What Is Vishing?
Vishing is voice phishing, a social engineering attack that uses phone calls, voicemails, robocalls, or voice messages to deceive people. The attacker may pretend to be a bank, vendor, executive, help desk, government office, customer, or coworker.
Vishing is a phishing attack delivered through voice communication. Instead of asking the target to click a link first, the attacker uses a conversation to build trust, create pressure, and request credentials, payment, account changes, MFA codes, or confidential information.
At a glance: A vishing call can feel more believable than an email because the target is responding to a person in real time. That pressure is exactly what the attacker wants.
Vishing Meaning
The word vishing combines voice and phishing. The channel changes, but the goal stays familiar: convince someone to take an action they would reject if they had more time and context. The action may be as small as confirming a name or as serious as approving a payment.
Attackers use voice because it creates immediacy. A caller can answer objections, adjust the story, mirror the target, and make silence feel uncomfortable. That is harder to do with a static email. Even a short call can move a person away from normal verification habits.
Business vishing often borrows the language of everyday work. A caller may claim there is an urgent invoice issue, a blocked account, a customer complaint, an audit question, a benefits update, or a security alert. The request sounds practical, not dramatic, which helps the attacker blend into normal operations.
Voice attacks are also changing as synthetic audio becomes easier to create. Not every vishing call uses AI, but organizations should assume that voices, caller IDs, and short recordings can be manipulated. Verification should depend on process, not on whether a voice sounds familiar.
How Vishing Works
A vishing attempt uses conversation to move the target from trust to action.
- The attacker chooses a believable role. They may pose as IT, a bank, a vendor, a customer, an executive, a recruiter, or a government representative.
- The call creates a reason to act. The caller claims there is fraud, a deadline, a failed payment, a security issue, or a business problem.
- The target is kept engaged. The attacker asks questions, confirms details, gives instructions, and discourages the person from pausing.
- Sensitive information is requested. The caller may ask for credentials, one-time codes, account numbers, customer data, payment approval, or remote access.
- The call becomes part of a larger attack. Voice contact may be combined with emails, texts, fake portals, or follow-up calls to make the story feel consistent.
Common Vishing Examples
Vishing works best when the call matches something the target already expects to handle.
- Fake bank fraud alert: A caller says suspicious activity has been detected and asks the target to confirm account details or share a one-time code.
- Internal help desk impersonation: An attacker claims to be from IT and asks an employee to approve MFA, reset a password, or install a support tool.
- Vendor payment pressure: A caller says an invoice, shipment, or service renewal will fail unless payment details are updated immediately.
- Executive voice request: A short call or voice message appears to come from a leader asking for a confidential transfer, purchase, or account change.
- Voicemail callback lure: A voicemail tells the recipient to call back about a legal, payroll, tax, delivery, or account issue.
Why Vishing Matters
A live caller can bypass habits that users have built around email security. A user may know not to click suspicious links but still feel pressured when a caller sounds confident and knows basic details.
The attack is especially relevant for teams that handle money, account recovery, customer support, HR, payroll, and vendor relationships. Those roles already involve calls where people ask for help, changes, or exceptions.
Vishing can also reduce the evidence available to security teams. A phone conversation may not leave the same trail as an email. If the employee does not capture the number, time, and request, response teams may have less context to investigate.
The practical lesson is that voice should not be treated as proof of identity. A safe organization gives employees permission to slow the call down, hang up, verify, and call back through a trusted path.
How to Reduce Vishing Risk
Make verification normal, even when a caller sounds urgent, confident, or familiar.
- Use known callback paths. Call back through a number from an internal directory, vendor portal, official website, or saved contact instead of a number provided during the call.
- Protect codes and passwords. Do not share passwords, MFA codes, recovery codes, or full account details with callers.
- Create approval rules. Payment changes, account recovery, payroll edits, and executive requests should require documented verification outside the call.
- Normalize ending suspicious calls. Employees should feel allowed to pause, end the conversation, and verify without fear of being rude.
- Report call details quickly. The phone number, caller name, time, script, and requested action help security teams spot repeat campaigns.
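The callback and approval rules above can be enforced as a workflow check rather than left to judgment during the call. The following is an added example, not part of the original page; the directory entries, action names, and the CallRequest fields are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample directory: identity -> number on record (assumption).
DIRECTORY = {
    "acme-supplies": "+1 (555) 010-0142",
    "it-helpdesk": "555-010-0100",
}
# Request types the page says need documented verification outside the call.
SENSITIVE = {"payment_change", "account_recovery", "payroll_edit", "executive_request"}


@dataclass
class CallRequest:
    claimed_identity: str         # who the caller said they were
    action: str                   # what they asked for
    caller_supplied_number: str   # number given during the call
    callback_number: str = ""     # number staff actually dialled back, if any
    ticket: str = ""              # documented verification record


def digits(number: str) -> str:
    """Reduce a phone number to its last 10 digits for comparison."""
    return re.sub(r"\D", "", number)[-10:]


def decide(req: CallRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Caller ID and voice are never inputs."""
    if req.action not in SENSITIVE:
        return True, "not a sensitive action"
    on_record = DIRECTORY.get(req.claimed_identity)
    if on_record is None:
        return False, "no trusted number on record for claimed identity"
    if not req.callback_number:
        return False, "no callback performed"
    if digits(req.callback_number) != digits(on_record):
        if digits(req.callback_number) == digits(req.caller_supplied_number):
            return False, "callback used the number supplied by the caller"
        return False, "callback did not use the number on record"
    if not req.ticket:
        return False, "verification not documented"
    return True, "verified through trusted path"
```

The check never looks at caller ID or how the caller sounded; the only evidence it accepts is a callback to the number on record plus a documented ticket.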
What to Do After a Suspicious Voice Call
If a call led to shared information, account changes, payment discussion, or remote access, document the details before they fade.
- Write down the call details. Capture the number, caller name, claimed organization, time, requested action, and any follow-up instructions.
- Verify through a trusted path. Call the real organization or internal team using a known number, not one supplied by the caller.
- Protect affected accounts. Reset credentials, revoke suspicious sessions, and review MFA activity if any account information was shared.
- Warn likely targets. If the caller referenced a department, vendor, or executive, notify people who may receive the same script.
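Reported call details become useful once they are compared across employees. The following added example (not part of the original page) groups constructed sample reports by the caller's claimed role and request, so a repeat campaign is still visible when the displayed number changes; the field names, 24-hour window, and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports (not real data), using the details employees capture.
REPORTS = [
    {"time": "2024-05-06T09:12", "number": "555-010-0177",
     "claimed": "IT help desk", "action": "approve MFA prompt"},
    {"time": "2024-05-06T10:40", "number": "555-010-0123",
     "claimed": "it help desk ", "action": "Approve MFA prompt"},
    {"time": "2024-05-06T13:05", "number": "555-010-0177",
     "claimed": "IT Help Desk", "action": "approve MFA prompt"},
    {"time": "2024-05-06T11:30", "number": "555-010-0150",
     "claimed": "Bank fraud team", "action": "share one-time code"},
    {"time": "2024-05-10T15:00", "number": "555-010-0199",
     "claimed": "IT help desk", "action": "approve MFA prompt"},
]


def script_key(report):
    """Group on the claimed role and request; caller ID can be spoofed."""
    return (report["claimed"].strip().lower(), report["action"].strip().lower())


def when(report):
    return datetime.fromisoformat(report["time"])


def find_campaigns(reports, window=timedelta(hours=24), min_reports=2):
    """Return scripts reported min_reports or more times inside one window."""
    by_script = defaultdict(list)
    for report in reports:
        by_script[script_key(report)].append(report)

    campaigns = []
    for (claimed, action), group in by_script.items():
        group.sort(key=when)
        # Slide the window over the sorted reports and keep the largest burst.
        burst = max(
            ([r for r in group[i:] if when(r) - when(start) <= window]
             for i, start in enumerate(group)),
            key=len,
        )
        if len(burst) >= min_reports:
            campaigns.append({
                "claimed": claimed, "action": action, "count": len(burst),
                "numbers": sorted({r["number"] for r in burst}),
            })
    return campaigns
```

On the sample data this flags the help desk script three times from two different numbers in one day, which is the group of people to warn first.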
Related Vishing Terms
Vishing often overlaps with phone-based phishing workflows and mobile pressure.
- Callback Phishing explains scams that start in another channel and push the target into a phone call.
- Smishing covers text-message phishing that can lead into voice calls or callback pressure.
Vishing Takeaway
Vishing works because a live voice can make a bad request feel immediate and personal. The caller wants the target to react before the normal verification process catches up.
The strongest habit is simple: do not treat the call itself as proof of identity. Step away from the conversation, use a trusted path, and let the process make the decision.
Questions Teams Ask About Vishing
Quick answers about voice phishing, caller ID trust, callback safety, and business verification habits.
What is vishing?
Vishing is voice phishing. Attackers use phone calls, voicemails, robocalls, or voice messages to impersonate trusted people and pressure targets into unsafe actions.
How is vishing different from phishing?
Traditional phishing usually relies on written messages such as email. Vishing relies on voice, which can make the request feel more personal, urgent, and harder to inspect.
Can caller ID be trusted?
No. Caller ID can be spoofed, and attackers may display a familiar company name, local number, vendor number, or internal-looking extension.
What should employees do during a suspicious call?
They should avoid sharing sensitive details, end the call politely, and reconnect through a known number or approved internal channel before taking action.