Vishing is a cyber crime that uses the phone to steal personal confidential information from victims. Often referred to as voice phishing, cyber criminals use savvy social engineering tactics to convince victims to act, giving up private information and access to bank accounts.

Like phishing or smishing, vishing relies on convincing victims that they are doing the right thing by responding to the caller. Often the caller will pretend to be calling from the government, tax department, police, or the victim’s bank.

Cyber criminals use threats and persuasive language to make victims feel like they have no other option than to provide the information being asked. Some cyber criminals use forceful conversation to frame their conversation as helping the victim avoid criminal charges. A second and common tactic is to leave threatening voicemails that tell the recipient to call back immediately, or they risk being arrested, having bank accounts shut down, or worse.


The Cyber Security Hub

Sign up now to access engaging, shareable cyber security awareness content that’s available in multiple formats.

For example, during tax season, criminals will leave messages pretending to be from the IRS. And during the COVID-19 pandemic, cyber criminals called people promising vaccines and testing kits if they provided their bank account information and mailing address.


Vishing is used to attack both individuals and organizations

A cyber criminal may research an organization, find an employee’s contact information online, and then call on behalf of the CEO asking the victim to transfer funds to pay an outstanding invoice or email personnel files.


What is social engineering?

Social engineering is a technique cyber criminals employ to trick people into giving up confidential information. Social engineering relies on the basic human instinct of trust to steal personal and corporate information that can be used to commit further cyber crimes.

How Does Vishing Happen?

A successful vishing attack requires more than just calling random phone numbers. Cyber criminals use a strategic approach to steal from victims:


The cyber criminal starts by researching their victims. This process can include sending phishing emails, hoping that someone will respond, and providing their phone number. Or the criminal uses specialized software to call multiple people using a phone number that has the same area code as the victims.


If the victim has already been tricked by a phishing email, they are unlikely to be suspicious of the caller. Depending on the sophistication level of the phishing/vishing scheme, the victim is expecting a phone call. And cyber criminals know that people are more likely to answer calls from numbers with a local area code.


Now that the cyber criminal has someone on the phone, their next move is to appeal to the victim’s human instincts of trust, fear, greed, and desire to help. Depending on the vishing scheme, the criminal may use all or just one of these social engineering techniques to convince the victim that they are doing the right thing. The cyber criminal may ask for bank account information, credit card details, and a mailing address or ask the victim to take action by transferring funds, emailing confidential work-related documents, or providing details about their employer.


The cyber crime does not stop here. Now that the cyber criminal has this information, they can proceed to commit further crimes. For example, the cyber criminal may drain the victim’s bank account, commit identity theft, use the victim’s credit card details to make unauthorized purchases, and then email the victim’s colleagues to trick someone into giving up confidential work information.

Some vishing schemes give victims a phone number to call if they have questions or want to follow up, for example, on the processing of their taxes or to find out the results of their COVID-19 virus test. This act helps legitimize the cyber criminal and gives the victim confidence. If the victim does call the number, they may be connected to voicemail or talk to a human who continues the vishing scam.

Asset 5

1. Wardialing

The cyber criminal uses software to call specific area codes, using a message that involves a local bank, business, police department, or other local organization. When the call is answered, the automated message begins, urging the person to provide their full name, credit card details, bank account information, mailing address, and even social security details. The recorded message may suggest that this information is needed to confirm that the victim’s account has not been compromised or confirm valid account details.


2. VoIP

VoIP makes it very easy for cyber criminals to create fake numbers and hide behind them. These numbers are tough to track and be used to create phone numbers that appear local or use a 1-800 prefix. Some cyber criminals will create VoIP numbers that appear to come from a government department, local hospital, or police department.


3. Caller ID Spoofing

Like VoIP vishing, the cyber criminal hides behind a fake phone number by spoofing the caller ID. They may list their name as Unknown or pretend to represent a legitimate caller, using an ID such as Government, Tax Department, Police, etc.

Dumpster Diving

4. Dumpster Diving

A simple and popular method of collecting valid phone numbers is to dig through dumpsters behind banks, office buildings, and random organizations. Often criminals will find enough information to deliver a targeted spear vishing attack against the victim.

Critical to the success of every type of phishing is social engineering. People should be suspicious of callers who use urgent, forceful, or convincing language. It’s important to remember that Microsoft tech support, Amazon, or your local hospital will never ask for your personal bank information or PIN codes.

Examples of Vishing

Vishing is extremely common, and these four examples underscore how easy it is for cyber criminals to convince victims to act.

