What is Vishing?


Vishing is short for “voice phishing,” a type of cyberattack that uses calls or voice messages designed to trick victims into providing sensitive information, such as financial or login credentials. These details can then be used for criminal activities such as fraud, identity theft, or financial theft. Callers pretend to be from a reputable organization or authority with a story you’re likely to believe.

Vishing isn’t limited to phone calls. Many vishing attacks start with a phishing email, urging the recipient to dial a number. Once in a call, scammers use social engineering tactics to convince the target to share their personal details.

In vishing scams, attackers pretend to be from reputable organizations (such as the victim's bank, the IRS, or a package delivery service) and make unexpected phone calls. They might use toll-free numbers or voice over internet protocol (VoIP) technology to appear as trusted organizations.

According to Cisco, phishing attacks are common and costly: In 2022, phishing was the second most common cause of data breaches, costing organizations an average of US$4.91 million in breach expenses.

Often, vishing scams target the elderly, new employees, and employees who regularly receive external calls as part of their job. Defending against vishing attacks requires vigilance, informed precautionary measures, and robust email security solutions. It’s important to recognize the signs of a vishing attempt. Here are some tips to keep in mind:

Vishing scammers often use spoofed phone numbers that appear to be from a trusted business but are subtly different from a number you’d actually recognize. Always be cautious, no matter what Caller ID displays.

Vishing and phishing tactics often incite urgency or fear, such as an urgent account problem, suspicious activity, or a final warning. They may also fake familiarity, hinting at a prior conversation, relationships, or corporate hierarchy. All of these are intended to make you act without thinking.

The goal of a vishing attack is to steal your sensitive information, such as passwords, PINs, verification codes, or financial information. Legitimate institutions will never request such details through unsolicited calls.

Scammers might have what seems like personal knowledge about you, taken from online sources or social media, to make the call seem legitimate. However, knowing your address, recent transactions, or family details does not confirm the caller's authenticity. 

If a call seems suspicious even when it sounds genuine, don't act immediately. Instead of following the caller's instructions, hang up and call the institution or person directly using a verified number from their official website or your contacts. Never use the callback number provided during the suspicious call.