CyberPedia
Vishing
Overview
Vishing is phishing over voice—a scam where criminals call you (or leave voicemails) while pretending to be someone trustworthy so they can trick you into sharing information, giving them access, or sending money. The word combines “voice” and “phishing.”
In plain terms, vishing is when someone lies to you over the phone, using pressure and believable stories, to get what they want.
What Vishing Calls Sound Like
Vishing calls often claim to be from:
Your bank or credit card company
Tech support (e.g., “Microsoft,” “your IT department”)
Government agencies or law enforcement
Delivery or utility companies
Your employer, HR, or a “manager” in another office
Typical themes:
“We detected suspicious activity on your account.”
“You owe back taxes / fees and must pay now to avoid legal action.”
“We need to verify your identity / reset your account / fix a problem on your computer.”
“There’s been a security incident at work; we need your login to confirm something.”
How a Vishing Attack Typically Works
Most vishing scams follow a similar pattern:
The caller builds trust
They introduce themselves as a bank employee, tech support, government official, or company staff.
They may know your name, partial account details, or public information (from data leaks or social media) to sound more believable.
They create urgency or fear
They say your account will be frozen, you’ll be charged a fee, arrested, fired, or lose access if you don’t act quickly.
They ask you to do something specific
Share personal details (date of birth, address, Social Security number).
Provide card numbers, CVV codes, PINs, or one‑time codes sent to your phone.
Log into a website they give you, or install software on your computer.
Move money, buy gift cards, or send a payment “to fix the problem.”
They reassure and pressure at the same time
They sound helpful but keep you on the line, telling you not to hang up, call anyone else, or check with your bank or IT.
Once they have what they want, they disappear
They may immediately use your information, or combine it with other data for future fraud.
Common Types of Vishing Scams
Bank or card security calls
Fake “fraud departments” asking to verify transactions and then asking for full card details, PIN, or one‑time codes.
Tech support scams
Callers claim there is a virus or problem with your computer and instruct you to install remote‑control tools or pay for fake fixes.
Government or law enforcement threats
Claims of unpaid taxes, warrants, or jury‑duty issues, demanding immediate payment by card, wire, or gift cards.
Workplace vishing
Attackers pose as IT, HR, or managers, asking employees for passwords, MFA codes, VPN details, or sensitive business information.
“Customer service” callbacks
Scammers send emails or texts with a fake support number; when you call, you reach the scammer, not the real company.
What Vishing Scammers Want
Their main goals are to:
Steal money directly
By getting you to transfer funds, buy gift cards, or authorize fraudulent charges.
Steal credentials and personal data
Logins, PINs, one‑time codes, and identity details that can be used for account takeovers or identity theft.
Gain access to systems
Especially in businesses, vishing can be used to get remote access to computers or internal systems.
Why Vishing Works
Vishing is effective because:
Voice feels more personal and convincing than email or text.
Caller ID can be spoofed to show familiar names or local numbers.
People are conditioned to cooperate with “authority figures” (bank staff, police, HR, IT).
Callers can adjust their script in real time based on your answers, making the story feel tailored and real.
Red Flags in Vishing Calls
Be suspicious if a caller:
Contacts you unexpectedly about urgent problems with money, accounts, or legal issues.
Asks for passwords, full card numbers, CVV codes, PINs, or one‑time passcodes.
Pressures you to act immediately and not to hang up or call back on another number.
Asks you to pay with gift cards, cryptocurrency, or wire transfers.
Wants you to install remote‑access software or visit a website they dictate over the phone.
Gets angry, threatening, or overly emotional if you hesitate or ask to verify.
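As an added example that is not part of the original page, the Python helper below scores a written summary of a call (for instance, what an employee types into a help-desk or security reporting form) against the red flags listed above. The keyword patterns, the sample call notes and the "low/medium/high" thresholds are all constructed assumptions for illustration, not an authoritative lexicon.

```python
import re
from dataclasses import dataclass

# Red-flag categories taken from the list above. The keyword patterns are an
# assumption of this example; tune them to your own reports and language.
RED_FLAGS = {
    "urgency": r"\b(?:urgent(?:ly)?|immediately|right now|right away|must (?:act|pay|finish) today|within the hour)\b",
    "secret_request": r"\b(?:password|pin|cvv|one[- ]time (?:code|passcode)|otp|mfa code|verification code|full card number)\b",
    "isolation": r"(?:not to|do not|don't) hang up|stay on the line|(?:not to|do not|don't) (?:call|contact) (?:anyone|back|your bank|it)",
    "odd_payment": r"\b(?:gift cards?|bitcoin|crypto(?:currency)?|wire transfer)\b",
    "remote_access": r"remote (?:access|support|control)|install (?:a|the|this) (?:tool|software|app|program)",
    "threat": r"\b(?:arrest(?:ed)?|warrant|legal action|fired|suspended|frozen|lawsuit)\b",
}

# Defender-side guidance per level, mirroring the prevention tips on this page.
ADVICE = {
    "low": "No red flags in the notes; still verify through official channels if anything is requested.",
    "medium": "Do not act on the request; hang up and call back on a number from the official directory.",
    "high": "Do not act; end the call and report it to security/IT immediately.",
}


@dataclass
class CallAssessment:
    flags: list   # red-flag categories that matched
    level: str    # "low", "medium" or "high"
    advice: str


def assess_call_notes(notes: str) -> CallAssessment:
    """Match free-text call notes against the red-flag patterns and rate the risk."""
    text = notes.lower().replace("\u2019", "'")   # normalise curly apostrophes
    flags = [name for name, pattern in RED_FLAGS.items() if re.search(pattern, text)]
    matched = set(flags)
    pressure = matched & {"urgency", "isolation", "threat"}
    # Threshold rule (assumption): three or more categories, or a request for a
    # secret combined with any pressure tactic, is treated as high risk.
    if len(flags) >= 3 or ("secret_request" in matched and pressure):
        level = "high"
    elif flags:
        level = "medium"
    else:
        level = "low"
    return CallAssessment(flags=flags, level=level, advice=ADVICE[level])


# Constructed sample reports, written as an employee might describe a call.
SAMPLE_CALL_NOTES = [
    "Caller said they were the bank fraud department, said my account will be frozen, "
    "asked me to read out the one-time code sent to my phone, and told me not to hang up.",
    "Scheduled call from our HR vendor about benefits enrollment; they confirmed the meeting "
    "invite and said to log in via the usual portal when convenient.",
    "Caller claiming to be from IT said there is a ticket open on my laptop and asked me to "
    "install a remote support tool so they could take a look.",
    "Recorded message said there is a warrant for unpaid taxes and I must pay right now "
    "with gift cards to avoid arrest.",
]

if __name__ == "__main__":
    for notes in SAMPLE_CALL_NOTES:
        result = assess_call_notes(notes)
        print(f"[{result.level.upper()}] flags={result.flags}\n  {result.advice}\n")
```

In practice a "medium" or "high" result would route the report to the security team rather than leave the employee to decide alone; the keyword match is only a prompt for the human verification steps described elsewhere on this page, never a substitute for calling back on an official number.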
Business Impact
For organizations, vishing can lead to:
Compromised employee accounts (email, VPN, HR systems).
Data breaches if attackers get access to internal tools or customer records.
Financial fraud, such as fake vendor payments or payroll changes.
Reputational damage and regulatory issues if sensitive data is exposed.
Key Prevention Tips (Plain‑Language)
For individuals and staff:
Never give passwords, PINs, or full codes over the phone
Legitimate organizations do not need your password or full one‑time code.
Do not trust caller ID alone
Numbers and names can be faked. Treat unexpected calls as unverified, no matter what the display shows.
Hang up and call back using official contact details
Use the phone number on your bank card, company directory, or the organization’s official website—not the number the caller gives you.
Refuse high‑pressure tactics
If someone insists you must act “right now,” that’s a strong sign of a scam.
Be cautious with remote access requests
Don’t install software or grant remote access unless you initiated the support request and are sure of who you’re dealing with.
Follow workplace policies
If a caller claims to be from IT, HR, or a vendor, follow your company’s verification procedures before sharing any information.
What Organizations Should Do
Businesses can reduce vishing risk by:
Setting clear rules that no one will ever ask for passwords or full MFA codes.
Training staff to recognize and handle suspicious calls.
Providing internal phone lists and verification steps so employees can safely call back.
Encouraging employees to report vishing attempts to security or IT instead of dealing with them alone.
What To Do If You Think You Fell for Vishing
If you shared information or followed instructions you’re now worried about:
If you gave account details, change them immediately
Change passwords and PINs, and enable or review multi‑factor authentication.
Contact your bank or provider
Report any financial or card information you shared, and watch for unusual transactions.
Inform your employer’s IT/security team (if it involved work accounts)
They can help secure accounts, check for unusual activity, and alert others.
Monitor your accounts
Watch for password reset messages, login alerts, or charges you don’t recognize.
Record what happened
Note the number, time, and what the caller asked for; this can help investigations and training.