Everything you need to know about vishing and how to recognize it early

What is vishing? 

Vishing (voice phishing) is a type of phishing attack carried over the phone. Instead of sending deceptive emails or texts, attackers rely on voice communication. They make unexpected phone calls, pretending to be from the victim's bank, their company's IT department, a government agency, or a family member in trouble.

The goal is always to trick victims into giving away something valuable, which means successful vishing attacks are highly damaging. The types of information scammers want include:

• Bank account and credit card details.
• Personal information like a Social Security number or home address.
• Security credentials, passwords, or PINs.

While some vishing attacks involve pre-recorded robocalls, the most damaging scams typically happen in real time, with skilled social engineers creating urgency, fear, or false reassurance to push people into sharing sensitive information.

How vishing attacks work

Most vishing attacks are carefully staged, with the scammer putting in the groundwork to make the call seem legitimate and urgent. They tend to follow a similar pattern:

• Reconnaissance. The attacker gathers as much private information as possible about the target. This information may include the target’s name, employer, job title, phone number, and recent activity, all scraped from social media, data breaches, or public databases. Let's say the attacker learns a company's invoice schedule or spots a pattern in their target's LinkedIn activity. That's all they need to produce a persuasive vishing attack, posing as the finance department of their employer, a vendor, or the CEO of the company they work for.
• Setup. The attacker sets up their tools, often spoofing a phone number and a local area code or mimicking the caller ID of a trusted entity. In more advanced cases, they may use AI-generated voices to sound like someone the victim knows.
• Execution. The scammer makes the phone call and begins the pitch. The tone may be friendly, urgent, or even threatening, depending on the scenario. The goal is always to rush the target into complying with the request before they have time to think or verify the scammer’s identity. 
• Extraction. If successful, the attacker coaxes the victim into divulging sensitive information, like bank account information, credit card details, or a mailing address.
• Aftermath. The stolen private data may be used right away or sold on the dark web. Victims can face financial loss, identity theft, credit card fraud, or reputational damage. In some cases, vishing attacks can also lead to medical identity theft, where scammers use the victim's personal data to access healthcare services or commit insurance fraud in their name.

Some vishing scammers take a more indirect approach. Instead of forcing the action on the first vishing call, they leave a voicemail telling the target to call back about their taxes, insurance claim, or "urgent legal matter." This tactic gives the illusion of legitimacy and buys the scammer more time to build trust.

If you’d like to learn more about similar scams and threats, take a look at our guide on what someone can do with your phone number.

The 8 most common types of vishing scams

Phone scams have existed for decades, but modern vishing tactics are more personalized and increasingly powered by new technologies. Because many people are cautious about answering unknown numbers, scammers adapt their approach, using urgency, emotional manipulation, or fake voices to bypass suspicion.

Let's look at a few examples of common vishing scams.

1. AI-based voice cloning scams

As voice synthesis tools become more accessible, scammers are now able to create alarmingly realistic imitations of real people.

How they work 

Scammers use AI to clone someone's voice — often a family member, friend, or company executive. They create a convincing scenario: a kidnapping, an accident, an urgent wire transfer request. Then they call the victim using this fake voice and try to obtain money or sensitive data.

Example

In 2019, an executive at a UK-based energy firm received a phone call from someone he believed was the CEO of the company's German parent organization. The caller, speaking with a familiar accent and tone, urgently requested a $243,000 transfer to a supplier in Hungary, assuring it would be reimbursed. The executive complied, only to later learn that the voice had been artificially generated using AI.

2. Robocalls and VoIP scams

Robocalls may feel like a nuisance from the past, but they're still widely used in modern vishing schemes.

How they work 

Attackers use robocalling systems to blast thousands of automated calls per hour to potential victims. Many use VoIP (voice over IP) tech to reduce the cost of vishing attacks and impede detection by law enforcement agencies. Victims are often told to "press 1 to speak with a representative" or receive fake warnings about their account being compromised.

Example

A 2022 FTC report estimated Americans lost over $1.2 billion to robocall scams, with VoIP-enabled calls making up the majority. In one widely reported scam, a robocall claims to be from Apple Support, saying the user's iCloud account has been breached. Pressing "1" connects them to a scammer who harvests their credentials.

3. Caller ID spoofing

Most people check caller ID before picking up the phone, but that's no longer a reliable safeguard. Scammers can easily fake the caller ID number.

How it works

Using widely available spoofing tools, scammers manipulate the caller ID so it looks like the call is coming from a familiar or trusted source. It could be your employer's switchboard, a customer support line, or a number already saved in your contacts.

Example

In 2024, a woman in Illinois received calls where the caller ID displayed her bank's real phone number. The scammers convinced her they were stopping fraudulent transactions, and by tricking her into reading out authentication codes sent to her phone, they gained access to her account and stole $2,000 via the bank's Zelle payment system.

4. Tech support scams

Technical support scams remain one of the most persistent types of vishing attacks. They often target older people and rely on the fear of viruses, hacked accounts, or broken software to push potential victims into quick decisions.

