What is Vishing?

Vishing (voice phishing) is a tactic used by attackers to steal personal and financial data over the telephone. Common vishing attacks involve individuals impersonating government representatives from organizations like the IRS, Medicare or Social Security in an effort to gain information or money.

Scammers typically call victims and claim their account has been compromised or that they owe an enormous sum of money. Furthermore, they often target businesses to gain access to confidential user data.

What does vishing involve?

Vishing (voice phishing) involves criminals impersonating legitimate organizations in an attempt to gain access to your personal data. Vishing attacks can take place over landline or mobile phone lines and use social engineering tactics to trick victims into divulging private details. Criminals might call and pretend to represent businesses that need passwords or account numbers for password protection or account updates, IT departments, law enforcement or the IRS. They might claim you've won a prize and ask you for money or credentials in order to "claim it", or suggest that your computer or software has been compromised and ask you to install an update, in order to get information out of you or compromise the machine further.


Fraudsters looking to gain PIN numbers, credit card security codes or passwords often claim that they need the information urgently – pretending they represent banks, insurance providers or government offices and scaring you into thinking immediate action must be taken or legal consequences could ensue – including losing your job or jail time.

One popular method of vishing is known as no-hang-up or delayed disconnect, where scammers hold the phone line open while playing a false dial tone. A victim who then tries to call their bank or card company may think the earlier call was disconnected, only to discover later that they were connected to another scammer who could listen in on the conversation and steal confidential data.

How Does Vishing Happen?

Vishing attacks, often known as vishing scams, use text messages or phone calls to impersonate banks, government agencies, businesses or even friends and relatives in order to gain confidential information or money from individuals. The goal of these attackers is simple – take your information or money.

Cybercriminals often use psychological tactics, such as inducing fear or greed, to get victims to reveal sensitive information or hand over money. Vishing scammers typically ask for sensitive data like the victim's mailing address, credit card number or social security number, and try to convince victims to share passwords or login data with them.

Vishing is a portmanteau of voice and phishing; this form of attack leverages voicemail, calls or other methods of voice contact to gain the victim's attention, and some attempts may even use email and online channels instead of strictly telephone contact. Vishing attacks belong to a wider category known as social engineering attacks, which often combine different techniques into one attack method.

Some vishing attackers pose as trusted acquaintances to build rapport with their victims and steal from them, while other times they target businesses to access private data of employees and their coworkers.

As the best defense against vishing attacks, it is wise to register with the National Do Not Call Registry or its equivalent in your country and refrain from providing personal information to unknown callers. Should an unfamiliar number call, let it go directly to voicemail or contact the organization directly instead of giving out any personal data. Businesses should consider conducting cybersecurity awareness training sessions with employees so they understand the dangers of vishing and how to spot potential attacks.

What happens during a vishing attack?

Vishing (voice phishing) attacks can take various forms, with criminals trying to convince victims to share confidential information via telephone. Vishing attackers use various social engineering techniques designed to instil curiosity, fear or trust so that victims share data over the phone with them. Criminals in business settings may even pose as legitimate tech support technicians to collect this data directly.

Fraudsters may pose as IRS officials and falsely accuse victims of owing back taxes, threatening to send tax collectors to their home unless payment is made immediately. Victims then transfer funds directly into fraudsters' bank accounts, and only realize what has happened when their financial institution tells them their funds have vanished.

Vishing attacks often include attempts at installing malware onto the victim's computer. Attackers then gain entry and collect passwords, MFA codes and financial data. Such access could then be used to steal money, commit credit card fraud or take over corporate networks altogether.

Businesses should teach employees not to disclose personal data over the phone, which includes encouraging them to let unknown numbers go directly to voicemail before returning the call, or to call back themselves if they are suspicious of who is calling. Furthermore, companies must implement security solutions which stop attackers' phone calls in the first place and can prevent attacks such as smishing, which use SMS text messages against victims. Mobile application security solutions offer great protection from this form of attack.

How Common Is Vishing?

Vishing is an emerging cyber security threat. It's simple to implement, scales well and requires less technical skill than other forms of attacks; plus it gives attackers an opportunity to use information gleaned in previous cyber attacks in order to gain victims' trust.

Vishing attacks typically take the form of phone calls or voicemails purporting to come from a trusted organization and demanding sensitive data, such as credit card PIN numbers, Social Security or identity numbers, or bank account security codes. Attackers may even pose as company representatives and demand that victims wire funds or pay invoices, or use fake technical support contacts to convince victims to install software that would allow them access into a business's computer systems.

Vishing attacks often utilize social engineering tactics that manipulate the victim's emotions in order to push them into quick and unwary decisions. Attackers might imply that their victim has violated tax laws or will face serious legal consequences without immediate action, or create urgency by suggesting the victim's computer has become infected and demanding remote access in order to fix it.

Though many vishing attacks target consumers, businesses have also come under attack from fraudsters impersonating clients or members of a company to obtain financial information or money from new or unfamiliar employees.

One effective strategy against vishing is two-person approval for invoice payments and wire transfers, so that two individuals must verify whether an invoice is valid before it can be paid or money transferred. Companies should also train employees how to identify vishing attacks so they can respond swiftly when an attack comes their way.
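A sketch of how a payment workflow can enforce the two-person rule described above, as an added example that is not part of the original article. The class, field names and sample values are hypothetical, and it assumes the requester does not count as one of the two verifiers; approvals are bound to a hash of the payment details, so a phoned-in "change of bank details" after approval cancels them.

```python
import hashlib
import json
from dataclasses import dataclass, field

class ApprovalError(Exception):
    """Raised when an approval or release would break the two-person rule."""

def _digest(details: dict) -> str:
    # Canonical JSON so identical details always hash to the same value.
    return hashlib.sha256(json.dumps(details, sort_keys=True).encode()).hexdigest()

@dataclass
class PaymentRequest:  # hypothetical model, not a real payment API
    requester: str
    details: dict  # payee, account, amount (constructed sample fields)
    approvals: dict = field(default_factory=dict)  # approver -> digest approved

    def amend(self, **changes) -> None:
        # Earlier approvals stay bound to the old digest, so they stop counting.
        self.details = {**self.details, **changes}

    def approve(self, approver: str) -> None:
        if approver == self.requester:
            raise ApprovalError("requester cannot approve their own payment")
        self.approvals[approver] = _digest(self.details)

    def valid_approvers(self) -> set:
        current = _digest(self.details)
        return {a for a, d in self.approvals.items() if d == current}

    def release(self) -> dict:
        if len(self.valid_approvers()) < 2:
            raise ApprovalError("two distinct approvers must verify the current details")
        return self.details

def demo() -> list:
    """Constructed scenario: an approved invoice, then a phoned-in account change."""
    req = PaymentRequest("alice", {"payee": "Example Supplies",
                                   "account": "ACCT-0001", "amount": "4200.00"})
    req.approve("bob")
    req.approve("bob")  # the same person approving twice still counts once
    after_bob = sorted(req.valid_approvers())
    req.approve("carol")
    req.amend(account="ACCT-9999")  # caller asks to "update" the bank details
    try:
        req.release()
    except ApprovalError as exc:
        return [after_bob, str(exc)]
    return [after_bob, "released"]
```

After an amendment, both approvers have to verify the new details again before `release()` succeeds.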

How to Recognize Vishing?

Vishing (or "vicing") attacks aim to gain personal information that can be used for identity fraud or withdrawing money from bank accounts. Understanding their mechanisms and recognising these attacks will help keep you safe from becoming an easy target of these scams.

Cybercriminals may pose as IRS employees, Medicare Office employees, local police department officers, businesses that manage payroll or credit card companies or even friends or family in need of financial support.

"Wardialing" is an increasingly common tactic used to launch vishing attacks, where cybercriminals target multiple individuals in an area code and use automated messages to create an impression of urgency, before asking the victim for personal data such as credit card security codes, passwords and social security numbers or bank account details.

Vishing attackers use caller ID spoofing software to present themselves as legitimate businesses or organizations, making it hard to distinguish between a genuine company call and a vishing scam. Therefore, it is crucial that individuals remain vigilant and remember that legitimate companies would never solicit sensitive personal data over the phone.

An effective way to avoid vishing is through cybersecurity awareness training for employees. Simulations of such calls will make employees aware of what to look out for, while it is also wise to register your business on the National Do Not Call Registry so as to reduce telemarketing and vishing calls received by your business.

Make it a rule never to provide personal data over the phone, no matter how urgent a caller seems. Instead, hang up and verify that the organization is really calling, using contact details found through an online search or on its official website, before giving out your data.