In this article:
Vishing—a word created by combining "voice" with "phishing"—is a form of fraud that uses phone calls and voicemail messages to trick victims into revealing personal information for criminal purposes. Here are some tips on how to recognize and avoid vishing scams.
How Vishing Attacks Happen
Vishing attacks involve fraudulent calls that claim to be from reputable sources such as major companies, financial institutions or government agencies. A vishing call may come from a live person or in the form of a prerecorded "robocall" message. The criminals behind vishing attacks can be quite sophisticated and professional-sounding, so it can be difficult to tell a vishing call from a legitimate business or telemarketing call.
Vishing is a type of phishing scam—a scheme designed to extract personal information for purposes of fraud. Criminals may use the information they obtain for purposes of identity theft, including taking out a loan or credit card in your name. Vishing is closely related to smishing, which uses text messages to entice victims into disclosing personal information.
The exact content will vary, but a typical vishing call or message pretends to notify you that you must take action in one of the following common scenarios:
- To prevent a lapse in service: This might include cancellation of insurance coverage or closure of a credit card or bank account.
- To collect money: You may be informed you've won a sweepstakes or lottery prize, have an unclaimed bank account or will receive an inheritance from a long-lost relative.
In the case of a live caller, the vishing scammer typically explains that addressing the "urgent" matter requires you to provide your Social Security number (SSN), bank account information, credit card number or other personal information. This is required, they say, to confirm your identity, enable a money transfer or cover a missed payment that's putting your service at risk.
If you receive a vishing robocall, it will likely prompt you to press a number on your phone keypad to be connected with a live person, while a vishing voicemail will tell you to call a number, which will be answered by a vishing scammer.
How to Protect Yourself From Vishing Attacks
Whether you answer a call, press your keypad or return a message, you're typically at greatest risk when connected with a live vishing scammer, as these are typically professional con artists—practiced, persistent and persuasive. Here are some tips for avoiding their tricks.
- Be wary if a caller asks for personal information. If a business or agency that already has your personal information calls you, it should already know who you are. So, if a caller urges you to disclose account numbers, passwords or other personal information, you should immediately be on the alert. Say you prefer to call back to confirm that you're talking to the organization they claim to represent, and then do so, using a number retrieved from account paperwork or the organization's website (not a number supplied by the potential crook). A caller from an organization that cares about keeping your data safe should accept that willingly, while a scammer will press you to stay on the call. In that case, hang up fast.
- Don't rely on caller ID. As easily as they lie with their voices, vishing fraudsters can use the trick of caller ID "spoofing" to falsely identify themselves on your phone display. Just because caller ID says a call is from Social Security, your financial institution, or a major company doesn't necessarily mean that's true. So instead of trusting caller ID to assure you a call originates from an official source, take it as a warning to be on guard.
- Don't trust based on what a caller knows about you. Sophisticated scammers may have acquired some of your personal information through data breaches or other fraudulent means, and their vishing expedition could be an attempt to gain additional information they need to steal your identity. Just because a caller knows an account number, your mother's maiden name, the last four digits of your SSN or even the whole nine-digit number doesn't necessarily mean you can trust them.
- Avoid the conversation altogether. A good tactic for calls that aren't flagged by caller ID as coming from friends or family is to let them all go to voicemail. Even the most convincing vishing voicemail is far less treacherous than speaking live with a seasoned scammer.
- Question the source. If you receive a call or retrieve a message that urges immediate action to avoid calamity (or claim a fortune), pause a moment before responding and ask yourself a few questions:
- Do you have a relationship with this company or organization that would prompt them to be calling you? If you haven't entered any sweepstakes lately, for example, you can't have won a prize. If the message seems to come from an organization you know, does the message contradict anything you know about them? For instance, does a caller's claim track with your latest credit card or bank statement?
- Is the subject of the call something that shouldn't be addressed by phone? If the IRS is seeking back taxes, a financial institution is considering closing your account or a lawyer has information about an inheritance, they'll notify you by mail, not over the phone.
- Does anything about the call just feel "off"? Is the caller promising to fix a problem with a computer or phone that's working fine? Are they demanding payment on an account you know is current (or that you're not even sure you have)?
If the answers to any of these questions give you pause, the call is likely bogus. If you're concerned there may really be an issue with whatever organization the caller claims to represent, call them yourself using a number you've verified.
What to Do if You're a Victim of Vishing Fraud
If you have been victimized by a vishing fraud or have reason to believe a call or message originated with a scammer, you can report the matter to local law enforcement, and then take their advice on whether to notify additional state or federal authorities. The following national agencies also have authority to pursue vishing fraud:
- The Federal Trade Commission (FTC) tracks and investigates phone-based fraud through its website and via a toll-free phone number: 877-382-4357 (TTY: 866-653-4261).
- The National Do Not Call Registry follows up on nuisance telemarketing calls and "robocalls."
- The Federal Communications Commission (FCC) investigates cases of caller ID spoofing.
The Bottom Line
If you're concerned that vishing scammers have tricked you into disclosing personal information, or if a fraudster reveals they already have some of your personal data, it may be prudent to monitor your credit history for signs of unauthorized activity. Experian offers identity theft protection that can alert you to activity on your credit reports (and your children's), and notify you if personal information for you or the kids appears online, including on the hidden "dark web" criminals often use to sell stolen data. In addition, a free personal privacy scan can alert you to personal data listed on "people search" websites, so you can have them removed so fraudsters can't use them when compiling call lists.
Vishing is one of many examples of ways criminals adapt and exploit technology. As always, being aware of criminals' tricks, and taking care to be sure of whom you can trust, can help protect you, your loved ones and your financial well-being.