Vishing scams: what they are and how to avoid them

Vishing, short for voice phishing, is a type of social engineering scam enacted over phone calls and voice messages. It’s one of the fastest growing forms of fraud today—2024 saw a 442% increase in vishing attacks, especially fueled by generative AI technologies. 

Vishing perpetrators prey on our tendency to trust the human voice, also employing urgency and scare tactics in phone calls and voicemails. Add caller ID spoofing and AI-powered voice cloning, and it becomes increasingly difficult to tell a fraudster from a legitimate caller.

This guide explains what vishing is, how vishing scams work, and what you can do to protect yourself from fraudulent voice-operated exploits.

Vishing: definition and meaning

Vishing stands for the blend of voice and phishing to describe scams that involve impersonation of a credible person or company to extract sensitive information or money from the victim. Vishing scams are enacted through phone calls and voicemail messages, although they can start as an unsolicited email urging the recipient to call back using the provided phone number for some specific reason.

In a vishing attack, the bad actor is typically after some valuable information such as a bank card number, Social Security number, Medicare ID, PINs, online banking logins, or one-time verification codes. In other cases, fraudsters are looking to make you unknowingly transfer money to their account following their instructions.

How vishing scams work

Most vishing scams follow a pattern. They start with a phone call—live, a robocall, or a voicemail—that sets up an urgent problem, either with your account, taxes, device, or your loved one in an emergency.

To make their message convincing, scammers impersonate a trusted institution or a person you may know or trust. Common impersonated personas include:

• Bank representatives warning you of suspicious transactions
• Government agents demanding tax payments or threatening arrest
• Customer or tech support reps alerting you to a problem with your account or device
• Medical or benefits officials requesting that you “verify” your personal details

Scammers typically mask their real phone numbers using spoofing techniques to appear as legitimate callers. Some schemes now also use deepfake AI technology to imitate the voices of relatives and colleagues in ever more sophisticated and believable attacks.

Once they get through, scammers will try to pressure you into sharing your personally identifiable details or sending them money under some invented but convincing premise. They tend to create a sense of urgency or a looming penalty if you don’t follow their instructions, for example, saying that you’ll be fined or arrested, or that you’ll lose access to your account unless you pay, leaving you little time to double-check their request.

Once you give them what they want, scammers tend to abruptly end all communication and disappear, potentially reusing your details for other types of scams and marking you as a gullible and convenient target.

Common types of vishing scams

Vishing comes in many forms, and understanding them better can help you spot and avoid them more effectively. Here are the most common types, as listed below.

Bank impersonation 

In a bank impersonation phone scam, the fraudster pretends to be your bank’s or financial service provider’s representative. Using a plausible excuse, they will warn you about suspicious activity in your bank account, your payment card being compromised, or the need to verify whether you authorized the latest transactions. To help you “prevent” fraud, they may ask for your account login information, PINs, one-time passcodes, or identity details.

These scammers typically have personal information about their target on hand, retrieving it either from publicly available sources like data brokers or diving into the dark web to buy data on people. Their end goal is always to either get more of your sensitive information, such as your online banking credentials, or make you unwittingly send money to their account.

IRS and government impersonation

Scammers can call you pretending to be from a tax authority (such as the IRS in the U.S.) or another government agency. They may insist that you pay some outstanding charges or taxes, otherwise, you’ll risk penalties, arrest, deportation, or legal action.

These scams attempt to scare or guilt people into compliance, giving them no time to verify the information or to call the actual authorities using official contact numbers. Many victims act on the spur of the moment, pressured into paying the “authorities” using suspicious payment methods as wire transfers or instant money transfer apps like Zelle.

Customer and tech support scams

By far one of the largest categories of vishing scams, customer and tech support impersonation is also one of the most effective in gaining access to victims’ devices and personal accounts. 

Attackers may pretend to represent an internet provider (as in Xfinity scams), computer manufacturer, electronics retailer, or software service. Their typical scenarios include claiming there’s a problem with your subscription, account, or device, such as a virus infection they detected, an expiring software license, or suspicious activity in your user account.

