A guide to vishing

Vishing, a combination of “voice” and “phishing,” is a common strategy used by cyber criminals to exploit unsuspecting individuals. In this blog, we explore how to identify and protect yourself against these attacks.

Soham Bakore

17th May 2024

How does vishing work?

Vishing works by exploiting human psychology to obtain confidential information, also known as social engineering. As opposed to traditional phishing, which typically involves deceiving emails, vishing leverages voice communication via phone calls or voice messages to deceive individuals.

Key characteristics of vishing:

1. Caller ID spoofing:

Vishing is a type of scam that involves the use of caller ID spoofing, an advanced technology that manipulates caller ID information to deceive the recipient. This technique is used to make the call appear as if it is coming from a trusted source, such as a bank, government agency, or technical support team which greatly increases the chances of the victim being tricked into falling for the scam.

2. Urgency and fear tactics

Vishing calls commonly use urgency or fear tactics to force individuals into immediate action. For instance, the caller might pretend that there is a suspicious activity on the victim’s account and threaten legal consequences if sensitive information is not provided immediately. It’s essential to realise that legitimate organisations never ask for instant action over the phone. Being aware of this fact is critical in identifying such scams.

3. Impersonation of trusted entities:

Threat actors frequently impersonate legitimate organisations like banks, government agencies, or tech support services. By leveraging trust in these entities, threat actors attempt to manipulate victims into sharing personal details or performing actions that compromise their security. Verifying the legitimacy of the caller before divulging any information is essential.

Protecting yourself against vishing:

Verify caller identity:

Always verify the identity of the caller, especially if they claim to represent a trusted organisation. Avoid sharing personal information over the phone. Calling the organisation directly using a trusted phone number from their official website or correspondence is the best way to verify caller identity.

Be skeptical of urgency:

It’s important to stay calm and evaluate the situation carefully, particularly if the person on the phone is trying to create a sense of urgency or panic. Genuine organisations usually do not insist on immediate action or make severe threats over the phone. Take some time to verify any claims independently before taking any action.

Enable two-factor authentication (2FA):

As development lifecycles become more agile the shift left approach becomes pivotal. Early integration of security measures is seamlessly interconnected with vulnerability management. Identifying and addressing vulnerabilities during the development phase reduces overall risk and creates a smooth flow from development to deployment.

Report suspicious activity:

If you come across a vishing attempt, report it to the relevant authorities and the organisation being impersonated. This will help protect you and contribute to the collective effort to combat cyber crime.

Examples of vishing scam:

1. Tech support fraud:

A caller claims to be from a tech company and says your computer has a virus. They offer to fix it remotely, but they’re really trying to gain access to your computer or personal information.

2. Bank verification scam:

You get a call from someone posing as your bank, asking for your account details to “verify” your identity. They’re trying to steal your banking information.

3. IRS threats:

Someone pretending to be from the IRS calls, saying you owe back taxes and must pay immediately to avoid legal action. They’re attempting to steal your money or personal information.

4. Utility Disconnection:

A caller claims to be from your utility company, threatening to disconnect your service unless you make an immediate payment over the phone. They’re trying to steal your money or personal information.

5. Fake Lottery Winnings:

You receive a call saying you’ve won a lottery or prize but need to pay taxes or fees upfront to claim it. There is no prize, and they’re trying to steal your money.


Voice phishing (vishing) is a serious threat in today’s world. To protect yourself from these scams, you need to be vigilant, aware, and take proactive measures. Understanding the characteristics of vishing and implementing protective measures can help.

Knowledge is a powerful defense against evolving cyber threats. Stay informed, be skeptical of unsolicited calls, and prioritise the security of your personal information. As technology advances, our awareness and defenses must keep pace to ensure a safe and secure online environment. So, stay safe, stay informed, and contribute to creating a more secure online environment.

If you want to test your organisation against threats such as vishing attacks, check out our red team page.

Subscribe to receive the latest cyber insights


New critical SSH vulnerability released


New critical SSH vulnerability released

In this blog, we cover the new SSH vulnerability CVE-2024-6387 (“regreSSHion”), its impact, and essential actions to secure your systems.

The biggest cyber attacks and vulnerabilities from June 2024


The biggest cyber attacks and vulnerabilities from June 2024

Insights and trends from recent cyber threats and vulnerabilities from June.

Key features your vulnerability management platform must have


Key features your vulnerability management platform must have

In this blog, we delve into the core concepts of vulnerabilities and the significance of a robust vulnerability management platform.