What is Vishing?

Last reviewed by Moderation API

Vishing is voice phishing. An attacker calls the victim and impersonates a bank, tax authority, or tech-support agent to extract credentials, payment details, or remote access to a device.

Modern vishing increasingly layers AI voice cloning on top of the traditional script, so the caller can impersonate someone the victim already knows and trusts: a spouse, a CEO, a child.

The classic vishing attack flow

A typical vishing call combines three ingredients. Spoofed caller ID displays a trusted number. The caller poses as an authority figure, usually a fraud department, IRS agent, Social Security Administration investigator, Medicare representative, local police officer, or Microsoft technician. Then comes manufactured urgency: your account has been compromised, a warrant has been issued, your benefits will be suspended.

The IRS has publicly flagged impersonation calls as one of the most persistent phone fraud schemes targeting U.S. consumers, and the Social Security Administration Office of the Inspector General runs an ongoing public-awareness campaign specifically about SSA impostor calls. The FBI IC3 and FTC both track vishing losses in the hundreds of millions of dollars annually.

Robocalls, STIR/SHAKEN, and carrier defenses

Vishing operates on top of the wider robocall economy. YouMail's Robocall Index has regularly measured billions of robocalls placed to U.S. numbers each month, a large share of which are fraudulent.

In response, the FCC mandated STIR/SHAKEN, a protocol that cryptographically authenticates caller ID information as it passes between carriers, making large-scale spoofing materially harder on major networks. Carrier tools like AT&T ActiveArmor, T-Mobile Scam Shield, and Verizon Call Filter use STIR/SHAKEN attestation plus heuristics to block or label suspected scam calls, and Google's Pixel Call Screen uses an on-device assistant to answer calls on the user's behalf.
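
The attestation these tools consume travels with the call as a signed PASSporT token (a JWT) in the SIP Identity header. The following Python is an added example, not code from this page or from any carrier: it applies the claim checks a terminating side can make once the ES256 signature has been verified against the `x5u` certificate, which is assumed to have happened already. The label names, the 60-second freshness window and all sample values are assumptions.

```python
import base64
import json

LABELS = {"A": "verified", "B": "partially-verified", "C": "gateway-only"}  # hypothetical labels

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_passport(token):
    """Split a compact PASSporT (JWT) into its header and claims dicts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("header and payload must be JSON objects")
    return header, claims

def label_call(token, from_tn, to_tn, now, max_age=60):
    """Label an inbound call from its PASSporT claims.
    Assumes the ES256 signature was already verified against the x5u certificate."""
    try:
        header, claims = parse_passport(token)
    except ValueError:
        return "unverified"
    if (header.get("alg"), header.get("typ"), header.get("ppt")) != ("ES256", "passport", "shaken"):
        return "unverified"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        return "stale"  # replayed or delayed token
    orig, dest = claims.get("orig"), claims.get("dest")
    if not isinstance(orig, dict) or orig.get("tn") != from_tn:
        return "caller-id-mismatch"  # signed number differs from the displayed one
    if not isinstance(dest, dict) or to_tn not in (dest.get("tn") or []):
        return "caller-id-mismatch"  # token was issued for a different callee
    return LABELS.get(claims.get("attest"), "unverified")

# Constructed sample: fictitious numbers, placeholder signature, example.org URL.
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.org/sti.pem"}
SAMPLE_CLAIMS = {"attest": "A", "dest": {"tn": ["12025550187"]}, "iat": 1700000000,
                 "orig": {"tn": "12025550123"}, "origid": "00000000-0000-4000-8000-000000000001"}
SAMPLE_TOKEN = ".".join([b64url_encode(SAMPLE_HEADER), b64url_encode(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(label_call(SAMPLE_TOKEN, "12025550123", "12025550187", now=1700000005))
```

Attestation level A means the originating provider vouches for both the customer and their right to use the number; B vouches for the customer only, and C only marks where the call entered the network, which is why a valid signature alone is not treated as a trust signal.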

Variants: callback scams, tech support, and AI voice cloning

Several distinctive vishing variants are worth naming:

  • Callback scams leave a single missed call from an expensive international premium-rate number, betting that the victim will call back out of curiosity.
  • Tech-support scams impersonate Apple, Microsoft, or Geek Squad, often starting as a pop-up warning and escalating into a phone call that ends with the victim installing remote-access software.
  • AI voice cloning has reshaped vishing since around 2023. With only seconds of source audio, attackers can now run real-time impersonations of family members for ransom-style scams or of executives for wire-fraud calls. The shift has been documented in FTC consumer alerts and in research from firms like McAfee and Pindrop.

Detection and platform responsibility

The durable individual defense has not changed.

If a call claims to be from your bank, the IRS, or any authority, hang up and call back using the official number printed on your card or the organization's verified website. Banks increasingly add transaction friction such as step-up authentication, 24-hour transfer holds, and challenge questions, specifically to interrupt vishing-driven wire fraud.

On the platform side, VoIP providers bear growing responsibility under FCC rules to authenticate originating traffic, and messaging apps that offer voice calling face similar pressure to detect impersonation and fraud patterns. Moderation systems on adjacent text and voice channels contribute by flagging scam scripts and coordinated impersonation campaigns before they reach an audience.
