{
	"id": "c293eaff-67de-4cd0-a61c-ccb60fdc6501",
	"created_at": "2026-04-06T00:06:38.007587Z",
	"updated_at": "2026-04-10T03:19:57.916293Z",
	"deleted_at": null,
	"sha1_hash": "a56aab6dbc549137235413a929776c8d57f8ecd7",
	"title": "What Is Vishing? Voice Phishing Definition | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 326649,
	"plain_text": "What Is Vishing? Voice Phishing Definition | Proofpoint US\r\nPublished: 2021-02-27 · Archived: 2026-04-05 22:25:00 UTC\r\nVishing has become a mounting cybersecurity threat that leverages phone calls and voice communication to\r\ndeceive individuals into revealing sensitive information. In recent years, attackers have increasingly used\r\nsophisticated tactics, including AI-driven voice impersonation, to exploit trust and urgency in business\r\nenvironments.\r\nAccording to a 2024 report, vishing attacks surged by 442% in the latter half of the year, underscoring the sheer\r\nscale of this threat and its impact on organizations worldwide. As businesses rely more heavily on voice-based\r\ncommunication platforms, understanding and mitigating vishing risks has become a critical component of modern\r\ncybersecurity strategies.\r\nTable of Contents\r\nDefinition\r\nTypes of Vishing\r\nVishing vs. Phishing vs. Smishing?\r\nVishing Techniques\r\nTechnology Advancements Combating Vishing\r\nHow to Prevent Vishing\r\nDefinition\r\nMost people have heard of phishing—vishing is a different attack under the general phishing umbrella that shares\r\nthe same goals. Vishers use fraudulent phone numbers, voice-altering software, text messages, and social\r\nengineering to trick users into divulging sensitive information.\r\n“Short for ‘voice phishing,’ vishing involves the attacker calling the victim and posing as a representative from a\r\ntrusted organization, like a bank or government agency. The malicious actor may use social engineering\r\ntechniques to trick the victim into revealing sensitive information over the phone,” explains Dave Cook,\r\nCybersecurity Analyst and frequent author at Proofpoint.\r\nUnlike other forms of phishing, vishing uses a voice to trick users. (Smishing, yet another form of phishing that\r\nuses SMS text messages to trick users, is often used in tandem with voice calls, depending on the attacker’s\r\nmethods.) By exploiting urgency, fear, or authority in their tone, these threat actors aim to bypass organizational\r\nsecurity standards, resulting in financial fraud, identity theft, or unauthorized access to corporate systems.\r\nHere’s how your free trial works:\r\nMeet with our cybersecurity experts to assess your environment and identify your threat risk exposure\r\nWithin 24 hours and minimal configuration, we’ll deploy our solutions for 30 days\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 1 of 7\n\nExperience our technology in action!\r\nReceive report outlining your security vulnerabilities to help you take immediate action against\r\ncybersecurity attacks\r\nFill out this form to request a meeting with our cybersecurity experts.\r\nThank you for your submission.\r\nTypes of Vishing\r\nVishing attacks come in various forms, each tailored to exploit trust, urgency, or fear to extract sensitive\r\ninformation from individuals or businesses. Below are some of the most common types of vishing methods used\r\nby cyber criminals:\r\nWardialing: Attackers use automated systems to call large volumes of numbers within specific area codes,\r\noften pretending to be local banks or law enforcement. These calls typically contain pre-recorded messages\r\ndesigned to instill fear and prompt victims to share personal information like Social Security numbers or\r\nbanking details.\r\nVoIP (Voice over Internet Protocol): Cyber criminals leverage VoIP technology to mask their identities\r\nand scale attacks by generating thousands of fake phone numbers. These calls often appear as legitimate\r\nlocal or toll-free numbers, making them harder to detect.\r\nCaller ID spoofing: Scammers manipulate caller ID systems to display trusted names like “IRS” or\r\n“Police Department.” This tactic creates a sense of legitimacy and urgency, increasing the likelihood that\r\nvictims will comply with requests for sensitive information.\r\nTech support scams: Fraudsters impersonate representatives from well-known companies like Microsoft\r\nor Apple, claiming there’s an issue with the victim’s device. They may request remote access or personal\r\ncredentials under the guise of resolving the problem.\r\nVoicemail phishing: In this method, attackers leave urgent voicemails impersonating banks or government\r\nagencies, asking victims to call back. When victims return the call, they’re connected with scammers who\r\nattempt to extract sensitive data.\r\nDumpster diving: This unconventional approach involves searching through physical trash from\r\nbusinesses to obtain documents containing personal data, such as employee names or account details. The\r\ngathered information is then used to craft persuasive vishing attacks.\r\nEach type of vishing underscores the importance of vigilance and verification when responding to phone calls or\r\nvoicemails requesting sensitive information.\r\nVishing vs. Phishing vs. Smishing?\r\nPhishing, vishing, and smishing all have the same goal: to obtain sensitive data from users that could be used for\r\nidentity theft, monetary gain, or account takeover.