Vishing is a type of phishing attack that relies on human error rather than technical exploits. In a vishing attack, a criminal calls the victim, pretending to be from a legitimate organization like a bank or government agency, and tricks the victim into providing sensitive information such as credit card numbers, PINs, or login credentials.
Scammers may even ask for direct payments through gift cards or cryptocurrency transfers.
Some vishing attacks impersonate a victim's friend or family member. Here are two common examples:
A stranger calls, claiming they found your family member in a car accident. They might pose as a paramedic asking for money to take them to the hospital or as a lawyer threatening a lawsuit.
Someone pretends to be a family member (e.g., a grandson) claiming they’ve been arrested and need bail money. This can involve multiple scammers pretending to be police officers.
Like other social engineering attacks, vishing relies on urgency to manipulate victims into acting quickly without thinking. Vishing often employs the same tactics as phishing: threat actors create a sense of immediate danger, such as a legal threat or account closure, to confuse victims into divulging sensitive information.
Technological advances, such as Voice over Internet Protocol (VoIP) and caller ID spoofing, have made vishing easier and more prevalent. These tools allow scammers to make calls from fake numbers, sometimes mimicking area codes or phone numbers similar to the victim’s. Attackers may also use automated software to make thousands of calls a day, increasing the chances of success.
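The two traits described above, caller IDs that copy the victim's area code and prefix and a single number dialing very large numbers of people, can be checked for in a call log. The following is an added example, not part of the original article; the record format, the function names and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed one-day call log: (presented caller ID, callee). All numbers are fictional.
SAMPLE = [
    ("+1 202-555-0199", "+1 202-555-0143"),  # caller ID copies callee's area code and exchange
    ("+1 617-555-0123", "+1 212-555-0167"),  # ordinary call
] + [("+1 305-555-0100", f"+1 415-555-{n:04d}") for n in range(5)]  # one number, many callees

def normalize(number):
    """Reduce a North American number to its 10 digits (drops +1 and punctuation)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def common_prefix(a, b):
    """Count how many leading digits two numbers share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def review_calls(records, prefix_digits=6, fanout_limit=1000):
    """Return {caller ID: set of reasons} for calls worth a closer look.

    prefix_digits=6 means the same area code and exchange as the callee;
    fanout_limit is the number of distinct callees per day (hypothetical default).
    """
    callees = defaultdict(set)
    findings = defaultdict(set)
    for caller, callee in records:
        src, dst = normalize(caller), normalize(callee)
        callees[src].add(dst)
        # Presented number imitates the callee's own number
        if src != dst and common_prefix(src, dst) >= prefix_digits:
            findings[src].add("lookalike-number")
    for src, dsts in callees.items():
        # One presented number reaching an unusually large set of people
        if len(dsts) >= fanout_limit:
            findings[src].add("mass-dialing")
    return dict(findings)

if __name__ == "__main__":
    # Threshold lowered to fit the small constructed sample
    for number, reasons in review_calls(SAMPLE, fanout_limit=5).items():
        print(number, sorted(reasons))
```

Both signals are heuristics: genuine local callers also share an area code and exchange with the people they call, so a match marks a call for review rather than proving it is spoofed.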