Hang Up and Verify: Defending Against Voice Phishing

Most people are trained to be cautious with suspicious emails. Fewer people expect a scam to come through a phone call. That is exactly why voice phishing, also called vishing, has become so effective.

A phone call feels personal. You hear a voice. The caller sounds confident. They may already know your name, department, or workplace. The conversation feels legitimate, and attackers count on that reaction.

What Voice Phishing Is

Voice phishing is an attack in which someone uses a phone call or voicemail to trick a person into sharing sensitive information, approving a request, or granting access to an account or system. The caller often pretends to be from IT support, a bank, a vendor, law enforcement, or another trusted organization.

Some attackers now use caller ID spoofing so the number appears legitimate. Others use artificial intelligence to mimic real voices or create believable automated messages.

Common Tactics

Fake IT Support Calls

A common tactic is pretending to be IT support. The caller may claim there is a problem with your account, suspicious activity on the network, or a password issue that needs immediate attention. They might ask you to approve a login request, share a verification code, or install remote access software.

Urgent Financial Warnings

Another approach involves fake financial or security alerts. Attackers may claim there has been fraud on your account or an unauthorized purchase that requires urgent action. The goal is to create panic so you react before thinking through the request.

Callback Scams

Voicemails are also used in these attacks. A message may direct you to call a number back immediately to avoid account suspension, payroll issues, or legal trouble.

Protective Steps

A few habits can prevent most voice phishing attacks:

  • Do not trust caller ID alone, since phone numbers can be spoofed.
  • Never share passwords, MFA codes, or sensitive information over the phone.
  • Hang up and call back using a trusted number from an official website or directory.
  • Be cautious of pressure or urgency. Legitimate organizations allow time to verify requests.
  • Treat unexpected calls involving money, credentials, or account access with extra caution.

If You Were Targeted

If you shared credentials or approved a suspicious request, change your password immediately and notify your supervisor. If financial information was involved, contact the appropriate institution right away. Then report the incident to your IT help desk.