\r\nThe main difference between them is the medium used to target potential victims. Whereas phishing is primarily\r\nan email-based scam, vishing uses voice, typically calls to a user’s cell phone number. Smishing, on the other\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 2 of 7\n\nhand, uses SMS or text messages to deceive victims, often exploiting the higher open rates and immediacy of\r\nmobile messaging.\r\nBoth vishers and phishers send messages to potential victims, usually in high volumes. Phishing attackers send a\r\nlarge number of email messages to a list of potential targets. If the attacker targets a specific organization, only a\r\nlist of high-privileged user email addresses from the targeted business might be used. Vishing and smishing\r\nattacks often involve urgent messages purportedly from banks or delivery services, aiming to create a sense of\r\nurgency that prompts victims to act quickly.\r\nPhishers generally use compelling email messages to trick users into replying with sensitive information or\r\nconvince the user to click a link where malware is hosted. Malicious attachments are also used in some phishing\r\nattacks. Smishers use similar tactics via text messages, often including links to fake websites or prompts to\r\ndownload malicious apps.\r\nThe visher might first send a text message to potential victims in high volumes from a long list of phone numbers.\r\nThe message might ask users to make a phone call to the attacker’s number. Another vishing method creates an\r\nautomated message and robo-dials potential victims. It uses computer-generated voice messages to remove\r\naccents and build trust. The voice message then tricks the user into connecting to a human agent who continues\r\nthe scam, or it might ask users to open an attacker-controlled website.\r\nAlthough there are minor differences between vishing, phishing, and smishing, the end goal is always the same:\r\nobtaining credentials, personal identifiable data, and financial information. Users familiar with phishing might not\r\nbe familiar with vishing, so attackers increase their chances of success.\r\nVishing Techniques\r\nIdentifying a vishing attack is more challenging than a phishing and smishing attack. Vishing attacks start with a\r\ntext message and usually contain a phone number.\r\n“Fraudsters can rather easily manipulate standard caller ID services,” warns Gretel Egan, Security Awareness\r\nTraining Strategist at Proofpoint. “They can even make it look like your own phone number is calling you (a\r\nsimple trick to get you to pick up the phone and engage with the caller).”\r\nThe following image is an example of a vishing attack:\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 3 of 7\n\nScammers use scare tactics to convince users to make a phone call. In this message, the attacker pretends to be\r\nwith the IRS. Most users fear penalties and fees from the IRS, so users calling this number will be told they owe\r\nmoney. The attacker convinces the targeted user to charge their credit card or to transfer money directly from the\r\ntargeted user’s account. IRS scams are one of the more common attacks targeting users in the U.S.\r\nThe following image is another example of a vishing attack starting with a text message:\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 4 of 7\n\nIn the above picture, the same threats and scare tactics are used to convince users to call. If the targeted user\r\nresponds with STOP, the messages will continue. By replying to the attacker, the targeted user verifies that the\r\nphone number is valid and will continue to be a target.\r\nNotice in both images that the caller ID number is an invalid, 6-digit invalid contact number. These numbers are\r\nused by telecoms to send users messages, indicating the message was sent from an auto-dialer API or an email\r\naccount. If a message comes from one of these numbers, always be suspicious that it could be a smishing or\r\nvishing scam.\r\nNot every message with an invalid caller ID number is malicious. These numbers are also used in multi-factor\r\nauthentication requests when the user is sent a PIN to complete the authentication process. Social engineering\r\nattackers trick users into sending the PIN by contacting them to divulge the PIN. Vishing, phishing, and smishing\r\ncan be combined with social engineering for more large-scale attacks on high-privilege accounts.\r\nMore and more vishing attackers are using computer programs to mask voices and geographical accents. Attackers\r\ncan even use a different gendered voice to launch an attack. Often, these voices are audibly computer-generated\r\nand obvious vishing attempts. But always be aware of phone calls asking for private information.\r\nTechnology Advancements Combating Vishing\r\nAdvancements in technology have become a cornerstone in the fight against vishing, enabling real-time detection\r\nand prevention of fraudulent calls. These tools are designed to outpace increasingly sophisticated scams.\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 5 of 7\n\nAI-Driven Anomaly Detection Systems\r\nArtificial intelligence (AI) plays a pivotal role in identifying and mitigating vishing attempts. AI-powered fraud\r\ndetection systems analyze vast datasets of call patterns, voice characteristics, and contextual information to detect\r\nanomalies indicative of fraudulent activity. For example, machine learning models—like deep neural networks\r\nand anomaly detection algorithms—can flag suspicious behaviors, such as unusual pauses or scripted speech\r\npatterns, in real time.