The phone rings and a recording says you owe the IRS back taxes and have to share your credit card number to settle the balance. Or it's the bank, warning you that your account has been compromised.
These are just two examples of "vishing," or voice phishing, a popular scam that can take place over a mobile phone or landline. The perpetrator will often pretend to be from a recognizable company or government agency and ask for your credit card, bank account info, Social Security number or other sensitive data.
These attacks are particularly effective because the scammers sound authoritative and urgent. In 2022, victims of vishing scams reported median losses of $1,400, according to the Federal Trade Commission (FTC).
Below, CNBC Select explains how to identify, avoid and recover from vishing attacks.
What we'll cover
- What is vishing?
- How to detect a vishing attempt
- Ways to combat vishing
- What to do if you've been a victim of vishing
- Bottom line
What is vishing?
Vishing is a type of cybersecurity attack in which the perpetrator attempts to gain access to sensitive data over the phone. They typically seek financial details or Social Security numbers, but passwords and other data can also be the goal.
Scammers may pretend to be an authority figure — an IRS agent or bank official, for example — and claim there is a time-sensitive matter that requires your immediate attention.
Vishing scams can target individuals or companies: A September 2023 vishing attack on MGM Resorts International cost the casino approximately $100 million.
As opposed to online scams that use malware, vishing schemes rely on social engineering, or psychological tactics to convince victims to take a certain action.
While phone scams have existed for decades, cybersecurity experts say vishing is on the rise, thanks to technological advances like caller ID spoofing and AI-powered software that can mimic specific human voices.
How to detect a vishing attempt
While vishing can take different forms, there are telltale signs that can tip off savvy consumers.
- A pre-recorded message. Many vishing calls will have an automated message claiming you've won a free prize or that your urgent response is required to prevent a financial penalty.
- A request for sensitive information. If someone asks for your Social Security number or other personal details, it's a strong sign of a vishing attack. To sound legitimate, they might provide public information, like your birthday or job title.
- Posing as a government official. Scammers may claim to be from a federal agency, such as the IRS, but legitimate government officials will never call, email or text to ask for money or personal information.
- Using an aggressive manner. A phone call allows scammers to catch victims off-guard more than an email or letter. Be skeptical of any caller pressuring you to quickly provide sensitive information.
Ways to combat vishing
While vishing is an increasing threat to consumers, there are ways to guard against scammers.
- Screen your calls carefully. If you don't recognize a number, let it go to voicemail. Some scammers will "spoof" your caller ID into thinking their call is coming from a nearby location or a reputable source. If you want to reply to a voicemail, seek out an official contact number or email and confirm any information they provided.
- Be suspicious of unsolicited phone calls. If you suspect that a call is a vishing attack, hang up immediately. Don't answer their questions or press any buttons. Don't try to confront them since scammers can record your response to gain access to voice-activated menus.
- Don't share personal data. Never share passwords, log-in names, driver's license or passport information over the phone. Avoid giving out your Social Security number or other sensitive information over the phone, especially if you didn't originate the call.
- Get on the National Do Not Call Registry. This free service from the FTC informs marketers that you don't want unsolicited phone calls. While nefarious callers don't abide by the registry, signing up means any unknown caller is less likely to be a legitimate business.
- Become an AT&T wireless customer. AT&T and TransUnion have partnered on TruContact Branded Call Display, which enables businesses to display their name and logo when calling AT&T customers. That way subscribers can confirm the number has not been illegally spoofed.
Of course, no one is 100% immune from scammers. There are some steps to foil a vishing attack once it's started, like setting up multi-factor authentication on sensitive accounts.
Credit monitoring products can also help you spot if your account or identity has been compromised. CreditWise® from Capital One is a free service that alerts users about changes to their credit history on TransUnion and Experian, including new accounts, delinquencies, balances and hard inquiries.
You'll also be notified about suspicious activity associated with your identity.
CreditWise® from Capital One
Information about CreditWise has been collected independently by Select and has not been reviewed or provided by Capital One prior to publication.
Cost
Free
Credit bureaus monitored
TransUnion and Experian
Credit scoring model used
VantageScore
Dark web scan
Yes
Identity insurance
No
Terms apply.
A paid service, IdentityForce® UltraSecure+Credit reports changes submitted to all three credit reporting agencies. It also offers advanced information and identity monitoring, fraud alerts and $1 million in identity theft insurance.
IdentityForce®
Cost
UltraSecure Individual: $19.90 per month or $199.90 per year; UltraSecure+Credit Individual: $34.90 per month or $349.90 per year; UltraSecure Family: $24.90 per month or $249.90 per year; UltraSecure+Credit Family: $39.90 per month or $399.90 per year
Credit bureaus monitored
3-bureau credit monitoring, alerts and reports: Experian, Equifax and TransUnion®, with UltraSecure+Credit Individual and UltraSecure+Credit Family plans only
Credit scoring model used
VantageScore®3.0, with UltraSecure+Credit Individual and UltraSecure+Credit Family plans only
Dark web scan
Yes, with all plans
Identity theft insurance
Yes, at least $1 million with all plans
Terms apply.
If you've been a victim of a vishing attack
If you suspect you've fallen victim to a vishing scheme:
Subscribe to the CNBC Select Newsletter!
Money matters —so make the most of it. Get expert tips, strategies, news and everything else you need to maximize your money, right to your inbox.Sign up here.
Bottom line
Vishing scammers are developing more advanced strategies every day. It's important to be skeptical of unsolicited phone calls and refrain from sharing personal information over the phone.
Why trust CNBC Select?
At CNBC Select, our mission is to provide our readers with high-quality service journalism and comprehensive consumer advice so they can make informed decisions with their money. Every article is based on rigorous reporting by our team of expert writers and editors with extensive knowledge of financial products. While CNBC Select earns a commission from affiliate partners on many offers and links, we create all our content without input from our commercial team or any outside third parties, and we pride ourselves on our journalistic standards and ethics.
Catch up on CNBC Select's in-depth coverage ofcredit cards,bankingandmoney, and follow us onTikTok,Facebook,InstagramandTwitterto stay up to date.
Read more
How virtual card numbers can help prevent credit card phishing scams
5 scams to watch out for, according to a consumer protection expert
How to tell the difference between legit debt collectors and scam artists
6 signs of a student loan scam
Editorial Note: Opinions, analyses, reviews or recommendations expressed in this article are those of the Select editorial staff’s alone, and have not been reviewed, approved or otherwise endorsed by any third party.
