What Is Vishing? The 2026 Guide to Voice Phishing Scams, Red Flags & How to Stop Them

Vishing (voice phishing) is the fastest-growing scam of 2026 — AI-cloned voices, spoofed bank numbers, fake IRS agents and callback traps. This guide breaks down exactly how vishing works, the 10 scripts scammers use right now, how to spot a vishing call in under 15 seconds, and the step-by-step response Cybrvault's Miami team uses when a client falls for one.

Cybrvault Team | July 5, 2026 | 15 min read | Updated July 5, 2026
If you searched "what is vishing," you probably just got a call that felt off — a robotic voice claiming to be your bank, a "fraud department" agent who already knew your name, or a voicemail from "the IRS" threatening arrest. This 2026 guide from Cybrvault's Miami incident-response team explains exactly what vishing is, why it works, the 10 scripts scammers are using right now, and the step-by-step playbook we run when a client (or their parent) falls for one.

Vishing is a specific slice of the broader phishing family. If a text message is trying to trick you, that's smishing (see "what is smishing"; the differences are covered below). For a related deep-dive on AI-generated phone calls, read our AI voice scams and deepfake phone calls guide.

What is vishing? A plain-English definition

Vishing (short for "voice phishing") is a social engineering attack delivered by phone call or voicemail. The attacker impersonates a trusted institution — your bank, the IRS, Microsoft, Amazon, a delivery service, a family member, or your own IT department — and manipulates you into handing over sensitive information, transferring money, installing remote-access software, or reading back a one-time MFA code. Everything else is packaging: caller ID spoofing, AI-cloned voices, background call-center noise, and urgent scripts designed to bypass your critical thinking.

The word "vishing" combines "voice" and "phishing." It is a federally recognized fraud category — the FBI's Internet Crime Complaint Center (IC3) tracked billions of dollars in phone-based fraud losses in 2024, and 2025 numbers set another record thanks to generative-AI voice cloning tools that can mimic a real person's voice from as little as three seconds of audio scraped off social media.

How a vishing attack actually works (step by step)

  1. **Recon.** The attacker buys or scrapes a list — leaked breach data, LinkedIn, public records, or a data broker. They know your name, employer, bank, and often the last four of a card.
  2. **Spoof.** Using a VoIP service or SIP trunk, they set the outbound caller ID to match your bank's real 1-800 number, a local Miami area code, or a coworker's cell.
  3. **Pretext.** They open with a plausible reason: "This is Chase fraud protection — we blocked a $2,400 charge in Los Angeles, was that you?" or "This is Microsoft support, your PC is sending errors to our servers."
  4. **Hook.** They induce fear ("your account will be locked"), authority ("I'm Officer Reyes with Miami-Dade PD"), or greed ("you're owed a $1,900 refund").
  5. **Payload.** They ask you to: read back the 6-digit code just texted to you (that's your MFA reset), move money to a "safe account," install AnyDesk/TeamViewer, buy gift cards, or confirm your Social Security number.
  6. **Cash out.** Within minutes: wire transfers move to mule accounts, MFA codes drain crypto wallets, gift-card numbers are redeemed on darknet markets, and remote-access sessions plant persistence for later.

Vishing vs phishing vs smishing — what's the difference?

  • **Phishing** — deception delivered by email. Fake login pages, malicious attachments, bogus invoices.
  • **Smishing** — deception delivered by SMS or iMessage. Fake USPS "missed delivery," toll-road violations, bank alerts with a link.
  • **Vishing** — deception delivered by voice call or voicemail. The pressure is real-time, and the human voice is the weapon.
  • **Quishing** — QR-code phishing. A poster, email, or parking meter has a malicious QR code that opens a phishing site.

Modern scams often chain them: a smishing text ("your card was locked, call 305-555-0142") leads to a vishing call where the attacker takes over. That's called a callback scam, and it's #6 on the list below.

The 10 vishing scripts hitting phones in 2026

1. The bank fraud department (bank impersonation)

"This is the Wells Fargo fraud team. We're calling about a suspicious $1,982 charge at Best Buy in Doral — was this you?" You say no. They say, "We need to verify your identity — I'm sending a code to your phone right now, please read it back." That code is the MFA reset for your online banking. As soon as you read it, they're logged in.

2. The IRS / Social Security threat

Robotic voicemail: "This is the Internal Revenue Service. A lawsuit has been filed against your Social Security number. Press 1 to speak with an officer or a warrant will be issued." The IRS never calls first, never threatens arrest, and never accepts gift cards. This scam still works because fear overrides logic.

3. Microsoft / Apple / Google tech support

"Sir, this is Microsoft. Your computer has sent 847 error reports and is broadcasting a virus on the network." They ask you to open Run → type a command → visit a URL that installs AnyDesk or ScreenConnect. Once installed, they show you "the viruses" (harmless system logs), then charge $300–$3,000 to "fix" them — and often steal browser sessions in the background.

4. The AI-cloned family emergency

You get a call from your daughter's number. Her voice — cloned from a 6-second TikTok clip — is crying: "Mom, I was in an accident, I need bail money, don't tell dad." A "lawyer" then takes the phone and directs you to send cash via Zelle, wire, or courier. This is the fastest-growing scam category of 2026. Full breakdown: AI voice scams and deepfake phone calls.

5. The CEO / boss wire transfer (business vishing)

Finance manager gets a call: "Hi Sarah, it's Mark [the CEO]. I'm heading into a deal — I need you to wire $87,500 to this vendor before EOD. I'll email the wire info. Don't discuss this with anyone until it's closed." Voice cloned from a podcast interview. This is Business Email Compromise's louder cousin — see social engineering attack examples for Miami businesses.

6. The callback trap (smishing → vishing)

A text says "Your Amazon order of $739.20 has shipped — if you did not authorize this, call 1-888-555-0136." You call. A "refund department" answers, tells you they'll refund the money but you have to install a support tool and log into your bank so they can "process it." Then they either drain the account or trick you into wiring your own money to yourself under a different name.

7. The utility shut-off (FPL / water)

"This is Florida Power & Light. Your account is 48 hours past due — your service will be disconnected in one hour unless you pay $384.20 now over the phone." Common in South Florida, targeting restaurants and small businesses during lunch rush when they can't afford downtime. FPL never demands payment by phone or gift card.

8. The crypto "account compromise"

"This is Coinbase security — someone in Russia is trying to withdraw 2.3 BTC from your wallet." They walk you through "securing" your account by reading your 12-word seed phrase or approving a wallet-connect prompt. The seed phrase is the wallet. Anyone with it owns every coin inside.

9. The delivery / package scam

"UPS calling — we have a package for you but need a $4.99 redelivery fee." You give a card. That card is now on a scammer's testing rig within 60 seconds, running micro-charges to check the limit before a big purchase.

10. The romance / investment vishing ("pig butchering")

A weeks-long WhatsApp / dating-app conversation moves to phone calls. The "investor" walks you through funding a crypto trading platform. Every screen is real-looking; every dollar is gone. Losses per victim frequently exceed $200,000. If a stranger calls to talk investments, hang up.

The 15-second vishing checklist — how to spot a call in real time

  1. Are they creating urgency? ("You have 30 minutes," "warrant," "disconnect," "suspended.")
  2. Are they asking for a code, password, PIN, seed phrase, or SSN?
  3. Are they telling you not to hang up, or not to talk to anyone?
  4. Are they asking for payment in gift cards, wire transfer, crypto, or Zelle to a stranger?
  5. Are they asking you to install software or visit a URL?
  6. Does the caller ID show a big brand but the voice/context feels off?

One "yes" is suspicious. Two is a vishing call. Hang up — you can always call the institution back at the official number on their website or the back of your card.
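The checklist rule above can be applied to voicemail or call transcripts, as in this added example (not Cybrvault's tooling). The keyword patterns and sample transcripts are constructed from the scripts quoted in this guide, and question 6 is passed in as a flag because it cannot be judged from text alone.

```python
import re

# One pattern per checklist question that can be judged from text. The phrases
# are constructed from the scripts quoted in this guide (English transcripts).
SECRETS = r"(code|password|pin|seed phrase|ssn|social security)"
ASKS = r"(read|give|confirm|tell|share)"
FLAGS = {
    "urgency": r"\b(warrant|disconnect\w*|suspended|locked|\d+ (minutes|hours?)|one hour)\b",
    "secret_request": rf"\b{ASKS}\b.*\b{SECRETS}\b|\b{SECRETS}\b.*\b{ASKS}\b",
    "isolation": r"\b(do not|don't) (hang up|tell|discuss)\b|\bstay on the line\b",
    "payment_rail": r"\b(gift cards?|wire|crypto|bitcoin|zelle)\b",
    "install_software": r"\b(install|download|anydesk|teamviewer|screenconnect)\b",
}

# Constructed sample transcripts, modelled on scripts 1 and 7 plus a benign call.
BANK = ("This is the fraud team. We need to verify your identity. "
        "I'm sending a code to your phone right now, please read it back.")
UTILITY = ("Your account is 48 hours past due. Your service will be disconnected "
           "in one hour unless you pay now with gift cards. Do not hang up.")
BENIGN = ("Hi, this is the dental office confirming your appointment on Tuesday. "
          "Call us back if you need to reschedule.")

def score_call(transcript, caller_id_mismatch=False):
    """Return (verdict, sorted red flags) using the one/two-flag rule."""
    # Match per sentence so a request verb and a secret must appear together.
    sentences = [s.strip().lower() for s in re.split(r"[.!?]+", transcript) if s.strip()]
    hits = {name for name, pattern in FLAGS.items()
            for s in sentences if re.search(pattern, s)}
    if caller_id_mismatch:  # checklist question 6: brand on screen, context feels off
        hits.add("caller_id_mismatch")
    if len(hits) >= 2:
        verdict = "vishing"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no red flags"
    return verdict, sorted(hits)

if __name__ == "__main__":
    for name, text in (("bank", BANK), ("utility", UTILITY), ("benign", BENIGN)):
        print(name, score_call(text))
```

Keyword matching of this kind is a triage aid for sorting recordings, and the person on the call still makes the hang-up decision.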

What to do the moment you realize it's a vishing call

  1. **Hang up.** Do not "just hear them out" — every extra second helps the script.
  2. **Do not press any digits.** Even "press 2 to be removed" confirms your number is live, and live numbers get sold to more scammers.
  3. **Block the number** on iPhone (Recents → i → Block Caller) or Android (Recents → long-press → Block/report).
  4. **Report it.** File at reportfraud.ftc.gov and (if impersonation of a company) forward details to the real institution's fraud line.
  5. **Warn the household.** Elderly parents and teens are the top targets — one 60-second conversation prevents most losses.

What to do if you already engaged — the recovery playbook

If you shared a bank OTP / MFA code or banking login

  1. From a different device, log into your bank and change the password immediately.
  2. Call the number on the back of your card — tell them you fell for a vishing call and ask them to lock cards, review recent transactions, and flag the account for elevated fraud monitoring.
  3. Freeze credit at all three bureaus: Experian, Equifax, TransUnion (free, online, 5 minutes each).
  4. Enable transaction alerts on every account.
  5. Change any password reused on other sites — see our passkeys vs passwords guide for a stronger long-term fix.

If you installed AnyDesk / TeamViewer / ScreenConnect at their request

  1. Disconnect the computer from the internet (unplug Ethernet, turn Wi-Fi off).
  2. Uninstall the remote-access tool from Settings → Apps.
  3. From a different device, change every password you had saved in the browser.
  4. Run a full Microsoft Defender Offline Scan — see the Windows 11 hacked recovery guide for the full playbook.
  5. If any business or client data lives on the machine, treat it as an incident and call an IR team before wiping.

If you wired money or bought gift cards

  1. Call your bank within minutes and request a wire recall — success drops sharply after 24 hours.
  2. For gift cards, call the card brand's fraud line (numbers are on the back or on the gift-card carrier). Some brands can freeze unredeemed balances.
  3. File with reportfraud.ftc.gov and your local police (Miami-Dade residents: MDPD Economic Crimes).
  4. Report to IC3.gov — FBI cyber division can sometimes claw back international wires.

How to prevent vishing (for people, families, and businesses)

Personal

  • Let unknown numbers go to voicemail. Real people leave messages.
  • Turn on carrier spam filters: T-Mobile Scam Shield, AT&T ActiveArmor, Verizon Call Filter, Google Pixel Call Screen.
  • Never share MFA codes over the phone. No legitimate company will ever ask.
  • Set a family safe word — a simple word used to verify identity during emergency calls. Kills AI voice cloning cold.
  • Move critical accounts to passkeys or hardware keys so an OTP can't be phoned out of you.

Business

  • Enforce dual approval for any wire transfer above a set threshold — verbal request alone is never sufficient.
  • Verify unusual finance requests through a second channel (Slack DM to a known account, in-person walk-over) — never just call back on the same line.
  • Train front-desk, finance, and IT-help-desk staff quarterly on vishing scripts.
  • Deploy a call-verification tool or dial-back policy for any inbound caller claiming to be a vendor, bank, or executive.
  • Add 24/7 SOC monitoring so a compromised endpoint is caught before the scammer completes the second half of the attack — see Miami 24/7 monitoring.
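The dual-approval and second-channel controls above can be enforced as a release gate in a payment workflow, as in this added example (not Cybrvault's code). The `WireRequest` fields, channel names and threshold value are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 5_000  # assumed policy value; set per organisation

@dataclass
class WireRequest:
    amount: float
    requester: str                      # who the caller or sender claimed to be
    request_channel: str                # e.g. "phone", "email"
    approvers: set = field(default_factory=set)
    verified_via: Optional[str] = None  # channel used to confirm with the requester

def release_blockers(req: WireRequest) -> list:
    """Return the reasons a wire must not be released; an empty list means release."""
    blockers = []
    # The requester never counts toward their own approval.
    independent = req.approvers - {req.requester}
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        blockers.append("needs two approvers other than the requester")
    if req.verified_via is None:
        blockers.append("request not verified with the requester")
    elif req.verified_via == req.request_channel:
        # Calling back on the line the request came in on proves nothing.
        blockers.append("verification used the same channel as the request")
    return blockers

if __name__ == "__main__":
    # Constructed case modelled on script 5: a phoned-in $87,500 "CEO" request.
    call = WireRequest(87_500, "mark", "phone", {"sarah"}, verified_via="phone")
    print(release_blockers(call))
    call.approvers |= {"dana"}          # second, independent approver
    call.verified_via = "in_person"     # walked over and asked
    print(release_blockers(call))
```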

How to report vishing

  • FTC: reportfraud.ftc.gov (best for consumer scams and pattern tracking).
  • FBI IC3: ic3.gov (best when money moved, especially interstate or international).
  • FCC: fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts (for spoofed caller ID / robocall complaints).
  • Your carrier: forward call details to 7726 (SPAM).
  • Florida residents: report to the Florida Attorney General's consumer protection division at myfloridalegal.com.

When to call a professional

Personal vishing losses under a few hundred dollars are painful but usually not worth a paid investigation — file the reports above and rotate credentials. Bring in help immediately if: a business account was drained; a wire above $5,000 left the country; a scammer installed remote-access software on a work computer; the same target is being hit repeatedly (suggests SIM swap or account takeover in progress); or an elderly family member is showing signs of ongoing manipulation. Cybrvault runs vishing incident response for individuals and businesses across Miami-Dade, Broward, and Palm Beach — book a free consultation or see our personal security services for one-on-one help.

Questions teams ask us

What is vishing in simple terms?

Vishing is a phone-based scam where someone pretending to be your bank, the IRS, a tech company, or even a family member tricks you into giving up money, passwords, one-time codes, or remote access to your device. It's phishing delivered by voice call or voicemail instead of email.

What is the difference between phishing, smishing, and vishing?

Phishing is delivered by email, smishing is delivered by text message (SMS/iMessage), and vishing is delivered by phone call or voicemail. All three are social engineering, and modern scams often chain them — for example, a text with a fake support number that leads to a vishing call.

How can I tell if a call is a vishing scam?

Watch for urgency, requests for a code/password/SSN, pressure to stay on the line, requests for payment in gift cards, wires, or crypto, and requests to install remote software. Any one of those is suspicious; two together is a vishing call. Hang up and call the institution back at the official number.

Will my bank or the IRS ever call me for my password or a verification code?

No. Real banks, the IRS, Social Security Administration, Microsoft, Apple, Amazon, and Google will never call to ask for your password, MFA/OTP code, PIN, Social Security number, or crypto seed phrase. Anyone who does is a scammer.

What should I do if I already gave information to a vishing scammer?

Hang up, then from a different device change the passwords on any affected accounts, call the institution using the number on the back of your card, freeze credit at Experian/Equifax/TransUnion, enable transaction alerts, and report the incident at reportfraud.ftc.gov and ic3.gov. If money was wired, call your bank within minutes to request a wire recall.

How do scammers make their caller ID show a real company's number?

They use VoIP services and SIP trunking to set any outbound caller ID they want — a practice called caller ID spoofing. It's illegal under the Truth in Caller ID Act when used for fraud, but it's technically trivial, which is why the number on your screen is never proof of who's calling.

Are AI voice cloning scams the same as vishing?

AI voice cloning scams are a modern subtype of vishing. The delivery is still a phone call, but the attacker's voice is generated from a short audio clip of a real person (a family member, executive, or public figure). Read our [AI voice scams and deepfake phone calls guide](/blog/ai-voice-scams-2026-deepfake-phone-calls) for detection tips and family-safe-word setup.

How do I report a vishing call?

Report to the FTC at reportfraud.ftc.gov, the FBI at ic3.gov (especially if money moved), and forward call details to 7726 (SPAM) with your carrier. Florida residents can also file with the Florida Attorney General's consumer protection division at myfloridalegal.com.
