Vishing — voice phishing — is the use of a phone call or voice message to deceive someone into surrendering sensitive information, making a payment, or granting access to an account or system. It is now the dominant form of social engineering faced by both individuals and organisations, and it has been made significantly more dangerous by the adoption of AI-generated voices and caller ID spoofing. Knowing how these calls are structured is the most reliable way to recognise them in real time.
What Vishing Is
Vishing is a form of phishing carried out through voice rather than text. Like its email-based counterpart, it relies on deception rather than technical exploitation — the attacker does not need to break into a system if they can persuade a person to hand over the information or access they need directly.
The term covers a broad range of attacks: an automated recorded message telling you your bank account has been frozen; a live caller posing as an HMRC officer demanding immediate payment; a realistic voice, generated by software, impersonating a colleague asking for login credentials. What they share is the use of voice communication to establish false trust and prompt a response that the target would not otherwise take.
Voice phishing attacks surged between the first and second halves of 2024, with industry reporting indicating a 442% increase over that period. According to cybersecurity incident data from the same period, vishing accounted for the majority of all phishing-related incident response engagements handled by major security firms. It is no longer a marginal threat or a consumer nuisance — it is the primary social engineering method in active use against individuals and enterprises alike.
Why Vishing Works
Several features of voice communication make it significantly more effective for social engineering than text-based methods.
A phone call happens in real time. Unlike a suspicious email, which a recipient can examine, verify, and decide to ignore at leisure, a call places immediate pressure on the target. Decisions must be made quickly, which reduces the time available for sceptical reflection. Attackers exploit this deliberately by introducing urgency — claiming that immediate action is required to prevent account suspension, arrest, or financial loss.
Voice also carries authority that text cannot easily replicate. The tone, pacing, and confidence of a caller create an impression that skilled attackers manage carefully. When combined with caller ID spoofing — which allows a call to display the number of a legitimate organisation such as a bank, government agency, or internal IT helpdesk — the initial instinct of the target is to trust the contact rather than question it.
Attackers also arrive at calls prepared. Information gathered in advance from social media profiles, data breaches, or company directories allows them to greet targets by name, reference recent transactions, mention colleagues, or demonstrate familiarity with the target’s workplace. The presence of accurate personal detail makes the fabrication more difficult to challenge in the moment.
Common Pretexts Used in Vishing Calls
Bank Security Alerts
The caller claims to be from the fraud team at the target’s bank, reporting suspicious activity and requesting verification of account details or card numbers.
HMRC and Government Demands
An automated or live call claims unpaid tax, a warrant for arrest, or an overdue penalty — demanding immediate payment to avoid enforcement action.
IT Helpdesk Impersonation
The caller poses as internal IT support or an external software provider, claiming a security problem on the target’s device and requesting remote access credentials.
Executive or Colleague Impersonation
Particularly in workplace settings, a caller poses as a senior colleague or executive instructing an urgent payment, credential reset, or data transfer.
Parcel and Delivery Fraud
A call claims a package cannot be delivered or requires a customs payment, directing the target to a number or website to provide card details.
Prize and Lottery Calls
The target is told they have won a prize or competition and must provide personal details or pay a release fee to claim it.
The Role of AI in Modern Vishing
The most significant recent development in voice phishing is the adoption of AI-generated voice cloning. Current synthesis technology can produce a convincing replica of a specific person’s voice from a very short audio sample — in some cases only a few seconds. The resulting audio can be deployed in a live call or pre-recorded voicemail with sufficient accuracy to deceive someone who knows the person being impersonated.
This has given rise to attacks in which an employee receives a call appearing to come from a trusted colleague or senior manager, with the voice accurately reproduced, instructing them to transfer funds, share credentials, or approve access. Several high-profile cases have involved exactly this pattern, resulting in significant financial losses before the deception was discovered.
AI has also enabled vishing at scale. Automated systems can now conduct thousands of calls simultaneously, with scripts that adapt dynamically to responses, maintaining the appearance of a genuine conversation without a human attacker on the line. The combination of scale, personalisation, and voice realism has made this a substantially more difficult threat to defend against than the robotic recorded messages of earlier years.
Warning Signs During a Call
- The caller creates immediate urgency — stressing that failure to act now will result in account closure, arrest, a fine, or financial loss
- The caller requests security credentials, PINs, one-time passcodes, or full card details — no legitimate bank or government body will ask for these by phone
- The caller insists you stay on the line while taking action, or asks you not to contact the organisation through any other channel
- The number displayed matches a known organisation, but the caller’s questions or requests do not match the procedures that organisation would follow
- You are asked to install software, visit a website, or enter a code to “help” resolve a problem on your device
- The caller knows some accurate personal information — your name, address, or partial account number — and uses this to establish credibility, but then requests further sensitive details
- The call involves an unexpected request from someone claiming to be a colleague, even if the voice sounds familiar
- There is slight artificiality in the voice — unusual evenness of tone, lack of natural hesitation, audio that sounds slightly processed or flat
- The caller becomes persistent or aggressive when you hesitate or suggest calling back through the official number
No bank, government agency, or legitimate IT department will ever ask for a full PIN, password, or one-time passcode during an inbound call. If a caller requests any of these, the call should be ended immediately, regardless of how convincing it seems.
