Avast Academy Security Phishing What Is Vishing? Definition, Attack Methods & Prevention

What Is Vishing? Definition, Attack Methods & Prevention

Have you ever received a random phone call about your vehicle’s extended warranty? It may have been a vishing scam — a form of phishing attack that happens over the phone. Learn how vishing works and how to spot an attack. Then get a powerful security app to help protect against online phishing attacks, dangerous downloads, and other digital scams.

Editors' choice
Top Rated
Written by Crissy Joshua
Published on May 30, 2024

What is vishing?

Vishing is short for voice phishing and refers to the fraudulent use of phone calls and voice messaging services to convince someone to reveal sensitive data like their bank details, Social Security number, passwords, or other personal information. Like phishing attacks more generally, vishing attacks use social engineering techniques to manipulate people into falling for the scam.

Hamburguer menu icon

This Article Contains :

    Phishing vs vishing: what’s the difference?

    Phishing is when scammers pose as legitimate sources to manipulate targets into sharing personal information or clicking a malicious link, often via email or text message. Vishing, by contrast, uses phone calls or voice messages instead of emails and texts to phish for and steal sensitive data.

    Other types of phishing attacks include spear phishing, smishing (phishing via a fake text message), pharming, and social media phishing (for example, certain types of Instagram scams).

    Despite their differences, all phishing attacks, including vishing, have similar goals: To obtain personal information in order to steal money, commit identity theft or credit card fraud, or extort the victim. In almost all cases, whether the victim is an individual or a business, there is a financial incentive for the scammer.

    But there are other reasons why a vishing scammer, or “visher,” might target a victim, such as blackmailing individuals for political reasons. When a business is the target, the visher might be trying to steal security details to use in a large-scale cybercrime attack.

    How does a vishing attack work?

    Step 1: The disguise

    Vishing scammers usually disguise themselves by spoofing a local phone number or a trusted business number to contact you. Phone spoofing is the use of fake caller IDs to disguise the true source of the caller so fraudsters can present themself as a legitimate organization or company.

    Step 2: The manipulation

    The scammer uses phone calls or voice messaging services to impersonate the reputable person or company they chose as their disguise. For example, the vishing scammer may falsely represent a bank, a delivery company, or a government agency such as the IRS. In the popular, “extended car warranty scam” example, the visher might even have information about your vehicle, which helps them appear more legitimate.

    Vishers will often present themselves as solving a problem to build trust. For example, the scammer may say that your credit card has been compromised and that they are there to help you secure your account.

    Step 3: The request

    The scammer will then request certain credentials from you. For example, they might ask that you confirm your password and account details. If you provide answers, the vishing attack is successful as the scammer has gained the information they need to access your account.

    Vishers spoof legitimate organizations before asking for logins, credit card details, and other personal info.In a vishing attack, a scammer establishes trust before asking for personal information.

    Common vishing scam techniques

    There are various techniques and methods scammers use to conduct vishing attacks. The more you know how scammers operate, the better equipped you’ll be to identify a scam call and protect yourself against vishing.

    Caller ID spoofing

    Caller ID spoofing involves mimicking the phone number of a reputable, trustworthy organization, such as a financial institution or government agency, to trick a target into thinking the caller is a trusted source.


    Wardialing uses software that automatically scans lists of telephone numbers and dials them. Usually the program is configured to hang up after a certain number of rings, if a caller answers, or if voicemail is activated.

    Hackers may use wardialing for research before a larger, planned attack.


    Voice over Internet Protocol (VoIP) telephony works exclusively over the internet, meaning that scammers are less dependent on a specific geographical location than when using a cell phone or landline number.

    As long as there’s an internet connection, a scammer can use the same number to make multiple phone calls worldwide, all while keeping their real location and identity anonymous, which makes it easier for the visher to conduct their “work.”

    Dumpster diving

    Just as it sounds, dumpster diving is the act of going through someone else’s trash to find documents containing personal information such as names, phone numbers, credit card details, account information, etc.

    Vishers can then use details gathered through dumpster diving to appear more legitimate on the phone, sharing certain information that you’d only expect a trusted agency or business to know.

    Vishing attack examples

    Here are some real-life examples of vishing attacks. Some may sound familiar to you:

    Credit card & banking scams

    Credit card and banking scams are common. Financial security often rouses very strong emotions in people, which is exactly what vishers are looking for.

