Breachroad

'Your bank is calling' — vishing and caller-ID spoofing

A call from the bank's number, a calm 'consultant' and a supposed break-in on your account. We break down the fake-bank-employee scam and how to stop it.

Karol Rapacz
1 June 2026 · 6 min read

Your phone rings. On the screen — the number of your bank’s hotline. A friendly “consultant” informs you that an unauthorised transaction attempt has been detected and your funds “need securing”. This is vishing — voice phishing — and one of the most dangerous scams, because it plays out live, under pressure, with the criminal in full control of the narrative.

Caller-ID spoofing: why your bank shows up

Just like with SMS, the calling number can be faked. The criminal arranges for your phone to display the real number of a bank, the police or the prosecutor’s office. This is the strongest social-engineering element — we see a known number and trust it automatically. That’s why the number on the screen is not proof of the caller’s identity.

The recurring scenarios

  • The “bank employee” — “we’ve detected a break-in; to save your money, transfer it to a technical / safe account”. The “technical” account belongs to the criminal.
  • The “police / CBŚP officer” — “you’re taking part in an operation to catch a dishonest bank employee; please cooperate and keep it confidential”. The secrecy cuts the victim off from the loved ones who might snap them out of it.
  • Installing a “security app” — in reality a remote-access tool that hands the screen and banking to the fraudster.

The common denominator: pressure, secrecy and haste. The criminal gives no time to think and keeps the victim on the line so they can’t verify the story.

The rules that defuse vishing

  • A bank never asks you to transfer money to a “safe account”, for your full password or card PIN, or to install a remote-access app. Ever.
  • Hang up and call back on the number from the back of your card or the bank’s official site — typed in manually, not “call back” from your call history. A real bank will understand.
  • No genuine institution requires secrecy from your family. A request for discretion is an alarm signal.

What to do in practice

If you get such a call: don’t share any details, end the conversation and call the bank yourself. Don’t install anything at the caller’s instruction. If you’ve already shared details or installed an app — immediately disconnect the device from the network, call the bank from another phone and block access.

In organisations, it’s worth training finance teams on second-channel verification for any unusual phone instruction — the same discipline that protects against phishing. Spoofing technology is cheap and available; the only effective defence is a habit: don’t trust the displayed number, call back yourself.

Want to see how your finance team would react to such a call? We run controlled social engineering tests and training; get in touch.

Sources and further reading: CERT Polska, Niebezpiecznik, CSIRT KNF.
