“Vishing”: phoney, phoney phone calls

Last update: 29/09/2022

With fraud on the rise (especially online), protecting your bank info is more important than ever. Fraudulent schemes can be done via email, SMS and even by telephone. This article explains how phone scams work and how to recognize them.

Let's imagine for a moment that you receive a phone call from someone who claims to be an employee of your bank and tells you your credit card has been unexpectedly deactivated and you must urgently confirm your card details to reactivate it. They ask for your card's expiry date and the card verification code (CVC), information that your bank would never ask for.

These types of calls are known as "vishing". They're more common than we think, and we must be prepared to recognize them so a third party won't get hold of our bank info.

What is vishing?

Vishing is a telephone scam in which criminals claim to be a person, a bank, an energy or gas company, or any other organization that would have a reason to contact you. Their aim is to steal personal or bank information or even to convince people to transfer money to scammers.

What differentiates vishing from phishing (via email) and smishing (via SMS) is its communications method (e.g. the telephone). It is a portmanteau that combines "voice" and "phishing".

Introducing Santander’s Safe-Tea

How does vishing work?

Social engineering is what vishing scammers (or "vishers") use to get their victims to provide information or transfer money. It involves manipulative and persuasive techniques. The three most common in banking are:

Direct call. The visher makes the call pretending to be an employee of the bank. Before making the call, they have likely learned the victim's phone company, streaming platform or other services usually paid by credit or debit card to sound more convincing and carry out the scam. In fact, sometimes victims can even post compromising info or their buying behaviour on social media. Therefore, the victim can be convinced more easily to provide the information the visher wants.
Double call. This is a more elaborate method but persuades victims even more. A recorded message (usually by a robot) informs the victim of an apparent problem (such as unauthorized access to their digital banking app) and gives them a phone number to call and resolve it. The scam occurs when the victim calls and gives their log-in details or other requested info.
Various techniques combined. Criminals also often use additional methods to vishing . They might "smish" (or text) their victim with a telephone number that appears to be from their bank but which they actually control.

How can we protect ourselves from vishing?

A very easy way to avoid vishing is to be alert and informed and to take some simple precautions, such as not sharing your personal or financial info and security codes.

Banks already know your name, ID and your cards or products, so they will never ask you for that information. If someone calls you requesting it, do not give it to them. Tell your bank on a reliable customer service channel and alert the cybersecurity managers.

Scammers try to get your attention with promotions or conditions that are too good to be true in order to convince you to give them info for fear of missing out on an opportunity. You could be asked to give them your bank account to deposit the money from a prize draw you have not entered.

Vishers can use any information that will help them launch their attack over the phone. If you are in a public space, never let anyone see your passwords or share images with your ID, phone number, bank card and other personal information on your social media.

Some smartphones alert you that an incoming call could be a scam or suspicious. The first step to reducing risk is not answering them, especially if they come from countries that you have no ties to.

If you want to learn more about vishing, read this article (in Spanish) on the Tu Futuro Próximo website (a blog by Santander Consumer España).