Security Education · 8 min read

What Is Vishing? Voice Phishing Calls Explained

Vishing (voice phishing) uses phone calls to steal credentials, money, or personal data. AI voice cloning has made it dramatically more convincing in 2025–2026. This guide covers how vishing works, the six most common attack scripts, and what to do if you receive a suspicious call.

Published April 17, 2026 · Updated regularly

What Is Vishing?

Vishing (voice + phishing) is a social engineering attack conducted over the phone. An attacker calls the victim — or leaves a convincing voicemail — impersonating a trusted institution: a bank, the IRS, Social Security Administration, Medicare, a tech company, or even a known person using AI-cloned audio.

The goal is the same as email phishing — extract credentials, financial information, or money — but the channel exploits human voice dynamics: real-time conversation pressure, authority cues in tone of voice, and the difficulty of verifying caller identity on an incoming call.

The FBI's Internet Crime Report recorded $4.57 billion in losses from phone-based fraud in 2023 alone. Vishing consistently ranks among the top three fraud categories by total dollar loss.

Phishing vs Vishing vs Smishing

                         | Phishing                         | Vishing                             | Smishing
Channel                  | Email                            | Phone / voicemail                   | SMS / text message
Delivery                 | Written message                  | Live or recorded voice              | Text message with link
Primary hook             | Malicious link or attachment     | Authority and urgency in real-time  | Malicious link or callback number
Bypass method            | Domain spoofing, lookalike URLs  | Caller ID spoofing                  | Short URLs, link preview disabled
AI enhancement           | AI-written convincing text       | AI voice cloning                    | AI-personalized text at scale
Verification difficulty  | Moderate (check sender domain)   | High (caller ID easily spoofed)     | Moderate (check link domain)
Common targets           | Broad or targeted                | Older adults, executives            | Broad, mobile users

Why AI Voice Cloning Changed Everything

Until 2023, cloned-voice vishing was easy to detect because synthetic voices sounded robotic or generic. That changed with AI voice synthesis tools that need only 3–30 seconds of audio to produce a convincing clone. Samples are easy to obtain: LinkedIn video introductions, YouTube presentations, podcast appearances, TikTok posts, or even a 10-second voicemail greeting.

The FBI and FTC both issued formal warnings in 2024 about AI-cloned voice attacks. The two most dangerous categories:

The Grandparent Scam (AI Edition)

Attackers clone a grandchild's voice from a social media video and call grandparents claiming to be in an emergency — accident, arrest, medical crisis. The voice sounds exactly like their grandchild. Losses average $9,000 per victim. The AARP estimates AI-enhanced versions of this scam have increased reported losses by 300% since 2023.

CEO Fraud Voice Calls

Finance employees receive a real-time call from what sounds exactly like their CEO requesting an urgent wire transfer. The clone is generated from publicly available audio. Combined with a spoofed caller ID showing the CEO's office extension, the attack is extremely convincing. Average loss per successful attack: $50,000–$500,000 for mid-market companies.

Critical update: Voice alone is no longer sufficient verification for financial requests. Establish a family safe word and a corporate out-of-band verification procedure. When in doubt, hang up and call back on a number you independently verify.

6 Common Vishing Attack Scripts

Real scripts used in documented attacks — understand the pattern to recognize it under pressure.

1. Bank / Financial Institution Impersonation

"This is the fraud department at Chase Bank. We've detected suspicious activity on your account. To prevent your account from being frozen, I need to verify your identity. Can you confirm your account number and the last four digits of your Social Security Number?"

Why it works: Bank fraud departments really do call about suspicious activity, which makes the call plausible. The urgency ("prevent freezing") and authority ("fraud department") short-circuit rational thinking. Real banks never ask for a full SSN on an unsolicited call.

Red flag: Asks for SSN or full account number. Hang up and call the number on the back of your card.

2. IRS / Tax Authority Scam

"This is Officer Michael Davis from the IRS Criminal Investigation Division. You have an outstanding tax debt of $4,200. A federal warrant has been issued for your arrest. To avoid immediate action, you must pay today by wire transfer or IRS-approved gift cards."

Why it works: Fear of arrest and the authority of the IRS create panic. Many targets don't know that the IRS never initiates contact by phone (it uses certified mail) and never accepts gift cards.

Red flag: IRS never calls first, never demands immediate payment, and never accepts gift cards. This is always a scam.

3. Tech Support / "Your Computer Is Infected"

"This is Microsoft Support. Our monitoring system has detected a critical virus on your Windows computer. If you don't take action in the next 30 minutes, your files will be permanently encrypted. I'll guide you through the removal process — please go to your computer now."

Why it works: Microsoft has trained users to fear malware. Remote access requests seem like legitimate troubleshooting. Once granted, attackers install real malware, steal banking credentials, or demand "removal fees."

Red flag: Microsoft, Apple, Google, and antivirus companies never proactively call you. If you receive this call, hang up immediately.

4. Social Security Administration Fraud

"Your Social Security Number has been suspended due to suspicious activity linked to a drug trafficking case in Texas. A temporary SSN will be issued once you verify your identity and confirm your current address and date of birth. This call is being recorded."

Why it works: "SSN suspended" and "drug trafficking" create maximum fear. The recording notice implies legal consequences for non-compliance. The SSA does not suspend Social Security Numbers.

Red flag: SSA does not suspend SSNs. Any caller claiming this is a scammer. Report to SSA's OIG at 1-800-269-0271.

5. CEO / Executive Impersonation (AI Voice)

A call from the CEO's cloned voice: "Hi, it's [CEO name]. I'm in a board meeting and I need you to process an urgent wire transfer of $45,000 to a new vendor. It's time-sensitive — I'll send you the account details by text. Don't mention this to anyone else on the team yet."

Why it works: AI voice cloning makes this sound exactly like the real CEO. Authority plus secrecy ("don't mention to anyone") prevents the victim from checking with colleagues. The request to "send details by text" shifts to a text-based channel the attacker controls.

Red flag: Always verify financial requests from executives via a direct call-back to a known number or in-person confirmation. Voice alone is no longer sufficient verification.

6. Grandparent / Family Emergency Scam (AI Voice)

A call that sounds exactly like a grandchild: "Grandma/Grandpa, it's me [name]. I've been in an accident and I'm in jail. I can't let Mom and Dad find out. I need you to send $3,000 in gift cards to cover bail — my lawyer will call you with instructions."

Why it works: AI voice cloning using 30 seconds of video scraped from social media makes this indistinguishable from the real grandchild. Fear for a family member's safety overrides skepticism. The secrecy instruction prevents verification.

Red flag: Hang up and call the grandchild directly on their known number. If you cannot reach them, call another family member. Never send gift cards for bail.

Callback Phishing: When Email Leads to a Vishing Call

Callback phishing (also called telephone-oriented attack delivery, or TOAD) starts with an email that contains no malicious link — just a phone number. The email looks like an invoice confirmation, subscription renewal, or security alert and instructs the recipient to call a number to dispute or cancel.

Because the email contains no URL and no attachment, it passes every URL-scanning and anti-phishing email filter. The entire attack happens on the phone call. BazarCall and BazaLoader campaigns using this technique caused over $500 million in losses in 2022–2024.

Example callback phishing email

Subject: Your Norton subscription has been renewed — $349.99

Body: Thank you for renewing your Norton 360 subscription. Your account has been charged $349.99. If you did not authorize this charge, call our billing team immediately at 1-888-XXX-XXXX to cancel and receive a full refund within 24 hours.

No link. No attachment. No sender domain to flag. The entire scam is on the call — where the attacker asks for remote access to "process the refund" and then steals banking credentials.

Gorganizer detects callback phishing emails by identifying the pattern: large fabricated dollar amounts, subscription/renewal language, a phone number as the only call to action, no legitimate unsubscribe header, and known callback phishing sender patterns — even without any URL to scan.
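As an added example that is not Gorganizer's code or anything from this page, the following Python scores a raw email against the signals listed above: a phone number as the only call to action, no URL, a dollar amount, subscription or renewal wording, urgency language, and no List-Unsubscribe header. The two sample messages, the regular expressions and the threshold are my own constructed assumptions; the lure is modelled on the Norton example above with a fictional 555 phone number.

```python
import re
from email import message_from_string

# Constructed lure modelled on the example above; 555-01xx numbers are fictional placeholders.
LURE = """From: Norton Billing <billing@renewal-notice.example>
Subject: Your Norton subscription has been renewed - $349.99

Thank you for renewing your Norton 360 subscription. Your account has been
charged $349.99. If you did not authorize this charge, call our billing team
immediately at 1-888-555-0100 to cancel and receive a full refund within 24 hours.
"""

# Constructed benign receipt: carries a List-Unsubscribe header and a link, no urgency.
BENIGN = """From: Example Shop <orders@shop.example>
Subject: Your order #1234 has shipped
List-Unsubscribe: <mailto:unsub@shop.example>

Your order has shipped. Track it at https://shop.example/track/1234
Questions? Call us at 1-800-555-0199 during business hours.
"""

PHONE_RE = re.compile(r"\b(?:1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
MONEY_RE = re.compile(r"\$\s?\d{2,3}(?:,\d{3})*(?:\.\d{2})?")
SUBSCRIPTION_RE = re.compile(r"\b(?:renew(?:ed|al)?|subscription|invoice|charged)\b", re.I)
URGENCY_RE = re.compile(r"\b(?:immediately|urgent|today|within \d+ hours?)\b", re.I)

def score_callback_phishing(raw):
    """Count TOAD signals in a raw RFC 822 message; a phone number with no URL at all counts extra."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # assumes a single text/plain part
    signals = {
        "phone_number_present": bool(PHONE_RE.search(text)),
        "no_url": URL_RE.search(text) is None,
        "dollar_amount": bool(MONEY_RE.search(text)),
        "subscription_language": bool(SUBSCRIPTION_RE.search(text)),
        "urgency_language": bool(URGENCY_RE.search(text)),
        "no_unsubscribe_header": msg.get("List-Unsubscribe") is None,
    }
    phone_only_cta = signals["phone_number_present"] and signals["no_url"]
    return sum(signals.values()) + (2 if phone_only_cta else 0), signals

def is_callback_phishing(raw, threshold=6):
    """Assumed threshold: six or more points flags the message for review."""
    return score_callback_phishing(raw)[0] >= threshold
```

The lure scores on every signal while the receipt only trips the phone-number check, which on its own is not suspicious; in a real filter the sender-pattern signal would be added from a reputation feed.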

6 Ways to Protect Yourself from Vishing

1. Never give out sensitive data on an incoming call

Hang up and call back on the official number (from the institution's website or the back of your card). A legitimate caller will always accept this. A scammer will object, create urgency, or stay on the line to prevent you from hanging up.

2. Verify before any financial action

Gift card purchases, wire transfers, and cryptocurrency sends are irreversible. Any caller who demands payment in gift cards, wire, or crypto before you can verify their identity is running a scam — no exceptions, regardless of how official they sound.

3. Know what legitimate organizations will never ask

IRS: never calls first, never accepts gift cards. Social Security: never suspends your SSN. Banks: never ask for your full SSN, CVV, or password over the phone. Microsoft/Apple: never proactively call about your computer. These are absolute rules — any caller violating them is a scammer.

4. Treat AI voice cloning as a real threat

Establish a family safe word or out-of-band verification method for emergency financial requests. A cloned voice sounds exactly like the real person — voice alone is no longer sufficient verification for any financial request. Always call back on a known number.

5. Register with the Do Not Call Registry — and stay skeptical anyway

The FTC's National Do Not Call Registry (donotcall.gov) reduces legitimate telemarketing but does not stop scammers, who are already operating illegally. Call screening apps (Hiya, Nomorobo, your carrier's built-in tools) can flag known scam numbers before you answer.

6. Watch for callback phishing emails

Some vishing attacks begin with a phishing email containing only a phone number — no malicious link, just a fake invoice or "confirm your order" message. The email passes URL scanners but the scam happens on the call. Suspicious emails with only a phone number and urgency language are callback phishing lures.

Frequently Asked Questions

What is vishing?

Vishing (voice phishing) is a social engineering attack conducted over the phone. An attacker calls the victim — or leaves a voicemail — impersonating a trusted entity such as a bank, the IRS, Social Security Administration, or tech support, and uses urgency, fear, or authority to extract sensitive information, payment, or access credentials. Unlike email phishing, vishing exploits the human voice and real-time conversation dynamics.

What is the difference between phishing, vishing, and smishing?

Phishing is the umbrella term for social engineering attacks that impersonate trusted entities to steal information. The delivery channel determines the subtype: phishing uses email, vishing uses voice calls or voicemail, and smishing uses SMS text messages. All three may be used together in a single coordinated attack — for example, a phishing email that instructs the victim to call a phone number (vishing), or a smishing text containing a link (phishing) that leads to a page asking to verify by phone (vishing).

How do I know if a call is a vishing attack?

Key red flags: (1) Unsolicited call claiming urgency — "your account will be frozen in 24 hours." (2) Caller asks for your full Social Security Number, bank account number, credit card CVV, or passwords. (3) Caller tells you to keep the call secret, or discourages you from hanging up and calling back on the official number. (4) Caller offers to "verify" by reading back partial account information (obtained from a data breach) to seem legitimate. (5) Caller asks you to wire money, buy gift cards, or send cryptocurrency. Legitimate banks, government agencies, and tech companies never ask for gift card payments or instruct you to stay on the line while you take action.

What is AI voice cloning and how is it used in vishing?

AI voice cloning uses machine learning to generate synthetic audio that sounds like a specific person from just 3–30 seconds of audio sample. Attackers scrape voice samples from public videos (LinkedIn introductions, YouTube interviews, TikTok posts) and use tools like ElevenLabs or similar platforms to clone a person's voice. The clone is then used in real-time calls or pre-recorded voicemails impersonating a family member, executive, or trusted individual. The "grandchild emergency scam" and "CEO fraud phone call" are the two most common AI voice vishing attacks.

What should I do if I think I've been vished?

Immediately: (1) Hang up and do not call back the number the caller gave you. (2) Look up the official number for the organization they claimed to represent and call it directly. (3) If you provided financial information, contact your bank immediately to freeze or monitor the account. (4) If you provided Social Security information, place a credit freeze at all three bureaus (Equifax, Experian, TransUnion). (5) Report the call to the FTC at ReportFraud.ftc.gov and the FCC's complaint center. (6) If the attacker impersonated the IRS, report to the Treasury Inspector General at 1-800-366-4484.

How does vishing relate to email phishing?

Vishing and email phishing are frequently used together. Common combination attacks: (1) Callback phishing — a phishing email with no link, only a phone number to call; the "danger" is inside the call, not the email, bypassing URL-scanning filters. (2) Multi-channel attacks — a smishing text with a link, followed by a vishing call to "verify" the transaction. (3) Pre-call email — an email "confirming" a call the victim will receive, reducing suspicion when the vishing call arrives. Email security tools detect callback phishing lures by identifying emails that contain only a phone number and a fake invoice or order confirmation.

Detect Callback Phishing in Your Gmail Inbox

Gorganizer catches callback phishing emails — the ones with no link, just a fake invoice and a phone number — using 1,751+ detection signals including dedicated TOAD attack detectors.