Vishing

The most useful tell in a vishing call is not that the caller sounds suspicious. It is that the caller asks you to verify your identity to them.

Genuine organisations that initiate contact by phone do occasionally ask you to confirm details for security purposes. But the standard practice at most banks and government agencies is the reverse: they expect you to authenticate the call, not to provide credentials to prove you are who the caller thinks you are. When a caller presents themselves as from your bank, then asks for your card number, PIN, or a one-time code to confirm your identity, the authentication is running in the wrong direction.

How vishing works

Vishing uses phone calls, robocalls, voicemail, or VoIP to reach a target and collect information or transfer funds. The attacker constructs a scenario that makes the request seem legitimate and urgent: a fraud alert on the account, a tax liability, a problem with a delivery, a family member in trouble.

Caller ID spoofing allows the displayed number to be replaced with any number the attacker chooses. A call appearing to come from your bank’s main number, or from a government agency, or from a family member’s phone, may be coming from anywhere. The displayed number is not authentication.

Robocalls automate the initial contact at scale. A pre-recorded message filters for responses: press 1 to speak with an agent, confirm your account details now, call this number to resolve the issue. The responses either go directly to an attacker or into an automated flow that collects credentials without human involvement.

AI-generated voice synthesis has made impersonation more difficult to detect by ear. A call purporting to be from someone you know, with a voice that sounds like them, may not be.

Patterns worth knowing

  • The caller creates urgency: the account will be frozen, a warrant is about to be issued, the payment is already in transit and needs to be reversed now

  • The caller discourages you from hanging up to verify: “do not call the bank separately as it will delay resolving your case”

  • The caller asks for a one-time code you receive during the call, which they claim is for verification: the code is for authorising a transaction or account recovery, not for your benefit

  • The call requests an unusual payment method: gift cards, wire transfer, cryptocurrency
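The third pattern above is only obvious to the person on the phone if the code's message says what the code is for. As an added example that is not part of the original article, the Python sketch below shows the service-side control a bank can apply: every one-time code is derived from, and bound to, one specific action; the message delivered to the customer names that action; and the code is rejected for any other action or after it expires. The function names, message wording and sample values are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: the service's code-signing secret.
# A real deployment would keep this in an HSM/KMS and rotate it.
SERVER_SECRET = secrets.token_bytes(32)


def _code_for(secret: bytes, record: dict) -> str:
    """Derive the 6-digit code from the action the record describes.

    Because the purpose, details, nonce and issue time are all inputs to the
    HMAC, a code issued for one action cannot be replayed for another.
    """
    ctx = "|".join(str(record[k]) for k in ("purpose", "details", "nonce", "issued")).encode()
    digest = hmac.new(secret, ctx, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_code(secret: bytes, purpose: str, details: str, ttl: int = 300, now=None):
    """Issue a code bound to one action and build the message the customer receives.

    Returns (code, record, message). The service stores only `record`; the code
    is re-derived at verification time, so it never sits in a database.
    """
    issued = int(time.time() if now is None else now)
    record = {
        "purpose": purpose,      # e.g. "transfer", "password reset"
        "details": details,      # what the code concretely authorises
        "nonce": secrets.token_hex(8),  # one code per issued action
        "issued": issued,
        "ttl": ttl,
    }
    code = _code_for(secret, record)
    # The message states the action so that a customer being coached over the
    # phone can see that the code authorises a transaction, not "verification".
    message = (
        f"Your code {code} authorises: {purpose} ({details}). "
        "It does nothing else. Staff will never ask you to read it out."
    )
    return code, record, message


def verify_code(secret: bytes, code: str, record: dict, purpose: str, details: str, now=None) -> bool:
    """Accept the code only for the exact action it was issued for, within its lifetime."""
    now = int(time.time() if now is None else now)
    if now - record["issued"] > record["ttl"]:
        return False
    if purpose != record["purpose"] or details != record["details"]:
        return False
    # Constant-time comparison so verification timing leaks nothing about the code.
    return hmac.compare_digest(_code_for(secret, record), code)


if __name__ == "__main__":
    # Constructed scenario: a transfer is initiated, the customer receives the
    # message, and the same code is then tried against a different action.
    code, record, message = issue_code(SERVER_SECRET, "transfer", "500.00 to account ending 4421")
    print(message)
    print("transfer accepted:", verify_code(SERVER_SECRET, code, record, "transfer", "500.00 to account ending 4421"))
    print("password reset with same code:", verify_code(SERVER_SECRET, code, record, "password reset", "account ending 4421"))
```

Binding the code to the action does not stop a customer from reading it out, but it changes what the message says: the customer sees "authorises: transfer (500.00 to account ending 4421)" rather than a bare number, and a leaked code is useless for anything except that one transaction within its lifetime.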

What to do

Hang up. Call back on a number from the organisation’s official website or the back of your card. Do not use a number the caller provided.

If in doubt during a call, say you will call back. A genuine organisation will not object. If the caller objects, or insists you stay on the line, that is the information you needed.