
Vishing (Voice Phishing)

High Threat Level

Phone-based phishing using voice calls, voicemails, and caller ID spoofing to steal information or money

$15K: Average loss per vishing victim
68B: Robocalls in the US during 2023
$39.5B: Total losses to phone scams (2023)

What is Vishing?

Vishing (voice phishing) uses voice calls, voicemails, and spoofed caller ID instead of email to trick victims into revealing personal information, transferring money, or granting remote access to their computers. Attackers spoof caller ID so the call appears to come from a bank, a government agency, or another trusted company.

Vishing is often chained with email phishing. In one pattern the victim receives an email about an "urgent issue with your account" that lists a phone number to call; the attack then happens on the phone. In another, a voicemail instructs the victim to call back or to click a link in a follow-up email.

Common Vishing Scenarios

1. IRS/Tax Scam

"This is the IRS. You owe back taxes and a warrant will be issued unless you pay immediately via gift cards/wire."

2. Tech Support Scam

"Microsoft detected virus on your computer. We need remote access to fix it before data loss occurs."

3. Bank Fraud Alert

"Suspicious activity on your account. Verify your identity by providing account number and online banking password."

4. Social Security Suspension

"Your Social Security number has been suspended due to suspicious activity. Press 1 to speak with agent to resolve."

Detection Red Flags

  • Caller ID spoofing: the displayed name or number matches a government agency or bank, but caller ID is asserted by the calling side and is not authenticated end to end, so a matching number proves nothing
  • Unsolicited contact: the IRS initiates contact by mail, not by phone, and the SSA and banks do not call unexpectedly to demand immediate action or to ask for credentials
  • Urgency and threats: "Act now or face arrest/account closure/prosecution"
  • Request for immediate payment: especially gift cards, wire transfers, or cryptocurrency, none of which a legitimate agency or bank accepts over the phone
  • Request for personal information: SSN, account numbers, passwords, or one-time passcodes over the phone
  • Pressure tactics: the caller won't let you hang up, call back, or verify independently
  • Scripted or synthetic delivery: pre-recorded or text-to-speech prompts, or a live caller who cannot answer anything outside the script. Accent on its own is not a reliable signal, and with voice cloning neither is a familiar-sounding voice
  • Request for remote access: never give control of your computer to an unsolicited caller

Prevention Strategies

1. Never Trust Caller ID

  • Caller ID can be spoofed to show any number or name, including your bank's real number
  • Hang up and call back using the official number from the company's website, your card, or a statement
  • Don't call numbers provided in a voicemail, text message, or email
  • Don't press any numbers when prompted by a robocall; doing so confirms a live line and may connect you to the scammer

2. Verification Protocol

  • Ask for the caller's name, department, and a reference number, then verify by calling a number you obtained independently (the company website, your card, or a statement), not a callback number the caller gives you
  • Tell the caller you'll call back using the official company number
  • Real organizations won't pressure you to stay on the line
  • Call your bank directly if it supposedly called about fraud; the fraud department can see any genuine alert on your account

3. Never Provide on Unsolicited Calls:

  • Social Security number
  • Bank account numbers or credit card details
  • Online banking passwords, PINs, or one-time passcodes (a real bank never asks you to read back a code it just sent you)
  • Remote access to your computer
  • Payment via gift cards, wire transfer, or cryptocurrency

4. Technical Protections

  • Enable your mobile carrier's spam call blocking (T-Mobile Scam Shield, AT&T Call Protect)
  • Use call screening features (Google Phone app, iOS Silence Unknown Callers)
  • Register on the National Do Not Call Registry (donotcall.gov); this stops legitimate telemarketers, which makes any remaining sales or "alert" call more suspicious, but scammers ignore the list
  • Install call blocking apps (RoboKiller, Nomorobo, Hiya)

Email + Vishing Combination Attacks

Attackers often combine email and phone tactics:

Pattern 1: Email → Phone Call

A phishing email reports an "urgent account issue" and lists a phone number. Calling it connects you to the attacker's operator rather than the company, and the vishing attack proceeds from there.

Pattern 2: Voicemail → Email Link

A voicemail says "there is a suspicious charge on your card; click the link in the email we sent to dispute it." The call lends the email credibility it would not have on its own.

Pattern 3: Phone → Email "Confirmation"

The scammer calls pretending to be IT support, then sends a "confirmation email" with a malicious link. Because the target was expecting the email, it gets clicked without the usual scrutiny.

Defense: Use HeaderScope

When you receive an email supposedly from the company that called you, or an email containing a phone number to call, use HeaderScope to check the message's authentication results (SPF, DKIM, DMARC) and its sending path before trusting it. Keep the two channels separate: an email that fails authentication does not legitimize the call, and an email that passes does not legitimize the phone number inside it. Always call back on a number you obtained independently.
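The following script is an added example, not part of the original page and not HeaderScope's code. It shows the two checks the paragraph describes on two constructed messages (placeholder domains, not real captures): it reads the SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results header (RFC 8601), tests whether the From domain aligns with the Return-Path domain, and flags a callback lure when a phone number appears alongside urgency wording. The alignment test is a simplified suffix match rather than a full DMARC organizational-domain check, and the phone pattern is a loose North American one; both are assumptions made for the example.

```python
"""Triage an email that accompanies a phone call or asks you to call a
number: read the Authentication-Results verdicts recorded by the receiving
mail server, check From/Return-Path alignment, and flag callback lures."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real captures); domains are placeholders.
LURE_MESSAGE = b"""\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bounce.lookalike-mail.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Bank Fraud Desk" <alerts@bank.example>
Return-Path: <noreply@bounce.lookalike-mail.example>
To: customer@example.org
Subject: Urgent: suspicious charge on your card
Content-Type: text/plain; charset=utf-8

We detected a suspicious charge of $489.00. Call us immediately at
1-800-555-0143 to dispute it before your account is locked.
"""

CLEAN_MESSAGE = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example;
 dmarc=pass header.from=bank.example
From: "Bank Statements" <statements@bank.example>
Return-Path: <bounces@bank.example>
To: customer@example.org
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available in online banking. Sign in as usual to view it.
"""

AUTH_METHODS = ("spf", "dkim", "dmarc")
URGENCY_TERMS = ("urgent", "immediately", "locked", "suspended",
                 "warrant", "within 24 hours", "final notice")
# Loose North American number pattern (assumption): enough to surface a lure.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def parse_auth_results(msg):
    """Return {method: verdict} from every Authentication-Results header.
    Only your own provider's header counts; one the sender added proves
    nothing, so check the leading authserv-id when reading by hand."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results.setdefault(method, verdict.lower())
    return results


def domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_aligned(from_domain, return_path_domain):
    """Relaxed-style alignment approximated with a suffix test (assumption:
    no public-suffix list, so this is looser than real DMARC alignment)."""
    if not from_domain or not return_path_domain:
        return False
    return (from_domain == return_path_domain
            or return_path_domain.endswith("." + from_domain)
            or from_domain.endswith("." + return_path_domain))


def find_callback_lure(text):
    phones = [m.strip() for m in PHONE_RE.findall(text)]
    lowered = text.lower()
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    return phones, urgency


def triage(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    auth = parse_auth_results(msg)
    from_domain = domain_of(msg.get("From"))
    aligned = is_aligned(from_domain, domain_of(msg.get("Return-Path")))
    phones, urgency = find_callback_lure(text)

    findings = [f"{m}={auth.get(m, 'missing')}" for m in AUTH_METHODS
                if auth.get(m) != "pass"]
    if not aligned:
        findings.append(f"From domain {from_domain!r} does not align with Return-Path")
    if phones and urgency:
        findings.append(f"callback lure: {phones} with urgency wording {urgency}")

    return {"auth": auth, "from_domain": from_domain, "aligned": aligned,
            "phone_numbers": phones, "urgency_terms": urgency,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        report = triage(raw)
        print(name, "SUSPICIOUS" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as a script to see the lure message flagged on all three fronts (failed authentication, misaligned Return-Path, phone number plus urgency) and the clean statement notice pass. The phone number the script surfaces is the one to compare against the number on your card or the bank's website; the script cannot tell you which number is real, only that the email is asking you to call one.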
