity by calling back using a known official number.
- **Mistake:** Thinking multi-factor authentication (MFA) fully protects against vishing
  - Why it is wrong: If the attacker tricks the victim into reading the MFA code over the phone, the code can be used immediately to complete the login. MFA is not foolproof against social engineering.
  - Fix: Use MFA methods that require number matching or biometrics, and train users never to share codes verbally.
- **Mistake:** Assuming only naive users fall for vishing
  - Why it is wrong: Vishing attacks can be very sophisticated using pretexting and deepfake voice technology. Even experienced IT professionals can be tricked when under pressure.
  - Fix: Implement strict verification procedures for all sensitive requests, regardless of the perceived status of the caller.
- **Mistake:** Confusing vishing with phishing or smishing
  - Why it is wrong: Phishing uses email, smishing uses SMS text messages, and vishing uses voice. Mixing them up leads to choosing the wrong countermeasure.
  - Fix: Always identify the communication channel: email = phishing, text = smishing, phone call = vishing.

## Exam trap

{"trap":"A question describes an employee receiving a voicemail that asks them to call back a number and enter their account PIN. The employee does so and later finds their account compromised. The exam question asks: 'What type of attack is this?' Many learners see the word 'voicemail' and think it is a type of phishing, so they choose 'phishing'. But the correct answer is 'vishing'. ","why_learners_choose_it":"Learners often associate phishing with any form of deceptive message. They overlook that vishing includes both live calls and recorded voice messages. The key is that the attack uses the voice channel (voicemail) and a phone number.","how_to_avoid_it":"Remember the channel: if the communication is auditory (live call or recorded voice), it is vishing. If it is text-based in an email, it is phishing. Phishing does not include voice interactions. Always focus on the medium used to deliver the attack."}

## Commonly confused with

- **Vishing vs Phishing:** Phishing uses deceptive emails to trick victims into clicking malicious links or opening attachments. Vishing uses phone calls or voice messages to directly extract information. The attack vector is different: email vs. voice. (Example: An email from 'your bank' asking you to log in is phishing. A phone call from 'your bank' asking for your password is vishing.)
- **Vishing vs Smishing:** Smishing uses SMS text messages to lure victims, often with a link to a fake website. Vishing uses voice calls. Both are forms of phishing, but the delivery method is different: text message vs. voice. (Example: A text saying 'Your package is on hold, click here' is smishing. A live caller saying the same thing is vishing.)
- **Vishing vs Pretexting:** Pretexting is a broader social engineering technique where the attacker creates a fabricated scenario (pretext) to obtain information. Vishing is a specific method of delivering the pretext via voice. Pretexting can also occur in person or via email. (Example: An attacker pretending to be a tech support agent and calling you is using vishing as the delivery method for the pretext.)
- **Vishing vs Voice phishing (same term):** Voice phishing is simply the full phrase for 'vishing'. There is no difference. The term vishing is a contraction of 'voice' and 'phishing'. They are synonyms. (Example: If you see 'voice phishing' in a text, think 'vishing'.)

## Step-by-step breakdown

1. **Reconnaissance** — The attacker gathers information about the target, such as name, job title, company, or recent purchases, using public sources like social media, data breaches, or previous attacks. This helps them sound credible.
2. **Spoofing** — The attacker uses VoIP or a third-party service to manipulate caller ID, making the call appear to come from a trusted number like the target's bank or IT department. This lowers the victim's suspicion.
3. **Call Initiation** — The attacker places the call, often using a script. They may use an automated IVR first, then transfer to a live operator if the victim enters sensitive data.
4. **Building Trust** — The attacker uses the gathered information and a sense of urgency (e.g., account compromise, prize winning) to create panic. They may also use a friendly, authoritative tone to establish trust.
5. **Extraction** — The attacker directly asks for sensitive information such as passwords, credit card numbers, or security answers. They may also request the victim to perform actions like installing remote access software.
6. **Exploitation** — Once the attacker has the information, they use it to access accounts, transfer money, steal data, or pivot to other systems. This step often occurs immediately after the call ends.

