What is vishing? Examples and how to avoid it

The BILL Team

What is vishing?

Vishing, short for “voice phishing”, is a type of scam that involves impersonating a trusted person or organization, like a bank or a family member, over the phone to gain unauthorized access to sensitive information.

The process of initiating a vishing attack is not particularly complex; however, scammers may use a variety of techniques, such as caller ID spoofing and AI voice cloning, to make their phone calls appear more legitimate. 

Attackers are also known to use emotional manipulation and urgency to pressure victims to share credentials, financial information, and other sensitive data. 

Key takeaways

Vishing (voice phishing) is a type of scam in which bad actors impersonate trusted individuals over the phone to trick targets into sharing sensitive personal information.

Attackers are known to use a sense of urgency and emotional manipulation to panic victims and pressure them into making irrational decisions.

Keep yourself safe from vishing attacks by screening unknown phone numbers and verifying callers’ identities before providing any sensitive information over the phone.

How vishing works

Vishing scams tend to follow a basic phone call pattern that can be hard to distinguish from legitimate phone calls. This is made possible by the following tactics:

  • Caller ID spoofing: Using technology to make the number appear to be from a familiar caller.
  • Manipulation: Exploitation of fear and urgency to get the victim to act quickly without critical thinking.
  • Social engineering: Uncovering information that’s relevant to the target to make the call appear more legitimate.
  • AI voice cloning: Using AI technology to make the “caller’s” voice appear more natural and like that of a trusted individual.

Again, a vishing attack is meant to come off as a typical phone call. As such, it follows a fairly standard pattern as scammers attempt to collect sensitive financial or personal information from the victim: 

1. Research on the target

For the call to appear legitimate, the attacker will first research the targeted victim to gather enough information to construct a reasonable scenario. 

They might use social media, records from past data breaches, and other sources to uncover this information. 

For instance, if they plan to use a scenario in which the victim’s internet service is cut off unless they pay, it’s more convincing to know which provider the person uses. 

2. Initiating the call

Once the scammer has the necessary context, they will initiate the call. Rather than simply dialing the target’s phone number from their personal phone, they may use technologies like caller ID spoofing or a VoIP service to appear more legitimate. 

Assuming the target answers the phone, they can continue the attack. 

3. Fabricating an urgent scenario

With the victim on the phone, the attacker will present the fabricated scenario as the reason for the call and request specific information.

Again, they’ll often convey a sense of urgency, aiming to make the target act without critical thinking. 

4. Collecting and exploiting information

If the attack is successful, the victim will be unaware that they’re speaking to a bad actor and will share the requested information over the phone. 

Upon receiving the information, the attacker will exploit it for personal gain, whether by reselling it to other attackers, fueling future schemes, gaining access to a network, or logging into financial accounts.

What are examples of vishing scams?

  • Fake bank fraud alert: The scammer calls, acting as the victim’s “bank”, reporting suspicious activity on their account. They may ask the target to verify or provide sensitive account details to “secure” the account.
  • Government impersonation: The attacker impersonates a trusted government agency, like law enforcement or the IRS, demanding immediate payment under threat of immediate arrest or other legal action.
  • Tech support scam: The target receives a call from an attacker pretending to be a tech support rep from a provider. The scammer may have the victim install malware or provide credentials so they can access their account.
  • Prize/lottery scam: The scammer will call to inform the target they’ve won a major “prize”, but they must pay taxes or fees upfront before receiving the payout.
  • Family emergency: The attacker uses AI technology to clone the voice of a family member, asking the target for money to get out of an emergency situation. 

4 steps on how to protect yourself from vishing

As scammers’ techniques become more sophisticated with the help of modern technology, follow these best practices for safeguarding personal information: 

1. Screen incoming calls

Do not answer phone calls from unknown numbers. Rather, let these calls go to voicemail. If the caller is legitimate, they will typically leave a message with verifiable information so you can call them back. 

Even so, be wary of caller ID, as scammers can use technology to make their phone numbers appear as if they’re from local businesses, individuals, or family members.

2. Verify the caller

If and when you answer the phone, hang up if you feel suspicious of the caller and their intentions. 

To verify they are who they claim to be: 

  1. Ask for their name and the organization they’re associated with (whether a bank, credit card company, or government agency).

