Vishing is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements: they involve automated voice simulation technology, for instance, or the scammer may use personal information about the victim harvested from earlier cyberattacks to put them at ease.
No matter what technology is used, the setup for the attack follows a familiar social engineering script: An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we’re more likely to trust a human voice and may target the elderly and technophobic who are naive and have no experience with these types of scams.
Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced just like it’s spelled, which is to say like the word “fish” — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
Vishing is, essentially, phishing via phone calls. Just as phishing is considered a subset of spam, so vishing is an outgrowth of VoIP spam, also known as spam over telephony, or SPIT. The term “vishing” itself has been around since the late ’00s.
“Smishing” is a similar type of attack that uses text messages instead of emails or voice calls; the word is a portmanteau of “SMS” and “phishing.” For more on smishing, check out our explainer on the subject.
Almost all vishing attacks have a few things in common. The phone calls are initially placed via voice over IP (VoIP) services, which makes it easier for the vishers to automate some or all of the process and more difficult for victims or law enforcement to trace the calls. And the attackers’ ultimate goal is to profit from you in some way, either by harvesting bank account information or other personal details they can use to access your accounts, or by tricking you into paying them directly.
But within the universe of vishing scams, there are a wide range of techniques and strategies. They run the gamut from largely automated “shotgun” attacks targeting many potential victims in hopes of a few bites to laser-focused scams that take aim at a specific high-value target.
Perhaps the most widespread form of vishing begins with so-called “wardialing”: that is, hundreds or thousands of automated calls to hundreds or thousands of numbers. The potential victim (or their voicemail) will get a recording meant to scare or trick them into initiating a phone call back to the scammers themselves. Often the vishers will claim to be from the IRS or some other government agency, or from a bank or credit union. The wardialing may focus on a specific area code and use a local institution’s name in the hope of finding actual customers.
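The wardialing pattern described above leaves a recognisable trace in call records: one source placing many short calls to distinct numbers clustered in a single area code. The following is an added example (not code from the article or from CSO) that scores constructed call-detail records against that pattern; the record format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample call-detail records (not real data): timestamp, caller, callee, duration in seconds.
# Caller +15550001111 blasts six short calls into area code 212; +15550002222 makes two ordinary calls.
SAMPLE_CDR = """\
2024-03-01T09:00:01 +15550001111 +12125550101 4
2024-03-01T09:00:03 +15550001111 +12125550102 5
2024-03-01T09:00:05 +15550001111 +12125550103 3
2024-03-01T09:00:07 +15550001111 +12125550104 4
2024-03-01T09:00:09 +15550001111 +12125550105 6
2024-03-01T09:00:11 +15550001111 +12125550106 4
2024-03-01T09:15:00 +15550002222 +13105550107 240
2024-03-01T09:20:00 +15550002222 +12125550108 180
"""

CDR_RE = re.compile(r"^(\S+)\s+(\+\d+)\s+(\+\d+)\s+(\d+)$")


def parse_cdr(text):
    """Parse the assumed whitespace-separated CDR format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            ts, src, dst, dur = m.groups()
            records.append((ts, src, dst, int(dur)))
    return records


def area_code(number):
    # North American numbering: +1 NPA NXX XXXX, so the area code (NPA) follows the "+1".
    return number[2:5] if number.startswith("+1") else None


def flag_wardialing(records, min_targets=5, max_avg_seconds=10, min_area_share=0.8):
    """Return {caller: summary} for callers that look like automated wardialing:
    many distinct callees, very short average call (a recording or voicemail drop),
    and callees concentrated in one area code, as the article describes."""
    by_src = defaultdict(list)
    for _, src, dst, dur in records:
        by_src[src].append((dst, dur))
    flagged = {}
    for src, calls in by_src.items():
        if len({dst for dst, _ in calls}) < min_targets:
            continue
        avg = sum(dur for _, dur in calls) / len(calls)
        codes = defaultdict(int)
        for dst, _ in calls:
            codes[area_code(dst)] += 1
        top_code, top_n = max(codes.items(), key=lambda kv: kv[1])
        share = top_n / len(calls)
        if avg <= max_avg_seconds and share >= min_area_share:
            flagged[src] = {"calls": len(calls), "avg_seconds": avg,
                            "area_code": top_code, "area_share": share}
    return flagged
```

Tune the thresholds to your own traffic baseline; a legitimate outbound call centre also places many calls, but its average durations will not collapse to a few seconds.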
A variation on this technique involves using popup windows on your computer, often planted by malware, to simulate a warning from your OS about some technical problem. The victim is told they need to call “Microsoft Support” or something similar and given a phone number. This puts them on the line with the visher, who may end up using a combination of real and automated voice responses during the conversation. Again, the goal here is to get the most return out of little effort.