## Practical mini-lesson

Vishing is not just a theoretical concept; it is a daily threat that IT professionals must actively defend against. In practice, defending against vishing starts with policy. Every organization should have a clear, written procedure for verifying identity over the phone. For example, password reset requests must require the caller to provide a one-time code sent to their verified mobile device, not their personal knowledge. Help desk personnel should be trained to recognize urgency and authority as red flags. A CEO calling for an immediate password reset is a classic vishing pretext. 

From a technical perspective, implementing STIR/SHAKEN is a key measure. STIR/SHAKEN is a framework that authenticates caller ID using digital signatures. When a call is placed, the originating carrier signs the call's origin, and the terminating carrier verifies the signature. If the signature does not match, the call can be marked as 'verified' or 'spam'. This helps reduce spoofed calls but does not prevent all vishing. Organizations should use MFA with number matching, not push notifications or SMS codes. Number matching requires the user to enter a number displayed on their authenticator app or device, which they cannot easily read over the phone. 

What can go wrong? A common failure is that users are not trained to hang up and verify through an independent channel. Attackers often use call spoofing to make the victim believe the call is internal. Another failure is weak help desk procedures. In many breaches, help desk employees have reset passwords without proper verification. To mitigate this, use a system where password resets require a ticket from the user's manager or a video verification call. 

Professionals also need to understand the legal and compliance side. Under PCI DSS, voice calls that collect cardholder data must be encrypted and logged. Under HIPAA, sharing patient information over the phone without verification is a violation. For IT pros, a best practice is to conduct periodic simulated vishing campaigns to test user awareness. This helps identify weak points and retrain employees. Vishing defense requires a combination of technical controls (STIR/SHAKEN, MFA with number matching), procedural controls (verification policies), and human awareness (training).

## Memory tip

Vishing = Voice + Phishing. Remember the 'V' for 'Voice' and 'V' for 'Victim on the phone'. If you hear a voice asking for secrets, it's vishing.

## FAQ

**What does the term 'vishing' stand for?**

Vishing is a combination of 'voice' and 'phishing'. It refers to phishing attacks carried out over the phone or voice messaging systems.

**How is vishing different from a regular scam call?**

Every scam call that asks for sensitive information is vishing, but not all scam calls are vishing if they only ask for money without trying to obtain credentials. Vishing specifically aims to steal data that can be used for identity theft or account access.

**Can vishing be prevented by caller ID alone?**

No. Caller ID is easily spoofed using VoIP technology. Relying on caller ID for verification is a security risk. Always verify through a separate, trusted channel.

**What is the best way to respond to a vishing call?**

Do not provide any personal information. Hang up immediately. Then call the official number of the organization the caller claimed to be from to verify the request.

**Is vishing a threat to organizations that use Multi-Factor Authentication (MFA)?**

Yes, if the MFA method relies on codes that can be spoken aloud, attackers can trick users into reading the codes over the phone. Number matching or hardware tokens are more secure.

**What is STIR/SHAKEN and how does it relate to vishing?**

STIR/SHAKEN is a protocol used to authenticate caller ID on phone networks, making it more difficult to spoof numbers. It helps reduce vishing by verifying that the caller ID is legitimate.

## Summary

Vishing, or voice phishing, is a social engineering attack where criminals use phone calls to trick victims into revealing sensitive information like passwords, credit card numbers, or personal data. It relies on the inherent trust people place in voice communication and often uses caller ID spoofing to appear legitimate. Unlike email phishing, vishing can bypass technical security controls and exploit human psychology under pressure. For IT professionals, vishing is a critical threat because it can lead to credential theft, network breaches, and data loss. Defending against vishing requires a layered approach: user awareness training, strict verification procedures for help desks, implementation of STIR/SHAKEN to combat spoofing, and the use of MFA methods that cannot be bypassed by voice. 

In certification exams, vishing is a common topic in Security+, CEH, CISSP, and CISA. You will encounter scenario-based questions that ask you to identify vishing, differentiate it from phishing and smishing, and apply appropriate countermeasures. The key takeaway is that if the attack involves a voice channel (live call, voicemail, or IVR), the answer is vishing. Always focus on the delivery method. Understanding vishing is not just about passing an exam; it is about protecting real-world systems from one of the most effective and growing attack vectors in cybersecurity.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/vishing
