What It Is, How To Detect and Prevent It

The phone rings and a recording says you owe the IRS back taxes and have to share your credit card number to settle the balance. Or it’s the bank, warning you that your account has been compromised.

These are just two examples of “vishing,” or voice phishing, a popular scam that can take place over a mobile phone or landline. The perpetrator will often pretend to be from a recognizable company or government agency and ask for your credit card, bank account info, Social Security number or other sensitive data.

These attacks are particularly effective because the scammers sound authoritative and urgent. In 2022, victims of vishing scams reported median losses of $1,400, according to the Federal Trade Commission (FTC).

Below, CNBC Select explains how to identify, avoid and recover from vishing attacks.

Vishing scams can target individuals or companies: A September 2023 vishing attack on MGM Resorts International cost the casino approximately $100 million.

As opposed to online scams that use malware, vishing schemes rely on social engineering, or psychological tactics to convince victims to take a certain action.

While phone scams have existed for decades, cybersecurity experts say vishing is on the rise, thanks to technological advances like caller ID spoofing and AI-powered software that can mimic specific human voices.

• Screen your calls carefully. If you don’t recognize a number, let it go to voicemail. Some scammers will “spoof” your caller ID into thinking their call is coming from a nearby location or a reputable source. If you want to reply to a voicemail, seek out an official contact number or email and confirm any information they provided.
• Be suspicious of unsolicited phone calls. If you suspect that a call is a vishing attack, hang up immediately. Don’t answer their questions or press any buttons. Don’t try to confront them since scammers can record your response to gain access to voice-activated menus.
• Don’t share personal data. Never share passwords, log-in names, driver’s license or passport information over the phone. Avoid giving out your Social Security number or other sensitive information over the phone, especially if you didn’t originate the call.
• Get on the National Do Not Call Registry. This free service from the FTC informs marketers that you don’t want unsolicited phone calls. While nefarious callers don’t abide by the registry, signing up means any unknown caller is less likely to be a legitimate business.
• Become an AT&T wireless customer. AT&T and TransUnion have partnered on TruContact Branded Call Display, which enables businesses to display their name and logo when calling AT&T customers. That way subscribers can confirm the number has not been illegally spoofed.

Of course, no one is 100% immune from scammers. There are some steps to foil a vishing attack once it’s started, like setting up multi-factor authentication on sensitive accounts.

Credit monitoring products can also help you spot if your account or identity has been compromised. CreditWise® from Capital One is a free service that alerts users about changes to their credit history on TransUnion and Experian, including new accounts, delinquencies, balances and hard inquiries.

You’ll also be notified about suspicious activity associated with your identity.

A paid service, IdentityForce® UltraSecure+Credit reports changes submitted to all three credit reporting agencies. It also offers advanced information and identity monitoring, fraud alerts and $1 million in identity theft insurance.

• Contact your financial institutions immediately and examine your accounts.
• Place a security freeze on your credit report
• Change your passwords, especially for more sensitive accounts.
• Report any attempted scams to the FTC and FBI.

Catch up on CNBC Select’s in-depth coverage of credit cards, banking and money, and follow us on TikTok, Facebook, Instagram and Twitter to stay up to date.