\r\nNatural Language Processing (NLP) further enhances these systems by analyzing call transcripts for coercive\r\nlanguage or scam-related phrases, enabling swift identification of threats. Google’s recent rollout of on-device AI\r\nscam detection for Android devices is a prime example, offering real-time alerts for suspicious calls while\r\npreserving user privacy.\r\nVoice Biometrics and Deepfake Detection\r\nVoice biometrics technology leverages unique vocal characteristics such as pitch, timbre, and speech patterns to\r\nauthenticate callers and detect synthetic voice manipulations. This is especially critical as attackers increasingly\r\nuse deepfake audio to impersonate trusted individuals.\r\nAI-based systems can identify inconsistencies in speech patterns or mismatched audio features, effectively\r\ncountering deepfake-enabled vishing campaigns. These technologies not only prevent fraud but also restore trust\r\nin voice-based communications.\r\nTelecommunications Advancements\r\nThe telecommunications industry has made significant strides in combating vishing through innovations like\r\nSHAKEN/STIR protocols. This caller ID authentication framework ensures that calls are verified as legitimate by\r\noriginating carriers before reaching consumers, reducing the success rate of spoofed calls.\r\nAdditionally, real-time fraud management systems integrated into telecom networks can block suspicious calls\r\nduring the setup phase—before the recipient’s phone even rings—by analyzing metadata and historical fraud\r\npatterns. These systems offer predictive capabilities, enabling proactive defenses against emerging scam tactics.\r\nHow to Prevent Vishing\r\nAvoiding vishing attacks requires a combination of awareness, technology, and proactive measures. Users must\r\ntake additional precautions to protect themselves. Here are key strategies to prevent vishing:\r\nStay informed and educated: Regular training and awareness programs are crucial for both individuals\r\nand organizations. Educating employees helps them recognize and report vishing attempts, reducing the\r\nrisk of successful attacks.\r\nVerify caller identities: If a caller requests sensitive information, hang up and contact the institution\r\ndirectly using a verified number. Verify the caller’s position, purpose, and organization to ensure\r\nlegitimacy.\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 6 of 7\n\nUse multifactor authentication (MFA): Implement MFA on all sensitive systems to add an extra layer of\r\nsecurity, making it harder for attackers to bypass security measures.\r\nBe cautious with unsolicited calls: Ignore calls from unknown numbers and let them go to voicemail. If\r\nnecessary, call back using a verified number from the organization’s official website.\r\nWatch for pressure tactics: Scammers typically use urgency and fear to manipulate victims. Be wary of\r\nrequests for immediate financial transactions or sensitive information.\r\nProtect against SIM swapping: Be vigilant about messages related to multi-factor PINs or account\r\nchanges. Contact your telecom provider immediately if you suspect SIM swapping.\r\nRegister with do not call lists: Enroll in the National Do Not Call Registry to reduce unsolicited calls,\r\nmaking it easier to identify potential scams.\r\nWhile telecoms have systems in place to flag suspicious calls, relying solely on these systems is insufficient. By\r\nstrategically adopting these tactics, individuals and organizations can significantly reduce their vulnerability to\r\nvishing attacks.\r\nGet Ahead of Tomorrow’s Threats with Proofpoint\r\nAnticipating the nature of certain cyber threats helps organizations identify where their defenses are weak and\r\nwhich protective measures to prioritize. Most organizations are more resilient through layered strategies that\r\nleverage detection and prevention technologies, real-time threat intelligence, and user-focused training programs\r\nto reduce the risk of attacks via email and cloud environments. As threats like phishing, BEC, ransomware, and\r\ncredential theft evolve, it’s important to have the right mix of tools and processes to keep your data and your\r\npeople protected. Take ownership to protect against threats and make strides to improve your cybersecurity\r\neffectiveness.\r\nLeverage the capabilities trusted by 83 of the Fortune 100 companies. Contact Proofpoint to learn more.\r\nRelated Resources\r\nThe latest news and updates from Proofpoint, delivered to your inbox.\r\nSign up to receive news and other stories from Proofpoint. Your information will be used in accordance with\r\nProofpoint’s privacy policy. You may opt out at any time.\r\nSource: https://www.proofpoint.com/us/threat-reference/vishing\r\nhttps://www.proofpoint.com/us/threat-reference/vishing\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-reference/vishing"
	],
	"report_names": [
		"vishing"
	],
	"threat_actors": [],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a56aab6dbc549137235413a929776c8d57f8ecd7.pdf",
		"text": "https://archive.orkl.eu/a56aab6dbc549137235413a929776c8d57f8ecd7.txt",
		"img": "https://archive.orkl.eu/a56aab6dbc549137235413a929776c8d57f8ecd7.jpg"
	}
}