Vishing is phishing delivered through phone calls, voicemail, or voice chat. The attacker impersonates a bank, vendor support, IT, or a colleague to extract codes, remote access, or payments.
Why it matters for account recovery
Vishing matters for recovery because attackers often target the control plane: email logins, phone numbers, and verification codes. A convincing voice script can bypass otherwise good security settings.
Common failure modes and misconceptions
- Trusting a call because it shows a number you trust: Caller ID can be spoofed. The display name does not prove who is calling.
- Code and password extraction: Attackers ask for one-time codes, password reset links, or "verification" steps that hand them access.
- Remote access tools: Support impersonation often aims to get you to install remote control software.
Safe best practices
- Hang up, then call back using a known number from an official site, card, or app.
- Do not share one-time codes or recovery links by phone.
- Treat phone-based urgency as social engineering pressure and switch to a known verification path.
Vishing is a verification failure. If you make calling back on known numbers the norm for high-leverage requests, most vishing scripts stop working.
