What is vishing?
Vishing (voice phishing) is a phone-based fraud where criminals impersonate banks, government agencies, or tech companies to trick victims into revealing passwords, PINs, or sensitive account information over the phone.
Last reviewed: 10 June 2026
Explanation
Vishing exploits the trust people place in phone calls that appear to come from institutions with authority. A caller claims to be from your bank's fraud department, the IRS or HMRC, a tech company's security team, or law enforcement. They often already have partial information about you — your name, the last four digits of a card, or your address — obtained from data breaches or social media, which they use to appear legitimate.
The scenario varies: your account has been breached and you must verify your details; you owe back taxes and face arrest unless you pay immediately; your computer has been infected and a technician needs your login details. In each case the goal is to extract either sensitive credentials or an immediate payment.
VoIP technology has made caller ID spoofing easy and cheap. The number displayed on your screen can be made to show any number the caller chooses, including the genuine number of your bank or a government agency. This means caller ID is no longer a reliable indicator of legitimacy.
The key principle: any unsolicited caller asking you to confirm sensitive information or make an urgent payment should be treated with suspicion. Hang up and call the organisation back using a number from their official website.
Common red flags
- An unsolicited call claiming urgent action is required on your account or regarding a legal matter
- The caller already knows some of your details and uses this to appear legitimate
- Caller ID shows a recognised number (this can be spoofed)
- You are asked to confirm passwords, PINs, or full card numbers over the phone
- Threats of arrest, account closure, or legal action if you do not comply immediately
- You are told not to discuss the situation with your bank or family
What to do now
- Hang up and call back using a number from the organisation's official website
- Wait a few minutes before calling back, and call from a different phone if possible, because some attacks keep the line open
- If you gave credentials, change them immediately and contact your bank
- Report the call to your national fraud authority
- Register with a call-blocking service to reduce unsolicited calls
Frequently asked questions
Can I trust caller ID to verify who is calling?
No. Caller ID spoofing is technically straightforward and widely used by vishing attackers. The number displayed can be set to any number the caller chooses, including your bank's genuine fraud department number. Always call back independently.
Would my bank ever call and ask for my full PIN?
No legitimate bank will ever ask for your full PIN, online banking password, or one-time passcode over the phone. These exist precisely so that no-one — including bank staff — needs to know them. Any caller asking for these is attempting fraud.