Vishing, Smishing, and Pretexting
Explore voice-based (vishing) and SMS-based (smishing) attacks, and understand how pretexting creates believable false scenarios to manipulate victims.
Social Engineering Beyond Email
While phishing dominates headlines, attackers use multiple communication channels to manipulate victims. Vishing uses voice calls, smishing uses SMS text messages, and pretexting is the practice of constructing a believable false scenario (pretext) to justify why the victim should comply with a request. These attacks succeed not because victims are ignorant, but because they exploit fundamental human instincts: trust in authority, desire to be helpful, and the tendency to follow instructions when under pressure.
Vishing: Voice-Based Phishing
Vishing (voice phishing) uses phone calls to manipulate victims. Common pretexts include impersonating an IRS agent threatening arrest for unpaid taxes, a bank fraud department warning of suspicious transactions, tech support claiming to have detected a virus, or a government benefits office requiring verification. Attackers use caller ID spoofing to display the phone number of a legitimate organization. Robocall vishing campaigns operate at scale, then connect interested victims to live operators. The real-time nature of voice calls creates pressure that makes critical thinking difficult.
# Common vishing pretexts:
# 'This is the IRS. You owe back taxes; pay now to avoid arrest'
# 'Microsoft Support detected a virus on your computer'
# 'Your bank account is compromised; verify your PIN to secure it'
# 'Social Security Administration: your number has been suspended'
#
# Red flags:
# - Caller ID can be spoofed (not proof of legitimacy)
# - Legitimate orgs do NOT call demanding immediate payment or credentials
# - Urgency + threats of arrest/account closure are common manipulation