What is Vishing: Definition, Detection and Protection

Stay ahead of voice phishing scams with our comprehensive guide on vishing. Understand what vishing is, recognize the signs, and learn how to protect yourself and your organization from these attacks.

Vishing (voice phishing) is a type of social engineering attack where scammers use phone calls to trick people into revealing sensitive information, such as passwords, bank details, or business secrets. These attackers often pretend to be trusted individuals, like customer support agents, bank representatives, or IT staff, to gain the victim’s trust and manipulate them into sharing confidential data.

Unlike traditional phishing, which happens via email or text, vishing fraud relies on voice communication to deceive targets. The FBI's Internet Crime Complaint Center (IC3) reports vishing scams caused losses of over $48 million. That’s a lot of people getting scammed through phone calls!

In this blog, we’ll break down "what is vishing", teach you how to spot the signs, and share some foolproof ways to protect your organization from becoming the next headline.

Definition of Vishing

According to the Federal Trade Commission (FTC), vishing is "a type of phishing that uses the telephone to steal personal information or money from unsuspecting victims by pretending to be a trusted entity."

Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) defines vishing as "a social engineering attack where cybercriminals trick individuals into providing sensitive information over the phone, often by impersonating legitimate organizations."

For a deeper dive into the world of vishing—how telephone scams work, why phone scams are effective, and how to stay protected—check out the Keepnet podcast series. You’ll hear real-life stories, expert insights, and practical tips to help you recognize and defend against phone-based scams.

Now, here’s our vishing definition: Vishing, or voice phishing, is a sneaky scam where hackers use phone calls to trick people into handing over personal or financial information. It’s phishing with a more personal touch—using real-time voice communication instead of the usual email or text tricks. These attackers love posing as bank reps, IT support, or government officials, hoping to catch you off guard.

The essence of vishing lies in this deceptive approach: exploiting the trust people place in voice interactions to steal sensitive data. With significant financial, operational, and reputational consequences, vishing isn’t just annoying—it’s downright dangerous. So, if a "trusted entity" calls asking for sensitive info, maybe it’s time to let your voicemail play defense.

What is the Purpose of Vishing Attempts?

The purpose of vishing attempts can be broken down into key objectives. Here's what scammers are after:

Objective | Examples
Steal Sensitive Information | Bank account numbers, Passwords or Personal Identification Numbers
Access and Exploit Accounts | Accessing bank or online accounts, Illegally transferring funds or Making unauthorized purchases
Commit Identity Theft | Opening new accounts in the victim's name or Obtaining credit or loans fraudulently
Create Urgency or Fear | Convincing there’s an immediate account issue, Offering fake rewards or Conducting urgent surveys

Table 1: Purpose of vishing attempts

Difference Between Phishing, Vishing and Smishing

Picture 1: Phishing vs. Vishing vs. Smishing: Key Differences

Phishing tricks you with fake emails, vishing uses phone calls, and smishing sends scam texts. All these attack types aim to steal your data. Let's explore the differences between phishing, vishing, and smishing, shedding light on how each social engineering attack method operates and their unique characteristics:

Phishing: Email-Based Deception

Phishing is a common cyberattack method where scammers send deceptive emails that appear to be from trusted sources to steal sensitive information. Below are the key details on how this email-based deception works:

  • Method: Utilizes phishing emails designed to mimic legitimate communications from reputable organizations.
  • Objective: Tricks people into revealing personal, financial, or login information by clicking phishing links or malicious attachments.
  • Common Signs: Misspellings, unfamiliar sender addresses, urgent or threatening language requesting immediate action.

Read our blog to learn what is phishing and how to prevent it.

Vishing: Voice or Telephone Scams

Vishing refers to voice or telephone scams—a tactic where scammers use phone calls to deceive individuals into giving up personal or financial details. Below are key details to help you recognize and avoid such attacks.

  • Method: Voice or Telephone scams, known as Vishing, use phone calls to either convince or scare people into giving away their personal information or money.
  • Objective: The objective is to take sensitive information or money directly from the person targeted by pretending to be an authority figure, tech support, or financial institution.
  • Common Signs: Unknown caller IDs, urgent requests for information or money, and pre-recorded messages claiming to be from official agencies.

Smishing: SMS Text Messaging Fraud

Smishing is a type of phishing attack delivered via text messages, aiming to trick recipients into clicking malicious links or giving away personal information. Below are the key details that explain how smishing works and how to recognize it.

  • Method: Sends text messages that trick recipients into clicking on phishing links or sharing personal information.
  • Objective: Seeks to install malicious software on mobile devices or trick people into sharing important information by pretending to offer something urgent or appealing.
  • Common Signs: Texts from unknown numbers, messages prompting to click on links for offers, prizes, or resolving account issues.

To learn more, read Keepnet's blog on What is Smishing (SMS Phishing)?

How Does Vishing Happen?

Picture 2: How Vishing Scams Work Step by Step

As the definition of vishing suggests, it happens when scammers use phone calls to trick people into giving away their personal information. Pretending to be from a trusted organization, they might tell you there's a problem with your account, offer you a reward that doesn't exist, or say they're doing a survey.

These calls often show up with fake numbers that look real, making the scam seem legit. If you think you're talking to someone you can trust, you might end up sharing details that could lead to losing money or having your identity stolen.

Here's a quick look at how an example vishing attack happens:

  • The Initial Contact: You get a call. The number looks official, maybe even one you recognize.
  • The Setup: The person on the line sounds professional. They say they're from your bank, a tech company, or any organization you might trust. They've got news or an offer.
  • The Ask: Here's where they want something from you. Maybe it's your account details, your social security number, or a password. Sometimes, they'll ask you to transfer money directly.
  • The Pressure: They're probably in a hurry. They want you to act fast. This pressure is a key part of the scam, making you less likely to think things through.

Common Vishing Methods

Picture 3: Common Vishing Methods

Vishing attacks use various methods to trick individuals into sharing personal and financial information. Each technique is designed to exploit different vulnerabilities, ranging from technological gaps to human psychology. Here's a closer look at some of the most common vishing methods:

  • Deepfakes: This method uses artificial intelligence and machine learning to clone a person's voice, creating audio that sounds like someone you know and trust. Attackers can mimic the voices of CEOs or family members to convince you to transfer money or share sensitive data.
  • Robocalls: These are automated calls that deliver pre-recorded messages. Scammers use robocalls to reach a large audience quickly, often pretending to be from government agencies or legal departments to scare victims into complying with their requests.
  • Tech Support Call: Here, the scammer pretends to be a tech support agent from a well-known company, claiming to have detected an issue with your computer or account. They aim to gain remote access to your device or convince you to provide personal information under the guise of fixing a non-existent problem.
  • Client Call: In these scams, attackers pretend to be potential clients or partners of your business. They may request sensitive company information or direct payments, exploiting professional trust and courtesy.
  • VoIP Vishing: Voice over Internet Protocol (VoIP) allows scammers to make calls over the internet, often from international locations, while displaying a local or trusted number on the caller ID. This method makes it difficult to trace the call back to the scammer.
  • Caller ID Spoofing: Similar to VoIP vishing, caller ID spoofing involves changing the caller ID to a familiar or trustworthy number. This tricks victims into answering the call and trusting the caller.
  • Dumpster Diving: Though not exclusively a vishing technique, dumpster diving involves searching through a person's or company's trash to find documents with personal information. Scammers can use this information to make their vishing attacks more convincing and targeted.

Vishing Attack Examples

Let's look at a few real-life examples of vishing to understand how these attacks work and their impacts. Each story shows how scammers use phone calls to trick people into giving them money or personal information.

1. The Deepfake Voice Heist on a UK Energy Company (2019)

Okay, this one’s straight out of a spy movie. Back in 2019, the CEO of a UK energy company got a phone call from his “boss” in the German headquarters. The problem? The voice wasn’t his boss at all—it was a deepfake, a high-tech audio clone created by scammers. The fake boss demanded an urgent transfer of €220,000 (about $243,000) to a “supplier” in Hungary. Thinking it was legit, the CEO complied. Spoiler: it wasn’t legit.

The scam wasn’t uncovered until it was too late, leaving the company with a fat financial loss and a “well, that sucked” moment. The moral of the story? If your boss suddenly sounds like a James Bond villain demanding money, maybe double-check before hitting "send."

2. Twitter’s Vishing Nightmare Hits the Big Names (2020)

In July 2020, Twitter became the victim of a next-level vishing attack that made international headlines. Hackers targeted Twitter employees with fake phone calls, convincing them to share access credentials to internal systems. Sounds sneaky? Oh, it gets better.

Using this access, the hackers took over 130 high-profile accounts, including those of Barack Obama, Joe Biden, Elon Musk, and Kanye West. What did they do with this newfound power? They tweeted out Bitcoin scams, promising to “double” any Bitcoin sent to a certain wallet. The scammers made off with about $110,000 before being caught. Lesson learned: Even the world’s most famous people (and platforms) aren’t safe from vishing.

3. Hong Kong’s $41 Million Vishing Scam (2020)

This one is as painful as it is impressive (from the scammers’ perspective, anyway). In 2020, a 90-year-old woman in Hong Kong became the victim of one of the largest vishing scams ever recorded. The scammers posed as law enforcement officers, claiming her identity had been used in crimes in China. Over multiple phone calls, they pressured her into making 10 payments totaling $41 million to “resolve” the issue.

The audacity of these scammers is wild, but here’s the twist: the woman eventually caught on and reported it to the police. This led to the arrest of a 19-year-old scammer involved in the plot. (Seriously, what were you doing at 19?) It’s a reminder that vishing can target anyone, and the stakes can be sky-high.

4. The MGM Resorts Vishing Attack (2023)

One of the biggest cybersecurity breaches of 2023 kicked off with—wait for it—a vishing attack. Scammers impersonated an MGM IT helpdesk employee and called an unsuspecting staff member. Using social engineering tactics, they convinced the employee to share their login credentials, giving the attackers access to sensitive systems.

The result? A ransomware attack that took down MGM’s operations for nearly a week, disrupting casino floors, hotel bookings, and payment systems. The fallout was massive—millions in lost revenue, lawsuits from frustrated customers, and a PR disaster. The MGM vishing breach is now a textbook example of how one phone call can cost a company millions.

5. Okta’s Support Team Breach (2023)

In a similar attack in 2023, Okta, a well-known identity management company, fell victim to a vishing fraud. Scammers called the company’s support team, impersonating employees and persuading them to bypass standard security protocols. This clever social engineering trick allowed the attackers to gain access to sensitive Okta tools and resources, which they later used to compromise clients' data.

This breach had ripple effects across Okta’s customer base, damaging trust in their services and sparking serious concerns about the vulnerability of even the most security-focused organizations. It’s a classic reminder that human error is still a major cybersecurity weak spot.

6. Microsoft Teams Vishing Attack Deploys DarkGate Malware (2024)

In a recent incident, attackers impersonated a client during a Microsoft Teams call to distribute DarkGate malware. The scam began with the victim receiving thousands of emails, followed by a Teams call from someone claiming to be an employee of an external supplier. The attacker persuaded the victim to download a remote desktop application, which facilitated the deployment of the malware, granting the attacker remote control over the victim’s computer network.

Please check out our blog on real vishing attack examples to learn more.

7. AIB Bank Fraud Incident (€41,000 Attempted Theft)

In February 2025, a business customer of AIB received a call from someone claiming to be from the bank's fraud team, warning of unauthorized transactions. The caller directed the customer to a fake website, leading to the installation of remote access software. This allowed the fraudster to initiate a €41,000 payment, which was fortunately intercepted by AIB staff. (Source)

8. Operation "GAITSCHE" in Spain (€25,480 Stolen)

In early 2025, Spanish authorities conducted Operation "GAITSCHE," targeting a coordinated criminal network involved in vishing scams across six regions. Nine individuals impersonated bank representatives to deceive victims into revealing sensitive banking credentials. In one case, a victim suffered €25,480 in losses through unauthorized account access, credit card issuance, fund transfers, and loan applications. The group operated across decentralized locations but used shared digital tools to execute the fraud. The case is being prosecuted in Palencia under Spain’s cybercrime laws. (Source)

What are the Signs of Vishing Attacks?

Picture 4: Signs of Vishing Attacks

Knowing the signs of a vishing attack can help you avoid falling for one. Here’s what to watch out for:

  • Unexpected Calls: If you get a call out of nowhere from someone claiming to be from your bank, a government agency, or any service provider, be wary. Especially if they're asking for personal or financial info.
  • Urgency: The caller presses you to act fast. They might say your account will be closed or you'll face legal action if you don't respond immediately.
  • Request for Personal Information: Be suspicious if the caller asks for sensitive details like your password, PIN, or bank account numbers.
  • Quality of the Call: Sometimes, vishing calls might have poor call quality or sound like they're coming from a long distance, despite claiming to be from a local number.
  • Spoofed Caller ID: The caller ID might look legitimate, but scammers have ways to fake these. Just because it looks real doesn't mean it is.

Scammers are taking their craft to a whole new level, leveraging advanced AI to sound as convincing as your best friend. Gone are the days of awkward robotic voices—you know, the kind that made you roll your eyes before hanging up.

Today’s vishing scammers have charm, style, and an alarming amount of sophistication. Don’t just take our word for it—this is backed by groundbreaking research published in September 2024 by Lisbon University. The study explores how vishing tactics have evolved and their alarming success in exploiting human vulnerability.

AI-Powered Vishing Bots: Smooth Operators

The AI bots of 2025 are not just smarter; they’re scarily human-like. These aren’t your old-school robocalls. Lisbon University researchers found:

  • Uncanny Realism: These bots sound like real people, complete with emotion, accents, and even fake empathy. By studying thousands of human conversations, scammers have programmed bots that are eerily convincing.
  • Dirt-Cheap Scams: Each bot-driven call costs a fraction of a penny, but the payout for scammers can be enormous. With low costs, scammers are now able to target thousands daily.
  • Shockingly Convincing: According to Lisbon University's study, 52% of test subjects thought they were speaking with a real person. Imagine accidentally pouring out your life story—or worse, sensitive data—to a bot that feels like your long-lost pal.

Humans vs. Bots: Who’s Winning?

If you think you can easily outsmart these bots, think again. The Lisbon University study uncovered some pretty unsettling truths about how unprepared most people are:

  • Default Trust: Many people instinctively trust polite, professional-sounding callers. AI bots exploit this to extract information with alarming success.
  • Training Helps Big Time: Those who had undergone vishing awareness training were way less likely to fall for scams. The study showed training slashed scam success rates from 77% to 33%.
  • Flying Blind is Risky: Without training or awareness, individuals are nearly twice as likely to give away sensitive information. It’s like walking into a scammer’s trap blindfolded.

What We Can Learn from this Vishing Research

Not all hope is lost! Researchers at Lisbon University didn’t just analyze scams—they also identified ways to fight back:

  • Realistic Simulations: Businesses are using vishing simulations to teach employees how to spot scams. Think of it as a controlled test that strengthens your defenses.
  • AI as a Hero: Companies are deploying AI tools to detect and block scam calls before they even hit your phone. It’s a bot-on-bot battle, and thankfully, the good bots are winning.
  • Public Awareness Matters: The research emphasizes the need for broader education. Simple steps, like verifying the identity of callers and hesitating before sharing sensitive information, can significantly reduce the success of scams.

How to Prevent Vishing Attacks

Staying safe from vishing attacks requires caution, knowledge, and taking the right steps. Here’s how to prevent vishing fraud:

  • Verify the Caller: If you're unsure about a caller's identity, hang up. Then, contact the organization directly using a number you trust, like one from their official website.
  • Don't Share Personal Info: Never give out personal or financial information over the phone unless you're sure of the caller's identity.
  • Use Call-Blocking Services: Many phone companies offer services to block unknown or suspicious numbers. Taking advantage of these can reduce the number of vishing calls you receive.
  • Stay Informed: Knowing the latest vishing tactics and scams can help you recognize a potential attack before it's too late.
  • Report Suspicious Calls: If you think you've received a vishing call, report it to the appropriate authorities. This can help prevent others from falling victim to the same scam.

By keeping these signs and prevention tips in mind, you can protect yourself and your loved ones from falling victim to vishing fraud. Read our blog to learn more about preventing vishing attacks using eight strategies.

Protect Against Vishing Attacks with Keepnet

Keepnet offers comprehensive solutions to guard against voice phishing attacks. Here’s how Keepnet can help you stay safe from vishing attempts:

  • Simulated Vishing Attacks: To prepare you for real-world vishing scenarios, Keepnet provides simulated vishing tests. These vishing simulations are safe, controlled ways to experience a vishing attempt, ensuring you're ready to act correctly when faced with a real vishing attempt.
  • Security Awareness Training: Keepnet emphasizes the importance of education in cybersecurity. They offer training modules designed to increase security awareness about vishing scams, teaching you how to effectively recognize and respond to phishing calls.
  • Incident Reporting Tools: Keepnet offers tools that make it easy to report suspected phishing attempts. Quick reporting can help analyze and prevent future attacks, making it a significant part of any defense strategy.
  • Community and Intelligence Sharing: Keepnet fosters a community of users and cybersecurity experts to share intelligence about new and emerging vishing threats. This collective knowledge acts as an early warning system, giving you a heads-up about scams as they develop.

Please read Teknosa's fight and how they prevented vishing attacks here.

Editor's Note: This article was updated on June 3, 2025.

Frequently Asked Questions

What is vishing in cybersecurity?

In cybersecurity, vishing means voice-based threats targeting human vulnerabilities rather than technical systems. It underscores the importance of awareness training to mitigate risks.

How will AI-driven "emotional mirroring" in vishing scams exploit human psychology?

By 2025, attackers may use AI to analyze a victim’s vocal tone, stress cues, or social media behavior to mirror their emotional state in real-time during calls. This could create false trust, making targets more likely to comply with urgent requests (e.g., "Your child’s school is locked down—verify credentials now").

Could decentralized identity systems (e.g., blockchain-based IDs) inadvertently fuel vishing attacks?

Yes. As decentralized IDs gain traction, attackers might pose as "verification agents" to trick users into sharing private keys or biometrics via voice calls. Scams could mimic legitimate platforms, claiming, "Your digital wallet requires re-authentication to avoid suspension."

How will 5G-enabled "deepfake vishing farms" operate?

With 5G’s low latency, attackers could deploy scalable, cloud-based systems generating thousands of simultaneous deepfake voice calls. These systems might clone voices from public videos or leaked data, targeting entire organizations or regions with hyper-personalized scams (e.g., impersonating CEOs during earnings season).

Can "ambient vishing" via IoT soundscapes (e.g., smart TVs, wearables) become a threat?

Absolutely. Hackers might hijack connected devices to play background sounds (e.g., sirens, office noises) during calls, adding legitimacy to urgent scenarios. Imagine a scammer triggering a fake "fire alarm" via your smart speaker while demanding evacuation details.

Will "neuroadaptive authentication" counter AI-driven emotional manipulation in vishing?

Emerging neuroadaptive systems could analyze a user’s cognitive response (e.g., attention shifts, decision-making patterns) during sensitive calls. By 2025, wearable neurotech or AI assistants might flag mismatches between a caller’s urgency and the user’s baseline behavior, interrupting interactions that trigger abnormal stress signals. For example, a "digital guardian" app could freeze a transaction if it detects coerced compliance.

Can "zero-knowledge voice proofs" protect decentralized identity users from vishing?

Yes. Zero-knowledge proofs (ZKPs) embedded in voice authentication systems could allow users to verify credentials without revealing sensitive data (e.g., private keys or biometric templates). By 2025, ZKP protocols might enable responses like, “Prove you’re my bank without accessing my account number,” shutting down phishing attempts that demand unnecessary information.

What are common vishing attack examples?

Examples of vishing attacks include fake calls from “bank fraud departments” asking to verify account activity or tech support scams requesting remote access to your device. These scenarios often use fear or urgency to pressure quick responses. Read our guide to learn about the most spoofed brands in phishing attacks.

Vishing meaning: What does it really involve?

Vishing involves deceptive phone calls aimed at manipulating people into sharing confidential data. Unlike email-based phishing, vishing relies on real-time conversation to build trust or create urgency.

What should I do if I receive a vishing call?

If you suspect a vishing call, hang up immediately. Don’t share any information. Verify the caller’s identity through official channels and report the incident to your IT or security team.

Is vishing illegal?

Yes, vishing is illegal. It involves fraudulent impersonation and identity theft, both of which are criminal offenses punishable by fines or imprisonment in most jurisdictions.

Why is vishing more dangerous than phishing?

Vishing can be more dangerous because it involves real-time human interaction, which may manipulate victims more effectively than emails. The urgency and voice tone often increase the pressure.

How is vishing detected in cybersecurity systems?

While harder to detect than email phishing, vishing can be mitigated through behavioral monitoring, call logging, employee reporting mechanisms, and simulated vishing exercises to train staff to identify threats.

Why is vishing becoming more common in recent years?

Vishing is on the rise due to the increased availability of personal data online and the use of AI-generated voice tools. These advancements make it easier for attackers to sound convincing and target victims at scale.

What should organizations include in vishing awareness training?

Effective vishing training should cover real-world examples, role-playing exercises, caller verification protocols, red flag identification, and reporting procedures. Regular simulations can help reinforce behavior change.

Can vishing be part of a multi-channel phishing attack?

Yes, attackers often combine vishing with phishing and smishing in coordinated campaigns. For example, a victim may receive an email, followed by a phone call pretending to “verify” the information they just saw.
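
The email-then-call pattern described in this answer, and in the 2024 Microsoft Teams incident above, can be turned into a simple detection rule. The sketch below is an added example, not Keepnet's code or any product's API: the event tuples, field names, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the article gives no thresholds.
BURST_THRESHOLD = 500                   # inbound mails to one user ...
BURST_WINDOW = timedelta(minutes=30)    # ... inside this sliding window
FOLLOWUP_WINDOW = timedelta(hours=2)    # external call this soon after the flood


def find_bursts(email_events):
    """Return {user: [[start, end], ...]} for periods in which the user's
    inbound mail count within BURST_WINDOW stays at or above the threshold."""
    bursts = defaultdict(list)
    windows = defaultdict(deque)
    in_burst = defaultdict(bool)
    for ts, user in sorted(email_events):
        win = windows[user]
        win.append(ts)
        while ts - win[0] > BURST_WINDOW:   # drop mails older than the window
            win.popleft()
        if len(win) >= BURST_THRESHOLD:
            if in_burst[user]:
                bursts[user][-1][1] = ts    # flood still running: extend it
            else:
                bursts[user].append([ts, ts])
                in_burst[user] = True
        else:
            in_burst[user] = False
    return bursts


def correlate(email_events, call_events):
    """Flag external inbound calls that reach a user during or shortly after a flood."""
    bursts = find_bursts(email_events)
    alerts = []
    for ts, user, caller, external in sorted(call_events):
        if not external:                    # internal callers are out of scope here
            continue
        for start, end in bursts.get(user, []):
            if ts >= start and ts - end <= FOLLOWUP_WINDOW:
                alerts.append({"user": user, "caller": caller,
                               "flood_start": start, "call_at": ts})
                break
    return alerts


def sample_events():
    """Constructed sample data: (timestamp, recipient) mails and
    (timestamp, callee, caller, is_external) calls."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    emails = [(t0 + timedelta(seconds=i), "alice") for i in range(1500)]    # mail flood
    emails += [(t0 + timedelta(minutes=10 * i), "bob") for i in range(12)]  # normal volume
    calls = [
        (t0 + timedelta(minutes=40), "alice", "ext-supplier@example.test", True),
        (t0 + timedelta(minutes=45), "alice", "colleague@corp.example", False),
        (t0 + timedelta(minutes=50), "bob", "ext-vendor@example.test", True),
        (t0 + timedelta(hours=6), "alice", "ext-late@example.test", True),
    ]
    return emails, calls


if __name__ == "__main__":
    for alert in correlate(*sample_events()):
        print(alert)
```

Only the external call that reaches the flooded mailbox owner within the follow-up window is flagged; an alert like this is a prompt for callback verification, not proof of fraud.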