Vishing
Vishing, short for voice phishing, is a form of phishing where attackers use phone calls or voicemail messages to trick victims into revealing sensitive information or performing fraudulent actions.
What is vishing?
Vishing attacks rely on impersonation and urgency. Attackers pretend to be banks, IT support, government agencies, or other trusted entities. The goal is to persuade victims to disclose information such as passwords, credit card numbers, or one-time authentication codes.
How it typically works
- Pretext creation: the attacker develops a convincing scenario such as account problems or billing issues.
- Contact: the victim receives a call or voicemail, often with a spoofed caller ID.
- Manipulation: the attacker uses authority, fear, or urgency to pressure the victim.
- Exploitation: the victim provides information, approves transactions, or installs remote access tools.
Common techniques and variants
- Caller ID spoofing: forging numbers to appear as trusted contacts
- Tech support scams: pretending to be IT staff requesting remote access
- Banking and government impersonation: demanding verification or payments
- Hybrid attacks: vishing combined with phishing or smishing for credibility
Impact
Vishing can lead to identity theft, financial fraud, and unauthorized access to systems. It is especially dangerous when used against employees with privileged access. Because calls are harder to verify than emails, vishing bypasses many traditional security controls and remains a significant risk for organizations.