PHONE & VOICE SCAM GUIDE

Phone Call & Voice Scams (Vishing): The Complete Guide (2026)

Every major phone scam in one place: the bank fraud-team "safe account" call, IRS and police arrest threats, fake Microsoft tech support, AI voice clones of your own family, OTP theft, and robocalls. How each one works, the single rule that defeats all of them, and exactly where to report by country.

SB

SafeBrowz Team Security ResearchJune 7, 202612 min read

Why phone scams are getting worse in 2026

Voice fraud is no longer the clumsy robocall of a decade ago. The FBI Internet Crime Complaint Center 2024 Annual Report (published April 2025) logged more than $16 billion in reported internet-enabled crime losses, with impersonation, tech-support, and call-center fraud among the fastest-growing categories. The FTC Consumer Sentinel data for 2024 (February 2025) shows that while text and email start many scams, the phone is where the largest per-victim losses happen, because a live human voice applies pressure no email can.

Two forces made it worse. First, caller ID spoofing is effectively free. The number on your screen is just data the caller sends; spoofing your own bank's published number or a "neighbor" prefix takes seconds. Second, generative voice cloning crossed the consumer threshold. Pindrop and Hiya both reported sharp rises in synthetic-voice and AI-assisted fraud calls through 2024, and a few seconds of audio is now enough to clone a recognizable voice. Truecaller and Hiya estimate billions of unwanted and scam calls placed every month worldwide, and the UK regulator Ofcom continues to report that a large share of adults receive a suspicious call in any given month.

The good news: almost all of it collapses against one behavior, independent verification. The rest of this guide breaks down each call type so you can recognize it the second it starts.

The bank fraud-team "move your money to a safe account" call

This is the single biggest loss driver in phone fraud, and the most convincing. The caller says they are from your bank's fraud department. They already know your name, sometimes your recent transactions, and they call from a number that matches your bank's real published line because it is spoofed. The script: "We have detected fraud on your account. To protect your funds, we need you to move your balance to a new safe account in your name while we secure the old one."

There is no such thing as a safe account. The "safe account" is the criminal's account. UK Finance has tracked this exact pattern, often called authorized push payment fraud, as one of the largest categories of payment loss, precisely because the victim sends the money themselves, so many transfers complete instantly and irreversibly.

What makes it land is the appearance of legitimacy. The caller may tell you to hang up and call the number on your card to "confirm," then keep the line open so you reach the same scammer when you redial. On older landlines a call could be held open for a short time; on mobiles, simply wait a full minute or use a second phone before calling back.

The tells: any request to move money, any "safe account," any instruction to keep the call going while you do something, and any pressure to act before you can think. A real fraud team blocks the card and lets you call back at your own pace. For the full breakdown see our bank phone scam guide.

Government impersonation: IRS, Social Security, police, immigration

These calls run on fear, not on greed. A recorded or live voice claims to be the IRS, the Social Security Administration, your local police, or immigration enforcement. The message is a threat: there is a warrant for your arrest, your Social Security number has been "suspended" over suspicious activity, you owe back taxes that must be paid today, or you will be deported unless you settle a fine immediately.

The payment demand is the giveaway. Real agencies do not collect debts by phone with gift cards, wire transfers, cryptocurrency, or payment apps. The IRS states plainly that it initiates most contact by mail and never demands immediate payment by phone or threatens arrest over the line. The Social Security Administration says it will never suspend your number or call to demand money. There is no government agency that takes Apple, Google Play, or Amazon gift cards as payment.

• "There is a warrant for your arrest" delivered by phone, not by a sheriff at your door.
• "Your Social Security number has been suspended." Numbers are never suspended.
• Demand for payment in gift cards, crypto, wire, or a payment app.
• Instruction to stay on the line and not tell anyone, including your family or your bank.
• A spoofed caller ID showing the agency's real name or number.

Hang up. If you genuinely want to check, look up the agency's number yourself and call it. In the US, the IRS Impersonation hotline is run through the Treasury Inspector General (TIGTA) and consumer complaints go to reportfraud.ftc.gov.

Tech-support callback: fake Microsoft and Apple "your device is infected"

This one often starts on screen, then moves to the phone. A full-page browser popup, sometimes with an alarm sound, warns that your computer is infected and locked, and tells you to call a toll-free "Microsoft" or "Apple" support number immediately. Other times the call comes cold, with a heavily accented "Windows support technician" claiming your machine is sending error reports.

The goal is remote access. They ask you to install a remote-control tool such as a legitimate support app, then use it to "show" you fake infections (the Windows Event Viewer always shows harmless warnings, which they pass off as viruses). From there they either charge a "repair" fee, steal banking logins while connected, or trick you into logging into your bank so they can drain it. Microsoft is explicit: it never includes a phone number in security warnings and never makes unsolicited calls about your PC. Apple says the same about its security alerts.

