Vishing (phone scams): how to spot them
Vishing (voice + phishing) is a phone scam where the caller impersonates a bank, IT support or institution to extract codes, passwords or a payment. You spot it by the pressure to act immediately and a request to read out an SMS code or enter details — in which case hang up and call back on an official number yourself.
Vishing (voice + phishing) is a phone scam where the caller impersonates a trusted institution: a bank, IT support, a courier or even a government body. A voice inspires more trust than an email, and during a call it is hard to stop and think. It is exactly this real-time pressure that makes vishing dangerous — the victim is pushed to make a decision here and now.
The most common vishing scenarios
- Bank: "We detected a suspicious transaction, verify your identity and read out the code from the SMS."
- IT support: "Your computer is infected, let me connect remotely."
- Manager or colleague: a call asking for an urgent payment (CEO fraud by phone).
- Supplier: "Our account has changed, write down the new details."
- Government body: a threat of a fine or lawsuit if you do not pay immediately.
Signs that a call is fraudulent
- You are rushed and pressured to act immediately, with no time to think.
- You are asked to read out an SMS code, password or card details over the phone.
- You are asked to install a remote-access app or tap a link.
- You are threatened with consequences: account blocking, a fine, a lawsuit.
- The number looks official, but the caller avoids letting you call back yourself.
What to do with a suspicious call
- Do not give in to urgency — you have the right to hang up and verify.
- Do not read out any codes, passwords or card details.
- Hang up and call back on the official number from your card or the institution’s website.
- Do not install any apps and do not allow remote access.
- Report the call to IT or your manager if it came to a work phone or concerned company matters.
Why vishing is hard to stop with technology
Unlike email, a phone call is not screened by any filter, and the number is easy to spoof so it looks like a bank line on your screen. So the only real protection is a trained person who recognises the pressure tactic and knows the simple rule — hang up and call back yourself.
How to prepare your team
Vishing often works together with phishing and smishing — for example, an email sets the stage and a call "confirms" it. So training should cover the whole scam picture, not just email. Opsinel simulations and short training build exactly the reflex to pause and check, no matter which channel the pressure comes through.
Frequently asked questions
How do I check whether it is really my bank calling?
Hang up and call back on the official number printed on your card or the bank website. Never read out codes or passwords to the caller.
"IT support" called and asked for access — what do I do?
Do not allow remote access and do not install apps. Hang up and contact your real IT team through a contact you already know to verify.
Can scammers spoof a phone number?
Yes. The number shown on screen can be spoofed to look like a bank or institution line, so you cannot trust the number alone.
What is vishing?
Vishing is a phone scam — the name combines "voice" and "phishing". The caller impersonates a trusted institution and pressures you in real time to reveal details or make a payment.
I read an SMS code to a scammer — what now?
Call your bank immediately on a known number, change passwords and watch the account. The sooner you report, the greater the chance of stopping an unauthorised transaction.