How they work 

The potential victim is told that their computer or device is infected with a virus or suffers from some other issue. The caller offers to fix it (often for a fee) and asks their target to download remote access software. Once connected, the attacker can steal data, install malware, or demand payment to "unlock" the device. 

Example

In 2020, a Florida resident reportedly lost $16,000 after answering a call from someone posing as Apple Support. The scammer gained remote access to the victim's computer and used their personal data to facilitate the theft.

5. Bank/government impersonation

One of the most effective vishing tactics is impersonating authority figures. These scams often target people who are already anxious about taxes, benefits, or fraud alerts and exploit their fears to manipulate them into revealing their private data.

How it works 

​​Scammers may claim to represent government agencies, such as the Social Security Administration, the FBI, or Medicare, or financial institutions, like banks and credit card companies. They often say there's a problem with the target’s account or a legal issue that needs immediate attention.

To fix that problem, the caller asks the target for personal or financial information, like their account number or login credentials. Some scammers also send text messages before or after the call to make the request seem more legitimate.

Example

In 2025, a Delhi-based individual received a call from someone posing as a bank representative. The caller claimed a check had bounced and offered to help "verify" the check images by sending a WhatsApp link. The scammers gained access to the target’s accounts and prematurely closed two fixed deposits, stealing around $13,000.

6. Charity or disaster relief scams

Scammers often take advantage of times when people are eager to help. In the wake of natural disasters or major crises, legitimate relief efforts ramp up quickly, and so do fake ones.

How they work 

Following events like hurricanes, wildfires, or humanitarian emergencies, scammers pose as charity workers or representatives of organizations such as the Red Cross or UNICEF. They typically reach out by phone but may also send text messages or show up in person.

The appeal is always urgent because funds are needed now to help those affected, provide shelter, or supply medical aid. To make the scam more convincing, they may spoof caller IDs, provide fake websites, or use names and logos of real charities.

Example

After Hurricane Ian struck in 2022, the FBI's Columbia field office in South Carolina issued a public warning about a rise in disaster-related fraud. Scammers were contacting residents by phone, text, or door-to-door, posing as volunteers and soliciting donations that never reached real relief organizations.

7. Prize/lottery scams

Everyone likes the idea of a lucky break: winning a car, a vacation, or a cash prize. Scammers know this and use it to their advantage.

How they work 

Victims are told that they've won a prize but need to pay a processing fee or verify their identity to claim it. Sometimes, scammers ask for their victims’ bank account details to "deposit" the winnings, then use this information to steal money instead.

Example

Attorneys in San Diego prosecuted a sweepstakes fraud operation that duped multiple seniors into paying supposed "release fees" for non-existent prizes. The scam spanned from 2020 to 2022 and cost 22 victims over $395,000.

8. Business executive fraud ("CEO scams")

CEO scams exploit authority and urgency. This type of fraud is especially dangerous in larger organizations because not every employee personally knows the senior leadership.

How it works 

An attacker poses as an executive and contacts an employee in finance, HR, or IT with a time-sensitive request, usually involving a wire transfer, payroll change, vendor payment, or sensitive document. The caller may spoof the executive's number or follow up with messages that appear to come from a legitimate company email or messaging platform.

Example

In a high-profile attack, a Hong Kong-based employee in a multinational company received a deepfake video call that looked and sounded like the CFO of the company's European headquarters. He ended up authorizing 15 payments totaling $25 million. The attacker used a pre-recorded AI video with a script matching known company procedures.

How to recognize a vishing attempt

Vishing works because it feels personal. The caller sounds confident, the story is urgent, and the pressure to act quickly leaves little room to think. But even the most convincing vishing scams tend to follow common patterns, and learning to recognize them is your strongest line of defense.

These are some of the red flags that often signal phone scams:

• The caller pressures you to act immediately.
• They ask for personally identifiable information like your Social Security number or address.
• The caller ID shows a familiar number, but the voice or context feels off.
• You're asked to download software or give remote access to your device.
• The caller refuses to send a written confirmation or allow you to call them back through official channels.
• You're told you've won something but must pay to receive it.

How to protect yourself from vishing

While vishing attacks are evolving, staying protected is entirely possible. You just need to know what to look out for and how to respond when something doesn't feel right. Follow these practical steps to prevent vishing attacks:

• Don't share sensitive information over the phone unless you confirm the number independently. This includes personal information such as account numbers, PINs, passwords, or any other confidential data. Make sure to protect your Social Security number — it's a prime target for identity theft.
• Let unsolicited calls go to voicemail. Never answer calls from unknown numbers or, if you must, be very careful with what the person on the other end of the line asks you.
• Verify the caller independently. If your "bank representative" calls and mentions some of your personal information, hang up and call the official phone number from the bank's website.
• Use call-blocking and spam-detection apps. Most smartphones and carriers offer built-in or third-party options that can detect and label known scam numbers.
• Enable two-factor authentication for all accounts. This step adds an extra layer of security, even if a cybercriminal steals your password in a vishing scam.
• Educate your family and coworkers so they understand the danger that vishing presents. Make sure they understand that banks, government agencies, and tech support teams don't make unsolicited calls asking for personal details or payments.
• Report vishing attacks to your phone carrier, local authorities, or cybercrime units.