Vishing – phishing via telephone – is a widespread scam in which cybercriminals try to trick you into revealing sensitive information through skilful conversation. They often use psychological manipulation, spoofed phone numbers, or even AI-generated deepfake voices to build trust.
In the following article we will show you how vishing works, what methods fraudsters use, and how to best protect yourself.
Key points:
- In vishing, fraudsters attempt to obtain sensitive information like passwords or login credentials over the phone.
- They often use spoofed numbers, AI-generated voices, and psychological pressure.
- Never share confidential data over the phone, and do not let a caller persuade you to visit a website they mention or to grant remote access to your computer. Question the validity of unexpected calls.
What is vishing?
Vishing (a blend of “voice” and “phishing”) refers to fraudulent phone calls where criminals attempt to obtain sensitive information such as login credentials, credit card numbers, or personal data. These attacks often use social engineering techniques to build trust and manipulate victims into revealing confidential information.
How to recognize vishing attacks
Vishing attacks can take many forms. Common signs indicating a vishing attack include:
- Unexpected calls: you receive a call urging immediate action.
- Pressure tactics: the caller pushes you to act quickly, often under threat of consequences.
- Claimed authority: callers pose as police, government, or official representatives to gain credibility.
- Requests for sensitive data: you’re asked to provide passwords, PINs, or other confidential information.
- Caller ID may be spoofed: through “caller ID spoofing” a trusted number appears on your screen, though the call originates from a different number.
Deception via deepfake – a new dimension of vishing
With advancing technology, fraudsters use AI to realistically mimic voices. These “audio deepfakes” can make you believe you’re speaking with someone you know, when it’s actually a criminal. Such techniques increase the credibility of fake calls and make vishing harder to detect. Over the phone, fake voices are often nearly indistinguishable from the real person. See the knowledge base entry “Deepfakes” for clues to watch for and how to expose fraudulent calls through targeted questions.
TOAD – fraudulent messages prompting callbacks
TOAD (Telephone-Oriented Attack Delivery) is a method where cybercriminals first send an email, SMS, or messenger message prompting you to call a number. During the call, they try to extract sensitive data, get you to download malware, or visit a fraudulent website. This combination of message and phone manipulation significantly increases the attackers’ success rate.
Typical signs:
- Sender appears credible (e.g. known brand names and email addresses).
- Callback number is prominently displayed in the message.
- On the call, you’re asked to share confidential data, visit a website, or grant remote access to your computer.
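For mail or helpdesk teams, the signs above can be combined with the rule of only calling back on an official number to triage incoming messages. The following Python code is an added example, not part of the original article; the brand names, phone numbers, directory and sample messages are all constructed for illustration.

```python
import re

# Constructed directory: callback numbers verified out of band (assumption).
OFFICIAL_NUMBERS = {
    "example bank": {"18005550100"},
    "example parcel": {"18005550111"},
}
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY = re.compile(r"\b(immediately|urgent|act now|within \d+ hours|suspended)\b", re.I)

def normalize(raw):
    """Reduce a phone number to digits; prefix the NANP country code if absent."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits

def triage(message):
    """Check a message for the TOAD signs: known brand, callback number, urgency."""
    text = message.lower()
    brands = [b for b in OFFICIAL_NUMBERS if b in text]
    numbers = {normalize(m.group()) for m in PHONE.finditer(message)}
    known = set().union(*(OFFICIAL_NUMBERS[b] for b in brands))
    unverified = sorted(numbers - known)
    urgent = bool(URGENCY.search(message))
    if not numbers:
        verdict = "no-callback"   # nothing asks the reader to phone anyone
    elif not unverified:
        verdict = "verified"      # every number matches the official directory
    elif brands or urgent:
        verdict = "suspect"       # brand or pressure plus an unknown number
    else:
        verdict = "review"        # unknown number without further signs
    return {"brands": brands, "unverified": unverified,
            "urgent": urgent, "verdict": verdict}

# Constructed sample messages.
LURE = ("Example Bank security notice: your account will be suspended. "
        "Call 1-888-555-0147 immediately to confirm your details.")
GENUINE = "Example Bank: your new card has shipped. Questions? Call +1 (800) 555-0100."

if __name__ == "__main__":
    for msg in (LURE, GENUINE):
        print(triage(msg))
```

A "suspect" verdict means the callback number should not be dialled; the brand's official number from the directory is used instead.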
Psychological tricks used by fraudsters
- Urgency: “Act now or face consequences!”
- Authority: “I’m calling on behalf of IT management.”
- Likeability: callers appear to share your interests or values.
- Emotion over reason: attackers exploit emotional triggers instead of logic.
- Trust: callers know details about your work or environment – via social engineering.
How to protect yourself from vishing
- Be sceptical of unexpected calls: especially if the caller demands immediate action.
- Never share sensitive information: don’t disclose passwords, PINs, or confidential data over the phone.
- Verify identity: ask for the caller’s name and position and call back using an official number.
- Don’t call back suspicious numbers: if you doubt the authenticity of a message, don’t call the number provided.
- Keep software up to date: make sure that your operating systems are up to date.
- Training and awareness: stay informed about fraud tactics (e.g. via consumer protection agencies) and attend security trainings if possible.
By staying alert and following these precautions, you can significantly reduce the risk of falling victim to a vishing attack.
Recognizing warning signs of vishing
Watch for these red flags:
- Unsolicited calls with urgent demands
- Suspicious emails, SMS, or messages prompting a callback
- Requests for confidential information during the call
- Verbal instructions to manually enter a web address
- Caller refuses to allow a callback or verify their identity
- Familiar-sounding voice in an unexpected call
Conclusion – take vishing seriously!
Vishing is a serious threat in digital communication. Attackers use increasingly sophisticated methods like spoofed numbers, deepfake voices, and emotional manipulation to gain trust and steal information. Being aware of these tactics, staying calm during suspicious calls, and never sharing confidential data over the phone can greatly reduce your risk.
Frequently asked questions about vishing
Can vishing occur via voice assistants like Alexa or Google Assistant?
Yes, there are reports of cybercriminals targeting smart speakers to extract information – for example through fake calls, transmitted numbers, or intercepted callbacks. The more connected devices you have, the greater the attack surface.
How can I report a suspected vishing attempt if I’m unsure it was an attack?
If in doubt, note the time, number, and content of the call. Report it to your IT or security department at work, or to national authorities like the consumer protection agency or police. It is better to report once too often than once too seldom.
Are there technical solutions or apps to prevent vishing?
Yes, there are call-filtering apps and security tools that block suspicious calls or protect against spoofing. Mobile providers also often offer anti-spam and fraud call services. However, your best defence remains your own vigilance.