What is vishing? How to detect and prevent vishing attacks


Vishing isn’t a misspelling of fishing. It’s a common form of phishing—fishing for information. Unfortunately, you could fall prey to this increasingly successful method of data theft if you aren’t careful. From making calls look regional with caller ID spoofing to using AI-generated voice software, attackers are finding more convincing ways to get you to hand over your information using voice-based attacks.

Fortunately, we have all the information you need to avoid becoming a victim of vishing, including in-depth descriptions of what it is and how it works. You’ll also learn about different types of vishing and what to do if you’re a victim.

What is vishing?

Vishing uses voice technology to fraudulently collect personally identifiable information (PII) by pretending to be a known source such as a credit card company, internet provider, or government service. Attackers carry out vishing over phone calls placed from mobile devices or VoIP software. Vishers may use fraudulent phone numbers, AI, social engineering, smishing (text/SMS attacks), and voice-altering software to appear more credible.

Attackers use voice-altering software to mask their true voice and any regional accent they may have. The fact that many legitimate 2FA methods use automated calls to deliver one-time PINs (OTPs) makes it harder to tell whether a number or call is malicious.

Why is vishing a growing cyber threat?

Advanced technologies like voice-altering and caller ID spoofing make it easier to convince victims that vishing calls come from a legitimate source. Caller ID spoofing can make vishing numbers look like trusted numbers, and voice-altering software can remove or replicate a caller’s accent.

Robocalls can now use AI technology to sound more realistic. With all the deepfake technology available on the market, it’s getting more difficult to distinguish between real communications and vishing attempts. Worse yet, most of these tools are free and accessible to anyone.

How does a vishing attack work?

Common steps in a vishing attack

Target identification

This step may sound like cybercriminals seek you out specifically, but it’s more of a blitz attack. Vishers make hundreds of calls to known numbers using autodialers, hoping the line is active and a potential victim will answer. They obtain phone numbers from data breaches, data brokers, people search sites, and individual methods like parsing social media sites and web browsers. 

While they don’t specifically seek out individuals, vishers may target certain age groups. The elderly are a primary target as they tend to fall for urgency-based messaging and may not be as informed on potential scams.

Impersonation

Vishers claim to be services you use every day or government agencies like the IRS to lend legitimacy to their call. Caller ID spoofing can eliminate the shadiness of an unknown number and make the scammer seem more trustworthy. 

Voicemails often include official language tinged with urgency to elicit a prompt response. Advanced AI deepfake technology can easily mask accents and translate one language to another. These technologies further reduce the risk of setting off alarm bells and give the attacker a better chance at snagging a victim.

Psychological manipulation

Once these scammers have you on the line, it’s not unusual for vishers to use psychological manipulation to keep you there. If the pleasant approach doesn’t work, most vishers have no issue using guilt or threats to try to obtain your sensitive information.

Guilting is more of an attack on your character and may include comments like ‘you received the service and need to pay for it’. Threats are more consequence-based or frightening and usually center around legal action like arrest, a lawsuit, or jail time if you don’t comply.

Data theft and exploitation

If all of the visher’s steps succeed, the attacker reaches the end goal of obtaining your sensitive data, which is never a good thing. Once the attacker has your account or personal information, they can use it to create new lines of credit, engage in identity theft, commit financial fraud, and more.

Vishers are also known to sell data on the dark web to other criminals, multiple people search engines, and data brokers. Essentially, your data is a gift with infinite possibilities, and they know how to exploit it for maximum gain if you don’t take steps to protect your identity.


Technologies used in vishing attacks

Technologies used for vishing attacks make it easy for attackers to steal information from unsuspecting targets. The more knowledge you have, the less likely you are to fall prey to vishing tactics. Knowing a bit about vishing technology could make all the difference between being a victim and avoiding a scam. Let’s look at some of the most common technologies vishers use:

Voice over IP (VoIP) spoofing

VoIP spoofing is a vishing technique that masks caller ID information (e.g., the true number or location) over network connections. It’s extremely popular among vishers, and number spoofing is responsible for around 70% of all spam calls in the U.S. alone.

The goal is to get you to answer the call and verify your account by making the call look like it’s from a reputable source. One example of this method is a visher manipulating information to make it appear the call originates from your region even if they are halfway around the world. 

AI-generated voices (deepfake)

A mix of technology and human interaction makes AI-generated voices seem very realistic. Changes in the recording and processing of audio and the ability to ‘train’ AI to replicate regional speech patterns and accents have made deepfake voices sound more like humans than machines. 

Many vishers even create scripts that make the AI voice cloning sound more like a professional customer service representative. The evolution of AI from a robotic, choppy cadence to a realistic-sounding human has increased the success rate of vishing attempts.

Interactive Voice Response (IVR)

Banks and other businesses use IVR systems to automate customer service. These systems let you select a department by pressing a number on the phone or using voice commands to make navigating your account services more efficient. This way you can quickly go straight to the correct department or get information on your account via automated response without constant holds or having to call back.

Vishers, on the other hand, set up fake IVR systems using real ones as blueprints. Most fake IVR calls pretend to be from banks and other financial services like credit card companies. The IVR asks you to confirm your identity and then enter your credentials to access more information. Some even ask for payment directly and tell you the matter is urgent if you want to keep your account open or in good standing.

What is the difference between phishing, smishing, and vishing?

The end goal is always the same whether attackers use vishing, phishing, or smishing, but the methods and reasons for using a specific form of attack vary. The attackers are always seeking account and/or personal information they can use to commit ID theft or financial fraud. 

All three methods also include bombarding you with the tool of choice (e.g., emails, phone calls, SMS/texts) attempting to get a response and may use scare tactics, official language, convincing messages, or prize claims to get you to divulge sensitive data. Unfortunately, each form of attack can also be used in combination with another. Here’s how vishing differs from phishing and smishing: 

| Category | Method | Common tactics | How it works | Technology used | Target devices | Prevention tips |
| --- | --- | --- | --- | --- | --- | --- |
| Phishing | Email-based | Uses scare tactics, looks official/professional, may contain links to malware, poses a security risk, frequent contact, seeks PII | Emails contain malicious links or attachments, impersonate trusted entities, use urgent language to trick recipients | Spoofed email addresses, malware, phishing websites, social engineering | Computers, smartphones | Verify sender email addresses, avoid clicking unknown links, use spam filters, enable two-factor authentication |
| Vishing | Voice-based | Uses scare tactics, looks official/professional, may use AI or voice-altering software, caller ID spoofing, seeks PII | Phone calls impersonate trusted sources, may use AI-generated voices, request sensitive information, pressure victim | Caller ID spoofing, AI-generated voices, VoIP, social engineering | Landlines, mobile phones | Do not answer unknown calls, verify caller identity, avoid sharing sensitive data over the phone |
| Smishing | SMS-based | Uses scare tactics, looks official/professional, may include links to malware, poses a security risk, frequent contact, seeks PII | Text messages contain links to phishing websites, impersonate businesses or government agencies, request sensitive data | Spoofed SMS senders, phishing links, social engineering | Mobile phones | Avoid clicking on links in unsolicited messages, verify senders, enable SMS spam filters |

Phishing vs. vishing—Key differences

Vishers use VoIP software and cold calling to carry out their scams. Approximately 85% of vishing attempts target mobile numbers, with the remainder going to landlines. This is because mobile vishing success rates are much higher. Most people don’t expect their mobile numbers to be readily available to just anyone, so the call seems more trustworthy.

The new form of fishing for information is a bit harder to detect, too, because many 2FA methods provide the option of receiving a code via call or SMS/text. That means it isn’t unusual to get a notification about your account via a phone call, especially if you added your mobile number to an account.

A phishing attack is email-based and includes malware-ridden links disguised as contact information. An example of phishing might be an email claiming to be from a larger company like Amazon or PayPal with a link that says “contact us now” but leads to a malicious site. Phishing attacks are becoming less successful when not combined with another form of attack because detecting them is a bit easier.

For example, a quick check of the sender’s email address can tell you if it’s from a legitimate company. Most legitimate companies send information via do-not-reply addresses and an Amazon order or account notification wouldn’t be sent from a Gmail address. Additionally, email scams are well known, so people are less likely to fall for phishing attempts now.

Read more: How to spot common red flags in phishing emails

Smishing vs. vishing—How attackers use phones differently

Now that you know vishing is a voice-based attack, let’s discuss its closest counterpart—smishing. A smisher uses text or SMS messages to gather information by posing as a business, government agency, or service you subscribe to. 

Since OTP via text and SMS is a standard form of 2FA, a text message from a random number doesn’t seem very threatening. After all, you do it all the time to confirm you’re attempting to access accounts requiring additional verification methods, right? Sadly, that’s exactly what smishers are counting on. It can be hard to spot a legitimate text verification from a scam.

The similarities between these methods of attack mean they work well together. Vishers often call first and then send a text with a link to follow to download an app or access a site to resolve any issues or claim a reward. Smishers have the same goal, only they message first via SMS or text, with a phone number or link. Using the two attacks together makes the process seem safer and more legitimate: verbal verification of the issue followed by personal verification via SMS/text, or vice versa.

Types of vishing attacks

Vishing attacks vary by what the attacker is after. Not all vishers are looking to steal your identity or money; many attackers can make more by selling personal information to people-search sites or data brokers. Regardless of what a visher does with your information, there’s no shortage of ways for them to steal it.

Banking and financial fraud

  • Fake bank call scams

In this attack, vishers claim to be from your bank and ask you to confirm your credentials due to some issue with your account. They may use tactics like saying the bank had a data breach and needs all account holders to verify their identity or claim a suspicious charge was made to your account. This fosters trust and makes it appear they’re simply protecting your account.

  • Loan and investment scams

Unsolicited calls for investments or low-interest loans are common financial scams vishers use to obtain account information. The offer could include investing in property or a new product, low-interest refinancing for loans, or claims they can decrease your student loan debt by a large sum. Remember, if you didn’t request a call regarding loan or investment opportunities, it’s most likely a vishing attempt. 

  • Credit offer scams

Vishers use the draw of low APR credit rates and high credit line offers to get you to sign up for credit cards that don’t exist. Once they have all the information they need to steal your identity, they bolt, and you’re left empty-handed, dealing with the repercussions of credit fraud. 

Tech support scams

  • Fake Microsoft or Apple support calls

These scams often start as phishing or smishing. You may receive a message to your email or text/SMS service claiming your OS license has expired, the device has a virus, or you’ve violated the Terms and Conditions for using the software and need to call tech support immediately to resolve the issue. When you call, they ask for sensitive personal and system information they can manipulate to infiltrate your device.

  • Remote access scams

These vishing attempts generally follow the same initial path as fake support calls, only once the attacker has you on the line they use extreme scare tactics. They claim the issue is too severe to handle via voice support and ask for remote access to your device so they can pinpoint exactly where the problem is. Once they have access they can install ransomware on your device and hold it hostage until you pay whatever they ask.

Government and tax agency impersonation

  • IRS and other tax authority scams

IRS and tax scam vishing attempts may include promises to settle tax debt for significantly less than you owe or offers to file forms for unclaimed tax refunds. If you refuse to give them the information they want, the pressure tactics start. Vishers may insist that their ‘service’ is the only one offering the tax relief or try to scare you by threatening jail time if you don’t pay immediately.

  • Medicare and Social Security scams

Calls requesting you verify your Social Security or Medicare account information may be vishing attempts. A huge red flag is if they ask you to confirm a ton of information before they discuss the supposed issue or new plan offer, or threaten to arrest you. Government agencies like the IRS, Medicare, and Social Security will never contact, pressure, or threaten you via unsolicited calls.

Corporate and business vishing attacks

  • CEO fraud (Whaling)

In this attack, the visher attempts to imitate the CEO of an organization; however, instead of calling random individuals, they target an employee within the company. Once the visher has identified an employee they want to exploit, they take time getting to know more about them and the organization via social media and job search platforms like Facebook or LinkedIn.

These attacks put more effort into sounding official and may add urgency around time constraints, for example a request to send important legal documents to the visher’s email address or to call them to resolve an issue with a payment. CEO fraud may also be used to commit corporate espionage, with the vishers selling sensitive information they gather to rival corporations.

  • HR and payroll scams

HR and payroll vishing attempts are often combined with phishing by requesting an email containing employee or payroll information to what looks like a corporate email account. The process of finding a target and the end goal are the same as CEO fraud, to gather as much information as possible.

How to spot a vishing scam

Vishing technology is ever-evolving, and the techniques attackers use make the attacks far less obvious. So, how do you spot a vishing scam when the tactics attackers use are so effective? 

Red flags of a vishing attack

Caller ID spoofing and unknown numbers

Unknown numbers or VoIP calls to mobile devices are among the biggest red flags. Voicemails from unknown numbers that ask you to call a service provider on a specific line may also be spam.

Requests for personal information and OTPs

Most initial account inquiries only require your name and address and may use a secret password or security questions to confirm your identity. No legitimate company representative will request you provide them with an OTP you receive as a part of 2FA.

They will never ask for your security questions and answers or require a password to access your account or verify your identity. A true representative can see your security questions and check your account without a password or OTP because they can directly access the account. 

Urgency and fear tactics

Requests from unknown numbers that stress the importance of immediate response or payment should be considered major warning signs. Likewise, any call in which the individual guilts, belittles, berates, talks down to you, or uses bullying tactics like raising their voice or making threats is likely a vishing attempt. 

Not all customer service agents are equally patient and helpful, but companies spend big money training them to be professional, so it’s unusual for one to be outright rude if they want to keep their job.

Poor audio quality and AI-generated voices

Static, audio that breaks up, constant disconnects, and unnatural or robotic-sounding voices are all big indicators of scam phone calls. If the visher uses VoIP software to make the call, their network connection may not be strong enough. This can cause poor call quality, disconnects, and other interference. The same applies to mobile phones used in vishing attempts.

Incoming calls that put you on hold immediately

If you pick up a call from an unknown number and are immediately put on hold, especially by an automated voice, just hang up. Any company willing to call you to discuss an urgent payment or account issue doesn’t ask you to hold immediately. Immediate requests for holds are made when you call a company, not when they call you, and generally only after you select the department you want to speak with.

How to protect yourself from vishing attacks

Personal protection tips

Scammers often use tactics that feel urgent or intimidating, but knowing what to watch for can help you stay safe. If something seems suspicious, it’s always best to verify before responding. Here are some key steps to protect yourself:

  • Ignore calls from unknown numbers. If you receive a voicemail from an unfamiliar number and can’t identify the caller, don’t return the call. Legitimate companies usually provide minimal details in voicemails for privacy reasons. Read more: How to block unknown callers.
  • Be wary of automated holds. If you answer a call and are immediately put on hold with a generic “please hold” message, it’s likely a scam. Real companies don’t put you on hold right away when they are the ones calling you.
  • Verify the caller’s identity. If someone claims to be from a company you do business with, tell them you’ll call back using the official number from their website or account portal.
  • Hang up if the caller pressures or threatens you. Vishers use aggressive tactics, like threats of legal action, account closure, or urgent payment demands, to force a quick reaction. No legitimate company will pressure you this way.
  • Use spam call filters and number blocking. Many mobile carriers offer spam filters and fraud warnings. Activating these features can help you avoid suspicious calls.
  • Never share sensitive information over the phone. Companies won’t ask for passwords, OTPs, or personal details over a call. If someone requests this information, it’s a red flag.
  • Trust your instincts. If something feels off, it’s safer to hang up and check directly with the company instead of taking the risk.

Business protection strategies

Vishing attacks can harm both individuals and businesses, especially when scammers impersonate a company to gain trust. If your business is being used in a vishing scam, it’s important to take action to protect your customers and employees. Here’s how:

  • Warn users about ongoing scams. If vishing attacks are being carried out using your company’s name, inform your customers and encourage them to report any suspicious calls. Staying ahead of the issue helps you protect others from falling victim.
  • Clearly define how and when you contact users. Display this information on your company’s website or app so customers know what to expect. For example, if you only send OTPs via text when requested, users will recognize an unsolicited OTP call as a scam.
  • Provide an FAQ on verifying suspicious calls. Offer clear guidance on how customers can check if a call is legitimate. Encourage them to compare the caller’s number with the official contact details on your website.
  • Direct users to live chat or official support channels. If possible, offer a way for users to quickly verify whether your company actually contacted them. Real-time verification through live chat or customer service can prevent scams from succeeding.
  • Educate employees about vishing and scam tactics. Train your staff on how vishing, phishing, and smishing scams work so they can help customers recognize fraud and know what details to collect for fraud reports.
  • Make sure employees reassure customers who verify calls. If a customer calls to check whether a request is real, ensure your staff encourages this behavior. Letting users know they did the right thing makes them more likely to verify future calls instead of taking risks.

What to do if you’ve been a victim of a vishing attack?

If you suspect you’ve fallen for a vishing scam, act quickly to limit any damage. Scammers may try to use your personal information to access accounts, commit financial fraud, or sell your data. Taking immediate steps can help protect yourself and prevent further harm. Here’s what you should do:

Report the scam

Notify the company the visher was impersonating so they can warn others of the scam. Include as many details as you can remember, paying special attention to the type of information they asked for and any obvious tactics they used. 

For example, account closure threats or claiming someone has gained access to your account. The more information the company has, the more informed employees will be on the situation and how to best help other customers.

How to report vishing scams

Step 1: Write down as much information as you can about the call including:

  • Phone number
  • Reason for the call
  • Individual/company the caller was attempting to impersonate
  • What information they requested

Step 2: Contact the company the attacker was impersonating and make them aware of the vishing attempt. If you live in the U.S., you can also report the attempted fraud to the Federal Trade Commission (FTC) using their online form. Note: You can use the same process in this step to report phishing and smishing scams.
Step 3: Block the phone number, then continue to monitor your credit and account to ensure your identity hasn’t been compromised.
Change your passwords

Update your account passwords and other security credentials if you feel the information was compromised. Use best practices for creating a new password, including using a mix of capital and lowercase letters, numbers, and special characters. 

Strong passwords have a minimum of 10-12 characters and don’t use any information that is easy to guess. This includes social media tags, sequential letters or numbers, and any part of your name.
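The password guidance above can be checked mechanically. The following is an added example, not code from the article or from ExpressVPN: a small Python policy checker that enforces a 12-character minimum, all four character classes, and the “nothing easy to guess” rule by rejecting passwords that contain the user’s name or social media handle or a sequential run such as “abcd” or “4321”. The function names, the 12-character threshold (the upper end of the article’s 10-12 range), the four-character run length, and the sample passwords are all assumptions made for the example.

```python
import re

# Assumed policy thresholds for this example (not from the article).
MIN_LENGTH = 12        # upper end of the article's 10-12 character guidance
RUN_LENGTH = 4         # "abcd" / "4321" count as sequential runs


def has_sequential_run(password: str, run_length: int = RUN_LENGTH) -> bool:
    """True if the password contains `run_length` consecutive ascending or
    descending characters drawn from one class (all letters or all digits),
    e.g. 'abcd', 'WXYZ' or '4321'. Case is ignored."""
    chars = password.lower()
    for i in range(len(chars) - run_length + 1):
        window = chars[i:i + run_length]
        if not (window.isalpha() or window.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(password: str, personal_terms=()) -> list:
    """Return a list of policy violations; an empty list means the password
    passes. `personal_terms` are strings that must not appear in the password
    (name parts, social media handles); a leading '@' is ignored."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for term in personal_terms:
        cleaned = term.lower().lstrip("@")
        # Very short terms would match almost anything, so require 3+ chars.
        if len(cleaned) >= 3 and cleaned in lowered:
            problems.append(f"contains personal term '{term}'")
    if has_sequential_run(password):
        problems.append("contains a sequential run of letters or digits")
    return problems


def is_strong(password: str, personal_terms=()) -> bool:
    return not password_problems(password, personal_terms)


if __name__ == "__main__":
    # Constructed sample inputs for a user named Kristin with handle @kris_h.
    terms = ("Kristin", "@kris_h")
    for candidate in ("kristin2024!", "Password1234!", "Tr0ub4dor&3Lanterns"):
        print(candidate, "->", password_problems(candidate, terms) or "OK")
```

Run it as a script to see each sample password and the violations it triggers; `is_strong` is the yes/no form suited to a signup or password-change handler.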

Use multi-factor authentication (MFA)

Using MFA methods decreases your chances of falling victim to vishing attempts. If you did provide your password to the visher before recognizing the scam, they would still need the second form of authentication to access your account. 

Remember, if the call is legitimate, the company can verify your account with basic information including your address, phone number, and full name or a pre-established security word. No legitimate company will ask for your password and 2FA code.

Monitor your accounts

Remove any non-essential personal information from the compromised account by submitting a removal request or simply deleting data from non-essential fields. Then, continue to monitor the account for any suspicious activity.

Filling out data removal requests and monitoring accounts regularly can be time-consuming. You may want to consider using a go-between like ExpressVPN’s data removal feature. It submits all the required data removal requests, provides fraud alert attempts, and continues to monitor the account for suspicious activity.


FAQ: About vishing attacks

What is vishing attack?
What is vishing vs. phishing?
What is an example of vishing?
What is another word for vishing?
What is AI vishing?
How can I tell if a phone call is a vishing attempt?
Does a VPN prevent vishing?
Why are people vulnerable to vishing?
How can I block vishing calls?
Can vishing happen over WhatsApp, Telegram, or social media?
Kristin Hassel is an Information Specialist and cybersecurity researcher who likes to moonlight in software training in her free time. She is an online privacy enthusiast who strives to teach people how to protect their personal data.