Our Top 20 Vishing Red Flags & Prevention Tips for Consumers & Merchants
In a Nutshell
Imagine you click a link, but suddenly, a blue screen pops up, insisting you call a toll-free number for a “critical fix” to your device. When you call, the voice on the other end of the line asks you for sensitive personal information. This could be an insidious case of a “vishing” scam. This article will explain everything you need to know about vishing scams, including how they work and how to avoid them altogether.
Avoiding Vishing Scams: Everything You Need to Know to Spot & Prevent Phone Scams
Ever feel like you’re being inundated with unwanted robocalls? You’re not imagining things… you probably are.
Americans received roughly 2.5 billion robocalls across the first 9 months of 2025, and many of them were malicious in nature. 68% of US adults report receiving scam calls on a weekly basis, higher than the proportion of adults who say they receive malicious emails (63%) or fraud-related SMS messages (61%).
The good news, at least for consumers, is that chargeback protections can help neutralize some of the financial fallout if they end up falling victim to a vishing (or “voice phishing”) attack. The bad news is that equally innocent merchants are ultimately forced to shoulder the burden, leading to lost sales and dampened profitability.
In this article, we take a look at vishing fraud. We’ll explore how it works, discuss how it impacts businesses, and talk about what you can do to protect your store from voice calling scams.
What is Vishing?
Vishing [noun] /və • SHiNG/
Vishing, often called voice phishing, is a form of cybercrime that leverages telephone calls to illicitly obtain sensitive personal information. Scammers employ social engineering strategies to persuade victims into disclosing confidential details, such as bank account access, over the phone.
Like all forms of phishing, vishing relies on creating a sense of urgency and legitimacy to dupe the victim. Callers frequently pose as representatives from reputable institutions like government agencies, tax offices, or the victim's own bank to gain their trust.
To compel action, these fraudsters often resort to aggressive tactics. Some employ intimidating language framed as legal advice to coerce victims into complying. The scammer may insinuate that the victim could face legal repercussions if they don’t follow the scammer’s instructions. Another common approach is to leave ominous voicemails insisting on immediate callback. The message threatens outcomes like arrest or account suspension to induce a sense of panic.
In the end, the caller’s goal is to trick their victim into handing over sensitive information. Account numbers, passwords, personal data — all are common targets for vishing scammers.
How Does Vishing Work?
Executing a successful vishing attack generally involves a bit more nuance than merely dialing random numbers. Scammers often prepare in advance and come armed with confidential details they've already snagged through other means like emails, bogus websites, or data breaches. This data is then leveraged to build trust and persuade victims into sharing critical information.
You might be asked for additional details during the call, like your full name and address. These fraudsters could also record your voice as you give verbal consent, which they may use for biometric spoofing. Or, in some cases, you might receive an accompanying text or email that prompts you to enter sensitive data.
Here's a breakdown of the typical vishing process:
While getting you to engage in a live call is usually the goal, many vishing scammers know that they can’t reach a victim on the first dial. For this reason, bad actors may leave seemingly legitimate voicemails with spoofed callback numbers to add an extra layer of authenticity to the scam and increase the odds that targets will voluntarily call them back.
If someone claiming to be from the government, your bank, or another authority leaves a voicemail requesting a callback, ignore the request. To decrease the odds of being caught in a vishing scam, look up the official customer service hotline online and dial that number instead.
Common Vishing Attack Vectors
A crucial element in any phishing attack, including vishing, is the use of social engineering tactics. That’s why maintaining a healthy skepticism of any caller employing forceful, urgent, or persuasive language is essential.
Vishers often impersonate callers from trusted institutions like Microsoft, Amazon, or healthcare providers. None of these entities would call to ask for sensitive financial information or security codes over the phone, though.
Here's a rundown of ten common strategies employed in vishing attacks:
#1 | Automated Dialing
Scammers target specific area codes and kickstart an automated message that impersonates a local institution, like a bank or police department. The message may prompt the listener to divulge personal and financial details under the guise of account verification or security checks.
#2 | VoIP Masking
VoIP technology allows fraudsters to hide behind untraceable numbers, often masquerading as local or toll-free numbers. Some even configure VoIP numbers to appear as if they're originating from credible institutions like hospitals or government agencies.
#3 | Caller ID Manipulation
In this approach, scammers tamper with the caller ID to disguise their identity. They often appear as "unknown," or mimic legitimate entities like the IRS or law enforcement.
#4 | Dumpster Diving
Scammers may scrounge through waste bins behind banks or corporate buildings to find useful information. They use the information gathered to launch targeted vishing attacks known as “spear-vishing.”
#5 | Alarmist Messages
Scammers leave voicemails that create a sense of urgency, like warnings of compromised bank accounts or pending IRS action. When you return the call, they're primed to collect your sensitive information.
#6 | Pre-Attack Info Gathering
Some elaborate schemes involve detailed research on potential victims to establish credibility and lower the target's guard. This makes such attacks harder to identify.
#7 | Multichannel Attacks
In addition to phone calls, attackers might send emails as a part of their scheme. The email serves as a precursor to the phone call, creating a false sense of security and verification.
#8 | Phony VPN Setups
Posing as IT support, fraudsters may guide employees to log into a fake VPN page. Through this dummy page, they can capture login credentials to infiltrate an organization’s network.
#9 | Encouraging Callbacks
Also known as “reverse vishing,” the scammer leaves a message asking the victim to return the call about an urgent matter, often providing a case number for added legitimacy. Because the victim initiates the call, they're more inclined to trust the situation.
#10 | Counterfeit Two-Factor Authentication
With this tactic, the scammer sends a false two-step verification request from a reputed service like Google or Apple. The scammer poses as customer support. When the victim engages, the scammer collects the verification code and gains account access.
These methods prey on the human propensity to trust and act urgently during phone interactions. That’s why it’s important to always remain cautious. Seek to confirm the identity of anyone requesting personal or financial information over the phone.
AI voice cloning tools are increasingly being co-opted by vishing scammers to make highly targeted scam calls. According to IBM, AI vishing scams exploded by 442% in 2024 and are expected to rise even further in the years to come.
How Big of a Threat is Vishing? 2024–2025 Statistics
How big of a threat is vishing? In one word? Huge.
Thanks to the accessibility of generative AI tools, even the least sophisticated bad actors can launch highly personalized and seemingly credible scams that, when successful, can cost consumers and merchants hundreds or even thousands of dollars.
Despite aggressive call filtering initiatives from carriers and mobile phone operating systems, it’s likely that vishing will only become more of a nuisance over time. One-third of Americans report receiving at least one spam call per day. Globally, an estimated 24.9% of calls from unknown numbers are spam or fraud, including over half in high-risk regions like Chile and Indonesia.
Unfortunately, this constant, unrelenting barrage of scam calls has real consequences. 24% of surveyed respondents say they were successfully deceived into disclosing personally identifying information as part of a scam. 48% say that they’ve been ensnared in credit or debit card fraud.
The financial consequences of this are alarming. According to FTC data, vishing attacks resulted in median fraud losses of $1,500 per incident in 2024, more than what was lost in a typical smishing ($1,000) or email phishing ($600) incident.
US-Based Fraud Attack Channel Data (2024)
| Fraud Channel | # of Reports | Total Losses | Median Losses |
| --- | --- | --- | --- |
| Email (Phishing) | 371,651 | $502 million | $600 |
| Phone call (Vishing) | 284,659 | $948 million | $1,500 |
| Text message (Smishing) | 246,784 | $470 million | $1,000 |
| Social Media | 186,826 | $1.85 billion | $409 |
| Website or Apps | 186,663 | $976 million | $200 |
| Other | 148,288 | $1.07 billion | $633 |
| Physical mail | 42,108 | $90 million | $990 |
| Online ad or pop-up | 42,023 | $246 million | $180 |
Vishing can cause businesses to face far more catastrophic losses. For example, banks that are targeted in vishing attacks report average losses of $600,000 per incident. 10% report losses exceeding $1 million.
Vishing Examples: Case Studies of High-Profile Vishing Attacks
Statistics can give you a general idea of the fraud landscape. But what do vishing attacks look like on a more granular level? Here are a few notable cases that will help illustrate the scale of the problem in more concrete terms:
In June 2025, five Pakistani nationals — Ruknuddin “Rick” Charolia, Aamir Ali Arif, Shearyar Arif, Fizza Farid, and Faizan Saleem — were indicted by a grand jury in the United States District Court for the Northern District of Illinois for their role in a fraudulent Medicare scheme.
As part of the ploy, the defendants stole “Medicare beneficiaries’ identification numbers and other confidential health information” and “used artificial intelligence to create fake recordings of Medicare beneficiaries purportedly consenting to receive certain products,” like over-the-counter Covid-19 test kits. The defendants then illegally sold these numbers and fake recordings to laboratories “knowing the records and recordings would be used to support fraudulent claims for reimbursement to Medicare and Medicare Advantage Plans.”
In total, the five defendants submitted roughly $703 million in fraudulent claims to Medicare and Medicare Advantage plans, which paid out about $418 million. As part of their probe into the case, the US government “seized approximately $44.7 million from various bank accounts” from the defendants.
In May 2021, 20-year-old Maryland resident Jordan K. Milleson was sentenced to two years in federal prison, followed by one year of supervised release, for his role in an account takeover scheme.
Between September 2017 and July 2020, Milleson “used techniques such as phishing and vishing to deceive victims into visiting… fraudulent websites and providing their credentials to access their electronic accounts.”
After gaining access, Milleson used SIM swapping techniques to take over victims’ mobile phone numbers as well, which allowed him to “gain unauthorized access to the victims’ other electronic accounts, including email, social media, and cryptocurrency accounts. Milleson and his co-conspirators changed the passwords to the accounts to prevent the victims from accessing their own accounts.”
As a consequence of these account takeovers, Milleson caused victims to lose tens of thousands of dollars worth of cryptocurrency, as well as followers (and associated income and brand deals) on their social media accounts. In addition to his prison sentence, Milleson will be required to pay $34,329.01 in court-ordered restitution.
In 2019, three Romanian nationals from Ploiesti — Robert Codrut Dumitrescu, 41, Teodor Laurentiu Costea, 42, and Cosmin Draghici, 29 — pleaded guilty in the United States District Court for the Northern District of Georgia to defrauding victims in the US of over $21 million.
From October 2011 through February 2014, the trio posed as banking representatives and used “interactive voice response and bulk emailing software” to trick thousands of victims into divulging personally identifying information (PII). Once in possession of the PII, the fraudsters would sell the data via illegal brokers on the dark web or use it to commit account takeover fraud.
According to the US Attorney’s Office for the Northern District of Georgia, “At the time of their arrests in Romania, Dumitrescu possessed 3,278 financial account numbers, Costea possessed 36,050 financial account numbers, and Draghici possessed 3,465 financial account numbers — all fraudulently obtained through this scheme.” Following their arrests, the trio were extradited from Romania to Atlanta in 2018 to face charges.
How Vishing Impacts Your Business
As mentioned above, one way carriers and tech companies have tried to fight back is to block suspicious callers before they ever have a chance to connect.
+30%: Year-over-year increase in vishing attacks faced by financial institutions between 2024 and 2025.
Source: BioCatch
$1.2 billion: Annual losses attributable to vishing.
Source: BioCatch
+1,600%: Rise in AI voice cloning scams in early 2025.
Source: Right-Hand Cybersecurity
70%: Percentage of companies and organizations that are at risk of vishing fraud.
Source: Keepnet
60%: Portion of social engineering scams that involved vishing in Q1 2025.
Source: KnowBe4
The downside to aggressive call filtering is that while you do get rid of the vishing calls… you also filter a lot of legitimate ones, too. In the US, about 33% of calls are flagged as spam, a proportion that includes many genuine, non-malicious calls. This leads to sharply negative consequences for businesses:
Whenever you receive wire instructions over phone or email, always verify those details using a second channel. For example, if a vendor calls you and asks you to send a wire, call their personal cellphone number to confirm before initiating a payment. This “never trust, always verify” approach adds friction, but it can prevent you from falling victim to vishing scams.
10 Vishing Red Flags to Be on the Lookout For
The perpetrators are becoming more clever. So, knowing how to spot the red flags and protect yourself from falling victim to vishing scams is crucial.
With that in mind, here are ten red flags to watch for that can help you identify a vishing attempt:
#1 | Unexpected Calls
Be wary if you receive a call you didn't anticipate from an organization, especially one asking for personal or financial information. Legitimate organizations don't request sensitive data over the phone unless you've specifically asked them to call you for a certain purpose.
#2 | Pressure Tactics
Scammers often use high-pressure tactics to force a quick decision. They may claim that your account has been compromised, that you owe money, or that you face some other urgent situation requiring immediate action. Legitimate companies will give you time to think and verify information.
#3 | Generic Greetings
The scam call often starts with a generic greeting like "Dear Customer" instead of using your real name. This is an immediate red flag, as most organizations that would require sensitive information would also use your name to personalize the interaction.
#4 | Call-Back Numbers
If the caller provides a number for you to call back to verify their identity, don't use it. Instead, look up the official contact number for the organization and use that to initiate any further conversations.
#5 | Inconsistencies in Caller ID
Be wary of calls for which the caller ID doesn't match what the caller claims, or is a number that's just slightly off from a familiar number. Spoofing technology can make it appear as though the call is coming from a legitimate source when it's not.
#6 | Request for Unusual Payment
Scammers often ask for payment in non-traditional forms like gift cards, wire transfers, or cryptocurrencies. Legitimate organizations will have standard payment options and will not rush you to use an alternative method.
#7 | Bad Script or Dialogue
Listen for inconsistencies, misspeaking, or language that seems overly complicated or poorly worded. Legitimate organizations typically use clearly scripted language for customer service interactions.
#8 | Background Noise
A legitimate call center will usually sound professional. Be careful if you hear a lot of background noise or what sounds like a home environment.
#9 | Asking to Verify Information
Be suspicious if you are asked to verify information that the organization should already have. This is especially true for sensitive information like your Social Security number or bank account number.
#10 | Two-Step Verification Warning
If you receive a call shortly after receiving a two-step verification request that you didn't initiate, that's a red flag that someone might be trying to hack into your account.
Remember: always trust your gut. If something doesn't feel right or you're uncomfortable, hanging up and verifying the situation through other means is best.
Don't let yourself be pressured into giving away personal or financial information over the phone. The only thing that can help you avoid becoming a victim of vishing scams is being informed and vigilant.
How to Identify Vishing Attempts
Vishing scammers, like many social engineering fraudsters, rely on speed and fear. By slowing down, taking an investigative approach, and testing the caller’s capabilities, you can often expose the ruse. Consider the following tactics:
Scammers typically dial in from external VoIP software and lack the technical ability to route calls within the organization they are impersonating. If a caller claims to be from your bank’s fraud support team, ask them to transfer you to their supervisor or a different department. While a fraudster may make an excuse, hang up, or “transfer” you to a co-conspirator, a real representative can usually perform the transfer without an issue.
AI voice cloning technology is impressive… but imperfect. It often struggles to replicate the natural “room tone” or ambient static of a real phone line. Listen closely for absolute, unnatural silence between words or choppy audio at the end of sentences, which are tell-tale signs that a generative AI model, rather than a real human, is processing your input before responding.
Some vishing operations use soundboards, which are pre-recorded human phrases played by a scammer pressing buttons. To test this, interrupt the caller abruptly in the middle of a sentence with a complex or off-topic question. Because a soundboard cannot adjust dynamically, the recording may continue to play over your question. Or, you may hear a long, unnatural pause while the scammer scrambles for the right button.
Vishing scammers may claim to be alerting you to a blocked transaction or locked account, but they rarely have real-time access to your actual backend status. While keeping them on the line, log in to your account independently using a separate device. If the urgent alert they are describing doesn’t appear in your secure message center or dashboard, the call is a fabrication.
Be hyper-aware of callers who ask repetitive questions designed to elicit a clear “yes” or “I agree” from you, often by pretending they can’t hear you clearly. Bad actors may be attempting to harvest soundbites from your voice print to bypass biometric security layers at banks or other institutions that use voice authentication for identity verification.
What to Do If Your Business Is Targeted or Compromised
If you suspect your business has been the target of a vishing attack, acting quickly and deliberately can help you limit the fallout.
If an employee divulged sensitive credentials during a call, immediately revoke their access, force a password reset across all compromised accounts, and terminate any active sessions.
If your business phone number is being spoofed by vishing scammers, contact your VoIP provider or carrier immediately to report the spoofing. They can sometimes implement “Do Not Originate” (DNO) registry protections that mark your number as inbound only, which can prevent unauthorized users from impersonating your number.
Once the immediate threat is contained, focus on reputation management and transparency.
If your number was spoofed, place a prominent banner on your website or interactive voice response system alerting customers that scammers are impersonating you. This can help mitigate confusion and restore trust from victims who search for your contact info.
If you’ve suffered financial losses, notify your acquirer and bank immediately, and file a formal report with the FBI’s Internet Crime Complaint Center (IC3) to create an official paper trail for insurance purposes.
After the dust settles, conduct a post-mortem to identify how the vishing attempt succeeded.
In addition to general fraud awareness training, implement specific verification challenge protocols where employees must ask callers for a code, keyword, or non-public identifier (like a specific transaction ID) before discussing account details. Think about this as a form of multi-factor authentication that you can implement over the phone.
Consider replicating this internally, too. Establish safewords or code words for your finance teams — passphrases that must be spoken during any phone request for money transfers — to render AI voice cloning attacks ineffective.
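One way to enforce the second-channel confirmation and spoken-passphrase checks described above for phone-initiated payment requests, as an added example (not code from the original article). The `Contact` and `TransferRequest` records, the PBKDF2 work factor, and the sample vendor with its 555-01xx numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Store only a salted hash of the spoken passphrase, never the phrase itself."""
    normalized = " ".join(passphrase.lower().split())  # tolerate case/spacing in speech
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Contact:
    """Record captured at onboarding (trusted data)."""
    number_on_file: str
    salt: bytes
    passphrase_hash: bytes


@dataclass
class TransferRequest:
    """What the person on the phone claims and asks for (untrusted data)."""
    claimed_identity: str
    inbound_caller_id: str        # spoofable, so never used as evidence
    callback_number_offered: str  # supplied by the caller, so never dialed
    spoken_passphrase: str
    confirmed_via_number: str     # number staff actually dialed to confirm, "" if none


def digits(number: str) -> str:
    """Compare phone numbers on digits only, ignoring spaces and punctuation."""
    return "".join(ch for ch in number if ch.isdigit())


def review_transfer(req: TransferRequest, directory: dict) -> tuple:
    """Return (approved, reasons); every failed check is reported, not just the first."""
    contact = directory.get(req.claimed_identity)
    if contact is None:
        return False, ["unknown requester: no record on file"]
    reasons = []
    # Check 1: staff must have placed an outbound call to the number already on
    # file. A matching inbound caller ID is ignored because it can be spoofed.
    dialed = digits(req.confirmed_via_number)
    if not dialed:
        reasons.append("no second-channel confirmation made")
    elif dialed != digits(contact.number_on_file):
        reasons.append("confirmation call did not go to the number on file")
    # Check 2: the agreed passphrase must be spoken; compared in constant time.
    candidate = hash_passphrase(req.spoken_passphrase, contact.salt)
    if not hmac.compare_digest(candidate, contact.passphrase_hash):
        reasons.append("passphrase missing or incorrect")
    return (not reasons), reasons


def build_demo_directory() -> dict:
    """Constructed sample data: one fictional vendor and passphrase."""
    salt = os.urandom(16)
    return {"Acme Supplies": Contact("+1 202 555 0143", salt,
                                     hash_passphrase("copper lantern nine", salt))}


if __name__ == "__main__":
    directory = build_demo_directory()
    # Caller ID looks right, but staff "confirmed" by dialing the number the
    # caller offered, and no passphrase was given: both checks fail.
    spoofed = TransferRequest("Acme Supplies", "+1 202 555 0143",
                              "+1 202 555 0199", "", "+1 202 555 0199")
    print(review_transfer(spoofed, directory))
    # Confirmed by calling the number on file, correct passphrase spoken.
    genuine = TransferRequest("Acme Supplies", "+1 202 555 0143", "",
                              "Copper lantern nine", "+1 (202) 555-0143")
    print(review_transfer(genuine, directory))
```

The gate deliberately never reads `inbound_caller_id` or `callback_number_offered`: both come from the caller, so neither can count toward approval.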
How to Prevent Vishing Attacks: Tips for Consumers & Merchants
Vishing attacks are a pervasive problem affecting not just individual consumers, but merchants and businesses, too.
Consumers are often targeted for their personal and financial information. Merchants, however, are vulnerable to more elaborate schemes to compromise their systems, steal customer data, and conduct fraudulent transactions.
Both parties need to be vigilant and employ robust preventive measures to protect against attacks. Here are our top 10 tips for consumers and merchants to avoid vishing scams:
For Consumers
- Two-Factor Authentication (2FA): Enabling 2FA on all your online accounts adds an extra layer of security by requiring a second form of verification, like a text message or authenticator app, in addition to your password.
- Email Vigilance: Be careful with unsolicited emails, particularly those that ask for personal information or contain links and attachments. Verify the sender's address, look for grammatical errors, and be suspicious of generic greetings.
- Regular Software Updates: Keep all your software and antivirus programs up to date. Security patches are regularly released to fix vulnerabilities that vishers could exploit.
- Check URLs: Before clicking on a link, hover over it to see where it leads. A mismatch between the text of the link and the actual URL is a red flag. Also, ensure that websites use the HTTPS protocol, indicated by a padlock icon in the address bar, for added security.
- Education & Training: Stay informed about the latest phishing tactics and how to recognize them. A well-informed user is the first line of defense against phishing attacks.
For Merchants
- Employee Training: Educate employees about the risks of phishing attacks and how to recognize them. Conduct simulated phishing tests to evaluate their readiness and reinforce training.
- Secure Payment Systems: Use secure and updated payment gateways to handle transactions. Ensure compliance with Payment Card Industry (PCI) security standards to protect customer data.
- Network Security: Implement robust firewalls and intrusion detection systems. Regularly monitor and audit network traffic for suspicious activity.
- Access Control: Limit access to sensitive data to authorized personnel only. Use strong, unique passwords and employ multi-factor authentication for critical information systems.
- Regular Backups: Keep frequent backups of important data to mitigate the damage in case of a successful attack. Ensure that backup systems are also secure to prevent them from becoming a secondary target for attackers.
By adopting these practices, consumers and merchants can significantly reduce the risks of vishing attacks. Vigilance, education, and a strong security infrastructure are key in defending against this ever-evolving threat.
FAQs
What is the difference between phishing and vishing?
Phishing is a type of online scam that often uses email to deceive recipients into revealing sensitive information or clicking on malicious links. Vishing, short for “voice phishing,” takes the scam to the phone lines, where fraudsters use voice calls to trick individuals into giving away personal details.
Phishing often relies on text communication, usually via email. Vishing uses spoken conversation to exploit victims.
What is a vishing attack?
Vishing, often called voice phishing, is a form of cybercrime that leverages telephone calls to illicitly obtain sensitive personal information. Scammers employ social engineering strategies to persuade victims into disclosing confidential details, such as bank account access, over the phone.
How common are vishing attacks?
Very common. According to data from Statista, nearly 70% of survey participants have experienced vishing attempts, a 30% increase compared to 2020. Furthermore, 1 in 3 Americans admit to being a victim of a phone scam, and 1 in 5 Americans say they've fallen for a phone scam more than once.
What is the meaning of vishing?
Vishing is a portmanteau that is short for “voice phishing.”
What are the signs of vishing?
Signs of a vishing attack often include unsolicited phone calls from unknown or spoofed numbers claiming to be reputable entities, such as banks or government agencies. The caller usually employs urgent or threatening language to create a sense of immediacy, pressuring the recipient into divulging sensitive information. Additionally, the scammer might already possess some personal information to appear more convincing, using it to request further confidential details or verification codes.
What is vishing vs. phishing?
Vishing and phishing are both forms of social engineering fraud. The difference is that phishing involves malicious emails, while vishing (or “voice phishing”) involves malicious calls or voicemails.
What is a common tactic used in vishing attacks?
Impersonating trusted contacts or authority figures, like a bank, law enforcement, or the government, is one of the most common tactics used in vishing attacks.
Why is it called vishing?
Vishing is short for “voice phishing.” It’s called this because it's a variant of phishing that involves voice-based channels, like calls or voicemails.