  2. After hanging up, look up the organization's phone number on its official website.

  3. Call back using the phone number from the website, not the phone number provided by the caller.  

3. Be cautious of sharing personal information 

Do not provide sensitive banking or personal information on an incoming call. For the utmost security, only provide this information when you initiate the call to a verified phone number. 

As mentioned above, scammers running a vishing attack will use urgency and emotional manipulation to try to limit rational decision-making. Keep this in mind whenever you receive a request to provide sensitive information over the phone.  

4. Secure accounts with multi-factor authentication (MFA)

An additional security step to take is enabling multi-factor authentication (MFA) on sensitive accounts like email, banks, and workforce solutions. 

This way, even if victims do provide credentials like a username and password during a vishing attack, the bad actor will still be unable to access the account without the additional authentication step. 

What is the goal of vishing attacks?

Ultimately, bad actors use vishing attacks to gain unauthorized access to key financial and personal information for their own personal gain. Some of the data targeted by these attacks includes:

  • Bank account numbers
  • Credit card information
  • PINs
  • Routing numbers
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Usernames and passwords
  • Security question answers
  • Employee data

Gaining access to this information may be the initial goal of a vishing attack, but it’s certainly not all that a bad actor is after. They’ll use this data to enable other scams and attacks, which we’ll cover in more detail below. 

Financial gain

One of the main goals of a vishing attack is personal financial gain. The scammer may seek out a victim’s bank account credentials, payment details, or other information to make discreet payments to themselves. 

Access to credentials

Another goal of vishing is to gain access to sensitive credentials to carry out other attacks in the future. This might include the username and password for an email account, which can help bypass multi-factor authentication for future logins of various account types. 

The scammer may collect the data for themselves or with the intention of selling the information on the black market. 

Identity theft

It’s also possible that the scammer is looking to exploit enough personal data to steal a victim’s identity. 

This may occur in a phased attack aimed at farming the target’s Social Security number, address, date of birth, and more. 

What are the signs of vishing attempts?

Here are some of the red flags to look out for when on a phone call: 

A sense of urgency

Vishers often create a sense of urgency to pressure victims into making a rash decision. They want to bypass victims’ rational thinking, putting them into an emotionally heightened state of fear, distress, or anxiety. 

The attacker might use the threat of financial damages, legal consequences, or harm to a loved one to lead victims to comply with their requests. 

Unusual requests

Also, be wary of any unusual or strange requests that a caller makes over the phone. This includes requests for payment or personal information. 

Going one step further, payment requests via gift cards, wire transfers, or cryptocurrency should be further warning signs. 

Unsolicited calls from banks or government agencies

Calls from unknown numbers aren’t always malicious; however, it is smart to screen such calls and let them go to voicemail. 

Be particularly cautious if the caller claims to be associated with a bank, government agency, or law enforcement when you weren’t expecting any correspondence from the organization. 

Scammers often attempt to leverage the public trust in these major institutions to their advantage. 

Poor speech quality

If the person on the other end of the line sounds robotic, their speech is delayed, or the call otherwise seems suspicious or unnatural, it may be a sign of an attempted vishing attack.

Look out for the repetitive use of certain phrases and unnatural pauses or pronunciations. Hang up immediately if you are suspicious of the caller on the other end of the line.

Frequently asked questions

What information do vishers try to steal?

Vishers are interested in gaining access to sensitive personal or financial information that will allow them to carry out additional attacks or gain access to protected accounts or networks. This includes information like bank account login details, email account credentials, and Social Security numbers. 

How can you tell if a call is vishing?

Targets of vishing attacks can look out for a few potential red flags to help determine if the call is legitimate. Possible warning signs include the caller having a robotic-sounding voice, the use of urgency or intense emotions to secure information, suspicious caller ID information, and unusual requests from trusted organizations like banks or government agencies. 

What should you do if you shared information during a vishing attack?

If you shared sensitive information during a vishing attack, act quickly to minimize potential damage. Secure the account for which you provided the information by changing the password and any other security measures that may have been compromised. Where relevant, contact the financial institution to place a fraud alert and prevent the unauthorized use of your accounts. 

Author
The BILL Team
At BILL, we supercharge the businesses that drive our economy with innovative financial tools that help them make big moves. Our vision-driven team makes a real impact on growing businesses. We operate with purpose and curiosity—because that’s what drives innovation.