Vishing
What is vishing?
Vishing, short for voice phishing, is a type of social engineering attack in which cybercriminals use phone calls or voicemails to trick individuals or employees into sharing sensitive information such as bank account numbers, passwords, credit card details, or system credentials. It is one of the most deceptive and emotionally manipulative forms of phishing attacks.
Vishing vs. Phishing
While phishing relies on fake emails, text messages, or websites, vishing happens over voice calls. Both are forms of social engineering, but vishing is more dangerous because it uses real-time conversation to manipulate victims, leaving them little opportunity to pause, reflect, and spot the deception.
Why is vishing more dangerous?
Vishing attacks are more dangerous than other types of phishing because they:
- Use real-time voice interactions to apply emotional pressure on victims.
- Leverage urgency, authority, and fear to override logical thinking.
- Bypass email filters and firewalls, making them harder to detect through technical means.
- Often involve impersonation of trusted institutions like banks, law enforcement, or the IRS.
- Increasingly use AI-generated voice deepfakes to mimic real people, such as a CEO or a family member, making vishing scams far more convincing and harder to identify.
How does vishing work?
- The attacker spoofs a legitimate phone number.
- They claim there’s a problem: a hacked account, unpaid tax, or an urgent technical issue.
- The caller demands personal information, payment, or remote access.
- Once the victim complies, the scammer steals money, data, or gains system access.
Common types of vishing attacks
- Bank impersonation: Scammers pose as bank representatives, warning of suspicious activity. They ask for account credentials or persuade the victim to transfer funds to an account the scammers control.
- Tech support scam: The caller pretends to be from a well-known organization such as Microsoft, claiming the victim's computer is infected. Victims are told to install remote-access tools or pay for fake repairs.
- Scams targeting the elderly: Criminals pose as grandchildren or officials, claiming an emergency and asking for urgent financial help. These scams rely heavily on emotion.
- Executive impersonation (whaling): Attackers impersonate a company's top executives and instruct employees to send money or sensitive information, claiming it's an urgent business matter.
- Government or IRS scam: The caller pretends to be from the IRS or law enforcement, threatening arrest or legal action unless payment is made immediately.
- Healthcare or insurance scam: Victims are told their insurance is expiring or needs verification. Scammers ask for medical or financial details under false pretenses.
- Delivery scam: The scammer claims a package is undeliverable unless the victim confirms their personal details or pays a small fee.
- Prize or lottery scam: Victims are told they’ve won a lottery or contest but must pay taxes or processing fees before receiving their prize.
How to prevent vishing attacks?
For individuals:
- Be cautious of unexpected calls: Legitimate institutions rarely ask for personal or financial information over the phone.
- Verify the caller: If a call seems suspicious, hang up and call back using the official number listed on the organization’s website, not the one provided during the call.
- Don’t trust caller ID: Scammers can fake numbers using spoofing tools to make calls look like they’re coming from a trusted source.
- Avoid calling back numbers given during a suspicious call: Fraudsters often provide fake callback numbers that connect you directly to them or their accomplices.
- Limit personal information shared on social media: Scammers often gather details from public profiles to sound convincing during calls.
- Use call-blocking features: Most smartphones and mobile carriers offer tools or apps to filter spam and robocalls effectively.
- Report suspicious calls: Notify your phone provider and national cybercrime authorities to help warn others and track scam patterns.
For organizations:
- Train employees on vishing and social engineering threats: Regular awareness sessions, role-playing, and phishing simulations can help employees recognize and resist vishing attempts.
- Establish strong internal verification policies: Require employees to verify high-risk requests such as payment approvals or data access through secure channels.
- Use Multi-Factor Authentication (MFA): MFA adds an essential layer of security, making it much harder for attackers to exploit stolen or leaked credentials.
- Restrict public access to employee information: Avoid publishing direct phone numbers, job titles, or contact lists that scammers could use to impersonate executives or employees.
- Monitor and audit sensitive communications: Set up oversight protocols for activities like wire transfers, access changes, and data sharing.
- Use cybersecurity tools: Although vishing happens over voice calls, email security tools like Zoho eProtect play a crucial role in defending against phishing emails that initiate or support vishing attempts. Zoho eProtect helps filter malicious emails, block phishing links, and prevent credential harvesting.