What is Vishing? How to recognize and avoid voice phishing scams

As long as consumers have money to spend, there will be criminals working hard to steal it. We’ve seen a huge uptick in online fraud in the past decade, with phishing scams, in particular, gaining strength. With consumers getting savvier at picking up on the more common phishing scams, like email phishing and fake websites, cybercriminals are now turning to alternative scamming methods. If you have a mobile phone, you’ll likely need to contend with the increasing number and sophistication of vishing scams.

What is vishing?

As with other kinds of phishing, voice scams rely heavily on manipulation and social engineering to get victims to give up personal information.

With vishing, criminals typically pretend to be from an official source, such as a bank or government organization. Many vishing scams may originate outside of your own country. As such, a lot of vishing scammers will use voice-to-text synthesizers and recorded messages to mask their identity. Those based in your own country may also use a real human on the other end of the line for more targeted scams.

Regardless of the source, most vishing attempts try to convince the victim to give up PIN numbers, Social Security numbers, credit card security codes, passwords, or other personal details. That information will then be used for some type of identity fraud, or to later steal money directly from an account. In some cases, the vishing scammer will attempt to gain access to personal or financial accounts (such as a bank account) in order to steal information or money.

Most vishing scammers now rely on what’s known as “caller ID spoofing”. ID spoofing allows them to send out phone calls that appear to be from a legitimate or localized source. Victims may feel more compelled to pick up the call as a result. However, many vishing scammers also leave a pre-recorded voicemail message should the call be ignored.

You may be wondering how a vishing scammer obtained your phone number in the first place. There’s usually no simple answer to that question, but there are several possible sources. Scammers could be using stolen phone information or calling auto-generated numbers until they get a match. There have been some huge data breaches in recent years and, as such, the likelihood that your number was stolen and floating around on the Dark Web is extremely high.

In particular, the 2017 Equifax breach alone impacted 147 million Americans. More recently, some 885 million records were exposed in the 2019 First American Corporation data leak, while 553 million Facebook users also had their data compromised in the same year. And with reports that data breaches in 2021 had already topped those of 2020 by September, they aren’t going away any time soon.

If you’re like me, your email address has already been stolen in multiple breaches over the years. (You can check to see if your email has been compromised here).

Not all vishing scammers target individuals

One common misconception about vishing is that the attacks target average consumers. However, businesses are also commonly in the crosshairs. Scammers may target businesses not only to obtain private user information but also to potentially scam those businesses out of money and valuable data.

A skilled scammer can even get complete access to an individual user’s targeted accounts. The following video from CNN Business shows exactly how this might occur, and just how simple it is for a scammer to get into your personal accounts from a business-targeted vishing scam.

Unfortunately, there’s little you can do to protect against scammers who trick your bank or other businesses into giving up your information. The fault in these cases lies with business support staff who fail to follow proper procedures and instead fall victim to intelligently deceptive vishing scams.

Types of vishing

It’s normally easy to tell if you’ve received a vishing attempt based on the context of the call. The phone exchange may go something like this:

1. Your phone rings. The number that pops up appears to share your area code, or perhaps registers as the name of a business you recognize.
2. Thinking the call is from someone local, you pick it up and give a greeting.
3. On the other end of the line, a noticeably robotic voice tells you that your bank account has been compromised.
4. You’ll then be told that to secure your account, you’ll need to call the given number.
5. You’re told to hurry to avoid losing all of your money and that if you just call back or give them your account information, they can help you block fraudulent transactions before they occur.

Sound familiar? It should. Bank fraud vishing attempts are among the most common types in every country where vishing occurs. While these scams use increasingly convincing voice synthesis, some fraudsters still prefer to do things the old-fashioned way, with some very persuasive playacting. Nevertheless, common types of vishing you’re likely to run into involve:

• Supposed fraud or suspicious activity on your bank account
• Overdue or unpaid taxes to the Internal Revenue Service (IRS), HM Revenue and Customs (HMRC) or other tax agencies
• Prize or contest winnings (such as a cruise or an “all expense paid” vacation)
• Fake computer tech support calling to remotely access your PC to fix a problem
• Faked government agencies (such as a court or law enforcement agency)

For businesses, vishing scammers may be more likely to put real people on the line. The scammers may warn about fraudulent or suspicious bank transfers or pretend to represent some form of computer or IT support service. The goal is to gain access to financial account information or gain remote access to computers.

