Vishing: The Phone Call Scam That Empties Bank Accounts
Vishing is a voice-call scam where criminals impersonate your bank to steal credentials and money. Learn the red flags and how to respond.
Last Updated: February 2026
Key Takeaways:
- Vishing (voice phishing) uses phone calls to impersonate your bank, police, or trusted organisations
- Your bank will never ask you to move money to a "safe account" — this is always fraud
- Caller ID can be spoofed: a call showing your bank's number may not be from your bank
- If in doubt, hang up and call back on the number printed on your card — from a different device if possible
- Never share OTPs, full card numbers, or passwords with an inbound caller
What Is Vishing?
Vishing — a blend of "voice" and "phishing" — is a fraud technique where criminals call you by phone and impersonate a trusted organisation. The most common impersonations are your bank, your card provider, the police, or a fraud investigation team.
Unlike phishing emails, vishing is real-time. There is a human (or increasingly, a sophisticated automated voice system) on the other end of the call. That real-time interaction creates urgency, allows the criminal to respond to your questions, and makes it significantly harder to take a step back and think critically.
Vishing is now one of the most financially damaging fraud types in many countries. The "authorised push payment" scams it generates — where victims are convinced to transfer their own money — often result in complete loss of funds.
How a Vishing Call Typically Unfolds
Understanding the script helps you recognise it in real time.
Stage 1: The hook You receive a call from someone claiming to be from your bank's fraud department, the police, or a payment provider. They tell you something has gone wrong — a fraudulent transaction, suspicious activity on your account, or an "internal fraud" investigation involving your bank.
Stage 2: Establishing credibility The caller may:
- Know your full name and address
- Quote your partial account number or card details
- Reference a recent legitimate transaction
- Provide a "badge number" or "case reference"
- Remain calm, professional, and reassuring throughout
None of this proves they are who they say they are. This information comes from data breaches, prior social engineering, or previous phishing.
Stage 3: Creating urgency You are told the situation is urgent and time-sensitive. Your account is at risk. The police need to act now. Every minute counts.
Urgency is a feature, not a bug. It prevents you from pausing to think, consulting a family member, or independently verifying the caller.
Stage 4: The ask The criminal needs you to take an action that benefits them. Common asks:
- "Transfer your funds to a safe account" — the "safe account" belongs to the criminal
- "Read me the OTP your bank just sent you" — they are using your password to log in and need your 2FA code to complete the takeover
- "Install software so we can investigate your device" — remote access software that gives them control of your computer
- "Withdraw cash and hand it to our officer" — the "officer" is a criminal courier ("money mule")
- "Visit your branch and withdraw your savings" — they provide a script for what to tell the bank
Stage 5: Suppression Many vishing calls include an instruction to keep the matter "confidential" — do not tell your family, do not tell branch staff, do not tell police. This is specifically designed to prevent you getting a second opinion.
How to Tell It's a Scam: Red Flags
| What the caller says/does | Why it's a red flag |
|---|---|
| "Move your money to a safe account" | No bank does this. Your existing bank account is the safe account. |
| "Don't tell anyone — this is a confidential investigation" | Legitimate investigations do not require your silence from your own family |
| "Stay on the line while you call your bank" | They remain connected; a fake "bank representative" will answer |
| Provides a phone number to verify their identity | Call the number on your card instead; never use their number |
| Pressures you to act immediately | Urgency is a manipulation technique |
| Asks for OTP / security code | No bank representative will ever ask for this |
| Asks you to install software | This is always a social engineering attack |
| Claims your bank is compromised and you must move funds | A genuine fraud team would freeze your account, not ask you to empty it |
The Spoofed Number Problem
One of the most unsettling features of vishing is that criminals can make your caller ID display your bank's genuine phone number. This is called caller ID spoofing, and it is technically straightforward.
What this means for you:
- Seeing your bank's official number on your screen is not evidence that the call is from your bank
- Your bank's genuine outbound calls will appear the same way as a spoofed call
- The only way to verify the call is from your bank is to end it and call back
What to Do If You Receive a Suspicious Call
- It's okay to hang up. Tell the caller you will verify with your bank directly and call back. A genuine caller will understand.
- Use a different device to call back if possible. On some telephone networks, the original line can remain connected after you "hang up" — the criminal stays on and a fake representative answers when you call back on the same device.
- Use the number on your card or your bank's official website. Not a number the caller provided.
- Ask your bank if they recently called you. If they have no record of the call, you were targeted.
- Do not call back a number left in a voicemail from a suspicious caller.
If You Have Already Transferred Money or Shared Information
Speed is critical.
- Call your bank immediately on the number on your card
- Tell them: "I believe I have been the victim of an authorised push payment scam" — use this language; it triggers specific fraud response processes at most banks
- Ask them to contact the receiving bank and attempt to recall the funds — this works best when done within hours
- Change your online banking password from a clean device
- Report to authorities: UK: Action Fraud 0300 123 2040 | US: FTC reportfraud.ftc.gov
- Document everything: What was said, when, approximate caller ID shown
Payment Fraud Incident Response: A Step-by-Step Guide How to Dispute a Fraudulent Bank Charge: A Step-by-Step Guide
Protecting Vulnerable People Around You
Vishing disproportionately targets older adults — not because they are less intelligent, but because they may be more accustomed to trusting telephone-based authority and less familiar with how fraud works in this form.
If you have older relatives:
- Have a conversation about bank impersonation scams — use specific examples
- Establish a "family code word" that a genuine caller would know — not a public piece of information
- Encourage them to call you before acting on any unexpected banking call
- Consider whether their bank offers "safe pass" or "voice security" systems
Frequently Asked Questions
Q: My bank's number appeared on my phone when I was called. Doesn't that prove it's my bank? A: No. Caller ID spoofing allows criminals to display any number they choose. The displayed number is not evidence of the caller's identity. Always verify by calling back yourself, using the number on your card.
Q: The caller knew my account details. Isn't that proof they're from my bank? A: No. Account details — partial card numbers, account numbers, addresses — are obtainable through data breaches, previous phishing, and social engineering. Knowledge of this information is not proof of identity.
Q: I gave the caller my OTP before I realised it was a scam. What should I do? A: Call your bank immediately — this is a live account takeover attempt. Change your password from a clean device. The criminal will be trying to access your account right now.
Q: What if I'm not sure whether a call was genuine? A: Hang up politely. Call your bank back on the number on your card, using a different phone if possible. This is the only way to be certain. A genuine bank will not mind; they will have a record of contacting you if the call was real.
Q: Why don't banks stop spoofed calls? A: Caller ID spoofing is a telecommunications-level problem that banks have limited control over. Many banks and telecoms providers are working on technical solutions (such as STIR/SHAKEN authentication in North America), but it remains a widespread issue. The consumer defence is verification, not prevention.
Internal Links
- Social Engineering & Banking Scams: How to Spot and Stop Them — Social Engineering Guide
- Smishing: How to Spot a Fake Bank Text Message — Smishing: Text Message Scams
- Social Engineering & Banking Scams: How to Spot and Stop Them — Bank Impersonation Scams
- Bank Phishing Emails: How to Spot a Fake and What to Do — Phishing Emails
- Payment Fraud Incident Response: A Step-by-Step Guide — Incident Response Guide
- Consumer Fraud Response Checklist: Card or Account Compromised — Consumer Response Checklist
Last Updated: February 2026 | If you think you are being scammed, hang up and call your bank on the number on your card. Educational purposes only.
Need Professional ATM Security Support?
ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions across 30+ countries.