Vishing is a cybercrime that uses the phone to steal confidential personal information from victims. Often referred to as voice phishing, it relies on savvy social engineering tactics that cybercriminals use to convince victims to act, giving up private information and access to bank accounts.

Similar to phishing or smishing, vishing relies on convincing victims that they are doing the right thing by responding to the caller. Often the caller will pretend to be calling from the government, tax department, police, or the victim’s bank.

Using threats and convincing language, cybercriminals make victims feel as though they have no other option than to provide the information being asked of them. Some cybercriminals use strong and forceful language, and others suggest they are helping the victim to avoid criminal charges. A second common tactic is to leave threatening voicemails that tell the recipient to call back immediately or they risk being arrested, having bank accounts shut down, or worse.


For example, during tax season, criminals will leave messages pretending to be from the IRS. And during the COVID-19 pandemic, cybercriminals called people promising vaccines and testing kits if they provided their bank account information and mailing address.


Vishing is used to attack both individuals and organizations

A cybercriminal may research an organization, find an employee’s contact information online, and then call on behalf of the CEO asking the victim to transfer funds to pay an outstanding invoice or to email personnel files.


What is social engineering?

Social engineering is a manipulation technique used by cybercriminals to trick people into giving up confidential information. Social engineering relies on the basic human instinct of trust to steal personal and corporate information that can be used to commit further cybercrimes.

How Does Vishing Happen?

A successful vishing attack requires more than just calling random phone numbers. Cybercriminals use a strategic approach to steal from victims:


The cybercriminal starts by researching their victims. This might include sending phishing emails, hoping that someone will respond and provide their phone number. Or the criminal uses specialized software to call multiple people using a phone number that has the same area code as the victims.


If the victim has already been tricked by a phishing email, they are very unlikely to be suspicious of the caller. Depending on the sophistication level of the phishing/vishing scheme, the victim is expecting a phone call. And cybercriminals know that people are more likely to answer calls from numbers that have a local area code.


Now that the cybercriminal has someone on the phone, their next move is to appeal to the victim’s human instincts of trust, fear, greed, and desire to help. Depending on the vishing scheme, the criminal may use all or just one of these social engineering techniques to convince the victim that they are doing the right thing. The cybercriminal may ask for bank account information, credit card details, and a mailing address or ask the victim to take action by transferring funds, emailing confidential work-related documents, or providing details about their employer.


The cybercrime does not stop here. Now that the cybercriminal has this information, they can proceed to commit further crimes. For example, the cybercriminal may drain the victim’s bank account, commit identity theft, use the victim’s credit card details to make unauthorized purchases, and then email the victim’s colleagues in hopes of tricking someone into giving up confidential work information.

Some vishing cybercriminals go so far as to give victims a phone number to call if they have questions or want to follow up, for example, on the processing of their taxes or to find out the results of their COVID-19 virus test. This helps legitimize the cybercriminal and gives the victim a feeling of confidence. If the victim does call the number, they may be connected to voicemail or talk to a human who continues the vishing scam.

1. Wardialing

The cybercriminal uses software to call specific area codes, using a message that involves a local bank, business, police department, or other local organization. When the call is answered the automated message begins, urging the person to provide their full name, credit card details, bank account information, mailing address, and even social security details. The recorded message may suggest this information is needed to confirm the victim’s account has not been compromised or to confirm valid account details.


2. VoIP

VoIP makes it very easy for cybercriminals to create fake numbers and to hide behind them. These numbers are very hard to track and can be used to create phone numbers that appear to be local or that use a 1-800 prefix. Some cybercriminals will create VoIP numbers that appear to come from a government department, local hospital, or police department.


3. Caller ID Spoofing

Similar to VoIP vishing, with caller ID spoofing, the cybercriminal hides behind a fake phone number/caller ID. They may list their name as Unknown or pretend to represent a legitimate caller, using an ID such as Government, Tax Department, Police, etc.

4. Dumpster Diving

A simple and still very popular method of collecting valid phone numbers is to dig through dumpsters behind banks, office buildings, and random organizations. Often criminals will find enough information to deliver a targeted spear vishing attack against the victim.

Critical to the success of every type of phishing is social engineering. People should be suspicious of callers who use urgent, forceful, or convincing language. It’s important to remember that Microsoft tech support, Amazon, or your local hospital will never ask for your personal bank information or PIN codes.

Examples of Vishing

Vishing is extremely common, and these four examples underscore how easy it is for cybercriminals to convince victims to act.

1. Government Representative

The caller pretends to be calling on behalf of the government and is simply calling to verify personal identification details. The caller may threaten to suspend tax refunds or social security payments if the victim does not provide the information required to confirm their account and identity.

2. Tech Support Fraud

The caller pretends to be tech support for Microsoft, Amazon, or the area wireless provider. They have noticed unusual activity on the victim’s account and just want to confirm that they have the right account details. The cybercriminal may ask for an email address to which they can send a software update, telling the victim to install it to protect their computer from cybercriminals. However, this actually installs malware on the victim’s computer.

3. Bank Impersonation

Using a spoofed phone number and caller ID, the cybercriminal pretends to be calling on behalf of the victim’s bank. The caller says that there has been unusual activity on the victim’s account and asks the victim to confirm their bank account details, including their mailing address for proof of identification. This information is then used by the cybercriminal to commit identity theft.

4. Telemarketing Attack

Everyone wants to win a free prize and cybercriminals take advantage of this to trick unsuspecting victims into providing confidential information. The caller claims this information is required to process the free prize and guarantee the victim receives it on time.

Cybercriminals are always changing their vishing tactics and customizing their messages to take advantage of recent news stories, well-known hacks/cybercrimes, or something appealing like Black Friday sales specials.

How To Recognize and Prevent Vishing

As part of your security awareness training and communication campaign, remind your employees of how to recognize and prevent vishing:

1. Never provide or confirm your personal information on the phone. Remember that your bank, hospital, police department, or any government department will never call you asking for your personal information.

2. Listen very carefully to the caller. Pay attention to the language being used and think before responding. Never provide any personal information. Do not confirm your address. Be wary of threats and urgent requests.

3. Be wary of any phone numbers the caller gives you to confirm their identity. Look up the phone number yourself and call the number using a different phone. Cybercriminals can route phone numbers and create fake numbers.

4. Do not answer phone calls from unknown numbers. Let the call go to your voicemail and then listen to the message very carefully.

5. Do not answer questions about your personal information, your workplace, or your home address.

6. Ask questions. If the caller is trying to give you a free prize or sell you something, ask them for proof that you can use to verify who they are and where they work. If the caller refuses to provide this information, hang up. Make sure you confirm any information the caller gives you before providing your information.

7. Register your phone number with the Do Not Call Registry. Most legitimate companies respect this list, so if you do receive a call from a telemarketing company, this is an indicator that the call is a vishing attack.

8. Remember the information you learned about social engineering from your security awareness training. Be on the lookout for language that takes advantage of basic human behaviors of fear, greed, trust, and wanting to help others.

9. Remember that your manager or human resources colleague will never call you at home asking you to transfer funds, provide confidential information, or email documents from your personal account.

10. Do not respond to emails or social media messages that ask for your phone number. This is the first step in a targeted phishing/vishing attack. Report these emails/messages to the IT/support team.
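A security team can apply the same warning signs when triaging voicemail transcripts that employees report. The following is an added example, not part of the original article or any vendor product; the category names, keyword lists, decision rule, and sample transcripts are constructed assumptions for illustration.

```python
import re

# Indicator categories drawn from the warning signs in this article.
# Keyword lists are illustrative assumptions, not a vetted detection ruleset.
INDICATORS = {
    "claimed_authority": r"\b(irs|tax department|police|government|your bank|tech support)\b",
    "threat_or_urgency": r"\b(immediately|right away|arrest(ed)?|suspend(ed)?|shut down|final notice)\b",
    "sensitive_request": r"\b(social security number|pin|bank account|credit card|mailing address)\b",
    "prize_lure": r"\b(free prize|you have won|winner)\b",
    "callback_number": r"(\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}


def find_indicators(transcript: str) -> set:
    """Return the names of every indicator category present in the transcript."""
    return {name for name, rx in COMPILED.items() if rx.search(transcript)}


def triage(transcript: str) -> str:
    """Classify a reported voicemail as 'report', 'review', or 'no_indicators'.

    'report': pressure (a threat or a lure) combined with a request for data
    or a callback number, the pattern this article describes.
    'review': some indicators are present, but not the combined pattern.
    """
    hits = find_indicators(transcript)
    pressure = hits & {"threat_or_urgency", "prize_lure"}
    ask = hits & {"sensitive_request", "callback_number"}
    if pressure and ask:
        return "report"
    return "review" if hits else "no_indicators"


# Constructed sample transcripts (not real messages; the number is fictional).
SAMPLES = [
    "This is the tax department. Call back immediately at 555-555-0142 or you will be arrested.",
    "Congratulations, you have won a free prize. Confirm your credit card to claim it.",
    "Hi, it's the dental office confirming your appointment on Tuesday at 3 pm.",
    "This is your bank. Please visit a branch when convenient.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text), sorted(find_indicators(text)), "-", text)
```

Keyword matching like this only prioritizes reports for a human analyst; a message with no hits can still be a scam, so it does not replace the callback-verification steps above.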

Phishing simulation is one of the best ways to raise awareness of vishing attacks. Remember that vishing is often used along with phishing to commit a two-pronged cyber attack.

Phishing simulations help you identify which employees are at risk of cybercrimes that rely on social engineering to trick and steal from victims. Real-time phishing simulations are a key part of any successful security awareness training program.

Together, security awareness training and phishing simulations help raise alertness levels to cyber security threats. Phishing simulations give people first-hand experiences that help them understand how cybercriminals work to deceive, convince, and steal.


How Can Phishing Simulations Help Prevent Vishing Attacks?

Phishing simulations help you show employees how cybercriminals use phone calls, voicemail messages, and savvy language to commit cybercrimes.

1. Increases alertness levels to how cybercriminals use manipulative language in text messages.
2. Changes human behavior to eliminate the automatic trust response.
3. Creates awareness to reduce the cyber threat level.
4. Measures and monitors the level of corporate and employee vulnerability.
5. Deploys targeted anti-phishing and vishing solutions.
6. Assesses the effectiveness of cyber security awareness training.
7. Keeps employee alertness levels to vishing high.
8. Protects valuable corporate and personal information.
9. Instills a cyber security culture and creates internal cyber security heroes.
10. Meets industry security training compliance obligations.


Vishing: Uses intimidating phone calls and voicemail messages to convince victims to provide personal information and to steal from the victim.

Smishing: Uses text messages to steal information and commit further cybercrimes.

Phishing: Uses a range of attack methods including emails, fake websites, and text messages to steal from victims. Smishing and vishing are two types of phishing.

Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.