The tells: a phone number inside a security warning (real ones never have one), an unsolicited call about your computer, and any request to install remote-access software or "stay connected" while you log into anything. The fix is simple: never call a number shown in a popup, and never let a stranger control your screen. Our deeper write-up is in the 2026 scam guide.

AI voice cloning: the family-emergency and CEO-fraud calls

This is the fastest-rising category, and the most emotionally brutal. With a few seconds of audio scraped from a social-media video, voicemail greeting, or podcast, a generative model can produce a convincing clone of a specific person's voice. Pindrop and Hiya both flagged synthetic-voice fraud as a defining 2024-2025 threat.

Two main flavors. The first is the grandparent or family-emergency scam: you get a sobbing call in your grandchild's or child's voice saying they have been in an accident or arrested and need bail money or a lawyer's fee wired right now, "please don't tell Mom." The cloned voice plus panic plus secrecy is the whole trick. The AARP Fraud Watch Network has documented this exact escalation as cloning tools have spread.

The second is CEO or finance fraud: a cloned executive voice calls an employee in finance and authorizes an urgent wire transfer, sometimes backing up an email request. This is a voice-enabled twist on business email compromise, which the FBI IC3 has tracked as one of the most costly fraud categories overall.

The defense is a family safe-word. Agree on a private word or question with your family and close colleagues, something not on any social profile. If an "emergency" call comes in, ask for the safe-word. A clone cannot supply it. Other tells: extreme urgency, a demand for secrecy, a request to wire money or buy gift cards, and a call from an unknown or blocked number when it claims to be someone you know. Hang up and call the real person back on their normal number. See our deep dives on AI voice-cloning vishing and the cloned-voice fake-arrest scam.

OTP and 2FA theft: "read me the 6-digit code we just sent"

A one-time code (OTP) is the last lock on your account. Scammers know it, so the entire script exists to make you read it aloud. The caller poses as your bank, a delivery service, or a marketplace and says they need to "verify your identity" or "confirm it's really you," so they will send a code and you just read it back.

What actually happened: the attacker already has your username and password (from a breach or a phishing page) and is logging in right now. The login triggers a real code to your phone. When you read it out, you hand them the final key, and they take the account, often locking you out. This is also the core move in SIM-swap setups and account-takeover fraud.

• Anyone asking you to read out a code is committing fraud. Codes are for you to type, never to say.
• The message itself often says so, "never share this code with anyone, including bank staff."
• Real verification calls do not need a code you received; they verify other ways.
• Pressure to read it quickly "before it expires" is the tell.

Never read a code to anyone on a call, full stop. If you already did, change the password and lock the account immediately. For how this connects to phone-number takeover, read our SIM-swap attack guide.

Robocalls, press-1, wangiri one-ring, and neighbor spoofing

Some phone scams are about volume, sorting for victims at scale before a human ever gets involved.

• Robocalls and "press 1." An automated voice ("your car warranty is expiring," "to speak to an agent press 1") routes anyone who responds to a live scammer. Pressing any key, or even saying "yes," confirms your number is live and gets you more calls.
• Wangiri (one-ring) callback. Your phone rings once from an unfamiliar, often international, number and hangs up. Curiosity makes you call back, and the number is a premium-rate line that bills you per minute while it stalls you. Never call back a one-ring number you do not recognize.
• Neighbor spoofing. The caller fakes a number with your own area code and prefix so it looks local and familiar. It is the same scam content, just a more clickable disguise.

The blanket rule: do not engage. Do not press a key, do not say "yes," do not call back unknown one-ring numbers. Let unknown calls go to voicemail; real callers leave a message. In the US you can report unwanted and spoofed calls to the FCC. In the UK, forward suspicious texts to 7726 and report scam calls to Action Fraud.

The defenses that actually work

Strip away the variations and the same handful of habits defeat every call above.

• Hang up and call back the official number. Use the number on the back of your card, on a statement, or on the agency's website you typed yourself. Never the number the caller gives you, and never the one shown on caller ID.
• Treat caller ID as meaningless. It is spoofable in seconds. A "verified" bank or agency name on your screen is not verification.
• Never read out a one-time code. Codes are typed by you, never spoken to anyone, including someone claiming to be your bank.
• Agree a family safe-word. The single best defense against voice clones. Pick something private, never posted online.
• Know what real institutions never do. No real bank or government asks you to move money to a "safe account," pay in gift cards or crypto, install remote software, or keep a call secret from family.
• Slow down. Urgency is the weapon. Every legitimate matter survives a five-minute pause and an independent callback.
• Let unknown calls go to voicemail. Genuine callers leave a message; most scammers do not.