One curious variation of the tech support scam is a refund scam, which doesn’t even start with a phone call. In a refund scam, fraudsters send out a phishing email impersonating a certain company and claiming there’s a pending charge on the recipient’s account. They then request the recipient to contact them back using the provided phone number to cancel or dispute the charge.

Of course, scared of losing money on a transaction they can’t remember making, victims call back and get pressured into sending money to the scammer’s account or giving away sensitive information. Common examples of such refund scams are Geek Squad impersonation and Norton LifeLock scam emails.

Wangiri (one-ring) scams

Wangiri (a Japanese term for “one ring and cut”) is a technique where scammers give you a call with just one or two rings and then hang up, leaving you with a missed call. Out of curiosity, you might call back, but in this case you will be heavily charged for long-haul international calls, as this will connect you to a premium-rate international or foreign number.

VoIP (voice over IP) technologies are now used to automate these calls in large numbers. Once you call back, the scammers will try to make you stay on the line for as long as possible—playing recorded messages or putting you on hold—so they can earn more fees.

“Grandparent scams”

“Grandparent scams” (sometimes called “grandchild” or “emergency” scams) target older people, often in their 70s and 80s, by playing on their fear and care for family members, especially children and grandchildren.

Scammers impersonate the victim’s relative or someone in authority, such as a lawyer, doctor, or police officer, and spin a story about this relative getting into a major trouble (a medical emergency, a car accident, legal issues, being stranded abroad). The scammers then urge the victim to send money to rescue the relative as soon as possible, often asking that no other family members know about the issue.

Financial losses in “grandparent scams” can run as high as hundreds of thousands of dollars. As scammers use emotional leverage, urgency, and secrecy, victims often bypass logical skepticism and rush to act without verifying the information first.

Medicare scams

Scammers also target older individuals by posing as Medicare representatives, doctors, or Social Security officials. Medicare scams involve scenarios in which the victim is asked to verify their identity and personal data or provide the caller with their Medicare ID or Social Security number for reasons such as subscribing to a better Medicare plan, booking an appointment, requesting a new Medicare card, and so on. None of these scenarios materialize, as scammers only call to steal your Medicare number and identity for their financial gain.

These imposter scams exploit the trust that Americans place in official government authorities and programs, as well as the fact that many rely on these programs and may be more susceptible to related requests, even if they’re unsolicited.

Fraudulent business services

In many cases, scammers cold-call random people, offering them services they might not have thought about but may be persuaded to buy. Of course, these services turn out to be overpriced, unnecessary, or even non-existent, as scammers never follow up on their promises after taking a hefty advance payment.

Examples of such fraudulent business services advertised over the phone include timeshare scams targeting timeshare property owners or duct cleaning scams— all involving unqualified or outright fake service providers, exorbitant fees, large deposits paid upfront, and unpredictable, if any, outcomes.

Real examples of vishing scams

Phishing and spoofing scams were the top reported complaints in 2024, with total losses of over $70 million, according to the Internet Crime Complaint Center. Voice phishing is a major category of these scams, too.

In 2024, the FBI reported that over 17 thousand people had complained about government impersonation scams, totaling in financial losses of over $405 million. In these scams, fraudsters typically reached out by phone and posed as well-known government agencies such as the FBI, making urgent demands that victims pay immediately to avoid arrest or law enforcement investigation.

In the U.K., one jeweller was tricked into transferring £50,000 ($67,000) in an AnyDesk scam after the scammers cloned a caller ID, impersonated a bank fraud prevention employee, and installed remote access software on the victim’s computer.

In 2025, a scam ring of 25 Canadian nationals was charged with participation in a large-scale “grandparent scam” that defrauded individuals in more than 40 U.S. states. The scammers operated from 2021 to 2024 from call centers in Montreal, Canada, tricking victims into transferring them more than $21 million.

