What is a vishing attack?

It sounds like phishing. Literally. Learn about the phenomenon of “voice phishing,” how to tell when you’re under a vishing attack, and how to avoid taking the bait.

Phishing with a ‘v’

Voice phishing—the “v” in “vishing” stands for voice—works the same way as regular phishing, but over a phone rather than a questionable email. Vishing is when someone you don’t know prompts you to give up personal information under the threat of consequences, or by fooling you into sharing more than you should under false pretenses.

Microsoft Defender

Stay safer online with one easy-to-use app¹

¹Microsoft 365 Personal or Family subscription required; app available as separate download

Learn More

While both rely on social engineering, vishing can feel much more high-stakes than regular phishing. You can detect a phishing email with diligence and a gut check, and once you identify its trickery, you can delete it or forward it to IT before moving on with your day, satisfied that you didn’t fall for the ploy. But with vishing, you’ve picked up the phone, someone wants something from you, and you may not have time to reflect or react. The caller may be convincing or threatening, and you might not realize you’re on the hook until you’ve said too much.

“By knowing what vishing sounds like in action and what tactics voice phishers use, you can prepare to wriggle away unharmed, with your account and data security intact.”

How voice phishers try to trick you

By knowing what vishing sounds like in action and what tactics voice phishers use, you can prepare to wriggle away unharmed, with your account and data security intact. Here’s what you should know.

Vishing scammers do research

They may have looked up your organization’s contact info online and charted a path to confidential information. They may be following up on a previous phishing scam that included a phone number and seeing who gives them a call, or cold-calling themselves. Or, they may have literally climbed into a dumpster and looked for intact documents that reveal phone numbers or other personal info that no one thought to shred before tossing.

Vishing scammers cast a wide and tricky net

They may be scoping out a chunk of area codes and hiding behind a VOIP or caller ID spoofer, so their number looks familiar or legitimate, and you’re more likely to pick up.

Vishing scammers come prepared

In a technique called “wardialing,” a voice phisher may play a recorded, stern, official sound that asks for personal details that you would only normally give out when trying to access accounts, like SSN, full name, addresses, and banking info. They urge you to give them this information by saying things like, “You need to call us back right away,” “Your account has been compromised”, or “Please confirm your account details for access.”

Vishing scammers will lean on authority and threats

They want to access data they can exploit to commit theft, so they’ll pretend to represent authoritative organizations like banks and the IRS to lull you into a false sense of security. Vishing scammers will often play the roles of government and law enforcement agencies to use scare tactics and threaten you to relay sensitive information. Other vishing scammers will play on your desire for success—like false tech support calls or calls that let you know you’ve won a prize for a contest you’ve never entered.

Ways to avoid vishing attacks

So how can you respond with confidence in the moment and not budge an inch in the face of the scammer’s demands? Here’s some examples of how to avoid falling for vishing attacks.

Commit to not giving out information

The best way to avoid falling for a vishing attack is to do nothing. If you’ve confirmed your name, fine, it happens, but no more than that. Or consider not answering the phone if you don’t recognize the number. No one can scam, cajole, or threaten you if you refuse to be their target, and if they leave a message, you are better able to take your time evaluating its intent.

Realize this call is not normal

Rarely, if ever, will any of government agencies or services call you and ask for your personal details, let alone demand them or pry to an unusual level, especially without previous contact. If you are expecting a call from your bank or customer service and someone calls you, but the situation feels off, hang up and place a call yourself to a number you can verify, preferably on a different phone in case your number has been routed to the fake one.

Slow down the situation

Give yourself time to think or assess the situation. Ask clarifying questions, but don’t let yourself be lulled into comfort or agreement. Listen for language that sounds salesy, too good to be true, or that gives you a feeling of being manipulated. But also, feel free to not engage since that is overall the safest option.

Do a gut check

If the person identifies themselves by name as someone you know, but you don’t think they sound familiar, hang up. Try giving the person a call yourself. And remember there’s no reason for certain people in your workplaces to call asking for personal, account-compromising details, especially during after-work hours or to your personal phone.

Vishing is a new twist on an old fraud, but with a little awareness and a lot of thoughtful security practices and discretion, you can disarm the scammer and perhaps catch them in their own net of lies.