eastbaycyber

What Is Vishing?

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Vishing is the voice-based version of phishing. Instead of sending a fake email or text, the attacker uses spoken communication to create urgency, authority, or trust.

Vishing, short for voice phishing, is a social engineering attack where an attacker uses phone calls, voicemail, or voice messages to trick someone into revealing sensitive information or taking a risky action. Common vishing goals include stealing credentials, capturing MFA codes, redirecting payments, or gaining access to business systems by pretending to be someone trusted.

If you are comparing similar attack types, see what is phishing and what is smishing for related background.

How vishing works

Vishing works because phone calls feel immediate and personal. Many people are more likely to trust a confident caller than a suspicious email, especially if the request sounds urgent or routine.

Most vishing attacks follow a familiar pattern.

Create a believable pretext

The attacker starts with a story designed to sound legitimate. Common examples include:

  • “We detected suspicious activity on your account.”
  • “This is IT support, and we need to verify your login.”
  • “Your payroll information needs urgent confirmation.”
  • “A payment is delayed and needs executive approval.”
  • “You need to approve an MFA request to stop a compromise.”

The goal is to create a problem the victim feels pressure to solve quickly.

Impersonate a trusted person or organization

Attackers often use real names, job titles, company references, or recent events to sound credible. They may also spoof caller ID so the call appears to come from a known number.

This is especially effective when the attacker has gathered information from:

  • Company websites
  • Social media profiles
  • Press releases
  • Breach data
  • Previous phishing attempts
  • Public employee directories

Apply urgency and pressure

Once the call begins, the attacker usually tries to reduce the target’s willingness to verify independently. They may claim:

  • The account will be locked
  • Payroll will fail
  • Legal action is pending
  • A wire transfer must be approved immediately
  • An MFA prompt needs urgent approval
  • A security incident is actively underway

This pressure is often the most important part of the scam.

Get the victim to act

Depending on the attack, the caller may ask the target to:

  • Share a password or one-time passcode
  • Approve a push notification
  • Reset a password and disclose the temporary one
  • Install remote access software
  • Send tax, payroll, or customer data
  • Transfer funds
  • Open a link sent by email or text

The requested action is often framed as routine support or emergency response.

Use the result for follow-on compromise

Vishing is often just the entry point. Once the attacker gets what they need, they may move on to:

  • Account takeover
  • Business email compromise
  • Help desk-assisted password reset abuse
  • Internal reconnaissance
  • Financial fraud
  • Further social engineering against coworkers or vendors

Why vishing is effective

Vishing can be highly effective because it bypasses many technical defenses and targets human judgment directly.

Several factors make it dangerous:

  • Voice communication feels more urgent than email
  • Caller ID can be spoofed
  • Live callers can adapt in real time
  • Users may trust “internal” sounding requests
  • Employees may want to be helpful under pressure
  • Phone-based scams can support MFA bypass attempts

Many modern attacks also combine channels. For example, an attacker may send a phishing email first, then call pretending to be IT support. Or they may trigger MFA prompts and follow up by phone to persuade the victim to approve one.

When you’ll encounter vishing

You are most likely to encounter vishing in situations where attackers want fast action, direct trust, or a way around security controls.

Identity and account takeover attempts

Security teams often encounter vishing when attackers already have partial access, such as a known username and password, and need the victim to provide the final step. A phone call can be used to obtain:

  • MFA codes
  • Push approval
  • Password reset cooperation
  • Session-related information

Help desk and service desk abuse

Organizations with password reset processes or support desks are common targets. Attackers may pretend to be:

  • An employee who is locked out
  • A contractor who needs urgent access
  • An executive traveling and unable to log in
  • A new hire needing immediate support

If verification processes are weak, the attacker may gain access through social engineering rather than technical exploitation.

Financial fraud and payment diversion

Finance teams, payroll staff, and executive assistants are frequent vishing targets. Attackers may pose as:

  • A bank representative
  • A vendor
  • A senior executive
  • Legal counsel
  • A payment processor

The goal is often to pressure someone into changing payment details, releasing funds, or disclosing sensitive records.

Executive targeting

Senior leaders are high-value targets because they hold authority and access. Attackers may target executives directly or impersonate them to influence staff.

This is where vishing can overlap with broader fraud schemes such as CEO fraud or business email compromise.

Customer-facing industries

Banks, healthcare providers, retailers, and call centers often see vishing as both an internal and customer-facing fraud issue. In these environments, voice-based identity verification becomes especially important.

Incident response and security awareness

During incident response, teams sometimes discover that the initial compromise began with a phone call rather than malware or a malicious attachment. Vishing also appears often in security awareness programs because it is a direct test of whether staff verify requests independently.

Common vishing scenarios

Some of the most common real-world examples include:

  • A caller pretending to be IT support asking for an MFA code
  • A fake bank fraud agent requesting account verification
  • A spoofed executive call demanding an urgent wire transfer
  • A “vendor” asking to update payment instructions
  • A help desk scam asking the victim to install remote access software
  • A voicemail claiming a legal or tax issue requires immediate action

These attacks succeed when the requested action feels urgent enough to skip normal checks.

How to reduce vishing risk

Organizations can reduce vishing risk by combining user awareness with process controls.

Good practices include:

  • Require independent verification for sensitive requests
  • Never approve MFA prompts based only on a phone call
  • Train help desks to follow strict identity verification steps
  • Use documented payment change procedures
  • Teach staff to treat urgency as a warning sign
  • Encourage reporting of suspicious calls and voicemails
  • Protect passwords and accounts with strong password management such as Try 1Password →
  • Strengthen endpoint protection on employee systems with tools like Get Malwarebytes →

For individuals who frequently handle business communications or travel, secure network habits also matter. In some cases, a reputable VPN such as Check NordVPN pricing → may be useful when working from public or untrusted networks, though it does not prevent vishing by itself.

Conclusion

Vishing is phishing delivered by voice. It works by using trust, authority, and urgency to get people to reveal information or take risky actions they would normally question.

Because it targets people directly, vishing can bypass technical defenses and become a serious risk for identity security, fraud prevention, and incident response. The best defense is a mix of process discipline, verification culture, user awareness, and layered security controls.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.