1. Government Representative

The caller pretends to be calling on behalf of the government and calls to verify personal identification details. The caller may threaten to suspend tax refunds or social security payments if the victim does not provide the information required to confirm their account and identity.

2. Tech Support Fraud

The caller pretends to be tech support for Microsoft, Amazon, or the area wireless provider. They have noticed unusual activity on the victim’s account and want to confirm that they have the correct account details. The cyber criminal may ask for an email address to which they can send a software update, telling the victim to install this to protect their computer from cyber criminals. However, this installs malware on the victim’s computer.

3. Bank Impersonation

Using a spoofed phone number and caller ID, the cyber criminal pretends to be calling on behalf of the victim’s bank. The caller says that there has been unusual activity on the victim’s account and asks the victim to confirm their bank account details, including their mailing address, for proof of identification. This information is then used by the cyber criminal to commit identity theft.

4. Telemarketing Attack

Everyone wants to win a free prize, and cyber criminals take advantage of this to trick unsuspecting victims into providing confidential information. The caller claims this information is required to process the free prize and guarantee the victim receives it on time.

Cyber criminals are constantly changing their vishing tactics and customizing their message to take advantage of recent news stories, well-known hacks, or something appealing like Black Friday sales specials.

How To Recognize and Prevent Vishing

As part of your security awareness training and communication campaign, remind your employees of how to recognize and prevent vishing:

1. Never provide or confirm your personal information on the phone. Remember that your bank, hospital, police department, or any government department will never call you asking for your personal information.

2. Listen very carefully to the caller. Pay attention to the language being used and think before responding. Never provide any personal information. Do not confirm your address. Be wary of threats and urgent requests.

3. Be wary of any phone numbers the caller gives you to confirm their identity. Look up the phone number yourself and call the number using a different phone. Cyber criminals can route phone numbers and create fake numbers.

4. Do not answer phone calls from unknown numbers. Let the call go to your voicemail and listen carefully to the message.

5. Do not answer questions about your personal information, workplace, or home address.

6. Ask questions. If the caller is trying to give you a free prize or sell you something, ask them for proof that you can use to verify who they are and where they work. If the caller refuses to provide this information, hang up. Make sure you confirm any information the caller gives you before providing your information.

7. Register your phone number with the Do Not Call Registry. Most legitimate companies respect this list, so if you do receive a call from a telemarketing company, this is an indicator that the call is a vishing attack.

8. Remember the information you learned about social engineering from your security awareness training. Be on the lookout for language that takes advantage of basic human behaviors of fear, greed, trust, and wanting to help others.

9. Remember that your manager or human resources colleague will never call you at home asking you to transfer funds, provide confidential information, or email documents from your personal account.

10. Do not respond to emails or social media messages that ask for your phone number. This is the first step in a targeted phishing/vishing attack. Report these emails/messages to the IT/support team.

Phishing simulations are one of the best ways to raise awareness of vishing attacks. Remember that vishing is often used along with phishing to commit a two-pronged cyber attack.

Phishing simulations help you identify which employees are at risk of cyber crimes that rely on social engineering to trick and steal from victims. Real-time phishing simulations are crucial for any successful security awareness training program.

Security awareness training and phishing simulations help raise alertness levels to cyber security threats. Phishing simulations give people first-hand experiences that help them understand how cyber criminals work to deceive, convince, and steal.


Find Out How Your Click Rate Stacks Up! 

Reserve Your Copy of The 2021 Gone Phishing Tournament Report Now

How Can Phishing Simulations Help Prevent Vishing Attacks?

Phishing simulations help you show employees how cyber criminals use phone calls, voicemail messages, and savvy language to commit cyber crimes.

1. Increases alertness levels to how cyber criminals use manipulative language in text messages.
2. Changes human behavior to eliminate the automatic trust response.
3. Creates awareness to reduce the cyber threat level.
4. Measures and monitors the level of corporate and employee vulnerability.
5. Deploys targeted anti-phishing and vishing solutions.

6. Assesses the effectiveness of cyber security awareness training.
7. Keeps employee alertness levels to vishing high.
8. Protects valuable corporate and personal information.
9. Instills a cyber security culture and creates internal cyber security heroes.
10. Meets industry security and privacy compliance obligations.


Uses intimidating phone calls and voicemail messages to convince victims to provide personal information and steal from the victim.


Uses text messages to steal information and commit further cyber crimes.


Uses a range of attack methods, including emails, fake websites, and text messages, to steal from victims. Smishing and vishing are two types of phishing.

To learn more about vishing and how you can keep your employees and organization cyber secure, take advantage of these free cyber security awareness resources:

Contact us at 1-866-889-5806 or at [email protected] to learn more about vishing.

Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.