What is vishing? How scam phone calls work and how to spot them
Vishing is phishing by phone call. Here is how it works, what the most common UK scam scripts look like, and what to do if you receive one.
You answer the phone. The caller says they're from your bank's fraud team, HMRC, Microsoft support, or a courier company. Something is wrong with your account, your tax, or your computer - and you need to act immediately.
This is vishing: phishing delivered by voice call instead of email or text. The name blends "voice" and "phishing", and it works on the same principle as every other phishing attack - impersonate someone you trust, create urgency, and extract money or information before you have time to think.
What is vishing?
Vishing is a social engineering attack in which a scammer calls (or leaves a voicemail) pretending to be from a bank, government department, tech company, or other trusted organisation. The goal is to trick you into:
- Transferring money to a "safe account"
- Sharing online banking login details or one-time passcodes
- Installing remote-access software on your computer
- Paying a fake fine or tax bill over the phone
Unlike smishing or email phishing, there is no link to inspect before you act. The scammer is talking to you in real time, applying pressure, and adapting their script based on your responses. That makes vishing one of the most psychologically effective forms of fraud.
Why phone scams are so effective
Several things work in the scammer's favour:
- Real-time pressure - there is no pause to check a domain or run a URL through a checker. The caller wants an answer now.
- Caller ID can be spoofed - the number on your screen may show your bank's name or a local UK area code even when the call originates elsewhere.
- Authority and fear - "This is the fraud department", "You owe HMRC ยฃ2,400", "Your computer is infected" - these scripts exploit trust and panic.
- You can't verify mid-call easily - the scammer will tell you not to call the number on the back of your card, not to speak to anyone else, and not to hang up. All of that is designed to keep you isolated.
Common vishing scripts in the UK
Bank "safe account" scam
The most dangerous vishing type. A caller claims to be from your bank's fraud team. They say someone is trying to access your account and you need to move your money to a "safe account" they provide - often at a different bank - to protect it.
Your bank will never ask you to transfer money to a safe account over the phone. This is always a scam.
Hang up immediately. Call your bank on the number on the back of your card.
HMRC tax scam
A caller claims to be from HMRC. They say you owe unpaid tax and will be arrested unless you pay immediately - often by bank transfer, gift cards, or cryptocurrency. HMRC does not operate this way. They do not threaten immediate arrest by phone, and they do not demand payment via gift cards.
Tech support scam
A caller claims to be from Microsoft, Apple, or your internet provider. They say your computer has a virus or your broadband has been compromised. They ask you to install remote-access software (TeamViewer, AnyDesk, or similar) so they can "fix" the problem - then access your files, banking apps, or passwords.
Microsoft and Apple do not make unsolicited support calls about viruses on your home computer.
Courier or bank callback scam
You receive a missed call from a number that looks local. When you call back, you're connected to a premium-rate line that charges heavily per minute - or to a scammer who picks up and runs one of the scripts above.
Also watch for "courier" calls claiming a parcel couldn't be delivered and asking for card details to pay a redelivery fee. Legitimate couriers do not operate this way - see how to spot a fake delivery text for the text-message version of this scam.
"Hi Mum" / WhatsApp impersonation
Not always a phone call, but closely related. A message - often on WhatsApp - arrives from an unknown number claiming to be your child or another family member. They've lost their phone, need money urgently, or can't access their bank. The goal is a fast bank transfer before you verify with the real person.
Always call your family member on a number you already have. Never send money based on a message alone.
How to spot a vishing call
No single tell is definitive, but these signals - especially together - are strong warning signs:
- Unsolicited contact - you didn't call them; they called you about a problem you weren't aware of
- Urgency and threats - arrest, account closure, computer destruction, "act in the next 30 minutes"
- Requests to transfer money - especially to a "safe" or "holding" account at a different bank
- Requests for remote access - anyone asking to install software on your computer to "fix" a problem
- Payment by gift cards or crypto - no legitimate government body or bank accepts these
- Instructions not to tell anyone - "Don't call the number on your card", "Don't speak to your branch", "This is confidential"
- Asking for one-time passcodes - your bank sends these to verify you; a caller asking you to read them out is trying to bypass your security
What to do if you receive a vishing call
Hang up. You owe a cold caller nothing. If the call was genuine, the organisation will contact you through official channels or you can reach them yourself.
