Home · Vishing

Vishing: the voice phishing playbook, and how to stop it.

Updated July 2026

Vishing is phishing by phone. AI voice cloning has removed its biggest tell, the unfamiliar voice, so the defense is now a habit, not an ear. Here is how it works and how to shut it down.

Suspected vishingInbound call
Pressure
Urgent · secret
Ask
Wire / gift cards
Vishing, short for voice phishing, is a scam carried out over a phone call or voice message. An attacker impersonates a trusted party, a bank, a government agency, tech support, or a relative, and uses urgency to pressure you into sending money or sharing sensitive information. AI voice cloning now lets them sound like someone you know, so the reliable defense is to verify the request through a channel you already trust before acting.
Definition

What vishing is, and how it differs from phishing

Phishing, smishing, and vishing are the same con delivered through different channels: email, text message, and voice, respectively. The goal is always to impersonate someone you trust and manufacture enough urgency that you act before you verify. Vishing is uniquely effective because a live voice feels personal and immediate, and because, unlike an email, there is no time to re-read it. The US Cybersecurity and Infrastructure Security Agency treats it as a core social-engineering technique, and imposter scams of this kind were the most-reported fraud category as US losses topped 10 billion dollars in 2023.

Anatomy of a call

How a vishing attack unfolds

Almost every vishing call follows the same three beats. Recognizing them in the moment is most of the defense.

01 . Pretext

Impersonate

The caller claims to be your bank's fraud team, a government agency, an executive, or a relative in trouble, often with a spoofed caller ID or a cloned voice to match.

02 . Pressure

Manufacture urgency

A crisis is invented: a fraudulent charge, an arrest, an emergency. You are told to act immediately and to keep it secret, so you cannot pause or check.

03 . Extract

Move the asset

The ask bypasses normal controls: a wire, gift cards, crypto, a one-time passcode, or remote access. Once it is sent, it is almost impossible to recover.

Why it got worse

AI voice cloning removed the last tell

For years the giveaway was a voice that did not sound right. That is gone. A convincing clone now needs only seconds of public audio from a podcast, a voicemail greeting, or a social clip, so an attacker can sound exactly like your CFO or your daughter. This is why AI voice scams and executive-impersonation fraud have climbed, and why the old advice, trust the voice, is now a liability. The durable defense is to verify the audio and the request, not to rely on recognition.

A cloned voice looks human to the ear but carries a synthesis signature a detector can read
Common scams

The vishing scripts you will actually meet

Bank fraud department

"We've detected fraud on your account. Move your money to a safe account now." Real banks never ask this.

Government or tax threat

Claims of unpaid tax, a warrant, or a compromised ID, demanding immediate payment, often in gift cards or crypto.

Tech support

A "Microsoft" or "Apple" agent says your device is infected and needs remote access or a fee to fix it.

Executive (CEO) fraud

A cloned executive instructs a finance employee to wire funds urgently and confidentially. See the fraud use case.

Family emergency

A cloned relative claims an accident or arrest and needs money now. Disproportionately targets older people.

Account verification

A call or voicemail asks you to "confirm" a one-time passcode or password to stop a login, handing the attacker access.

Red flags

Signs a call is vishing

Any one of these is a reason to slow down. Two or more together, treat the call as hostile.

  • 01Urgency and secrecy. You are told to act now and not to tell anyone, so you cannot pause or verify.
  • 02An unexpected channel. A call, not the letter or app your bank actually uses, from a number you cannot confirm.
  • 03A request that bypasses normal controls. A wire, gift cards, crypto, a one-time passcode, or remote access to your device.
  • 04A familiar voice you did not expect. With AI cloning, a relative or executive can be impersonated from seconds of public audio.
  • 05Refusal to be called back. A real institution is fine with you hanging up and dialing the number on your card.
Save a suspicious voice note before you act, so it can be verified and reported
How to stop it

The defense is a habit, not a gadget

A cloned voice is convincing, but it cannot survive a callback to a number you already trust or a question that is not searchable online.

Do

Hang up and call back

End the call and dial the organisation on the number from your card, statement, or contacts, never the number the caller gives you.

Do

Agree a code word

Families and finance teams should share a private word in advance. Anyone claiming an emergency must say it. Never post it online.

Do

Verify the audio

Save the voicemail or recording and run it through the detector for a citable verdict on whether the voice was AI-generated.

0.48s
Median verdict
99%
Accuracy on clean audio
24+
Generators named
24h
Audio deleted after

Never send wire transfers, gift cards, crypto, or one-time passcodes on the strength of a phone call. If money moved or nearly did, report it to the FTC at reportfraud.ftc.gov and, for financial loss, the FBI's IC3. For the wider threat picture, see the dangers of AI voices, and for verification technique, how to verify AI audio.

FAQ · Vishing

Common questions

What is vishing?
Vishing, short for voice phishing, is a social-engineering scam carried out over a phone call or voice message. The attacker impersonates a trusted party, a bank, a government agency, tech support, or a relative, and uses urgency to pressure the target into sending money or revealing sensitive information.
What is the difference between vishing, phishing, and smishing?
They differ by channel. Phishing uses email, smishing uses text messages, and vishing uses voice calls or voicemails. The playbook is the same: impersonate someone trusted and manufacture urgency. Vishing is especially dangerous now because AI can clone a specific voice.
What are common examples of vishing?
Bank or card-fraud department impersonation, government and tax-agency threats, tech-support scams, delivery or account-verification calls, executive-impersonation (CEO) fraud aimed at finance teams, and grandparent or family-emergency scams aimed at older relatives.
How has AI voice cloning changed vishing?
It removed the biggest tell, an unfamiliar voice. A convincing clone now needs only seconds of sample audio, so an attacker can sound exactly like a relative or a boss. That is why verifying the audio and the request out of band matters more than ever.
How do I protect myself from vishing?
Do not act on an inbound call. Hang up and call back on a number you already trust, never one the caller gives you. Never send wire transfers, gift cards, crypto, or one-time codes on the strength of a call. Agree a family or team code word, and verify any suspicious recording with a detector.
How do I report a vishing attack?
In the US, report to the FTC at reportfraud.ftc.gov and, for financial loss, the FBI's IC3 at ic3.gov, plus your bank and local police. Other countries have equivalent fraud-reporting bodies.

Got a call that felt off? Verify it.

Save the voice note and check whether the voice was AI-generated. Free for a single verdict.

Open detectorFraud detection