The IT Law Wiki


A variation on "phishing," dubbed vishing or voice phishing, is:

a scheme in which identity thieves use Voice Over Internet Protocol (VoIP) technology to spoof the telephone call systems of financial institutions and request that callers provide their account information. Vishing is possible because VoIP technology allows for caller ID spoofing, which enables the visher to act anonymously.

[s]oliciting private information from customers or members of a business, bank or other organization in an attempt to fool them into divulging confidential personal and financial information. People are lured into sharing user names, passwords, account information or credit card numbers, usually by an official-looking message in an email or a pop-up advertisement that urges them to act immediately — but in a vishing scam, they are urged to call the phone number provided rather than clicking on a link.[1]

the use of voice technology (landline phones, mobile phones, voice email, etc) to trick individuals into revealing sensitive financial or personal information to unauthorised entities, usually to facilitate fraud.[2]


Another type of vishing is when the criminal sends a spoofed e-mail, disguised to appear as if it comes from a legitimate business or institution, which invites the recipient to call a telephone number. The victim feels safer in doing so since they are not required to go to a website where they would transmit their personal information. When calling the provided telephone number, the victim reaches an automated attendant that prompts the victim to enter personal information such as an account number, password or other information for alleged “security verification” purposes.

Vishing poses a particular problem for two reasons. First, criminals can take advantage of cheap, anonymous Internet calling available by using VoIP, which also allows the criminal to use simple software to set up a professional-sounding automated customer service line, such as the ones used in most large firms. Second, unlike many phishing attacks, where the legitimate organization would not use email to request personal information from account holders, vishing actually emulates a typical bank protocol in which banks encourage clients to call and authenticate information.