National Cyber Security Centre — Guidance on Scam Phone Calls
How to Respond During a Suspicious Call
1. Do not provide any information during the call. Even if the caller has some accurate details about you, this does not make them legitimate. Organisations do not require you to confirm sensitive information in response to a call they initiated.
2. End the call immediately. There is no obligation to remain on the line with a suspicious caller. A polite but firm termination of the call is the correct response. Do not allow urgency or pressure tactics to keep you engaged.
3. Wait before calling back. Some fraud attempts keep the line open after you believe you have hung up. After ending a suspicious call, wait a few minutes before dialling again, or use a different phone to ensure the previous connection is fully cleared.
4. Contact the organisation using a verified number. Use contact details from an official website, the back of your bank card, or a printed statement. Never use a number provided by the caller or included in a follow-up message.
5. Verify colleague requests through a separate channel. If a colleague makes an unusual request by phone, confirm it independently. Use a different communication method such as internal messaging, a known mobile number, or an in-person conversation before taking action, even if the voice sounds familiar.
What to Do If You Have Already Responded
If personal details, banking credentials, or a payment were provided before the call was identified as fraudulent, the priority is to act quickly.
- Contact your bank immediately if card details or banking information were shared. Most UK banks have 24-hour fraud lines and can freeze accounts or reverse transactions within a limited window.
- Change passwords for any accounts that were referenced or whose details were discussed during the call.
- Contact your IT or security team if the call related to a workplace system, remote access tool, or company credentials. Time is a significant factor in containing the impact of a compromised account.
- Report the call to Action Fraud at reportfraud.police.uk or by calling 0300 123 2040. In Scotland, contact Police Scotland. Reporting helps map active vishing campaigns and can assist others who are targeted by the same operation.
- Report the number to the NCSC by forwarding any accompanying text message to 7726, and submitting details of the call through the NCSC’s reporting channels.
Prevention Tips
- Establish a personal policy of never providing sensitive information in response to an inbound call, regardless of the caller’s stated identity
- Register with the Telephone Preference Service (TPS) to reduce unsolicited calls from legitimate marketing callers, making suspicious contact easier to identify
- Enable call-screening features offered by your mobile carrier or handset — these can intercept or flag unknown callers before the call connects
- Discuss vishing tactics with others in your household or organisation, particularly those who may be more likely to be targeted — older adults and frontline employees receive a disproportionate share of these calls
- In professional environments, establish a clear protocol for verifying unusual requests that arrive by phone — particularly those involving payments, credential resets, or access grants
- Treat any call that combines urgency with a request for credentials or money as suspect by default, regardless of the number displayed or the confidence of the caller
- If unsure whether a voice call is genuine, note the details and research independently before taking any action
Related Internal Reading
- Investigating an unknown phone number using OSINT — tracing the origin and ownership of a number that was used in a suspicious call
- Verifying a person’s identity online before engaging — broader identity checks relevant when a caller claims to represent a colleague or known contact
- Social engineering red flags in unsolicited communication — the psychological manipulation techniques that underpin vishing and related attacks
Trusted External References
- National Cyber Security Centre — Report a Scam Phone Call — official UK government guidance on how phone scams operate, what to do during a suspicious call, and how to report it.
- Action Fraud — National Fraud and Cybercrime Reporting Centre — the UK’s central reporting point for vishing incidents and phone-based fraud, including live cases and ongoing campaigns.
- Ofcom — Nuisance Calls and Call-Blocking Guidance — the UK communications regulator’s guidance on call-blocking services and the legal framework covering unsolicited and fraudulent telephone contact.
Summary
- Vishing uses voice calls to deceive targets into surrendering credentials, making payments, or granting system access — it is now the most common form of social engineering in active use
- Attackers succeed by combining urgency, authority, accurate personal detail, and in advanced cases AI-cloned voices that can impersonate known individuals convincingly
- Caller ID spoofing means the displayed number is not a reliable indicator of who is calling — a number that appears to belong to a bank, HMRC, or internal IT cannot be trusted at face value
- The most reliable response to a suspicious call is to end it, wait, and contact the organisation independently using a verified number from a trusted source
- In the UK, vishing incidents should be reported to Action Fraud and the NCSC; suspected compromise of accounts or banking details requires immediate contact with the relevant institution