What is Vishing: Definition, Detection and Protection

Vishing (voice phishing) is a type of social engineering attack where scammers use phone calls to trick people into revealing sensitive information, such as passwords, bank details, or business secrets. These attackers often pretend to be trusted individuals, like customer support agents, bank representatives, or IT staff, to gain the victim’s trust and manipulate them into sharing confidential data.

Unlike traditional phishing, which happens via email or text, vishing fraud relies on voice communication to deceive targets. The FBI's Internet Crime Complaint Center (IC3) reports vishing scams caused losses of over $48 million. That’s a lot of people getting scammed through phone calls!

In this blog, we’ll break down "what is vishing", teach you how to spot the signs, and share some foolproof ways to protect your organization from becoming the next headline.

Definition of Vishing

For a deeper dive into the world of vishing—how it works, why it’s effective, and how to stay protected—check out the Keepnet podcast series. You’ll hear real-life stories, expert insights, and practical tips to help you recognize and defend against phone-based scams.

Now, here’s our vishing definition: Vishing, or voice phishing, is a sneaky scam where hackers use phone calls to trick people into handing over personal or financial information. It’s phishing with a more personal touch—using real-time voice communication instead of the usual email or text tricks. These attackers love posing as bank reps, IT support, or government officials, hoping to catch you off guard.

With significant financial, operational, and reputational consequences, vishing isn’t just annoying—it’s downright dangerous. So, if a "trusted entity" calls asking for sensitive info, maybe it’s time to let your voicemail play defense.

What is the Purpose of Vishing Attempts?

The purpose of vishing attempts can be broken down into key objectives. Here's what scammers are after:

Table 1: Purpose of vishing attempts

Difference Between Phishing, Vishing and Smishing

Phishing tricks you with fake emails, vishing uses phone calls, and smishing sends scam texts. All these attack types aim to steal your data. Let's explore the differences between phishing, vishing, and smishing, shedding light on how each social engineering attack method operates and their unique characteristics:

Phishing: Email-Based Deception

• Method: Utilizes phishing emails designed to mimic legitimate communications from reputable organizations.
• Objective: Tricks people into revealing personal, financial, or login information by clicking phishing links or malicious attachments.
• Common Signs: Misspellings, unfamiliar sender addresses, urgent or threatening language requesting immediate action.

Vishing: Voice or Telephone Scams

• Method: Voice or Telephone scams, known as Vishing, use phone calls to either convince or scare people into giving away their personal information or money.
• Objective: The objective is to take sensitive information or money directly from the person targeted by pretending to be an authority figure, tech support, or financial institution.
• Common Signs: Unknown caller IDs, urgent requests for information or money, and pre-recorded messages claiming to be from official agencies to define vishing common signs.

Smishing: SMS Text Messaging Fraud

• Method: Sends text messages that trick recipients into clicking on phishing links or sharing personal information.
• Objective: Seeks to install malicious software on mobile devices or trick people into sharing important information by pretending to offer something urgent or appealing.
• Common Signs: Texts from unknown numbers, messages prompting to click on links for offers, prizes, or resolving account issues.

Understanding these differences helps individuals identify and avoid falling victim to these increasingly sophisticated social engineering attacks.

To learn more, read Keepnet's blog on What is Smishing (SMS Phishing)?

How Does Vishing Happen?

As the definition of vishing suggests, it happens when scammers use phone calls to trick people into giving away their personal information. Pretending to be from a trusted organization, they might tell you there's a problem with your account, offer you a reward that doesn't exist, or say they're doing a survey.

These calls often show up with fake numbers that look real, making the scam seem legit. If you think you're talking to someone you can trust, you might end up sharing details that could lead to losing money or stealing your identity.

Here's a quick look at how an example vishing attack happens:

• The Initial Contact: You get a call. The number looks official, maybe even one you recognize.
• The Setup: The person on the line sounds professional. They say they're from your bank, a tech company, or any organization you might trust. They've got news or an offer.
• The Ask: Here's where they want something from you. Maybe it's your account details, your social security number, or a password. Sometimes, they'll ask you to transfer money directly.
• The Pressure: They're probably in a hurry. They want you to act fast. This pressure is a key part of the scam, making you less likely to think things through.

Common Vishing Methods

Vishing attacks have various methods to trick individuals into sharing personal and financial information. Each technique is designed to exploit different vulnerabilities, ranging from technological gaps to human psychology. Here's a closer look at some of the most common vishing methods:

• Deepfakes: This method uses artificial intelligence and machine learning to clone a person's voice, creating audio that sounds like someone you know and trust. Attackers can mimic the voices of CEOs or family members to convince you to transfer money or share sensitive data.
• Robocalls: These are automated calls that deliver pre-recorded messages. Scammers use robocalls to reach a large audience quickly, often pretending to be from government agencies or legal departments to scare victims into complying with their requests.
• Tech Support Call: Here, the scammer pretends to be a tech support agent from a well-known company, claiming to have detected an issue with your computer or account. They aim to gain remote access to your device or convince you to provide personal information under the guise of fixing a non-existent problem.
• Client Call: In these scams, attackers pretend to be potential clients or partners of your business. They may request sensitive company information or direct payments, exploiting professional trust and courtesy.
• VoIP Vishing: Voice over Internet Protocol (VoIP) allows scammers to make calls over the internet, often from international locations, while displaying a local or trusted number on the caller ID. This method makes it difficult to trace the call back to the scammer.
• Caller ID Spoofing: Similar to VoIP vishing, caller ID spoofing involves changing the caller ID to a familiar or trustworthy number. This tricks victims into answering the call and trusting the caller.
• Dumpster Diving: Though not exclusively a vishing technique, dumpster diving involves searching through a person's or company's trash to find documents with personal information. Scammers can use this information to be more convincing and targeted vishing attacks.