    In this scenario, a visher might impersonate a representative from a financial institution to convince you to share your bank account or credit card details to verify your identity so they can resolve a supposed issue with your account. If the scammer is successful, they can gain access to your bank account or credit card. If you find yourself in this situation, freeze your credit and cards immediately.

    Medicare and Social Security scams

    Vishers masquerading as Medicare or Social Security representatives are another common example of a vishing attack. For example, they might call or leave a voicemail to say that your Social Security number has been suspended due to suspicion of illegal activity. They will ask you to confirm personal details urgently to keep your number active and clear your name.

    Tax and IRS scams

    Tax and IRS scams involve bad actors posing as government officials to inform you of an issue with your tax return. They may say that you owe more tax or have paid too much tax and are owed money.

    These scammers will try to scare you into sharing personal details using false threats of arrest or the removal of certain benefits. The information you share can be used to steal money or commit tax identity fraud.

    Loans & get-rich-quick scams

    Some vishers offer get-rich-quick schemes, large prizes, or unrealistic loans. After explaining the proposition, the visher might ask for some kind of initial fee or request personal information and financial details to get things set up. Remember, if it sounds too good to be true, it usually is.

    Technical support scams

    Another example of vishing is the tech support scam. This vishing attack involves the scammer calling you to flag a problem with your device and that they’re working on fixing it. In some cases, a pop-up on your screen will indicate an apparent problem with your computer, like a scareware pop-up telling you about a supposed malware infection, and it will urge you to call the (fake) support team.

    Either before or after the issue has been “fixed,” they’ll ask you to share your financial details so you can pay them for repairing the non-existent problem.

    In a technical support vishing scam, a user is prompted to call (or is called by) a fake IT support team.In a technical support scam, a user might be prompted to call a fake IT support department.

    How to detect a vishing attack

    Vishers are master manipulators, and a well-targeted vishing attack can be difficult to spot. To help you avoid becoming the victim of a vishing attack, here are a few signs to look for:

    The call is unexpected

    Be cautious if you get an unprompted call from a government agency or company, and they start asking for personal details. The surprise of being contacted about a problem with your account or computer can catch you off-guard.

    Don’t provide any information and hang up immediately. Contact the company via an official channel to check if they need any of the data the caller requested. In most cases, official help should be requested by you — not the other way around. If you’re called unprompted, it’s very likely a scam.

    There is a sense of urgency

    Vishers often use social engineering and psychological tactics to evoke fear or anxiety. Doing this makes the target more likely to act quickly before questioning or verifying the caller.

    Vishing scammers often stress the immediacy and seriousness of the issue to pressure the target and persuade them to hand over details quickly. If you experience anything like this, keep calm, think critically, and hang up the phone.

    You are asked to call back

    To plant a seed of concern in a target’s mind, phishers might leave a voicemail or send spam text messages describing the issue and including a phone number to call them on.

    For example, a visher might leave a voicemail saying that an unauthorized person has tried to access your bank account. The visher might then send a follow-up message saying that the bank account is locked due to suspicious activity, and to verify your identity and unblock your account you need to call the number provided.

    Never respond to messages like this, and never call the number provided. It’s most likely a scam. Only contact an organization via their official phone number.

    How to prevent vishing attacks

    Thankfully, you can help protect yourself from becoming a victim of voice phishing scammers. Follow these tips to stay safer online — and on the phone:

    • Never share personal information or sensitive data over the phone.

    • Always check the legitimacy of phone numbers to verify the caller’s identity.

    • Never allow remote computer access.

    • Report suspicious incidents immediately.

    • Don’t answer phone calls from suspicious numbers or those you don’t recognize.

    • If something doesn’t feel right then just hang up.

    • Join the National Do Not Call Registry to restrict access to your number.

    Help protect your data with Avast

    Keeping your private data secure is increasingly difficult. That’s where powerful online security software comes in. Avast One is your all-in-one online guardian, helping to protect your data, privacy, and sensitive personal details. Plus, it includes a built-in VPN to encrypt your online connection and keep your browsing activity safer.

    Protect your Android against phishing attacks and other threats with Avast One

    Free install

    Protect your iPhone against phishing attacks and other threats with Avast One

    Free install
    Crissy Joshua