Vishing: protect your personal information

Vishing identity theft and advice from Iberdrola

Internet Informatics Cybersecurity

The digital technologies we use on a daily basis have become a breeding ground for new forms of scams and frauds. One of these is vishing, a type of deception via a phone call. Find out what it involves, what types exist and how to avoid data spoofing.

Cybercriminals use a wide variety of excuses to capture the attention of users and redirect them to fraudulent websites.

Impersonation scams through telematic means such as vishing are nothing new. These scams have been around for years, but they are always controversial again when they attempt to impersonate a major organisation or when they enable massive theft of money or data. They are dangerous because getting rid of the attackers is not that easy, but how do cybercriminals execute vishing, and how can we avoid falling victim to this scam?

What is vishing?

The term vishing comes from the combination of the words "voice" and "phishing" and consists of social engineering to commit fraud via telephone. It is a type of phishing. In this type of scam, the offender impersonates a real person or company (usually banks or utility companies) and requests personal information, usually bank details, from the victim.

Cybercriminals use a wide variety of excuses to capture the attention of users and redirect them to fraudulent websites that pretend to be legitimate: lottery prizes, urgent updates, unexpected deliveries that should be collected as soon as possible, payment notifications, the bank asking users to change their passwords...

In one of the most common cases, a person calls us on the phone pretending to be our telephone operator and warns us of a rate increase. Then, we receive a second call from someone offering us a cheaper recommended tariff in order to obtain sensitive information, such as account number or ID number.

Types of vishing

The call may be made from a hidden, unknown number or under an assumed identity of a company or organisation. These are some of the most common types of vishing:

 Financial institution.

Criminals pose as representatives or employees of a bank or financial institution. They usually call the potential victim to tell them that they have a serious problem with their account or that a fraudulent operation is being carried out with their card. Sometimes, fraudsters provide apparently real data in order to generate confidence in the user. 

To fix the issue, the attackers ask the victim for sensitive information such as card details or unique passwords received for access. With this information, they can make purchases or transfers to other accounts. Therefore, unique passwords should never be provided, as the bank never asks for them.

 Computer technician and support.

The scammers pose as support technicians from technology companies. Under the pretext of cleaning the computer of viruses, they request the payment of a sum of money via a platform that stores the victim's bank details. Sometimes they also take control of the supposedly infected computer to steal data, operate under the customer's identity or install malware or malicious software. In this case, it is recommended not to access any unknown platform or application to make payments.

 Telephone company.

Criminals call to communicate a rate increase, an error in the bill and ask for the customer's bank details in order to manage the error or make the refund. It is important not to provide the information requested in the call, as the company would already have all the necessary information to process the call.


The attackers call the potential victim to inform them that they have won a prize. To receive it, the victim is asked to provide personal and banking information in order to steal personal data and carry out fraudulent movements or transactions.

 Taxes or debts.

In this case, fraudsters pose as agents of the tax office and call people to warn them about alleged tax or debt defaults. They ask for imminent payments.

 Family members at risk or in danger.

In this type of vishing, criminals pose as family members in risky, emergency or troubled situations, telling a fictitious story to the potential victim with the information they have about the victim. The objective is to obtain money by taking advantage of their concern.

 A person interested in buying something online.

If a user sells second-hand goods via an app or online platform, fraudsters can pose as interested potential buyers. In this type of vishing, they try to obtain full bank details with the excuse of making payment more efficient and faster. The important thing is not to provide bank details by any means.

Vishing scam process

  • Icon

    The offender makes a preliminary study of potential victims in order to obtain information that will help him to carry out the deception.

  • Icon

    The attacker calls the victim and, when the victim answers, impersonates an employee of an organisation or entity, such as a bank.

  • Icon

    The offender uses the information he has gathered to build trust in the victim.

  • Icon

    The attacker asks the victim for sensitive financial information such as passwords or credit card details.

  • Icon

    The user who has been scammed hands over or completes his confidential information.

  • Icon

    The offender now has the victim's information with which to carry out unauthorised transactions.


 SEE INFOGRAPHIC: Vishing scam process [PDF]

Tips to avoid being a victim of vishing

All users are at risk of falling victim to this type of telephone fraud. The first step is not to answer, ignore or hang up on any call asking for personal or financial information. However, distinguishing a vishing call from a non-vishing call can be tricky. Here are some steps you can take to avoid being scammed:

  • The golden rule is to never give out personal or banking information over the phone.
  • It is important to be wary of calls from unknown numbers and even to block or ignore them.
  • In addition, we must verify the identity of the person making the call. If it is a company with which we have contracted certain services, we can ask for the full name of the person we are talking to and then contact the company to verify the information.
  • It is worth remembering that entities such as banks or large companies never call to ask for confidential data.
  • If you have received a call telling you something negative and then you receive another call offering you a related benefit that is too good, be wary. Block both numbers, find out what data there may be about you online and exercise your rights of access, rectification, cancellation or opposition.
  • Do not access any unknown platform or application to make payments.

How Iberdrola protects you

We are committed to the security of our customers. Iberdrola will never ask you for sensitive information or confidential data via SMS, WhatsApp or a call on your mobile phone. In the event that we request any type of personal information, we will contact you beforehand to inform you what data we will ask you for. 

In addition, on the occasion of corporate events such as the General Shareholders' Meeting, we offer cybersecurity tips to help shareholders better protect their devices and information.

We also use SecurityScorecard's CVE platform to track the security status of our suppliers' equipment to ensure that it meets the minimum requirements in the field of cybersecurity. At the same time, individuals can check the status of their devices, such as electricity meters and remote metering or telecontrol equipment (at company level), among others.