What is vishing and how to spot voice scams

Phone scams work because a real voice can feel more convincing than a message on a screen. When someone sounds calm, confident, and official, it is easy to believe the call is real — especially if they claim there is a problem with your bank account, Apple ID, a delivery, or taxes.

That is what vishing is. It is a scam that uses phone calls or voicemails to pressure you into sharing sensitive information, reading out a verification code, sending money, or giving someone access to your accounts or device.

This guide explains what vishing usually sounds like, the warning signs to watch for, and what to do if a call does not feel right.

What vishing calls usually sound like

Not every scam call sounds dramatic right away. Some start small with a missed call, a short voicemail, or a quick check to see if you’ll answer. If you do pick up a vishing call, here’s what it often feels like when it happens:

  • Mentioning unexpected problems or prizes: Vishing calls often start with a surprise, like a “suspicious charge” you haven’t seen yet, a refund you weren’t expecting, or even a vague voicemail asking you to call back urgently. Responding or calling back can signal that your number is active, which can lead to more scam calls.
  • Rushing you to act: If someone is pushing you to act right away — saying your account is blocked or your money is at risk — they’re usually trying to stop you from thinking things through. Real organizations give you time to sort things out instead of rushing you.
  • Asking for private details: A bank or a service you trust will never ask you to say your password, your PIN, or a security code over the phone. If someone does, they’re trying to get into your account.
  • Asking you to do something out of the ordinary: You might be asked to move money, download an app, or call a number they give you instead of one you trust. These are things a real company would never ask you to do over the phone.
  • Not wanting you to hang up: Scammers often try to keep you talking. They might tell you not to hang up or call the company directly. A real representative won’t mind if you take the time to check things properly.
  • Knowing a few things about you: A caller might already know your name, address, or where you shop, but a lot of this information is easy to find or buy online. It’s not proof that the caller is who they say they are.

How vishing scams usually play out

Most vishing calls don’t start with anything obviously suspicious. They usually begin with a call from someone claiming to be from a bank, a service provider, or a government agency. The call introduces a problem — for example, money is at risk or there’s a problem with a service — and it can sound genuine.

At first, it feels like a normal customer service call. The caller may sound calm and helpful, walking through what seems like a standard process. Then the tone shifts, and there’s pressure to act quickly — for example, reading back a security code, downloading an app, or making a payment to resolve the issue.

In some cases, the caller already has access to basic personal details, such as a name or address, which makes the call feel more legitimate. The situation itself can vary — it might be described as a suspicious bank charge, a problem with an internet service, or an issue with taxes or legal records.

These calls are often made to look and sound familiar. The number that shows on the phone screen may be “spoofed” to match a real company, hiding the scammer’s real number. Some calls are automated at first, then passed to a real person, and in some cases, voices are AI-generated to sound like a recognizable public figure.

If the caller gets the information they’re asking for, the impact can build quickly. It might start with access to an account, like your Apple ID, or a password reset, then lead to sensitive data being exposed and, in some cases, money being moved between accounts.

In some situations, software downloaded as “support” tools stays on a device and allows the scam caller to access it after the call has ended. That access can let them see what you’re doing in real time — opening emails, logging into accounts, or managing your files — and in some cases, use that access to capture passwords or move further into your accounts.

Real-world examples of vishing attacks

Here are a few examples of how vishing scams show up in real situations:

AI voice clone scam targeting Italian business leaders

In 2025, scammers used AI to mimic the voice of Italy’s defense minister, Guido Crosetto. They contacted prominent business leaders and claimed urgent funds were needed to help free kidnapped Italian journalists. Massimo Moratti reportedly transferred almost €1 million before the scam was uncovered.

Social engineering in the 2023 MGM Resorts cyberattack

In 2023, attackers used social engineering against MGM Resorts, helping trigger a cyberattack that disrupted services including digital room keys, reservations, and other hotel systems.

CRA impersonation scam in Canada

Scammers have repeatedly impersonated the Canada Revenue Agency and pressured people to make immediate payments by claiming they owe taxes. Scam calls may use spoofed numbers and threatening language to make the contact seem real and urgent.

Smishing vs vishing and how these attacks work together

Smishing and vishing are closely related — both aim to build trust just long enough to get personal details or convince someone to act.

Smishing uses text messages or messaging apps to send fake alerts, links, or phone numbers. These messages are usually short and urgent, warning about suspicious activity, delivery issues, or security problems.

Vishing uses phone calls or voicemails to build trust through conversation. That direct contact can create a different kind of pressure. When a caller sounds calm and confident, it’s easier to go along with what they’re saying — especially if they claim to be calling from a bank or a familiar company.

Many scams use both methods together. A common pattern starts with a scam text telling the recipient to call a phone number rather than click a link.

Once the call begins, the scammer tries to keep the conversation moving long enough to ask for information or get access that shouldn’t be shared, like a login code or permission to enter an account.

Moving from a text to a call can make the situation feel more like a real support process, which makes the warning signs easier to miss.

Spear vishing and targeted voice attacks

Spear vishing is a more targeted version of vishing. Instead of calling people at random, the scammer focuses on one person and uses the details they found beforehand to make the call feel familiar.

That might include mentioning a colleague, a recent project, or information pulled from a professional profile or company website — small details that make the call sound convincing.

