What is vishing?
Voice phishing explained
Vishing is short for "voice phishing," and it's exactly what it sounds like: fraud over the phone. Scammers call you (or leave voicemails) pretending to be someone trustworthy: your bank, the taxman, or even a colleague. Their goal is to trick you into handing over sensitive information or transferring money.
Unlike email phishing, which relies on you clicking a dodgy link, vishing puts a human voice (or a very convincing AI one) on the other end of the line. That immediacy and the pressure of real-time conversation make it surprisingly effective.
How vishing attacks work
A typical vishing attack unfolds in a few stages. First, attackers gather background information about their targets, often scraped from social media or past data breaches. Then they prepare their setup: cheap VoIP phone lines and spoofed caller IDs that mimic legitimate organisations.
When the call comes through, the scammer creates urgency. Your account's been "compromised," there's "suspicious activity," or you're about to face legal trouble if you don't act now. According to a March 2026 report from Programs.com, vishing attacks surged by 442% in 2024, and around 70% of organisations have fallen victim to these calls.
The pressure works. People share passwords, PINs, or one-time codes without stopping to think. Sometimes the attacker asks you to transfer funds to a "safe" account or to grant them remote access to your computer under the guise of tech support.
Common vishing scenarios to watch for
Here are a few examples that crop up time and again:
- Bank fraud alerts: A caller claims there's been unusual activity on your account and asks for your PIN to "verify your identity."
- Tax or government scams: Someone posing as HMRC or another authority threatens fines or arrest unless you pay immediately.
- Tech support fraud: You're told your computer has a virus and that you need to download software or hand over remote access.
- AI voice cloning: Attackers use seconds of recorded audio to impersonate executives or family members in distress, requesting urgent transfers.
That last one is particularly worrying. AI-driven vishing saw a 14-fold surge by early 2026, according to Vectra AI, making it harder than ever to trust a familiar-sounding voice.
How to protect yourself and your team
Don't panic if you receive a suspicious call; that's exactly what the scammers want. Hang up. If the call claims to be from your bank or another organisation, look up their official number (don't use the one the caller gave you) and ring them back.
Legitimate institutions won't ask for your password, PIN, or security codes over the phone. If someone does, it's a red flag. Training your team to recognise these tactics can make a real difference. As compliance and security professionals know, security awareness training is a key control that strengthens your organisation's resilience.
If your company handles sensitive data or needs to meet standards like ISO 27001 or SOC 2, testing your team's response to social engineering, including vishing, is part of building a strong control environment. Services like phishing tests can help you measure awareness and close gaps before attackers find them.