Vishing: the voice phishing playbook, and how to stop it.
Vishing is phishing by phone. AI voice cloning has removed its biggest tell, the unfamiliar voice, so the defense is now a habit, not an ear. Here is how it works and how to shut it down.
What vishing is, and how it differs from phishing
Phishing, smishing, and vishing are the same con delivered through different channels: email, text message, and voice, respectively. The goal is always to impersonate someone you trust and manufacture enough urgency that you act before you verify. Vishing is uniquely effective because a live voice feels personal and immediate, and because, unlike an email, there is no time to re-read it. The US Cybersecurity and Infrastructure Security Agency treats it as a core social-engineering technique, and imposter scams of this kind were the most-reported fraud category as US losses topped 10 billion dollars in 2023.
How a vishing attack unfolds
Almost every vishing call follows the same three beats. Recognizing them in the moment is most of the defense.
Impersonate
The caller claims to be your bank's fraud team, a government agency, an executive, or a relative in trouble, often with a spoofed caller ID or a cloned voice to match.
Manufacture urgency
A crisis is invented: a fraudulent charge, an arrest, an emergency. You are told to act immediately and to keep it secret, so you cannot pause or check.
Move the asset
The ask bypasses normal controls: a wire, gift cards, crypto, a one-time passcode, or remote access. Once it is sent, it is almost impossible to recover.
AI voice cloning removed the last tell
For years the giveaway was a voice that did not sound right. That is gone. A convincing clone now needs only seconds of public audio from a podcast, a voicemail greeting, or a social clip, so an attacker can sound exactly like your CFO or your daughter. This is why AI voice scams and executive-impersonation fraud have climbed, and why the old advice, trust the voice, is now a liability. The durable defense is to verify the audio and the request, not to rely on recognition.
The vishing scripts you will actually meet
Bank fraud department
"We've detected fraud on your account. Move your money to a safe account now." Real banks never ask this.
Government or tax threat
Claims of unpaid tax, a warrant, or a compromised ID, demanding immediate payment, often in gift cards or crypto.
Tech support
A "Microsoft" or "Apple" agent says your device is infected and needs remote access or a fee to fix it.
Executive (CEO) fraud
A cloned executive instructs a finance employee to wire funds urgently and confidentially. See the fraud use case.
Family emergency
A cloned relative claims an accident or arrest and needs money now. Disproportionately targets older people.
Account verification
A call or voicemail asks you to "confirm" a one-time passcode or password to stop a login, handing the attacker access.
Signs a call is vishing
Any one of these is a reason to slow down. Two or more together, treat the call as hostile.
- 01Urgency and secrecy. You are told to act now and not to tell anyone, so you cannot pause or verify.
- 02An unexpected channel. A call, not the letter or app your bank actually uses, from a number you cannot confirm.
- 03A request that bypasses normal controls. A wire, gift cards, crypto, a one-time passcode, or remote access to your device.
- 04A familiar voice you did not expect. With AI cloning, a relative or executive can be impersonated from seconds of public audio.
- 05Refusal to be called back. A real institution is fine with you hanging up and dialing the number on your card.
The defense is a habit, not a gadget
A cloned voice is convincing, but it cannot survive a callback to a number you already trust or a question that is not searchable online.
Hang up and call back
End the call and dial the organisation on the number from your card, statement, or contacts, never the number the caller gives you.
Agree a code word
Families and finance teams should share a private word in advance. Anyone claiming an emergency must say it. Never post it online.
Verify the audio
Save the voicemail or recording and run it through the detector for a citable verdict on whether the voice was AI-generated.
Never send wire transfers, gift cards, crypto, or one-time passcodes on the strength of a phone call. If money moved or nearly did, report it to the FTC at reportfraud.ftc.gov and, for financial loss, the FBI's IC3. For the wider threat picture, see the dangers of AI voices, and for verification technique, how to verify AI audio.
Common questions
What is vishing?
What is the difference between vishing, phishing, and smishing?
What are common examples of vishing?
How has AI voice cloning changed vishing?
How do I protect myself from vishing?
How do I report a vishing attack?
Got a call that felt off? Verify it.
Save the voice note and check whether the voice was AI-generated. Free for a single verdict.