Vishing is a phishing attack conducted entirely over the phone. Americans face millions of scam calls every month, thanks in part to new technologies that make vishing easy and effective.
Vishing is a type of phishing attack where scammers make phone calls pretending to be someone else, often a legitimate business, to steal private information or money. Vishing stands for voice phishing, since this scam is done over phone calls.
There’s a good chance you’ve received one of these calls yourself. If you’ve ever gotten a spam call from someone pretending to be your bank, the IRS, or a Medicare office, that call was probably a vishing attempt.
It’s not just businesses and official institutions that vishers impersonate. Some vishing calls pretend to be a friend or family member facing a dangerous situation, like a car accident or police arrest.
Learn about how to identify vishing calls, examples of the most common types of vishing attacks, and how to stop them.
Vishing is a type of phishing attack that relies on human error rather than technical exploits. In a vishing attack, a criminal calls the victim, pretending to be from a legitimate organization like a bank or government agency, and tricks the victim into providing sensitive information such as credit card numbers, PINs, or login credentials.
Scammers may even ask for direct payments through gift cards or cryptocurrency transfers.
Some vishing attacks impersonate a victim's friend or family member. Here are two common examples:
A stranger calls, claiming they found your family member in a car accident. They might pose as a paramedic asking for money to take them to the hospital or as a lawyer threatening a lawsuit.
Someone pretends to be a family member (e.g., a grandson) claiming they’ve been arrested and need bail money. This can involve multiple scammers pretending to be police officers.
Like other social engineering attacks, vishing relies on urgency to manipulate victims into acting quickly without thinking. Vishing often employs the same tactics as phishing. In other words, threat actors create a sense of immediate danger, such as a legal threat or account closure, to confuse victims into divulging sensitive information.
Technological advances, such as Voice over Internet Protocol (VoIP) and caller ID spoofing, have made vishing easier and more prevalent. These tools allow scammers to make calls from fake numbers, sometimes mimicking area codes or phone numbers similar to the victim’s. Attackers may also use automated software to make thousands of calls a day, increasing the chances of success.
While vishing attacks vary, there are some common scam signals across most calls:
Automated Messages: Many vishing calls begin with a prerecorded message, often from a robotic voice, like "You've won a free stay at Hilton Hotels! Press one to claim your offer." If you respond, you'll be connected to a live scammer.
Urgent Threats: Vishing scammers create a sense of urgency, threatening things like arrest, fines, or an expiring prize, which tricks victims into acting hastily.
Requests for Sensitive Information: Scammers may ask for personal information, such as passwords, Social Security numbers, or your mother's maiden name. They may also try to verify seemingly innocent details like your birthdate or address.
Impersonating Federal Agencies: Scammers often impersonate organizations like the IRS or the Social Security Administration. But remember, federal agencies never call you demanding payment or asking for personal information.
Vishing is a significant problem. For instance, vishing attacks rose by 442% in the latter half of 2024.
The rise in vishing is a concern not just for individuals but for businesses as well. Attackers may trick employees into sharing company login credentials, which can lead to data breaches or password leaks.
Social engineering attacks like vishing are often the first step in large-scale data breaches, as attackers need credentials to gain access to your systems.
The quick answer: vishing happens over the phone, while phishing is usually conducted by email.
Vishing and phishing are both social engineering attacks. They rely on manipulation to deceive people into sharing information, and they’re hard to detect because they can look and feel legitimate.
Vishing does this through a phone call. Phishing, on the other hand, is usually performed through email. For instance, an attacker sends an email with a similar sender name to a reputable company or organization. They can even go as far as to craft a legitimate-looking website to match.
Phishing and vishing are often complementary to each other. For example, an attacker will usually begin with a phishing email to get personal information from a victim, which they can leverage in a vishing call.
Here are a few of the most prevalent types of vishing scams:
Bank Account Issues: A call from someone claiming to be from your bank informs you that there’s a problem with your account and asks for your credit card number or bank account details to resolve the issue.
Suspended Social Security Number: Scammers impersonating the Social Security Administration inform you that your Social Security number has been suspended and ask you to confirm the number. They may also demand payment to "fix" the issue.
Software Expiry: Attackers pose as customer service agents from major companies like Amazon, Microsoft, or Apple, claiming your software is out of date or at risk. They may ask for payment to renew your software or send you a malicious update file.
Prize Scams: Vishing calls may claim you’ve won a free prize, but to claim it, you need to provide personal information or pay a "small fee."
Tax Scams: Scammers impersonating the IRS claim you owe overdue taxes and threaten arrest if you don’t pay immediately.
If you receive a suspicious phone call, take these three steps:
Be Wary of Unknown Numbers: If the caller is unknown, don't automatically assume they are legitimate.
Don’t Provide Sensitive Information: Never share personal information, passwords, or payment details over the phone unless you have verified the caller’s identity.
Register with the National Do Not Call Registry: This can help reduce unsolicited robocalls.
Abnormal can help stop phishing and vishing attacks by protecting your organization from socially engineered email threats. Schedule a demo to learn how we can help safeguard your business from these attacks.