Top red flags of vishing scams

These are the top warning signs that appear frequently in vishing scams:

• Unsolicited phone calls. Scammers always call uninvited, with requests that make victims stop in their tracks and respond to the immediacy and urgency. They may also use spoofed caller IDs and have plenty of personal information about you on file to make their requests all the more believable.
  
• Requests for sensitive information, like Social Security or identity numbers, PINs, online banking credentials, credit card numbers, or one-time verification codes. Real businesses, from banks to Medicare officials, never request such sensitive information over the phone.
  
• Pressure to act immediately. Be it a “fraud alert” from a bank or a call about a relative in crisis, scammers want you to act right now while on the phone with them, without taking a break to verify the information independently.
  
• Secrecy is another component necessary to make vishing victims act on impulse without consulting anyone who can talk them out of sharing money or information with the scammer.
  
• Payment requests via untraceable methods, such as prepaid cards, wire transfers, cryptocurrency ATMs, gift cards, or cash in mail. Surprisingly, such requests may come from government impersonators too, and many victims do make these irreversible transactions, cornered by scammers’ scare tactics.

What to do if you fall victim to a vishing scam

If you realize you’ve answered a vishing call, take the following steps to minimize the damage:

• Stop all communication with the scammer. Don’t respond to further calls, emails, or voice messages.
  
• Contact your bank or credit card company immediately. Let them know your account has been compromised and ask to reissue the affected card.
  
• Change passwords and set up two-factor authentication for all affected accounts. If you reused the passwords anywhere, change them too.
  
• File a complaint with the relevant anti-fraud authority, such as the Federal Trade Commission or the Internet Crime Complaint Center in the U.S.
  
• If applicable, contact the impersonated company to let them know about the scam. This will help educate other customers, and the company may be able to offer remediation assistance in certain cases.
  
• Warn your network of friends, relatives, and colleagues about the scam and share your experience so they know what to avoid.

How to protect yourself from vishing scams

Protecting yourself from vishing is similar to curbing phishing attacks in general. Start by removing your personal information from publicly available sources, such as data brokers, Google, and people-search websites, so scammers have a harder time identifying your contacts and personal details. Onerep is one such service you can use for automatic personal data removal from the internet.

Other safety practices include the following:

• Register with the National Do Not Call Registry to opt out of telemarketing calls. This will reduce the number of unsolicited phone calls and help you filter out scammers more effectively.
  
• Use call-blocking tools and spam call filters built into your smartphone or offered by your carrier to prevent scammers from reaching you.
  
• Never share your sensitive details over the phone with anyone, even bank representatives. No legitimate official ever asks for full credit card numbers, CVVs, or account credentials.
  
• If you’re forced to act immediately, pause and think. This is a common pressure tactic used by scammers. If in doubt, hang up and verify their request using the official contact number of the organization or person in question.
  
• Educate older relatives, friends, or less tech-savvy people in your circle, as they may be especially at risk of falling victim to vishing and impersonation.

In any case, don’t be afraid to hang up—there’s nothing wrong with being cautious when it comes to protecting your money and identity.

FAQs

What is vishing in cybersecurity?

Vishing (voice phishing) is a type of cyber attack where scammers use phone calls and voicemail to defraud people and make them transfer money or share sensitive personal information for the scammers’ gain.

What is the difference between phishing and vishing?

Phishing is a broader category of scams involving “fishing” for personal information or the victim’s money, while vishing is a subcategory of phishing attacks enacted via phone or voice messages.

What are signs of a vishing scam?

Top signs of vishing include unsolicited calls from spoofed phone numbers impersonating officials, businesses, or relatives, urgent demands for money or personal information, and instructions to stay on the phone and not tell anyone about the issue.

Can vishing happen via email or only by phone?

Classic vishing is voice-based, but vishing attacks can also start as emails, especially in tech support impersonation scams. These emails contain a phone number to call, and this is how scammers get a chance to get on the line with their victims to trick them into revealing personal information or transfer funds.