Vishing Explained
Vishing, or voice phishing, is a type of phishing attack where scammers use phone calls to trick individuals into revealing personal information, such as passwords or credit card numbers, by pretending to be a legitimate entity.
This type of scam can be executed by real humans or via pre-recorded robocalls. While most of the criminals leading this type of attack aim to pressure their victims on a live phone call, they also often leave voice messages to increase their chances of success.
Scammers who use vishing attacks commonly pretend to be respected institutions like banks or the government. They use psychological techniques to simulate urgency, often threatening legal action or claiming your account will be frozen.
These tactics are designed to stress out their targets and make them more likely to comply without thinking the requests through.
What’s The Difference Between Phishing and Vishing?
These two scams are closely related forms of social engineering. The main difference is the channel: phishing is delivered via email, while vishing uses voice calls. While some vishing attacks use malicious links, all phishing attacks begin this way.
The two scams also have different audiences. Phishing attacks are mostly directed at businesses, and vishing attacks mainly target individuals. That being said, users must remain vigilant because both scams have also been launched against the opposite demographic, albeit at a lower rate. To learn more about phishing, read "What is Phishing?".
Vishing attacks have become so prevalent that 55 billion robocalls were recorded in 2023; that number is even higher when factoring in human scam calls.
What is the Goal of Vishing Attacks?
The primary goal of a vishing attack is financial loss for the victim, which means successful vishing attacks are highly damaging. Money can be stolen via vishing, either through direct payment for a fraudulent bill or by obtaining the victim’s credit card information and defrauding them.
Financial loss is so common in scam calls that 68.4 million Americans reported losing money to such calls in 2022. The actual number of victims is certainly much higher, as many never report this type of scam out of shame at having fallen for it.
While most vishing attacks target individuals and compromise their personal finances or data, they are increasingly being used against employees to defraud businesses. The usual strategy in these cases is to impersonate someone with authority and request a money transfer or pay a fraudulent invoice, prompting employees to comply with the requests.
The Vishing Attack Process
Successful vishing attackers aren't your typical phone pranksters.
Their calls are highly strategic. Here's how a vishing attack generally proceeds:
1. Victim Research
Vishing criminals start by researching their victims. If all they have is your email address, they might send a phishing email to try and elicit your phone number.
2. Phone Call
If you've already been tricked by a phishing email, you're likely to trust a follow-up phone call. A sophisticated scheme may combine phishing and vishing to set up that expectation. Cyber criminals use special software to fake their area code, tricking you into thinking they're local.
When that call comes in with a local area code, that's even more reason to believe it's legitimate.
3. Appeal & Trick
Now that the cyber criminal has you on the phone, their next move is to appeal to your human instincts. Depending on the vishing scheme, it could be trust, fear, greed, or your desire to help.
The bad actor may use one or more of these social engineering techniques to convince you that divulging sensitive information is the right thing to do. They may ask for bank account information, credit card details, and a mailing address.
They might even ask you to do the work yourself—transferring funds, emailing confidential work-related documents, or sharing details about your employer.
4. Commit Crime
The vishing crime does not stop there. Armed with this valuable information, the cyber criminal moves in to commit further crimes. They may drain your bank account or use your credit card details to make unauthorized purchases.
If they commit full-fledged identity theft, they might use your email credentials to gain your colleagues’ trust and convince them to share confidential business information.
Vishing Scam Techniques
8 Common Vishing Scams
Vishing is a versatile scam that comes in many shapes and colors. Used in both automated and manually-directed ways, voice phishing can have devastating consequences if the victim doesn’t realize it in time.
Here are the most common versions affecting both individuals and businesses:
1. AI-based Vishing
With the rise of readily available, free AI voice tools, scammers have begun integrating voice cloning into their vishing attacks. A few videos or voice recordings are enough to build a convincing voice model.
This advanced software allows scammers to create voice recordings and sound boards that can be used to conduct a live conversation, credibly interacting with the victim’s answers.
2. Robocall
Robocalls are the precursor of AI vishing. Built with the crude computer-generated voice software seen in automated phone tree systems, these pre-recorded messages are less dangerous than their AI-based successors because they can’t adapt to the victim’s reactions, yet they still manage to trick millions of people every year.
3. VoIP
This technology allows scammers to simultaneously create thousands of phone numbers, scaling their attacks much faster and circumventing banned numbers. VoIP isn’t a nefarious technology in itself, but it is heavily relied on by scammers and hackers to carry out attacks.
4. Caller ID Spoofing
Using dark web software, scammers can modify their caller ID to trick their victims into believing the call comes from their bank, the government, or even their employer. These caller IDs can be extremely convincing and, in some cases, perfectly match the business or person they are trying to emulate.
5. Dumpster Diving
This advanced and more extreme method is mostly used against businesses. It involves digging through the company’s physical trash for documents containing personal or business data, which gives the attackers the details they need to launch a successful vishing attack.
For example, finding out how a company organizes its invoices or identifying the names of its employees in accounts payable helps to produce persuasive vishing attacks.
6. Tech Support Call
This type of attack is primarily directed at employees at large multinational companies, where they tend not to know the tech support staff personally. It usually tries to gain employee credentials to launch a cyber attack later.
7. Voicemail Scam
AI and robocall vishing attacks regularly leave voicemails, increasing the odds of a victim hearing them. However, when this type of scam is used against a business, it usually takes the form of a typical email phishing attack.
Scammers will research which companies have voice-to-text software for their voicemails and then send fake emails telling people they have a voicemail to listen to, with a fraudulent malware link hidden in the email.
8. Client Call
With this type of vishing, scammers impersonate a company that recently issued an invoice to the victim's business to collect fraudulent payments. This method is often combined with dumpster diving, which can provide a legitimate invoice number to claim that a payment wasn’t received.
6 Examples of Vishing
There are many variations and scenarios of vishing, making it more dangerous than many other scams. Here are the most common iterations to look for:
1. Government
Posing as a victim’s local tax authority, scammers will either tell people that their taxes are due or that they are entitled to a tax refund. The common scenarios include:
- Scammers pressure the victim to pay them on the spot via a wire transfer for missing tax amounts.
- Victims are directed to a fraudulent website to claim a refund; the site steals their credentials or asks for a payment to “unlock” the tax refund.
2. Banking
In this case, scammers will pretend to be employees of the victim’s bank and lead them to divulge their login credentials or to input them on a fraudulent website. The common scenarios include:
- Victims receive a call concerning a fraudulent charge on their bank account or credit card. The caller asks for login information to “secure” the account or to “confirm their PIN” and steals it.
- Scammers will also call their victims, claiming a bill has been overpaid and they need their information to direct the funds to the right account.
3. Tech support
This scam is gaining popularity, especially with hybrid working styles and remote tech support services. Employees nowadays rarely know the tech support staff directly, and an individual asking for remote control of your machine isn’t as suspicious as it used to be.
4. Insurance
Insurance companies are usually only contacted in stressful times when people might be more vulnerable or not do their usual security checks. Scammers will even go through a victim’s trash to find which insurance company they use and call them after a big storm or other natural event to increase their chances of being believed.
5. Charity
Soliciting charity donations over the phone isn’t inherently wrong, and many legitimate charities do it. However, scammers often use this opportunity to collect donations for fake causes with sad stories.
6. Prize win
Another popular vishing scenario involves calling a victim to tell them they won a big prize. The victim is then directed to a website to collect their winnings, where they are induced to submit their banking information to later be exploited. There’s an alternative in which they are asked to pay a fee to “unlock” their winnings, and the scammers vanish with the money.
Signs of a Vishing Attempt
Receiving a robocall is almost always the sign of a vishing attack nowadays unless it’s an expected call. If it’s a human calling, be wary of anyone pressuring you to make a payment or to give up confidential information.
In almost all cases where money is due, whether to a bank or the government, they would contact you in a much more understanding and flexible manner to arrange payment with you. Also, take note of how most institutions you deal with would generally contact you. If your bank usually contacts you by mail and you start receiving calls from them, it might be a sign of a scam.
7 Clues to Help Recognize Vishing Attacks
1. If a caller from a trusted authority asks for account access or confidential information, it could be a vishing attack. Banks, hospitals, police, and government departments do not ask for sensitive data over the phone.
2. Poor audio quality, unusual background sounds, voice glitches, and pauses could indicate a vishing attack. If you know the caller, but their voice sounds robotic or unnatural, it could be a voice clone.
3. Pay attention to the language being used. Vishing attacks often make threats and use excessively persuasive language.
4. Sometimes, vishing scammers leave phone numbers for follow-up calls. Look it up. If the number doesn't match the organization's listed number, it could be a vishing attempt.
5. Be vigilant. Calls from unknown or unusual numbers may be vishing attempts. If you decide to answer, be on high alert.
6. Calls from technical support asking for remote access or requiring you to download software updates are often vishing attempts.
7. Be extra alert on calls from colleagues, your boss, human resources, or partner companies. If you feel pressured to divulge information or act fast with money, this may be a vishing call.
Vishing Attack Prevention
Vishing is done over the phone, and the best way to prevent it is to never answer calls from phone numbers you don’t recognize or, if you must, be very careful with what the person on the other end of the line asks you. Also, pay close attention to caller IDs; spoofed versions often have subtle misspellings or are written in lowercase instead of all caps.
The best way to prevent this scam is to simply say you’ll call them back. If the person on the phone gives you a number right away and instructs you not to use the publicly available number for the institution in question, something is up.
The same tip applies to payment methods. If a company you always paid via credit card or bank transfer starts asking for crypto or gift cards, it’s always a scam using a different payment method to make the money untraceable.
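Clue 4 above (look up the number the caller leaves) and the caller-ID note in this section (spoofed names with subtle misspellings or odd casing) are both simple comparisons that can be automated. The following is an added example, not code from the original article or from Terranova Security: it normalizes the calling and callback numbers, checks them against a constructed directory of published numbers, and flags caller-ID display names that match the claimed institution only loosely. The directory entries, phone numbers, and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample directory of institutions the recipient actually deals with,
# keyed by the number printed on their card, statement or official website.
# These are placeholder numbers and names, not real institutions.
TRUSTED_DIRECTORY = {
    "+15551230100": "FIRST EXAMPLE BANK",
    "+15551230200": "CITY TAX OFFICE",
}

NEAR_MISS_THRESHOLD = 0.8  # assumption: names this similar look like lookalikes


def normalize_number(raw: str, default_country: str = "1") -> str:
    """Reduce a displayed or dictated number to +<country><digits> so that
    '+1 (555) 123-0100', '555-123-0100' and '15551230100' compare equal.
    Assumes a 10-digit local number belongs to the default country."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country + digits
    return "+" + digits


def check_callback_number(number: str) -> dict:
    """Clue 4 from the article: look the number up instead of trusting it."""
    norm = normalize_number(number)
    return {"number": norm, "listed_as": TRUSTED_DIRECTORY.get(norm)}


def check_caller_id_name(display_name: str, claimed_institution: str) -> list:
    """Flag the subtle case and spelling differences that spoofed caller IDs show."""
    flags = []
    if display_name == claimed_institution:
        return flags
    if display_name.casefold() == claimed_institution.casefold():
        flags.append("caller ID name matches only when case is ignored")
        return flags
    ratio = SequenceMatcher(None, display_name.casefold(),
                            claimed_institution.casefold()).ratio()
    if ratio >= NEAR_MISS_THRESHOLD:
        flags.append("caller ID name is a near miss (possible misspelling)")
    else:
        flags.append("caller ID name does not match the claimed institution")
    return flags


def assess_call(display_name: str, caller_number: str,
                callback_number: str, claimed_institution: str) -> dict:
    """Combine the checks into a verdict. A clean result only means nothing
    looked wrong: caller ID can be spoofed, so the recommended action is always
    to hang up and call the published number yourself."""
    flags = list(check_caller_id_name(display_name, claimed_institution))
    if check_callback_number(caller_number)["listed_as"] != claimed_institution:
        flags.append("calling number is not the published number for the institution")
    if check_callback_number(callback_number)["listed_as"] != claimed_institution:
        flags.append("callback number given by the caller is not the published number")
    published = [n for n, name in TRUSTED_DIRECTORY.items()
                 if name == claimed_institution]
    return {
        "flags": flags,
        "suspicious": bool(flags),
        "call_back_on": published[0] if published else None,
    }


if __name__ == "__main__":
    # Constructed scenario: caller claims to be the bank and leaves a different number.
    print(assess_call("first example bank", "+1 555 999 8888",
                      "555-123-0199", "FIRST EXAMPLE BANK"))
```

The `call_back_on` field is the point of the exercise: whatever the flags say, the safe move the article recommends is to end the call and dial the number you already have on record.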
Security awareness training is key to preventing a successful vishing attack. Vishing training exercises give users real-world attack scenarios that teach and reinforce best practices.
Gamification can also be an excellent tool for businesses that want to familiarize their staff with vishing. Interactive games in which users try to pick out suspicious phone calls provide the context your staff needs to recognize these calls when they happen in the wild.
If you’re ready to integrate vishing as a subject in your cybersecurity awareness training, preview our training modules here.
Suspect you're receiving a vishing call? Here are some tips to follow.
1. Don't provide or confirm your personal information, workplace, or home address over the phone.
2. Don't answer phone calls from unknown numbers. Let the call go to voicemail, and assess the legitimacy of the message before responding.
3. Listen carefully to the caller's voice to detect anomalies or odd background noise.
4. Pause before responding to requests—especially when requests are urgent. The caller might be exploiting your sense of responsibility to act fast.
5. Ask questions. If the caller demands information or offers a prize, say you need their name and company phone number to verify who they are. If they refuse to provide this information, hang up. If they provide it, ensure it's legitimate before you provide your information in return.
6. Register your phone number with the Do Not Call Registry. Legitimate companies usually honor this list, so receiving robocalls and telemarketing calls after the fact could indicate a vishing attack.
7. Implement an authentication process for work calls that involve sensitive information. If a caller impersonates a colleague but can't answer a security question, it could be a vishing attempt.
8. Don't respond to emails or social media messages that ask for your phone number. This tactic is often the first step in a targeted vishing attack. Instead, report these emails and messages to your IT team.
9. Explore and enable protection features on your phone that block or filter out spam calls.
We're here to help
For over 20 years, Terranova Security has helped organizations train employees on how to safeguard sensitive information from vishing and other cyber threats.