At work, this often involves someone posing as IT or finance. Because they sound like they belong, it’s easier to go along with a request to share a password or approve a payment without stopping to question it.

How to reduce your risk

Staying safe from vishing calls means slowing things down and paying attention to what feels off.

A few habits can make these calls less effective:

  • Don’t share passwords or verification codes over the phone.
  • Pause if a caller tries to rush or worry you.
  • Hang up and contact the company using a number you trust.
  • Avoid installing software during a call.
  • Let family members and coworkers know what to watch out for.

What to do if you get a suspicious call

Don’t share any information during a suspicious call. If a caller asks for sensitive details like your PIN, password, or a one-time verification code, treat that as a serious warning sign. Scammers specifically ask for verification codes to break into accounts.

It’s perfectly fine to hang up the moment you feel uncomfortable. You don’t owe the caller an explanation, and putting the phone down gives you the space to think clearly without pressure.

If you want to check if the call was real, reach out to the company yourself. You can find their phone number on their website, in their app, or on a recent paper statement. Don’t rely on the number that showed up on your screen or any callback numbers left in a message, because caller ID can be spoofed.

It’s best not to follow any directions the caller gives you, like downloading a new app or clicking a link they sent. These can give someone access to your device or accounts, and may allow apps to make unexpected connections in the background — something a firewall can help you keep an eye on.

If you’re ever in doubt, it’s okay to pause. You can always talk it over with someone you trust. Taking that extra minute to check is often enough to avoid any problems.

What to do if you already shared information

If you shared information with a suspicious caller, start by securing your main accounts. Change your passwords, especially for email, banking, and accounts like your Apple ID or Google account.

Let your bank and phone provider know what happened. They can add extra identity verification so only you can make changes or move money, pause payments, or watch for unusual activity.

If you let the caller view your screen or control your device, turn those permissions off and delete any software they asked you to download. If you use a Mac, a tool like Intego’s antivirus can help check for and remove anything that shouldn’t be there.

Finally, keep an eye on your accounts over the next few days or weeks. Watch for unusual logins, password reset attempts, or transactions you don’t recognize. If anything stands out, contact your bank or service provider so you can secure the account right away.

Staying one step ahead of vishing calls

Vishing calls work because they lean on human trust and a sense of urgency — things that aren’t always easy for a security tool to spot. Scammers are now using a mix of phone calls, messages, and emails together, which makes it easier for them to convince people to take specific actions.

By keeping a few simple habits in mind — like not sharing personal information over the phone — it’s much easier to stop, check what’s happening, and handle the situation safely.

Frequently asked questions about vishing

What does the term “vishing” mean in cybersecurity?

Vishing is short for “voice phishing.” It describes a scam where a scammer calls or leaves a voicemail pretending to be someone they aren’t, hoping to get a person to share things like passwords or bank details.

How is vishing different from phishing or smishing?

Phishing usually happens through email, smishing arrives as a text or a chat message, and vishing happens over the phone — either through a direct call or recorded voicemail.

What are common signs of a vishing scam call?

Vishing calls create a sense of urgency or concern, then start asking for details like passwords, bank logins, or verification codes.

Callers may also try to keep the conversation going or get defensive if you suggest hanging up and calling the company back yourself.

How do scammers trick people during vishing attacks?

Scammers pretend to represent a well-known company, using a calm, confident tone to make it seem like something needs attention.

By guiding the conversation, they make the call feel routine enough that sharing details or approving a payment doesn’t seem unusual at that moment.

They may also mention small details they’ve found online or in public records, which helps the call feel more believable.

Can vishing target both personal and business phones?

Yes. On a personal number, the person on the other end may claim to be from a bank, a tech support desk, or a government office.

At work, these callers often focus on people who handle payments, manage accounts, or have access to internal systems. They might pretend to be an executive or someone from IT to make any requests feel routine.

What should I do if I accidentally give information to a vishing caller?

If you’ve shared details on a fraudulent call, start by updating passwords for any accounts that might be affected, then let your bank or employer know so they can watch for unusual activity.

It’s also worth checking your statements over the next few days to see if anything unfamiliar appears.

How can I report a vishing attempt to authorities?

Start by notifying your mobile provider or a local consumer protection office. Many countries also have a dedicated service for reporting fraud, such as the Federal Trade Commission (FTC) in the US.

If the caller claimed to represent a bank or government department, those organizations usually have a way to report suspicious calls as well.

What are the best ways to protect yourself from vishing?

A simple way to reduce the risk is to avoid sharing sensitive information over the phone. If something doesn’t feel right, it’s best to hang up and contact the company directly using the number on their official website.

Can caller ID or spoofing protection stop vishing?

Caller ID filters can reduce unwanted calls, but they’re not always reliable on their own. Numbers can be changed or made to look familiar, making a call seem more trustworthy. Don’t rely on the name or number on your screen — if something feels off, hang up and contact the company directly using a trusted number.

About Kamso Oguejiofor-Abugu

Kamso specializes in researching and writing about cybersecurity, digital privacy, and tech products. With a degree in mechanical engineering and a strong passion for technology, he brings a thoughtful, analytical approach to his work. Outside of work, you’ll likely find him on the basketball court, shooting hoops.