What Is Vishing?

Vishing, short for voice phishing, is a social engineering attack in which criminals use phone calls or voice messages to trick people into sharing sensitive information, sending money, or granting access to their accounts and systems.

The name blends “voice” and “phishing,” and the tactic works much like email phishing does, by impersonating someone you trust and pushing you to act fast. What makes vishing especially hard to catch is the human element: A live, confident voice on the line can feel more convincing than any email. And, as AI voice-cloning tools become widely available, attackers can mimic a familiar voice closely enough to fool the person who hears it, which means a recognizable voice is no longer proof of who’s really calling.

How Vishing Works

A vishing attack follows a simple playbook: Build trust, create urgency, and extract something valuable before the victim has time to think. Most attacks move through the same stages:

  • Pretext: The attacker picks a believable cover story, like a bank fraud alert, an overdue invoice, a tech support ticket, or an urgent request from a manager.
  • Spoofing: Using caller ID spoofing, they make the call appear to come from a real bank, government office, or internal extension.
  • Pressure: They manufacture urgency or fear, warning that an account will be locked, a payment is overdue, or law enforcement is involved.
  • Extraction: They ask for the payoff: a one-time passcode, a password, a payment, a gift card, or remote access to a device.

Vishing rarely travels alone. In a telephone-oriented attack delivery (TOAD), the victim gets a phishing email first, then a follow-up call that makes the scam feel legitimate. Attackers also pair voice calls with smishing (SMS phishing) to reach victims across more than one channel.

Types of Vishing Attacks

Vishing shows up in several recognizable forms, each tuned to a different victim and goal.

  • Tech support scams: The caller claims your device is infected and talks you into installing remote-access software or paying for fake support.
  • Financial and bank fraud: Posing as your bank’s fraud team, the attacker says your account is compromised and asks you to “verify” credentials or move funds to a “safe” account.
  • Government and tax impersonation: The caller pretends to be a tax authority or law enforcement and threatens fines or arrest unless you pay immediately.
  • AI voice cloning and deepfakes: Attackers clone a familiar voice, such as an executive approving a wire transfer or a relative in distress, to authorize fraud. Because cloning tools are inexpensive and easy to use, a voice you recognize is no longer reliable proof of identity.
  • Help desk and IT impersonation: Attackers call a company’s help desk, impersonate an employee, and trick staff into resetting credentials or MFA. This technique has fueled high-profile enterprise breaches and is a common initial-access route for ransomware crews.
  • Robocall vishing: Automated calls play a recorded message and route anyone who responds to a live operator or a malicious phone tree.

Vishing vs. Phishing and Smishing

Phishing, vishing, and smishing are the same kind of social engineering attack delivered through different channels. Here’s how they compare:

| Attack type | Channel | How it reaches you | Typical goal |
|---|---|---|---|
| Phishing | Email | A message that looks like it’s from a trusted brand or contact | Click a malicious link, open an attachment, or enter credentials on a fake site |
| Vishing | Voice call or voicemail | A live or automated call, often with a spoofed caller ID | Reveal a passcode or password, make a payment, or grant remote access |
| Smishing | SMS or text message | A text with a malicious link or a request to reply | Tap a link, share information, or call a fraudulent number |

The defense is the same across all three: slow down and verify the request through a channel you trust before you act.

How to Recognize Vishing

Most vishing calls share a handful of red flags. Treat a call as suspicious when you notice any of these signs:

  • The call is unexpected and pushes you to act right now.
  • The caller asks for a one-time passcode, password, PIN, or full card number.
  • You’re pressured to pay by gift card, wire transfer, or cryptocurrency.
  • The caller wants remote access to your computer or phone.
  • The story involves threats, such as arrest, fines, or account suspension.
  • The caller discourages you from hanging up, calling back, or checking with anyone else.
  • A “familiar” voice makes an out-of-character request, especially one involving money or credentials.

A legitimate bank, vendor, or government agency won’t object if you hang up and call back on an official number. Attackers will.

Vishing Prevention Best Practices

You can’t stop scammers from dialing, but you can make their calls fail. A layered approach that combines people, process, and technology works best. Here are some examples.

Verify Through a Trusted Channel

Hang up and call back on a number you look up yourself, not one the caller gives you. Calling back for verification on a known, independent number is the single most effective control against vishing, including AI voice-cloning attacks.

Never Share Secrets by Phone

Treat one-time passcodes, passwords, and full payment details as off-limits on any inbound call. No legitimate organization needs you to read them aloud.

Set a Verification Step for Sensitive Requests

For payments, wire transfers, and credential resets, require a second form of confirmation. A pre-agreed code word or a callback policy stops a cloned voice from being enough on its own.

Train Your Team and Test It

Run vishing simulations alongside phishing training so staff can practice spotting pressure tactics. Pay special attention to help desk and finance teams, who are frequent targets.

Harden Identity Verification at the Help Desk

Require strong, scripted identity checks before any password or MFA reset. This closes one of the most exploited doors in enterprise vishing.
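
One way to encode the callback and second-confirmation rules from the sections above as a gate in a help desk workflow. This is an added example, not code from this page or from Veeam; the directory, field names, and action names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed directory of record: the only numbers a callback may use.
DIRECTORY = {"e1001": "+1 (555) 010-0142", "e1002": "+1 555 010 0177"}
SENSITIVE = {"password_reset", "mfa_reset", "wire_transfer"}


@dataclass
class Request:
    employee_id: str
    action: str
    inbound_caller_id: str             # displayed number; spoofable, never trusted
    callback_number: str = ""          # number the agent actually dialed back
    callback_answered: bool = False
    second_confirmation: bool = False  # e.g. pre-agreed code word


def digits(number: str) -> str:
    """Normalize a phone number to digits only for comparison."""
    return re.sub(r"\D", "", number)


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons) for a request made over the phone."""
    if req.action not in SENSITIVE:
        return True, []
    on_file = digits(DIRECTORY.get(req.employee_id, ""))
    if not on_file:
        return False, ["no number of record for this employee"]
    reasons = []
    if not req.callback_answered:
        reasons.append("no completed callback")
        if digits(req.inbound_caller_id) == on_file:
            reasons.append("matching caller ID is not proof; it can be spoofed")
    elif digits(req.callback_number) != on_file:
        reasons.append("callback used a number not in the directory of record")
    if not req.second_confirmation:
        reasons.append("second confirmation missing")
    return not reasons, reasons
```

The gate never treats the inbound caller ID or the caller's voice as evidence: only a completed callback to the number of record plus a second confirmation allows a sensitive action.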

Use Strong Multifactor Authentication (MFA)

Enable MFA on important accounts, and favor app-based or hardware authenticators over SMS codes, which are easier for attackers to intercept or talk a victim into sharing.

Report Suspicious Calls

In the U.S., report vishing to the FBI’s Internet Crime Complaint Center (IC3) and the FTC. Reporting helps investigators track campaigns and warn others.

FAQs

Is vishing the same as phishing?

Not quite. Phishing is the umbrella term for social engineering that impersonates a trusted source. Vishing is the voice-based version, carried out over phone calls or voice messages instead of email.

What’s the difference between vishing and smishing?

The channel. Vishing uses voice calls and voicemails, while smishing uses SMS or text messages. Attackers often combine the two in a single campaign.

Can criminals really clone someone’s voice?

Yes. Modern AI tools can produce a convincing clone from a small sample of recorded audio, so a familiar voice is no longer proof of identity. Always verify surprising requests through a second channel.

What should I do if I think I received a vishing call?

Hang up. Don’t share information or follow instructions. Call the organization back on an official number and report the call to the FBI IC3 and the FTC.

How Veeam Can Help

Vishing is often the opening move in a larger attack. A single convincing call can hand over the credentials an attacker needs to deploy ransomware or steal data. Veeam can’t stop the phone from ringing, but it makes sure a successful scam doesn’t become a catastrophe. With secure, immutable backups and fast, reliable recovery, Veeam helps you bounce back from ransomware and data loss so your business keeps running. Learn more about ransomware protection and building true data resilience with Veeam.
