What is Vishing?

The most dangerous attacks don't break through your computer's security - they trick you into giving access voluntarily. Learn how vishing and social engineering work, and how to protect yourself.


What is Vishing?

Vishing (voice phishing) is when attackers use phone calls to trick you into revealing sensitive information or giving them access to your computer. Unlike malware that tries to break through your defenses, vishing exploits human trust - and no antivirus can protect you from that.

Critical Warning: Antivirus software, firewalls, and encryption cannot stop vishing attacks. If you voluntarily give someone remote access or reveal your passwords, your security tools can't intervene - you've already let the attacker in through the front door.

How Vishing Attacks Work

Common Vishing Scenarios
Fake Tech Support

The Call: "This is Microsoft/Apple/Dell support. We've detected viruses on your computer."

The Hook: They claim to see errors, infections, or security issues that require immediate action.

The Scam: They convince you to install remote access software (TeamViewer, AnyDesk) so they can "fix" the problem. Once they have access, they steal data, install malware, or lock you out and demand ransom.

Fake IT Department

The Call: "Hi, this is IT. We need to reset your password for security updates."

The Hook: They impersonate your company's IT department with convincing details like employee names or systems.

The Scam: They ask you to reveal your current password, share a one-time code, or grant them remote access to "fix" your account. They then use your credentials to access company systems.

Fake Bank Security

The Call: "This is fraud prevention from your bank. We've detected suspicious activity on your account."

The Hook: They create urgency by claiming your account has been compromised or unauthorized charges are pending.

The Scam: They ask you to "verify" your identity by sharing account numbers, passwords, or one-time codes sent to your phone. They use this information to drain your accounts.

One-Time Passcode (OTP) Interception

One of the most effective bank vishing techniques involves intercepting one-time passcodes (OTP). Attackers use two methods: either a live caller pretending to be your bank's fraud department, or automated bots that play pre-recorded messages. These bots are sophisticated - they listen for the keypad tones (DTMF tones) you generate when you press numbers to "verify" the code. Both approaches create urgency about suspicious activity, then trick you into providing the code that was just texted to you. That code was triggered by the attacker's own attempt to log into YOUR account - and by reading it back, you just handed them the keys.

Critical Rule: Never Share OTP Codes

If someone asks for a code sent to your phone, it's a scam - period. Real banks NEVER ask you to read them verification codes. They sent you that code so YOU can log in, not so you can tell someone else.

If you receive an unexpected verification code, someone is trying to access your account RIGHT NOW. Don't share it, don't "verify" it, just hang up and contact your bank directly using the number on your card.

Common Vishing Scenarios (Continued)
Government Impersonation

The Call: "This is the IRS/Social Security Administration. Your SSN has been suspended due to suspicious activity."

The Hook: They threaten legal action, arrest warrants, or benefit suspension if you don't comply immediately.

The Scam: They demand payment via gift cards, wire transfer, or cryptocurrency to "resolve" the issue. They may also steal your Social Security number and other personal information.

Cryptocurrency Exchange Impersonation

The Call: "This is security from Coinbase/Binance/Kraken. We've detected unauthorized access to your account."

The Hook: They claim someone is trying to withdraw your cryptocurrency or that your account has been compromised and needs immediate verification.

The Scam: They ask you to "verify" your identity by providing your recovery phrase, 2FA codes, or login credentials. They may also direct you to a fake website that looks identical to the real exchange to capture your information. Once they have access, they drain your cryptocurrency wallets - and unlike bank fraud, crypto transactions cannot be reversed.

Real-World Crypto Exchange Vishing Attacks

Cryptocurrency exchange vishing attacks have become so sophisticated and damaging that they've triggered action from multiple state attorneys general and federal regulators. The organized criminal groups behind them combine phone-based social engineering with technical expertise to drain victim accounts.

Why Crypto Vishing is So Dangerous

Irreversible transactions: Unlike credit cards or bank transfers, cryptocurrency transactions cannot be reversed. Once it's gone, it's gone forever.

High-value targets: A single compromised crypto account can contain hundreds of thousands or millions in digital assets.

Recovery phrase vulnerability: If attackers trick you into revealing your recovery phrase (seed phrase) over the phone, they have permanent access to your wallet - even if you change your exchange password.

Protecting Your Crypto from Vishing

Never share recovery phrases: No legitimate exchange will EVER ask for your recovery phrase, seed phrase, or private keys over the phone.

Use hardware wallets: Store significant crypto holdings offline in hardware wallets (Ledger, Trezor) - they can't be drained through a phone call alone, as long as you never reveal the wallet's recovery phrase.

Enable withdrawal whitelist: Most exchanges let you whitelist withdrawal addresses - even if an attacker gets into your account, they can only send funds to pre-approved addresses.

Set withdrawal delays: Configure 24-48 hour withdrawal delays - this gives you time to catch unauthorized transfers.

Hang up and verify: If someone calls claiming to be from your exchange, hang up and contact the exchange through their official app or website.

Social Engineering: The Human Hack

Social engineering is the broader category of attacks that manipulate human psychology rather than exploiting technical vulnerabilities. Vishing is just one type - others include phishing emails, SMS scams (smishing), and in-person impersonation.

Psychological Tactics Attackers Use
  • Urgency: "You must act now or your account will be locked!" Creating panic makes you skip security checks.
  • Authority: Impersonating IT staff, managers, or government officials to make you comply without questioning.
  • Fear: Threatening legal action, job loss, or financial penalties to override your better judgment.
  • Trust: Using names of real employees, company-specific details, or spoofed caller ID to appear legitimate.
  • Helpfulness: Positioning themselves as solving a problem for you, making you feel grateful and cooperative.
  • Curiosity: "We found something interesting about your account" - making you want to know more and engage.

How to Protect Yourself

Defense Strategies
Before Engaging
  • Never trust caller ID - It can be spoofed to show any name or number
  • Question urgency - Legitimate organizations don't create artificial panic
  • Don't give personal info - Real companies won't ask for passwords or SSN over the phone
Verification Steps
  • Hang up and call back - Use the official number from the company's website
  • Contact through official channels - Use the app, website, or known support number
  • Ask specific questions - Real IT knows your ticket number, real banks know your last transaction
Golden Rule: When in doubt, hang up and initiate contact yourself using verified contact information. Legitimate organizations will never be upset by you verifying their identity.
What Legitimate Companies NEVER Do
  • Ask for your password, PIN, or security code over the phone
  • Request remote access to your computer without you initiating contact
  • Demand immediate payment via gift cards, cryptocurrency, or wire transfer
  • Threaten arrest or legal action over the phone for unpaid bills or taxes
  • Call you out of the blue claiming to have detected viruses or security issues
  • Ask you to download software from unofficial sources
  • Pressure you to keep the conversation secret from family, colleagues, or supervisors

If You've Been Targeted

Immediate Response Steps
If You Shared Information:
  1. Change passwords immediately - Start with email, banking, and any accounts you discussed
  2. Enable 2FA everywhere - Add two-factor authentication to all critical accounts
  3. Contact your bank - Report potential fraud and freeze accounts if necessary
  4. Monitor credit reports - Watch for unauthorized accounts or activity
  5. File reports - Report to FTC (reportfraud.ftc.gov), FBI IC3 (ic3.gov), and local police
If You Granted Remote Access:
  1. Disconnect from the internet - Unplug ethernet or disable WiFi immediately
  2. Run full malware scan - Use Windows Defender or trusted antivirus in safe mode
  3. Uninstall remote access software - Remove TeamViewer, AnyDesk, or whatever they had you install
  4. Change all passwords - Assume they captured everything you typed
  5. Consider professional help - An IT security professional may need to verify your system is clean
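A read-only triage script for the remote-access response steps, added here as an example and not part of the original article. It only reports what it finds so you know what to uninstall and what to tell a security professional; the tool names, registry paths and the Defender scan cmdlet it uses are assumptions, and the tool list should be extended with whatever the caller had you install.

```powershell
# Added example (not from the original article): read-only triage for
# "If You Granted Remote Access". Run from an elevated PowerShell prompt
# AFTER disconnecting from the network. Nothing here removes anything.

# Assumed list of remote-access tools; add whatever the caller told you to install.
$remoteTools = @('TeamViewer', 'AnyDesk')

# Returns $true when the given text mentions any of the remote-access tools.
function Test-RemoteTool([string]$Text) {
    foreach ($tool in $remoteTools) {
        if ($Text -like "*$tool*") { return $true }
    }
    return $false
}

Write-Host "== Running processes that look like remote-access tools =="
Get-Process |
    Where-Object { Test-RemoteTool $_.ProcessName } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

Write-Host "== Services that look like remote-access tools =="
Get-Service |
    Where-Object { Test-RemoteTool ($_.Name + ' ' + $_.DisplayName) } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

Write-Host "== Installed programs (uninstall registry entries) =="
# Standard uninstall keys for 64-bit, 32-bit and per-user installs (assumed paths).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and (Test-RemoteTool $_.DisplayName) } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString |
    Format-List

Write-Host "== Autostart (Run key) entries that reference remote-access tools =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entry) { continue }
    # Skip the PS* metadata properties PowerShell adds to registry objects.
    foreach ($prop in $entry.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if (Test-RemoteTool ("$($prop.Name) $($prop.Value)")) {
            Write-Host "$key : $($prop.Name) = $($prop.Value)"
        }
    }
}

# Step 2 of the article (full malware scan with Windows Defender) can be
# started with the Defender module once you have reviewed the output above:
#   Start-MpScan -ScanType FullScan
```

The script deliberately stops at reporting: uninstall the tools it lists through Settings or the UninstallString shown, then change your passwords from a different device, since anything typed on the affected machine may have been captured.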
Bottom Line

Your skepticism is your best defense. No legitimate organization will pressure you, threaten you, or demand immediate action over an unsolicited phone call. When someone calls asking for sensitive information or access, always hang up and verify through official channels. A few minutes of verification can save you from devastating financial and identity theft.

Quick Reference: Red Flags
Hang Up Immediately If:
  • Unsolicited call claims to be tech support
  • They ask for passwords or security codes
  • They create extreme urgency or fear
  • They want remote access to your computer
  • Payment via gift cards is requested
  • They threaten arrest or legal action
  • Caller ID shows a government agency (agencies rarely call unsolicited, and caller ID is easily spoofed)
Safe Response:
  1. Say "I'll call you back"
  2. Hang up (don't press numbers they suggest)
  3. Look up official contact info
  4. Call back using verified number
  5. Ask about the "issue" they mentioned