ELI5: What is Vishing?
Vishing is a phone call scam. Someone calls pretending to be your bank or tech support, hoping you’ll believe them and hand over personal information. It’s phishing, but with a voice instead of an email.
Definition
Vishing (voice phishing) is a social engineering attack conducted via telephone or VoIP calls, where an attacker impersonates a trusted entity—such as a bank, IT helpdesk, government agency, or vendor—to manipulate the victim into revealing sensitive information, providing access credentials, or taking actions that compromise security. Vishing exploits the human tendency to trust voice communication as more authentic than written messages.
Key Details
- AI-generated voice cloning: Emerging threat—attackers can now clone a known person’s voice (executive, family member) from audio samples to increase believability.
- Common pretexts: bank fraud alerts (“suspicious activity on your account”), IT helpdesk (“we need your credentials to fix your account”), IRS impersonation (“you owe taxes”).
- Caller ID spoofing: Attackers display a legitimate phone number (e.g., your bank’s number) as the caller ID to increase victim trust. Caller ID is not authenticated, so a matching number is no proof of who is calling.
- Verification protocol: The defense is to hang up and call back using the official number from the organization’s website or statement, never a number supplied by the caller.
- Combines with other attacks: vishing may be used to extract a one-time passcode (OTP) sent to a victim’s phone, letting an attacker who already holds the victim’s credentials (e.g., from a credential stuffing attack) complete the login (MFA bypass).
Connections
- Parent: social-engineering — voice-based social engineering attack
- See also: phishing, smishing