Vishing: Phone Call Phishing Explained
A retired teacher in Ohio answered her phone in March 2026. The caller ID showed "Social Security Administration." The caller — professional, calm, authoritative — explained that her Social Security number had been used in a money-laundering operation in Texas. An arrest warrant had been issued. To resolve it, she needed to verify her identity by providing her SSN, date of birth, and bank account number. She complied. Within 48 hours, $34,000 had been withdrawn from her retirement account.
Vishing — voice phishing — is social engineering conducted over the phone. It exploits the human tendency to trust voice communication more than text. A phone call feels personal, immediate, and authoritative in ways that email cannot match.
Why Vishing Works
Caller ID is trivially spoofable. Attackers use VoIP services that allow them to display any phone number they want. Your phone shows "IRS," "Chase Bank," or "Local Police" because the attacker programmed it to. Caller ID was designed as a convenience feature, not a security mechanism — it provides zero authentication.
Voice creates urgency and authority. A live human voice speaking authoritatively triggers compliance instincts that text cannot. When someone says "this is Agent Thompson from the IRS" in a serious tone, your body's stress response activates. You shift from critical thinking to compliance mode.
Real-time manipulation. Unlike phishing emails (which are static), a vishing caller adapts in real time. If you express doubt, they have rebuttals prepared. If you ask questions, they provide convincing answers. If you try to hang up, they escalate the urgency. This dynamic interaction makes vishing far harder to resist than reading an email.
Got a suspicious phone call?
Describe what they said — we'll identify the scam pattern.
Free · No signup required · Cmd+Enter to scan
Common Vishing Scripts
The government threat.
"This is Special Agent Williams from the Social Security Administration. Your Social Security number has been linked to suspicious activity involving narcotics trafficking. A warrant has been issued for your arrest. To resolve this without law enforcement action, I need to verify your identity. Can you confirm your Social Security number and date of birth?"
The SSA, IRS, and other agencies do not call to threaten arrest. They communicate by mail. No government agent will ask for your SSN over the phone — they already have it.
The bank fraud alert.
"Hello, this is the fraud department at Chase Bank. We've detected unauthorized transactions on your account totaling $2,847. To secure your account, I need to verify your identity. Can you confirm the last four digits of your card and your online banking password?"
Banks do call about fraud — but they never ask for your full password. They verify your identity through security questions they set up, not by asking you to hand over credentials.
The tech support scam.
"This is Microsoft Technical Support. Our systems have detected that your computer is infected with a critical virus that is transmitting your personal data to hackers. I need you to go to your computer right now so I can walk you through removing it."
Microsoft does not make unsolicited support calls. Ever. The "fix" involves granting remote access to your computer, after which the scammer installs actual malware or demands payment.
AI Voice Cloning: The 2026 Escalation
The most alarming vishing development is AI voice cloning. With as little as 10 seconds of audio — scraped from social media videos, voicemail greetings, or conference presentations — attackers can generate a synthetic voice that sounds identical to someone you know.
"Mom, it's me. I'm in trouble. I was in a car accident and I got arrested. I need you to wire $5,000 for bail. Please don't tell Dad. Can you do it right now?" — AI-generated voice clone targeting the mother of a college student. The voice was cloned from an Instagram video.
The FBI reported a 300% increase in AI-assisted vishing attacks between 2024 and 2025, with losses exceeding $1.2 billion. Family impersonation calls — where the attacker clones a child's or spouse's voice — are the fastest-growing category.
How to Defend Against Vishing
Hang up and call back. This is the single most effective defense. If your bank calls about fraud, hang up and call the number on the back of your card. If the IRS calls, hang up and call their published number. If your child calls from an unknown number, hang up and call their known number. Legitimate callers will understand. Scammers will not be there when you call the real number.
Establish family code words. Choose a code word that only family members know. If someone calls claiming to be your child in distress, ask for the code word. AI can clone a voice but cannot produce information it does not have.
Never share credentials or PINs over the phone. No legitimate organization asks for passwords, PINs, full SSNs, or one-time codes over the phone. If someone asks, the call is a scam. Full stop.
Let unknown calls go to voicemail. Scammers rarely leave voicemails because it gives you time to think and verify. If the call is legitimate, the caller will leave a message with a callback number you can verify independently.
Register with the Do Not Call list. While this does not stop criminals, it reduces the volume of legitimate telemarketing calls, making scam calls easier to identify as anomalies.
Report vishing attempts. Report to the FTC at reportfraud.ftc.gov and your phone carrier. You can also analyze suspicious voicemail transcripts at IsThisAScam to confirm whether a message follows known scam patterns.
Received something suspicious? Check it now for free →