Vishing Attack Examples

Let's look at a few real-life examples of vishing to understand how these attacks work and their impacts. Each story shows how scammers use phone calls to trick people into giving them money or personal information.

1. The Deepfake Voice Heist on a UK Energy Company (2019)

Okay, this one’s straight out of a spy movie. Back in 2019, the CEO of a UK energy company got a phone call from his “boss” in the German headquarters. The problem? The voice wasn’t his boss at all—it was a deepfake, a high-tech audio clone created by scammers. The fake boss demanded an urgent transfer of €220,000 (about $243,000) to a “supplier” in Hungary. Thinking it was legit, the CEO complied. Spoiler: it wasn’t legit.

The scam wasn’t uncovered until it was too late, leaving the company with a fat financial loss and a “well, that sucked” moment. The moral of the story? If your boss suddenly sounds like a James Bond villain demanding money, maybe double-check before hitting "send."

2. Twitter’s Vishing Nightmare Hits the Big Names (2020)

In July 2020, Twitter became the victim of a next-level vishing attack that made international headlines. Hackers targeted Twitter employees with fake phone calls, convincing them to share access credentials to internal systems. Sounds sneaky? Oh, it gets better.

Using this access, the hackers took over 130 high-profile accounts, including those of Barack Obama, Joe Biden, Elon Musk, and Kanye West. What did they do with this newfound power? They tweeted out Bitcoin scams, promising to “double” any Bitcoin sent to a certain wallet. The scammers made off with about $110,000 before being caught. Lesson learned: Even the world’s most famous people (and platforms) aren’t safe from vishing.

3. Hong Kong’s $41 Million Vishing Scam (2020)

This one is as painful as it is impressive (from the scammers’ perspective, anyway). In 2020, a 90-year-old woman in Hong Kong became the victim of one of the largest vishing scams ever recorded. The scammers posed as law enforcement officers, claiming her identity had been used in crimes in China. Over multiple phone calls, they pressured her into making 10 payments totaling $41 million to “resolve” the issue.

The audacity of these scammers is wild, but here’s the twist: the woman eventually caught on and reported it to the police. This led to the arrest of a 19-year-old scammer involved in the plot. (Seriously, what were you doing at 19?) It’s a reminder that vishing can target anyone, and the stakes can be sky-high.

4. The MGM Resorts Vishing Attack (2023)

One of the biggest cybersecurity breaches of 2023 kicked off with—wait for it—a vishing attack. Scammers impersonated an MGM IT helpdesk employee and called an unsuspecting staff member. Using social engineering tactics, they convinced the employee to share their login credentials, giving the attackers access to sensitive systems.

The result? A ransomware attack that took down MGM’s operations for nearly a week, disrupting casino floors, hotel bookings, and payment systems. The fallout was massive—millions in lost revenue, lawsuits from frustrated customers, and a PR disaster. The MGM vishing breach is now a textbook example of how one phone call can cost a company millions.

5. Okta’s Support Team Breach (2023)

In a similar attack in 2023, Okta, a well-known identity management company, fell victim to a vishing fraud. Scammers called the company’s support team, impersonating employees and persuading them to bypass standard security protocols. This clever social engineering trick allowed the attackers to gain access to sensitive Okta tools and resources, which they later used to compromise clients' data.

This breach had ripple effects across Okta’s customer base, damaging trust in their services and sparking serious concerns about the vulnerability of even the most security-focused organizations. It’s a classic reminder that human error is still a major cybersecurity weak spot.

6. Microsoft Teams Vishing Attack Deploys DarkGate Malware (2024)

In a recent incident, attackers impersonated a client during a Microsoft Teams call to distribute DarkGate malware. The scam began with the victim receiving thousands of emails, followed by a Teams call from someone claiming to be an employee of an external supplier. The attacker persuaded the victim to download a remote desktop application, which facilitated the deployment of the malware, granting the attacker remote control over the victim’s computer network.

Please check out our blog on real vishing attack examples to learn more.

What are the Signs of Vishing Attacks?

