Social engineering on the phone.
Vishing is phishing over the phone — and it's still remarkably effective because people trust voices more than emails. Learn the tells.
People have been trained to be suspicious of emails. Phones? Not so much. A well-delivered phone call from a confident stranger claiming to be your vendor, your bank, or your own IT department still gets past most defenses. Vishing is one of the oldest attacks in the book and still one of the most effective.
Why phone scams still work
Voices feel real. Urgency feels urgent. Authority feels unambiguous. When someone calling themselves "Microsoft Security" says your computer is compromised and they need you to install something immediately, many people comply — not because they're gullible, but because the human brain treats live social interaction differently from a written message.
The common scripts
“A caller claiming to be from your bank's fraud department asking you to confirm your account number and a one-time code.”
Red flag: A real bank will never ask you to read back a one-time code. That code exists so you can prove who you are to the bank, never the other way round. Genuine fraud alerts arrive in your banking app, or the bank asks you to call back on the number printed on your card.
“A caller from "IT" saying your password expired and they need to verify it to reset you.”
Red flag: A legitimate IT department never needs your password; they can reset it without knowing it. Hang up and call IT yourself using a number you already have.
“A caller claiming to be from the IRS, threatening arrest unless you pay immediately via gift cards.”
Red flag: The IRS initiates contact by mail, not by phone. Gift cards are never a legal form of tax payment. It's 100% a scam.
The defensive habits
- When in doubt, hang up. Legitimate callers will understand.
- Call back on a number you already have, not the one they gave you.
- Never give passwords, MFA codes, or SSNs over the phone to an inbound caller.
- Assume anyone creating urgency on the phone is running a script.
- For business-critical callers (vendors, banks, IT), keep their real numbers saved.
Run a vishing drill.
We simulate phone scams against our clients' teams. Ten minutes of training after a simulated call prevents years of reality. Ask us.
1. Train your team: inbound callers asking for passwords, codes, or remote access = hang up.
2. Keep real phone numbers for your bank, vendors, and IT posted where staff can see them.
3. Make it explicit company policy that it is always OK to hang up and call back.
4. Report every vishing attempt. They cluster, and one report can protect the rest of the team.
5. Include vishing in your annual security awareness training.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.