What Is Vishing?
Vishing — short for "voice phishing" — is a phone-based social engineering attack in which fraudsters impersonate legitimate organizations to trick victims into revealing sensitive information, transferring money, or taking actions that benefit the attacker.
Unlike email phishing, vishing uses the immediate, real-time nature of phone calls — and in 2026, increasingly uses AI voice cloning — to create highly convincing fraud scenarios that are harder to verify than written communications.
The Vishing Playbook
Most vishing attacks follow a consistent structure:
Pretexting: The attacker establishes a believable reason for calling — a fraud alert, a legal matter, a technical problem, a government compliance issue.
Authority establishment: The attacker claims to represent a bank, government agency, law enforcement, tech company, or the target's own employer, which lends the call both authority and urgency.
Trust building: Details that appear to confirm legitimacy are provided — real-seeming employee IDs, case numbers, or information the attacker found through research.
Pressure and urgency: The victim is told they must act immediately to avoid a serious consequence — criminal charges, frozen accounts, lost funds, or technical damage.
The ask: Once trust is established and urgency created, the attacker requests sensitive information (account numbers, passwords, OTP codes), payment (gift cards, wire transfers), or remote access to the victim's device.
Common Vishing Scenarios
Bank Fraud Vishing:
Caller: "This is [Bank Name] fraud prevention. We have detected suspicious activity on your account. To protect your funds, we need to verify your identity — please confirm your full account number and PIN."
Legitimate banks do not ask for your PIN over the phone. Ever.
IRS/Tax Authority Vishing:
Caller: "This is the IRS. You have an outstanding tax liability and a warrant has been issued for your arrest. To resolve this, you must purchase [gift cards] and provide the codes immediately."
Government agencies communicate through official mail, not threatening phone calls demanding gift card payment.
Tech Support Vishing:
Caller: "This is Microsoft Support. We have detected that your computer is infected with malware and sending dangerous data. I need remote access to fix it immediately."
Microsoft does not proactively call customers about virus infections.
Social Security Vishing:
Caller: "Your Social Security number has been suspended due to suspicious activity. To unlock it, you must confirm your SSN, date of birth, and current address."
Social Security numbers cannot be "suspended." This is a data collection call.
AI Voice Cloning Vishing (2026 Specific):
A call appears to come from a family member in distress, using their actual cloned voice, and requests an emergency wire transfer. The voice is indistinguishable from the real person's.
Defense: Establish a family verification code word in advance that the real person would know but AI would not.
How to Respond to Suspected Vishing
Hang up:
You are never obligated to remain on a call that makes you uncomfortable. Hanging up and calling back on the official number is always the right move.
Do not provide information to inbound callers:
If someone calls you claiming to be your bank, hang up and call your bank's official number (from the back of your card or official website). Provide information only to outbound calls you initiated.
Never provide OTP codes to callers:
No legitimate organization will call you to request a one-time password you just received. This is always an account takeover attempt.
Verify through independent means:
Before acting on any call — transferring money, providing credentials, granting access — verify the request through an independently sourced contact (official website phone number, physical branch, known work contact).
Report vishing attempts:
In the US: FTC at reportfraud.ftc.gov. In the UK: Action Fraud at actionfraud.police.uk.
The Relationship Between Vishing and Email Privacy
Vishing often uses email as a pretext or follow-up channel. A vishing call may reference a fake email it "already sent" to create legitimacy. A vishing victim may later receive phishing emails impersonating the same organization.
Using Temp90 for online registrations reduces the information available about which services you use — limiting the credibility of vishing pretexts that reference specific account relationships.
FAQ:
Q: How do I verify if a call from my bank is legitimate?
A: Hang up and call the number on the back of your bank card or on the bank's official website. If the original call was legitimate, you will be able to continue through the official channel.
Q: Are elderly people specifically targeted by vishing?
A: Yes. Older adults are disproportionately targeted by phone-based scams. The most impactful protection is education — ensuring family members know the common patterns and feel comfortable hanging up on suspicious calls.
Q: Can AI voice cloning be defeated by asking knowledge questions?
A: Questions about shared memories or facts the AI would not know from public information add a layer of verification. Establishing a family code word known only to real family members is the most reliable defense.
Conclusion:
Vishing exploits the immediacy and personal nature of phone calls to create compelling fraud scenarios. The consistent red flags — urgency, unusual payment methods, requests for credentials or OTP codes, unsolicited inbound contact — apply across all vishing variants. The fundamental defense is simple: never provide sensitive information or take financial action based on an inbound call. Always verify through independently sourced channels before acting.
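The red flags listed above can also be applied mechanically, for example by a fraud or help-desk team triaging call transcripts. The following is an added example, not part of the original article: the function names, category labels and regular expressions are assumptions chosen for illustration, and the sample transcripts are shortened from the scenario scripts earlier on this page plus one constructed benign call.

```python
import re

# Red-flag categories from the article's conclusion, plus the remote-access
# "ask" from the playbook. The regexes are illustrative assumptions, not a
# vetted ruleset; real transcripts need broader phrasing and tuning.
RED_FLAGS = {
    "urgency": re.compile(r"\b(immediately|warrant|arrest|suspended|frozen)\b", re.I),
    "unusual_payment": re.compile(r"\b(gift cards?|wire transfer)\b", re.I),
    "credential_request": re.compile(
        r"\b(pin|password|otp|one-time password|ssn|account number)\b", re.I),
    "remote_access": re.compile(r"\bremote access\b", re.I),
}
# Flags that correspond to "the ask" step of the playbook.
ASKS = {"unusual_payment", "credential_request", "remote_access"}

def red_flags(transcript, inbound):
    """Return the sorted red-flag categories present in one call."""
    hits = [name for name, rx in RED_FLAGS.items() if rx.search(transcript)]
    if inbound:
        hits.append("unsolicited_inbound")
    return sorted(hits)

def advise(transcript, inbound):
    """Map flags to the article's rule: never act on an inbound ask."""
    flags = set(red_flags(transcript, inbound))
    if inbound and flags & ASKS:
        return "hang_up_and_call_official_number"
    if flags - {"unsolicited_inbound"}:
        return "verify_independently"
    return "no_red_flags"

# (transcript, inbound) pairs; the first four are shortened from the article.
SAMPLES = {
    "bank": ("This is [Bank Name] fraud prevention. We need to verify your "
             "identity, please confirm your full account number and PIN.", True),
    "irs": ("A warrant has been issued for your arrest. You must purchase "
            "[gift cards] and provide the codes immediately.", True),
    "tech": ("This is Microsoft Support. I need remote access to fix it "
             "immediately.", True),
    "ssn": ("Your Social Security number has been suspended. You must "
            "confirm your SSN, date of birth, and current address.", True),
    # Constructed benign call that the customer placed themselves.
    "benign": ("Thanks for calling. Your new card shipped on Monday.", False),
}

if __name__ == "__main__":
    for name, (text, inbound) in SAMPLES.items():
        print(name, red_flags(text, inbound), advise(text, inbound))
```

Keyword matching of this kind only surfaces calls for human review; a transcript with no hits is not evidence that a call was legitimate.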