Vishing: voice scams impersonating your bank and the tax authority
Vishing uses calls that look legitimate to steal your money and data. We explain the most common scripts and the golden rules to avoid falling for them.

The phone rings, your bank's name appears on the screen and on the other end a serious voice warns you of a "suspicious transaction" on your account. Everything seems in order, but you have just walked into one of the most effective phone scams there is. Vishing combines social engineering, urgency and impersonation technology to empty accounts in a matter of minutes. In this guide we explain how it works and, above all, how to stop it dead.
What vishing is
The term vishing comes from the combination of "voice" and "phishing". It is a scam carried out over the phone, in which the criminal poses as a trusted entity (your bank, the tax authority, the technical support of a large company, the police or even a relative) to convince you to hand over sensitive information or carry out an operation that benefits the attacker.
Unlike phishing by email or text message, vishing has a psychological advantage: the human voice builds trust and allows the scammer to improvise. The fraudster can answer your questions, feign empathy, ramp up the sense of urgency or put you through to a "supervisor" to add credibility. It is all scripted, but it sounds natural.
Why the number looks legitimate
Many victims let their guard down because "the bank's number showed up" or the area code was domestic. The problem is that the number you see on the screen is not reliable proof of identity.
Through a technique called spoofing (caller ID falsification), scammers manipulate the number that appears on your mobile. They can make it show your bank's real customer service line, a freephone number or even a landline from your own province. Today's telephony technology makes it easy to falsify that detail, so trusting the incoming number is one of the most expensive mistakes you can make.
If you receive a call and you are unsure, you can check who is calling you before taking any step, but remember: a "clean" caller ID guarantees nothing.
The typical scripts you should recognise
Vishing attacks follow repeated patterns. Recognising the script is half the defence.
Impersonating your bank
This is the classic one. The scammer presents themselves as the "security department" or the "anti-fraud department" of your bank and warns you of an unrecognised charge, an access attempt from another country or a transfer that "is about to go out". The aim is to trigger panic so that you act without thinking.
They will then ask you to "verify your identity" or "block the operation" by providing data you should never give out:
- The full PIN of your card.
- The OTP codes or one-time keys that reach you by text message or through the app.
- The login credentials for online banking.
- That you confirm a Bizum or authorise a transfer "to cancel the fraudulent charge".
Here is the catch: any OTP or confirmation you approve during that call actually authorises the scammer's operation. You are signing off on your own robbery.
Impersonating the tax authority
Another very common variant. They call you saying you have an "outstanding debt with the Tax Agency", a "refund that could not be processed" or an "inspection" under way. They pressure you to pay immediately or hand over banking details to "deposit the refund". The tax authority does not work this way: it does not demand urgent payments over the phone or ask for your banking credentials during a call.
Fake technical support
Here the attacker pretends to be from Microsoft, your phone company or a major tech firm. They tell you that your computer "is infected" or that there is a "problem with your contract" and guide you through installing a remote control program. Once inside your machine, they can access your online banking while you watch the screen without understanding what is happening.
The golden rules against vishing
Memorise these guidelines and share them with the older people around you, who are a frequent target:
- A bank will never ask you for your PIN, your full password or an OTP over the phone. No legitimate employee needs that data: they already have access to your account by other means. If someone asks you for it, it is a scam, no exceptions.
- Urgency is the scammer's weapon. "You have to act now or you will lose your money" is a phrase designed to override your judgement. The more they rush you, the more suspicious you should be.
- Hang up and call them yourself. Do not use the number that called you or the one they dictate to you. Dial the official phone number printed on the back of your card or on the entity's official website. That breaks any impersonation.
- Never confirm Bizum payments, transfers or codes you did not initiate yourself. If you are not making a purchase or a payment at that moment, do not approve anything.
- Do not install software or grant remote control to someone who calls you without you having requested it.
You will find more detail in our guide to vishing and in the article on what to do about a suspicious call.
What to do if you think it is vishing
If you become suspicious during the call or afterwards, act calmly but quickly:
- Hang up without giving any data. Do not justify yourself or argue with the caller; simply end the call.
- Verify through the official channel. Call your bank on the number on the back of your card and ask whether there really is any issue. Almost always there is not.
- If you already provided data or approved an operation, contact your bank immediately to block cards and accounts, and change your online banking login credentials.
- Review your transactions over the following days carefully.
- Report the incident to the National Police or the Guardia Civil. Keep the date, the time and the number you were called from.
- Ask for free help. The Spanish National Cybersecurity Institute (INCIBE) runs the 017 Cybersecurity Helpline, available to answer questions and guide you if you have been the victim of fraud. The call is free and confidential.
Turn information into collective protection
Every number a scammer reuses leaves a trail. When someone shares that a particular phone impersonated a bank or the tax authority, they warn whoever receives that same call afterwards. That is where your experience helps the whole community.
If you have received a suspicious call, check the number and report the case on NoCall: browse our spam number directory to see whether other people have already reported it and leave your warning to protect others. Together we make vishing less and less profitable.
Received a suspicious call?
Look up the number in NoCall before sharing data, calling back, or clicking any link.
Search a phone number or a company name (Telstra, Telstra and Optus...) to check if it has been reported as spam.
