What Is Vishing? How to Detect & Prevent Social Engineering Phishing Phone Attacks

Vishing is a type of phishing attack where scammers make phone calls pretending to be someone else–often a legitimate business–to steal private information or money. The name vishing stands for voice phishing, since it’s done over phone calls.

There’s a good chance you’ve received one of these calls yourself. If you’ve ever gotten a spam call pretending to be from your bank, or the IRS, or a Medicare office, for example, it was probably a vishing attempt.

It’s not just businesses and official institutions that vishers impersonate. Some vishing calls pretend to be a friend or family member facing a dangerous situation like a car accident or police arrest.

Learn about how to identify vishing calls, examples of the most common types of vishing attacks, and how to stop them.

Vishing, meaning “voice phishing,” is a type of phishing attack where a criminal calls a victim and manipulates them into divulging sensitive information like credit card numbers, PINs, or login credentials. Often, the attacker will pose as an agent from a legitimate business or agency, such as a bank or the IRS. Scammers may ask for direct payments through crypto transfers or gift card codes.

Some vishing attacks even impersonate a victim’s friend or family member. Two common examples include:

1. A stranger calls saying they’ve found your family member in a car accident. They pose as a paramedic and ask for money to take them to the hospital, or as a lawyer and threaten to sue for injuries.

2. Someone pretends to be a scared family member–a grandson, for example–and says they’ve been arrested and need money for bail. This can involve multiple scammers who pretend to be police officers.

Vishing is a type of social engineering attack because it relies on human error rather than technical hacking. Like phishing, it relies on manufactured urgency (like impending legal trouble, account closure, or fines, for example) to confuse and scare victims. In addition, because it uses a phone call as part of its modus, vishing is also called a voice scam.

Improvements in technology are part of the reason why vishing calls are increasing in frequency. Voice over Internet Protocol (VoIP) allows people to make phone calls through the internet and caller ID spoofing makes it easy to hide behind fake phone numbers. Many vishing calls come from your same area code, and some even have numbers almost identical to yours. And vishing attackers also use automated software to make thousands of calls a day.

While vishing attacks can vary quite a bit, there are some common scam signals across most calls.

• It starts with a prerecorded message. Many vishing calls open with an automated message, either from a real human or a robotic sounding digital voice. “You’ve won a free stay at Hilton Hotels! Press one to claim your offer,” for example. If you press one, you’ll be transferred to a real human, where the scam starts.

• There’s an extreme sense of urgency. Every phishing attack relies on extreme urgency to trick a victim into overlooking suspicious signs of a scam. Vishing is no exception. Vishing calls will threaten you with impending arrest or fines, or a soon to expire free prize.

• It asks for sensitive information. Scam callers may pry for your passwords and social security number, which is a strong red flag. They may also ask to “verify” seemingly innocuous information like your birthday and address. In some cases, vishing scammers may even have some of your information on hand, making the call seems legit.

• It comes from a federal agency. Vishing scams commonly impersonate the Social Security Administration or the IRS. But government agencies won’t call you for money or personal information.

To put it plainly: extremely. The FCC reports that Americans got nearly 4 billion robocalls per month in 2020. Combined with other social engineering attacks, vishing costs people an estimated $44 million in 2020, according to the FBI's IC3 report.

Vishing is a concern both on individual and organizational levels. It can trick employees into giving out their work credentials. It’s a possible attack vector to compromise an organization’s network and initiate a data breach or password leak.

Social engineering attacks like vishing are often the first step to any large-scale data breach. They provide the necessary credentials for attackers to gain access to your system.

The quick answer: vishing happens over the phone, while phishing is usually conducted by email.

Vishing and phishing are both social engineering attacks. They rely on manipulation to deceive people into sharing information, and they’re hard to detect because they can look and feel legitimate.

Vishing does this through a phone call. Phishing, on the other hand, is usually performed through emails. An attacker sends an email with a similar sender name to a reputable company or organization, for example. They can even go as far as craft a legitimate-looking website to match.

Phishing and vishing are often complementary to each other. For example, an attacker will usually begin with a phishing email to get personal information from a victim, which they can leverage in a vishing call.

Of the 50 billion robocalls Americans get every year, these are some of the most common examples of vishing scams:

• Something is wrong with your bank account. Your bank calls to inform you that something is wrong with your account. To verify and fix the problem, they just need your credit card number or bank account information. Of course, once they have this data, the attacker can siphon funds off the account or use your credit card number.

• Your Social Security Number is suspended. Someone calls from the Social Security Administration office warning you that your SSN is suspended. They’ll ask you to confirm the number, which opens the door to identity theft. They may also offer to fix the issue in exchange for payment via cash, gift cards, crypto, or wire transfer.

• Your software is expired or at risk. The attacker pretends to be support staff from a big company like Amazon, Microsoft, or Apple, saying you need to update their software or pay to renew the software. They’ll ask for payment, or send an update file containing malware.

• You won a free prize! Callers from hotel chains, travel agencies, or well known companies call to let you know that you just won a big prize. You just need to give their personal information or pay a small fee to claim it.

• You owe a bunch of taxes. The IRS calls you to inform you that you have unpaid, overdue taxes. If you don’t pay right away, you’re going to owe a ton of money and you might even get arrested.

Take these three steps with any potential vishing calls:

1. Be weary of unknown phone numbers.

2. Don’t give out any sensitive information unless you've verified the caller.

3. Put your name on the National Do Not Call Registry.

Abnormal Security can stop the socially engineered phishing attacks that put your organization at risk. Schedule a demo to see how we do it.