Digital Security Awareness - Vishing: Theft of Information via Phone Call
Vishing (Voice Phishing): Using Phone Calls to Deceive Victims into Divulging Confidential Information
Vishing is a powerful and deceptive method attackers use to steal account credentials and sensitive information.
What is vishing?
Vishing (voice phishing) works like phishing, but uses phone calls instead of email to impersonate trusted individuals or institutions and manipulate victims into sharing information such as passwords, banking details, or other sensitive data. Attackers rely on psychological manipulation, urgency, and trust to exploit unsuspecting targets.
How it works
- The victim receives a phone call from someone who appears to be a legitimate employee of a trusted entity, or even of the victim's own organization.
- The caller claims there’s an urgent issue that needs immediate action.
- They ask the victim to provide sensitive information to "resolve the issue."
- The attacker then uses that information to steal account credentials and other valuable assets.
Example: A scammer calls an employee, posing as the company’s IT support team. They claim there is a critical issue with the employee’s workstation and request their login credentials to resolve it immediately. The attacker pressures the employee by stating that failure to act could result in system downtime.
Example: A scammer contacts an employee pretending to be a vendor the company frequently works with. They claim there is an issue with an unpaid invoice and ask the employee to verify their company credentials to confirm the account. The attacker uses urgency to pressure the employee into compliance.
Protecting your organization
- Be skeptical of unsolicited calls: someone calling unexpectedly is a red flag. Take your time to verify the caller before taking action.
- Verify the caller's identity: never provide sensitive information over the phone to an unsolicited caller. Hang up and call back using an official number if something seems off.
- Be skeptical of urgent requests: vishing attacks often create a sense of urgency, such as threats of account closure or legal action. Don't let fear drive your decisions; take the time to verify the situation.
- Multi-factor authentication: enforce the use of multi-factor authentication. Although many providers offer SMS-based MFA, prefer an authenticator app to prevent account takeover via SIM swap.
- Refuse to share one-time passcodes (OTP): scammers may try to trick you into sharing OTPs. These codes exist for your security and should never be shared with anyone over the phone.
Vishing is a sophisticated form of social engineering that can lead to credential theft and employee account takeover. Avoid falling victim by arming your organization with the knowledge and tools required to recognize vishing. Employee training and awareness significantly reduce the risk of successful attacks, transforming employees from potential vulnerabilities into a robust line of defense.
This follow-up post is part of a blog series I'm writing called Digital Security Awareness for Non-Technical Professionals.