Call back on a number you trust. Use the number on the back of your bank card, the official HMRC website, or a saved contact - never a number the caller gave you.
Don't install anything. Never install remote-access software at a caller's request, regardless of who they claim to be.
Don't transfer money. No bank, police force, or government department will ask you to move funds to a "safe account" by phone.
Report it. In the UK, report to Action Fraud at actionfraud.police.uk. For HMRC impersonation, also forward details to [email protected]. Your report helps protect others.
What to do if you already transferred money or gave access
Speed matters - call your bank immediately, even if the branch is closed. Most banks have 24-hour fraud lines.
If you transferred money:
- Call your bank's fraud line now - ask them to attempt recovery and flag your account
- Report to Action Fraud at actionfraud.police.uk
- Note exactly what you were told, the account number you sent money to, and when
Recovery is not guaranteed, but acting within hours significantly improves your chances.
If you gave online banking details or passcodes:
- Call your bank immediately - ask them to freeze the account and reset your credentials
- Change your password through the official app or website
- Enable two-factor authentication if it isn't already active
- Check for unauthorised transactions and log out of all sessions
See what to do after clicking a phishing link for detailed recovery steps - the same principles apply even though the attack came by phone rather than a link.
If you installed remote-access software:
- Disconnect the device from the internet immediately
- Uninstall the remote-access software
- Run a full antivirus scan before logging into anything
- Change passwords for any accounts you accessed on that device - banking, email, and anything else sensitive
- Contact your bank if you logged into online banking while the software was active
Vishing vs smishing vs email phishing
| Type | Channel | Example |
|---|---|---|
| Phishing | Fake HMRC refund email with a login link | |
| Smishing | Text message | Fake bank fraud alert with a link |
| Vishing | Phone call | "Move your money to a safe account" |
| Quishing | QR code | Fake parcel QR code in an email |
All four aim to steal money or credentials. The difference is the delivery method - and with vishing, there is no URL to inspect before you act, which makes hanging up and verifying independently the most important defence.
For QR-code attacks, see what is quishing. For text-message attacks, see what is smishing and how to spot a fake bank text.
Frequently asked questions
Q: What is vishing in simple terms?
A: Vishing is phishing by phone call. A scammer pretends to be your bank, HMRC, tech support, or another trusted organisation and tries to pressure you into transferring money, sharing login details, or giving them remote access to your computer.
Q: Can scammers fake my bank's phone number?
A: Yes. Caller ID spoofing is common. The number on your screen may show your bank's name or a familiar area code even when the call is from a scammer. Never trust caller ID alone - hang up and call back on a number you trust.
Q: Will my bank ever call and ask me to transfer money?
A: Never. No UK bank will ask you to move funds to a "safe account" over the phone. If someone does, it is a scam - hang up and call your bank on the number on the back of your card.
Q: What should I do if I think a vishing call might have been real?
A: Hang up anyway and call your bank or the organisation directly using a number you trust - the one on your card, the official website, or a saved contact. If there is a genuine issue, they will confirm it through official channels. Taking two minutes to verify costs nothing; transferring money to a scammer costs everything.
Q: Is the "Hi Mum" WhatsApp message a type of vishing?
A: It's the same principle - impersonation and urgency to extract a fast payment - but delivered by message rather than voice call. The defence is the same: verify independently by calling the person on a number you already have before sending any money.
Not sure about a link?
Paste it below and we will run our checks for you. It only takes a few seconds, and you do not need an account.
๐ฌ Scam Watch โ our free monthly digest on active scams. Subscribe โ