Phishing vs Vishing vs Smishing (Differences & Examples) | AP Cybersecurity
Phishing vs Vishing vs Smishing: Differences, Examples & How to Spot Them
Phishing, vishing, and smishing are the same social engineering attack delivered through different channels: email, voice call, and text message. The framework requires you to identify the channel, not memorize every sub-type name.
Same goal, different channel
Social engineering can happen in person, but it is most often delivered through email, text message, or social media (EK 1.1.A.1). The channel names are: phishing by email, vishing by voice call, and smishing by text message (SMS).
The goal is identical across channels: get the target to reveal information, click a malicious link, or download a malicious file. Only the delivery differs, which is why the exam asks you to name the channel used in a scenario.
An attacker calls pretending to be the help desk and asks the employee to read back a texted code. Which channel is this?
Answer:
Vishing. The attack is delivered by voice call. The texted code is the target, but the social engineering channel is the phone call.
Identify the tactic (intimidation or urgency) AND the channel (email, text, voice, in person). Naming the exact sub-type such as whaling is enrichment, not required.
Indicators that cut across channels
No matter the channel, the same red flags appear: a look-alike sender or number, pressure to act fast, a request to reveal information or click a link, and vague wording where a legitimate sender would include specific details.
A look-alike domain (typosquatting), such as one with a zero in place of an 'o', is the single most reliable email tell. For voice and text, an unknown number paired with an urgent request to share a code is the equivalent.
A text from an unknown number says 'Your bank login is locked. Reply with your one-time code to restore access.' What channel and what red flag?
Answer:
Smishing. The red flag is a request to reveal a one-time code under pressure. Legitimate banks never ask you to send your code.
The 2020 Twitter account takeover
Attackers phoned Twitter employees posing as internal IT (vishing) and walked them into entering credentials on a fake login page. With that access they hijacked high-profile accounts to run a scam.
Channel: voice (vishing). Impact: credential theft.
Key Terms
| Term | Definition |
| --- | --- |
| Phishing | Social engineering delivered by email. |
| Vishing | Social engineering delivered by voice call. |
| Smishing | Social engineering delivered by text message. |
| Typosquatting | Using a look-alike domain, such as one with a zero in place of an o. |
| Channel | The delivery method: email, voice, text, or in person. |
Common Mistakes
Thinking phishing is the only social engineering
Phishing is one channel (email). Voice (vishing), text (smishing), and in person are equally valid.
Memorizing sub-types instead of channels
The framework requires the channel. Whaling vs spear phishing labels are enrichment.
Ignoring the sender domain
A look-alike domain is the strongest single email indicator. Always read the address, not just the display name.
Assuming voice calls are safe
Vishing defeats people who trust a human voice. The same skepticism applies.