A vishing attack (voice phishing) is a phone-based scam where cybercriminals call victims while impersonating banks, government agencies, or tech support companies to trick them into revealing sensitive information — account numbers, OTPs, PINs, or passwords. Vishing is distinct from smishing (SMS phishing) in that it uses live or automated voice calls rather than text messages. In India, vishing is one of the most common methods behind online banking fraud and OTP fraud.
What Is a Vishing Attack?
Vishing (voice + phishing) uses voice calls to deceive targets. The attacker poses as a trusted entity — a bank representative, an IT support agent, an income tax officer, or a police officer — to create fear, urgency, or false trust. Once the target is manipulated, they hand over the information the attacker needs to drain bank accounts, take over accounts, or commit identity fraud.
Vishing is closely related to caller ID spoofing, where the attacker uses VoIP technology to make their number appear to be a bank or government number on the victim’s screen.
Types of Vishing Attacks
1. Robocalls
Automated systems dial hundreds of numbers per day, playing pre-recorded messages that claim urgent action is needed — a suspended bank account, a tax notice, or an unpaid fine. AI-powered bots continue the conversation if the victim responds, collecting personal details without human involvement.
2. Caller ID Spoofing
Using VoIP technology, attackers make their call appear to originate from a trusted number — your bank, UIDAI, the Income Tax Department, or even India’s cybercrime helpline. This makes the call appear legitimate on your screen.
3. Voicemail Phishing
Attackers leave urgent voicemail messages — claiming your account has been compromised or you face arrest — and ask you to call back a specific number. That callback number connects directly to the fraudster’s operation center.
4. SMS-to-Call Phishing
A fake SMS text message asks you to call a specific number for urgent account support. This is often the first step of a two-stage vishing attack, where the SMS creates the setup and the call delivers the fraud.
5. Tech Support Scams
A pop-up or alert appears on your computer claiming your device has a virus and providing a “support number” to call. The caller then installs remote access software to take control of your device. This is also called a screen sharing scam.
6. Deepfake Voice Calls
AI deepfake technology can now clone the voice of a politician, CEO, or family member. Attackers use cloned voices to call victims and request urgent fund transfers; the victims comply because they believe they are speaking to a person they trust. This is an emerging vishing variant used in CEO fraud attacks on businesses.
How to Identify a Vishing Scam
Watch for these red flags during any phone call:
- An unexpected call from someone claiming to represent a bank, government department, or tech company
- A request for your OTP, PIN, password, Aadhaar number, or credit card details
- Claims that your account has been compromised, suspended, or that you face legal action
- Urgent demands: “You must act now or your account will be closed within 30 minutes”
- Instructions to transfer money via UPI, gift cards, or cryptocurrency to “secure” your account
- A request to click a link, download an app, or share your screen
- The caller becomes aggressive or threatens arrest if you refuse to comply
- The caller ID number looks unusual or unfamiliar even though the caller claims to represent a known institution
Important: If you spot any of these signals, hang up immediately. Call your bank or the institution directly using the number on their official website — never the number provided by the caller.
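The red flags above can also be checked automatically, for example over transcribed voicemails or call reports submitted to a fraud desk. The following is an added example, not part of the original article: the keyword patterns, category names, and verdict thresholds are illustrative assumptions, and the transcripts are constructed. It skips sentences where a genuine advisory says it will never ask for an OTP or PIN, so those do not raise a false alarm.

```python
import re

# One pattern per red flag from the list above. The keyword sets and the
# verdict thresholds are illustrative assumptions, not a vetted ruleset.
RULES = {
    "credential_request": r"\b(otp|pin|password|aadhaar|cvv|card (number|details))\b",
    "account_threat": r"\b(compromised|suspended|legal action|arrest(ed)?)\b",
    "urgency": r"\b(act now|immediately|within \d+ (minutes?|hours?))\b",
    "unusual_payment": r"\b(upi|gift cards?|crypto(currency)?)\b",
    "remote_access": r"\b(share your screen|download (the|this|an) app|click (the|this|a) link)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}
# Genuine advisories say "we will never ask for your OTP"; skip such sentences.
NEGATED = re.compile(r"\b(never|do not|don't|will not)\b", re.IGNORECASE)
# Categories where the caller asks the victim to hand over or do something.
REQUESTS = {"credential_request", "unusual_payment", "remote_access"}

def red_flags(transcript):
    """Return the red-flag categories found in the transcript, in rule order."""
    sentences = re.split(r"(?<=[.!?])\s+", transcript.strip())
    found = []
    for name, rx in COMPILED.items():
        for sentence in sentences:
            negated = name in REQUESTS and NEGATED.search(sentence)
            if rx.search(sentence) and not negated:
                found.append(name)
                break
    return found

def verdict(transcript):
    """Any request category, or two or more flags of any kind, is treated as vishing."""
    flags = red_flags(transcript)
    if REQUESTS & set(flags) or len(flags) >= 2:
        return "likely_vishing"
    return "suspicious" if flags else "no_flags"

# Constructed sample transcripts (not real calls).
SAMPLES = [
    "This is your bank security team. Your account has been suspended. "
    "Share the OTP sent to your phone within 30 minutes or it will be closed.",
    "Reminder from your bank: we will never ask for your OTP or PIN over a call.",
    "Your parcel is delayed. Please respond immediately.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(verdict(text), red_flags(text))
```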
How to Protect Yourself from Vishing Attacks
Never Share Sensitive Information Over the Phone
No legitimate bank, government agency, or company will ever ask for your OTP, PIN, full card number, or password over a phone call. This is a universal rule. If any caller requests this information, it is a scam.
Enable Two-Factor Authentication
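Enable two-factor authentication (2FA) on all accounts. Even if a visher obtains your password, they cannot access the account without the second factor. This protection holds only if you never read an OTP out to a caller, because the OTP is itself one of the things vishing calls are designed to extract.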
Verify Every Unknown Number
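Use a caller ID app (such as Truecaller) to check any unknown number before calling back. Cross-reference phone numbers on official websites before returning calls that request sensitive action. Because caller ID can be spoofed, a familiar number on your screen does not by itself prove that the call is genuine.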
Let Unknown Calls Go to Voicemail
If a call looks suspicious, let it go to voicemail. A genuine institution will leave a verifiable message. A fraudster typically will not.
Register on the Do Not Call Registry
Register your number on the National Do Not Disturb Registry (DND) by calling 1909 or visiting the TRAI portal. While it does not block all vishing calls, it reduces the volume of unsolicited calls significantly.
Follow Strong Cyber Hygiene
Review your cyber hygiene best practices regularly. Use unique passwords for each account and do not reuse credentials that may have appeared in a data breach.
Where to Report a Vishing Attack in India
- Online: cybercrime.gov.in
- Helpline: Call 1930 — the National Cyber Crime Financial Helpline for immediate response to financial fraud.
- Local police: File an FIR at your nearest cyber crime police station.
If you have already lost money to a vishing scam, report it within 24 hours to maximize the chance of a freeze on the fraudulent transaction. For an investigation into the attack or help with recovering funds, contact a cyber expert in India.