Knowing the signs of a vishing attack can help you avoid falling for one. Here’s what to watch out for:

• Unexpected Calls: If you get a call out of nowhere from someone claiming to be from your bank, a government agency, or any service provider, be wary. Especially if they're asking for personal or financial info.
• Urgency: The caller presses you to act fast. They might say your account will be closed or you'll face legal action if you don't respond immediately.
• Request for Personal Information: Be suspicious if the caller asks for sensitive details like your password, PIN, or bank account numbers.
• Quality of the Call: Sometimes, vishing calls might have poor call quality or sound like they're coming from a long distance, despite claiming to be from a local number.
• Spoofed Caller ID: The caller ID might look legitimate, but scammers have ways to fake these. Just because it looks real doesn't mean it is.

Vishing Trends in 2025: The Rise of Smooth-Talking Scammer Bots

Scammers takes their craft to a whole new level, leveraging advanced AI to sound as convincing as your best friend. Gone are the days of awkward robotic voices—you know, the kind that made you roll your eyes before hanging up.

Today’s vishing scammers have charm, style, and an alarming amount of sophistication. Don’t just take our word for it—this is backed by groundbreaking research published in September 2024 by Lisbon University. The study explores how vishing tactics have evolved and their alarming success in exploiting human vulnerability.

AI-Powered Vishing Bots: Smooth Operators

The AI bots of 2025 are not just smarter; they’re scarily human-like. These aren’t your old-school robocalls. Lisbon University researchers found:

• Uncanny Realism: These bots sound like real people, complete with emotion, accents, and even fake empathy. By studying thousands of human conversations, scammers have programmed bots that are eerily convincing.
• Dirt-Cheap Scams: Each bot-driven call costs a fraction of a penny, but the payout for scammers can be enormous. With low costs, scammers are now able to target thousands daily.
• Shockingly Convincing: According to Lisbon University's study, 52% of test subjects thought they were speaking with a real person. Imagine accidentally pouring your life story—or worse, sensitive data—to a bot that feels like your long-lost pal.

Humans vs. Bots: Who’s Winning?

If you think you can easily outsmart these bots, think again. The Lisbon University study uncovered some pretty unsettling truths about how unprepared most people are:

• Default Trust: Many people instinctively trust polite, professional-sounding callers. AI bots exploit this to extract information with alarming success.
• Training Helps Big Time: Those who had undergone vishing awareness training were way less likely to fall for scams. The study showed training slashed scam success rates from 77% to 33%.
• Flying Blind is Risky: Without training or awareness, individuals are nearly twice as likely to give away sensitive information. It’s like walking into a scammer’s trap blindfolded.

What We Can Learn from this Vishing Research

Not all hope is lost! Researchers at Lisbon University didn’t just analyze scams—they also identified ways to fight back:

• Realistic Simulations: Businesses are using vishing simulations to teach employees how to spot scams. Think of it as a controlled test that strengthens your defenses.
• AI as a Hero: Companies are deploying AI tools to detect and block scam calls before they even hit your phone. It’s a bot-on-bot battle, and thankfully, the good bots are winning.
• Public Awareness Matters: The research emphasizes the need for broader education. Simple steps, like verifying the identity of callers and hesitating before sharing sensitive information, can significantly reduce the success of scams.

How to Prevent Vishing Attacks

Staying safe from vishing attacks requires caution, knowledge, and taking the right steps. Here’s how to prevent vishing fraud:

• Verify the Caller: If you're unsure about a caller's identity, hang up. Then, contact the organization directly using a number you trust, like one from their official website.
• Don't Share Personal Info: Never give out personal or financial information over the phone unless you're sure of the caller's identity.
• Use Call-Blocking Services: Many phone companies offer services to block unknown or suspicious numbers. Taking advantage of these can reduce the number of vishing calls you receive.
• Stay Informed: Knowing the latest vishing tactics and scams can help you recognize a potential attack before it's too late.
• Report Suspicious Calls: If you think you've received a vishing call, report it to the appropriate authorities. This can help prevent others from falling victim to the same scam.

By keeping these signs and prevention tips in mind, you can protect yourself and your loved ones from falling victim to vishing fraud. Read our blog to learn more about preventing vishing attacks using eight strategies.

Protect Against Vishing Attacks with Keepnet

Keepnet offers comprehensive solutions to guard against voice phishing attacks. Here’s how Keepnet can help you stay safe from vishing attempts:

• Simulated Vishing Attacks: To prepare you for real-world vishing scenarios, Keepnet provides simulated vishing tests. These vishing simulations are safe, controlled ways to experience a vishing attempt, ensuring you're ready to act correctly when faced with a real vishing attempt.
• Security Awareness Training: Keepnet emphasizes the importance of education in cybersecurity. They offer training modules designed to increase security awareness about vishing scams, teaching you how to effectively recognize and respond to phishing calls.
• Incident Reporting Tools: Keepnet offers tools that make it easy to report suspected phishing attempts. Quick reporting can help analyze and prevent future attacks, making it a significant part of any defense strategy.
• Community and Intelligence Sharing: Keepnet fosters a community of users and cybersecurity experts to share intelligence about new and emerging vishing threats. This collective knowledge acts as an early warning system, giving you a heads-up about scams as they develop.

Please read Teknosa's fight and how they prevented vishing attacks here.

Editor's Note: This article was updated on April 3, 2025.