Vishing

Vishing (voice phishing) is a social engineering attack carried out over a phone call, where an adversary uses psychological tactics like urgency or intimidation to manipulate you into revealing sensitive information or performing a harmful action.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is vishing?

Vishing is phishing done by voice. Instead of an email or text, an attacker calls you on the phone and uses psychological manipulation to get something they want. That something is usually sensitive information (your password, a one-time code, your birthdate), or an action like wiring money or installing software.

Under the CED, vishing is one flavor of social engineering (EK 1.1.A.1), which is any attack that uses psychological tricks rather than hacking code. The attacker leans on the same human pressure points as other social engineering: intimidation ("Your account will be locked unless you act now") and urgency ("You only have five minutes to verify this charge"). On a live call those tactics hit even harder, because you can't pause and reread the message. The voice on the line pressures you to react before you think.

Why vishing matters in AP Cybersecurity

Vishing lives in Unit 1: Introduction to Security, under topic 1.1 Understanding Social Engineering. It's a concrete example you can use to demonstrate three connected objectives: identifying the tactics (AP Cybersecurity 1.1.A), explaining why those tactics work on people (AP Cybersecurity 1.1.B), and describing the damage when an attack succeeds (AP Cybersecurity 1.1.C). The big idea is that the weakest link in security is often the human, not the technology. Vishing proves it. No malware required, just a phone and a convincing story.

How vishing connects across the course

Phishing (Unit 1)

Phishing is the umbrella term for tricking someone into giving up info or clicking something malicious. Vishing is just phishing delivered by voice call instead of email. If you understand the parent concept, vishing is the same playbook over the phone.

Smishing (Unit 1)

Smishing is phishing by SMS text message. Vishing, smishing, and email phishing are the same attack split by channel: voice, text, and email. The CED groups them all under social engineering because the psychology is identical; only the delivery changes.

Intimidation and Urgency (Unit 1)

These are the engines that make vishing work (EK 1.1.A.2, 1.1.B.2, 1.1.B.3). Intimidation uses fear of consequences; urgency uses time pressure to stop you from thinking. On a phone call both feel more real because there's a human voice pushing you to decide right now.

One-Time Passwords and Impersonation (Unit 1)

A classic vishing payoff is getting you to read out an OTP or login code (EK 1.1.C.2), which lets the attacker log in as you. Even small details like a pet's name or birthdate (EK 1.1.C.1) can be used to answer security challenge questions and impersonate you later.

Is vishing on the AP Cybersecurity exam?

Expect vishing to show up in multiple-choice questions that describe a scenario and ask you to name the tactic or the attack type. A stem might describe someone getting a phone call from a "bank" demanding their verification code immediately, and you'd identify it as vishing plus the urgency/intimidation tactics behind it. You should be able to do three things: label the attack as voice-based social engineering, explain the psychological principle making it effective, and state the likely impact on the victim. No released FRQ has used the word "vishing" verbatim, but it's a textbook example for any prompt asking you to identify social engineering indicators or describe the impact of a successful attack.

Vishing vs smishing

Both are social engineering through a phone, but the channel is the giveaway. Vishing is a voice call (the "v" is for voice). Smishing is a text message (the "sm" is for SMS). Same psychology, different delivery, so read the scenario for whether the attacker called or texted.

Key things to remember about vishing

  • Vishing is voice phishing: a social engineering attack delivered through a phone call.

  • It uses the same psychological tactics as other social engineering, especially intimidation and urgency, to make you act before you think.

  • The attacker's goal is usually sensitive info like a one-time password or login code, or getting you to perform an action like sending money.

  • It maps to topic 1.1 and supports objectives 1.1.A (identify tactics), 1.1.B (explain why they work), and 1.1.C (describe impact).

  • The key difference from smishing is the channel: vishing is voice calls, smishing is text messages.

Frequently asked questions about vishing

What is vishing in AP Cybersecurity?

Vishing is voice phishing, a social engineering attack where an adversary calls you on the phone and uses psychological tactics like urgency or intimidation to trick you into revealing sensitive information or doing something harmful. It falls under topic 1.1, Understanding Social Engineering.

Is vishing the same as phishing?

Not exactly. Phishing is the broad category of tricking people into giving up information or clicking malicious links, usually by email. Vishing is a specific type of phishing carried out by voice phone call, so it's a subset, not a synonym.

How is vishing different from smishing?

The channel. Vishing happens over a voice call (the "v" is for voice), while smishing happens over SMS text messages (the "sm" is for SMS). The manipulation tactics are the same, so check the scenario for whether the attacker called or texted.

Why does vishing work on people?

It exploits natural human responses. Intimidation makes you fear a negative consequence, and urgency pressures you to act fast before you can stop and ask whether the request is reasonable (EK 1.1.B.2 and 1.1.B.3). A live voice makes both feel more urgent and real.

What can happen if someone falls for a vishing attack?

The victim might hand over personal details like a birthdate or pet's name that get used to answer security questions, or read out a one-time password that lets the attacker log in as them (EK 1.1.C.1 and 1.1.C.2). That can lead to account takeover or impersonation.
