
What Is Vishing and a Vishing Attack?

Vishing is short for "voice phishing," which involves defrauding people over the phone by enticing them to divulge sensitive information. The attacker attempts to obtain the victim's data and use it for their own benefit, typically to gain a financial advantage.

What is a vishing attack? Vishing has the same end goal as many other kinds of cyberattacks. In a digitized business and financial environment, all that stands between a criminal and a victim's money is a set of access credentials, a credit card number, or personal data that can later be used to commit identity theft.

What Is the Difference Between Vishing and Phishing?

Vishing, phishing, and smishing are all cyberattacks with similar end objectives, but they use different channels. Vishing is performed over the phone using a voice call, whether on a landline, a cellular network, or a Voice over Internet Protocol (VoIP) system. Phishing, on the other hand, is executed using email, and smishing uses SMS text messages. This detailed guide on phishing explains the different kinds of phishing techniques criminals use.

In both phishing and vishing, the attacker may use a technique referred to as “baiting.” A baiting attack uses a fake promise to appeal to the victim’s curiosity or greed. Once the attacker has the victim’s attention, they leverage it to trick the target into giving up private information. In this way, vishing and phishing are both social engineering attacks: they exploit the emotions of the target to manipulate them into doing something they would not otherwise do.

Why Are Vishing Attacks Performed?

The main reason vishing attacks are performed is to obtain the sensitive financial information or personal data of the person who answers the phone. In a face-to-face interaction, physical credentials can be inspected, such as identity badges, driver’s licenses, or access cards. Over the phone, the target has little to go on beyond what the caller says, and the caller ID display cannot be trusted either: VoIP services make it easy for an attacker to spoof the calling number so that a call appears to come from a bank or a government agency.

Therefore, another reason vishing attacks are performed is that they are easier to pull off than in-person scams.

What Are the Most Common Vishing Attacks?

Compromised Bank or Credit Card Account

If a visher can obtain a victim’s bank account or credit card information, they can gain access to the victim’s funds. Bank routing numbers can be easily found online, and with the combination of a bank’s routing number and the victim’s personal account number, the attacker can potentially withdraw or transfer funds from that account into their own.

Similarly, with a credit card number, expiration date, and security code, an attacker can make purchases over the phone or online. Even if the purchase is revealed as fraudulent, the attacker, in many cases, can return the item or sell it for a profit.

Unsolicited Loan or Investment Offers

Vishers can catch victims off guard by offering them the opportunity to invest in a project or obtain a loan. Because these kinds of financial transactions often involve divulging personal financial information, if the attacker can convince the victim that their offer is legitimate, the target may have no problem giving up sensitive information.

Medicare or Social Security Scam

Sadly, many attackers focus on people who are sick or elderly. Part of their attack may involve using the victim’s condition as leverage to convince the target they should give up their personal data. This could involve a promise to sign them up for a free offer, get a refund, or receive a check—only after they provide private information.

IRS Tax Scam

With an Internal Revenue Service (IRS) tax scam, the attacker takes advantage of the fact that the person may be afraid the IRS is after them to collect a debt. The attacker can then offer a solution to the problem, or even a refund, if the target is willing to divulge personal data.

How To Identify a Vishing Attack

There is a Frantic Sense of Urgency

A vishing attack often hinges on creating a sense of panic or otherwise applying pressure on the victim so that they act before they have time to think or check. This could include offers of a time-sensitive nature or those that provide a solution to a dire problem.

The Caller Asks for Your Information

Anytime a caller asks for personal information, you should be skeptical. Over the phone there is usually no way to know for sure whether the request is legitimate or part of a vishing scam. It is best to decline, hang up, and call the organization back on a number you look up yourself, such as the one printed on your card or statement, rather than one the caller gives you.

The Caller Claims to Represent the IRS, Medicare, or the Social Security Administration

These are all organizations that people tend to trust and feel comfortable providing with personal information. A real IRS, Medicare, or Social Security agent or representative will already have enough personal information on file to do business with you, so a caller who needs you to supply a Social Security number or account number to “verify” your identity is a warning sign.

What Steps Can You Take to Prevent a Vishing Attack?

Do Not Pick Up the Phone

If you see a suspicious number, let it go to voicemail. You can verify its importance by checking your messages.

Join the National Do Not Call Registry

The National Do Not Call Registry can reduce the number of telemarketing calls you get; legitimate companies that call numbers on the list can face penalties. Criminals running vishing operations ignore the registry, however, so an unsolicited sales call to a registered number is itself a sign that the caller is not a legitimate business.

Hang Up

When in doubt, just hang up the phone.

Do Not Press Buttons or Respond to Prompts

Automated vishing calls depend on feedback from the victim. Pressing a button or answering a question confirms that the number is live and reaches a person, which marks it as a target for further calls. If you refuse to respond, the attack stops there.

Verify the Caller's Identity

Do not rely on the callback number the caller offers or on the name shown by caller ID, since both can be controlled by the attacker. Instead, do an online search for the caller, their company, its physical location, and other information you can use to verify their legitimacy, and call back on the number you found yourself to confirm the request is genuine.

How Do You Recover from a Vishing Attack?

Recovery from a vishing attack depends on what was disclosed and how quickly you act:

  1. Assess the nature of the attack: If you provided financial information, alert the institutions involved immediately so they can monitor or freeze the affected accounts and replace compromised cards.
  2. Notify your organization’s incident response team: Alert them right away if you suspect you have been targeted, since the same caller may be working through other employees.
  3. Check your devices for malware: Keep virus protection on your personal computer up to date so that malware cannot harvest your contact information and feed future attacks.
  4. Ask the financial institution how to protect your data: They know the best ways to secure the information that grants access to their services, such as changing credentials or adding verification steps to your account.

How Fortinet Can Help

Even though the best way to stop vishing attacks from succeeding is to be careful about the information you give out over the phone, preventing cyber criminals from getting hold of your information in the first place, or that of your employees or customers, can stop a vishing attack before it even starts. That is where FortiEDR comes into play.

FortiEDR can protect your endpoints from data exfiltration, helping to ensure that your phone number and those of clients and employees stay within each endpoint in your network. In this way, you make it harder for vishers to obtain the phone numbers they need to launch their attacks.

FortiEDR shrinks the attack surface, detects and mitigates threats, and prevents malware infection, all in real time. You can also automate FortiEDR’s response actions by predefining remediation steps in playbooks you design yourself.