What Is Vishing?
Vishing is the voice-based version of phishing. Instead of sending a fake email or text, the attacker uses spoken communication to create urgency, authority, or trust.
Vishing, short for voice phishing, is a social engineering attack where an attacker uses phone calls, voicemail, or voice messages to trick someone into revealing sensitive information or taking a risky action. Common vishing goals include stealing credentials, capturing MFA codes, redirecting payments, or gaining access to business systems by pretending to be someone trusted.
If you are comparing similar attack types, see what is phishing and what is smishing for related background.
How vishing works
Vishing works because phone calls feel immediate and personal. Many people are more likely to trust a confident caller than a suspicious email, especially if the request sounds urgent or routine.
Most vishing attacks follow a familiar pattern.
Create a believable pretext
The attacker starts with a story designed to sound legitimate. Common examples include:
- “We detected suspicious activity on your account.”
- “This is IT support, and we need to verify your login.”
- “Your payroll information needs urgent confirmation.”
- “A payment is delayed and needs executive approval.”
- “You need to approve an MFA request to stop a compromise.”
The goal is to create a problem the victim feels pressure to solve quickly.
Impersonate a trusted person or organization
Attackers often use real names, job titles, company references, or recent events to sound credible. They may also spoof caller ID so the call appears to come from a known number.
This is especially effective when the attacker has gathered information from:
- Company websites
- Social media profiles
- Press releases
- Breach data
- Previous phishing attempts
- Public employee directories
Apply urgency and pressure
Once the call begins, the attacker usually tries to reduce the target’s willingness to verify independently. They may claim:
- The account will be locked
- Payroll will fail
- Legal action is pending
- A wire transfer must be approved immediately
- An MFA prompt needs urgent approval
- A security incident is actively underway
This pressure is often the most important part of the scam.
Get the victim to act
Depending on the attack, the caller may ask the target to:
- Share a password or one-time passcode
- Approve a push notification
- Reset a password and disclose the temporary one
- Install remote access software
- Send tax, payroll, or customer data
- Transfer funds
- Open a link sent by email or text
The requested action is often framed as routine support or emergency response.
Use the result for follow-on compromise
Vishing is often just the entry point. Once the attacker gets what they need, they may move on to:
- Account takeover
- Business email compromise
- Help desk-assisted password reset abuse
- Internal reconnaissance
- Financial fraud
- Further social engineering against coworkers or vendors
Why vishing is effective
Vishing can be highly effective because it bypasses many technical defenses and targets human judgment directly.
Several factors make it dangerous:
- Voice communication feels more urgent than email
- Caller ID can be spoofed
- Live callers can adapt in real time
- Users may trust “internal” sounding requests
- Employees may want to be helpful under pressure
- Phone-based scams can support MFA bypass attempts
Many modern attacks also combine channels. For example, an attacker may send a phishing email first, then call pretending to be IT support. Or they may trigger MFA prompts and follow up by phone to persuade the victim to approve one.
When you’ll encounter vishing
You are most likely to encounter vishing in situations where attackers want fast action, direct trust, or a way around security controls.
Identity and account takeover attempts
Security teams often encounter vishing when attackers already have partial access, such as a known username and password, and need the victim to provide the final step. A phone call can be used to obtain:
- MFA codes
- Push approval
- Password reset cooperation
- Session-related information
Help desk and service desk abuse
Organizations with password reset processes or support desks are common targets. Attackers may pretend to be:
- An employee who is locked out
- A contractor who needs urgent access
- An executive traveling and unable to log in
- A new hire needing immediate support
If verification processes are weak, the attacker may gain access through social engineering rather than technical exploitation.
Financial fraud and payment diversion
Finance teams, payroll staff, and executive assistants are frequent vishing targets. Attackers may pose as:
- A bank representative
- A vendor
- A senior executive
- Legal counsel
- A payment processor
The goal is often to pressure someone into changing payment details, releasing funds, or disclosing sensitive records.
Executive targeting
Senior leaders are high-value targets because they hold authority and access. Attackers may target executives directly or impersonate them to influence staff.
This is where vishing can overlap with broader fraud schemes such as CEO fraud or business email compromise.
Customer-facing industries
Banks, healthcare providers, retailers, and call centers often see vishing as both an internal and customer-facing fraud issue. In these environments, voice-based identity verification becomes especially important.
Incident response and security awareness
During incident response, teams sometimes discover that the initial compromise began with a phone call rather than malware or a malicious attachment. Vishing also appears often in security awareness programs because it is a direct test of whether staff verify requests independently.
Common vishing scenarios
Some of the most common real-world examples include:
- A caller pretending to be IT support asking for an MFA code
- A fake bank fraud agent requesting account verification
- A spoofed executive call demanding an urgent wire transfer
- A “vendor” asking to update payment instructions
- A help desk scam asking the victim to install remote access software
- A voicemail claiming a legal or tax issue requires immediate action
These attacks succeed when the requested action feels urgent enough to skip normal checks.
How to reduce vishing risk
Organizations can reduce vishing risk by combining user awareness with process controls.
Good practices include:
- Require independent verification for sensitive requests
- Never approve MFA prompts based only on a phone call
- Train help desks to follow strict identity verification steps
- Use documented payment change procedures
- Teach staff to treat urgency as a warning sign
- Encourage reporting of suspicious calls and voicemails
- Protect passwords and accounts with strong password management such as Try 1Password →
- Strengthen endpoint protection on employee systems with tools like Get Malwarebytes →
For individuals who frequently handle business communications or travel, secure network habits also matter. In some cases, a reputable VPN such as Check NordVPN pricing → may be useful when working from public or untrusted networks, though it does not prevent vishing by itself.
Conclusion
Vishing is phishing delivered by voice. It works by using trust, authority, and urgency to get people to reveal information or take risky actions they would normally question.
Because it targets people directly, vishing can bypass technical defenses and become a serious risk for identity security, fraud prevention, and incident response. The best defense is a mix of process discipline, verification culture, user awareness, and layered security controls.