Vishing is a phone scam. In a vishing attack, a scammer preys on human error by phoning their victims and attempting to get them to expose their personal information, money or both. The word “vishing” comes from “voice” and “phishing,” which suggests that a fraudster is dangling a hook or a lure to get unsuspecting victims to reveal usernames, passwords, or credit card details or download malware onto their devices.
Originally, phishing attacks were mostly confined to phony emails from what appear to be a trusted source. The emails are cleverly designed to lure unsuspecting folks into clicking a link and entering the data on an illicit website. The phishing lexicon has expanded to include smishing, which uses fraudulent text messaging, and pharming, which is phishing using fake websites without the email hook.
In 2023, there was a 1265% increase in malicious email sends. Similarly, the FBI lists the related social engineering attacks of phishing, vishing, smishing and pharming as among most prevalent threats in the U.S. last year, with more than 300,000 victims.
The reason vishing is so successful is that it exploits the subconscious side of human nature. As a form of social engineering, vishing uses specific or “vague enough to be real” details about the victim to get them to believe the scam caller is authentic and should be trusted.
Vishing calls may come from a blocked number or a fake or spoofed phone number used to impersonate a legitimate person or organization. Fraudsters also use robocalls to carry out vishing schemes on a larger scale.
No matter what form the phishing attack takes, social engineering thrives in times of uncertainty.
The person or robot placing the phone call uses a sense of urgency or the guise of an emergency to ask you questions confirming your identity or personal details, then they ask for even more information.
The catalyst may not always be a potentially negative situation: sometimes the urgency comes from the excitement of potentially winning money, gifts or trips. Unfortunately, it’s all fake when it comes to vishing scams. The scammer really wants your personally identifiable information (PII), financial account details, medical information or other sensitive data. And they want you to give it to them over the phone quickly before you have time to realize it’s a scam.
When victims are tricked into sharing their name, date of birth, Social Security number, bank account details and other sensitive information, fraudsters are equipped to commit credit card fraud, account takeovers, and identity theft using that information.
If you have shared your personal information, bank account, or credit card number in what you suspect was a vishing scam, report the call to your financial institution and government agencies. Several agencies are working to reduce fraud and protect consumers from scammers, including the Internet Crime Complaint Center (IC3), the Federal Trade Commission (FTC), and the Better Business Bureau (BBB).