For an idea of what this might look like, GetSafeOnline.org has a number of audio reconstructions from real vishing attempts. Here’s just one example:

One frightening tactic fraudsters also employ in vishing scams is called the “no-hang up” or “delayed disconnect”. Using this method, vishing scammers will call a victim using any of the above methods. While the victim believes the call ended, the fraudster will instead hang on the line, maintaining that connection while producing a faked dial tone. The victim will then call the given number or their bank, and instead of speaking to their intended institution will be speaking to another scammer. This type of scam has resulted in some individuals losing tens of thousands of dollars.

There are more examples, of course. In July 2018, US law enforcement agencies broke up the largest IRS phone scam in the country, sentencing 21 Americans to many years behind bars. The scam tricked thousands of Americans to give up millions of dollars over the past decade, as the scam artists pretended to be IRS agents warning unsuspecting Americans that they faced jail time over unpaid taxes.

How to avoid vishing scams

Unfortunately, there’s little you can do to fully avoid vishing scammers. Fraud against the businesses and institutions that house your private information is completely out of your control. And as we discussed with SMS phishing or smishing, fraudsters tend to ignore established “do not call” registries, as they aren’t legitimate businesses concerned about government regulations or legal consequences. You’re likely to lose your number to scammers in a data breach at some point if you haven’t already. That’s because your number is likely associated with many accounts.

There are steps you can take to avoid vishing scams. Some employ technical means, while others involve being proactive.

1. Never answer a call from an unknown number

It may be tempting to answer calls from unknown numbers. However, doing so could lead you right into a scammer’s waiting arms. Additionally, picking up may only alert the vishing scammers that the number is active, leading to more calls down the road.

Instead, let the call go to voicemail. The rule of thumb is that any real person, business, or government institution that was calling for something important will invariably leave a voicemail or call back later. Many vishing scams will also leave a pre-recorded voicemail message, which will give you a chance to properly vet the whether the caller is a legitimate source.

Do note, however, that many vishing scammers will now call back immediately. The purpose of the call back is to counter the above advice. We are more likely to pick up an unknown number that calls back, as traditionally this has indicated that the caller is not only someone that we know, but that the call is important. This tactic helps define why vishing is considered a type of social engineering.

For my own part, I once received a number of calls from a vishing scammer that consistently went to voicemail with a silent message. At one point, the scammer (clearly frustrated) left a 30-second voicemail that was again silent until the last second, in which he whispered: “You will someday”. Super creepy? Yes. But it’s also a good example of why you should not answer calls from those unknown numbers.

2. If you do answer, never give personal information over the phone

Banks and government institutions should never ask for personal information over the phone. That said, banks will call you if they believe fraud may be occurring on your account. However, they will typically only call to confirm your location and alert you to the event. They won’t ask for private information in a call you receive from them. Government institutions like the IRS almost exclusively communicate by mail or occasionally email to conduct official business.

If you are asked to give personal information, ask for the caller’s name and let them know you’ll call back after acquiring an official number. The suspicious caller may try to give you a number to call back on. If that occurs, cross-reference this number with information available online. If the numbers differ, call the number you found through your online search made available from the business or institution’s website. Once you call back, inquire about the original caller to verify identity.

3. Use a caller ID app

Google and Apple have done a lot of work over the years to improve their native caller ID methods. However, neither the Android nor iOS operating systems can effectively handle most spam calls or spoofed IDs. Thanks to the many voice over internet protocol (VoIP) options available now, scammers can easily create spoofed numbers. Hidden identities allow them to leave little to no trace of where they’re actually calling from.

A good caller ID app can help boost your phone’s spam call detection and blocking capabilities. For both Android and iOS phones, your best option may be Truecaller. Downloaded and used by over 280 million people worldwide, Truecaller has over 2 billion spam numbers locked into its database. Confirmed spam numbers are blocked, while good numbers are allowed through. If a number does end up being a vishing scam, you can add it to their database.  

4. But don’t completely trust caller ID

Even with a more effective caller ID app installed, avoid numbers that are not in your phone book. You may still receive fraud calls from spoofed numbers that appear to be legitimate. Even with a caller ID app installed, let any calls not in your phone book go directly to voicemail.

5. Treat vishing scams as you would smishing scams

Vishing and smishing scams are all in the same family. Both utilize your mobile device to target you. As with smishing, vishing scams rely on the personal nature of mobile phone contact to try to extract valuable information. However, it’s important to know that your personal cell phone number is not private. Both phone calls and text messages you receive could be from anyone, including scam artists.

We recommend reading our detailed guide on how to avoid smishing scams to learn more about how you can best avoid both common scams targeting mobile devices. That includes detailed information regarding how to protect your phone number in the US, UK, Canada, and Australia. We also provide information on how to report scammers to the proper authorities.