If you already gave information or sent money, do not freeze with embarrassment, act fast. Walk through the recovery steps in I got scammed, what to do now, then call your bank's fraud line and your country's reporting authority below.

How to report a scam call, by region

Reporting feels pointless in the moment, but it is how authorities map and shut down scam call centers. Report even if you lost nothing.

• United States: FTC at reportfraud.ftc.gov; FBI Internet Crime Complaint Center at ic3.gov; unwanted and spoofed calls to the FCC; AARP Fraud Watch Network helpline 877-908-3360 for guidance and support.
• United Kingdom: Action Fraud on 0300 123 2040, or online at actionfraud.police.uk; forward scam texts to 7726 (spells "SPAM"). In Scotland, report to Police Scotland on 101.
• Canada: Canadian Anti-Fraud Centre (CAFC) on 1-888-495-8501, or online at antifraudcentre-centreantifraude.ca.
• Australia: Scamwatch, run by the National Anti-Scam Centre, at scamwatch.gov.au.
• India: National Cyber Crime helpline 1930 for financial fraud (report fast, the golden hour matters), and online at cybercrime.gov.in.

If money left your account, call your bank's fraud line first, immediately, then file the report. Fast action gives the best chance of a freeze or recall.

How SafeBrowz blocks this threat

SafeBrowz cannot answer your phone, but most voice scams have a digital tail: a follow-up text with a "secure login" link, a popup with a fake support number, a phishing page where the caller tells you to enter your details. That is where SafeBrowz steps in, with a 3-layer detection engine: Local + APIs + AI.

• Layer 1 - Local detection: 60+ URL patterns plus a 550+ brand-specific signature database (including Cyrillic and Punycode homograph variants) plus community whitelist/blacklist, all running directly in the extension before the page renders. Catches bank, IRS, and tech-support lookalike domains the second a scam text or popup link tries to open one.
• Layer 2 - API checks: aggregates threat-intelligence sources (Google Safe Browsing, PhishTank, URLhaus) plus 30+ scam-TLD heuristics for known malicious domains used in vishing follow-ups.
• Layer 3 - AI deep scan (Premium): content analysis in 100+ languages catches novel variants in seconds, including freshly registered fake-bank and fake-support pages that have not yet reached any blocklist.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Frequently asked questions

How do I know if a phone call is really from my bank?

You cannot tell from the call itself, and you do not need to. Caller ID can be faked to show your bank's real number, and a scammer can know your name and recent transactions. The only reliable check is to hang up and call back the number printed on the back of your card or on your statement. Wait a minute or use another phone first so the original call has fully disconnected. A genuine fraud team is happy for you to call back; a scammer will pressure you to stay on the line.

Will a real bank or the government ever ask me to move money to a safe account?

No. There is no such thing as a safe account, and no legitimate bank or government agency will ever ask you to transfer your money somewhere "for protection." That request is, by itself, proof of fraud. A real bank freezes or blocks the affected card and lets you keep your money where it is. Anyone telling you to move it is trying to move it to themselves.

Why should I never read out a one-time code (OTP)?

A one-time code is the last security check on your account. When someone calls asking you to read one back, they are almost always logging into your account at that moment, which is what triggered the code being sent to you. Reading it aloud hands them the final key and they take over the account. Codes are meant to be typed by you into the app or site, never spoken to anyone, including a caller claiming to be from your bank.

How can I tell if a caller is using an AI voice clone of my family?

You often cannot tell by ear, which is the danger. A few seconds of audio is enough to clone a recognizable voice. The reliable defense is a family safe-word: a private word or question agreed in advance and never posted online. If an emergency call comes from a "relative," ask for the safe-word; a clone cannot supply it. Other warning signs are extreme urgency, a demand for secrecy ("don't tell Mom"), a request to wire money or buy gift cards, and the call coming from an unknown number. Hang up and call the real person back on their normal number.

I pressed a key or said "yes" on a robocall. Is that dangerous?

Pressing a key or answering a question confirms to the system that your number is live and that you engage, which usually means more scam calls, not fewer. It does not, on its own, drain your bank account, so do not panic. The risk comes later if a live scammer then talks you into sharing card details, codes, or payments. Going forward, do not press keys or respond to robocalls; just hang up. If the call led you to share any financial information, treat it as a real incident and contact your bank.

What should I do right after a scam call if I gave them something?

Act fast. If you shared a card number, password, or one-time code, call your bank's fraud line immediately to block the card and lock the account, then change the password and any reused passwords. If you sent money, call the bank at once to attempt a freeze or recall; speed is everything. Then report it: in the US to reportfraud.ftc.gov and ic3.gov, in the UK to Action Fraud on 0300 123 2040, in Canada to the CAFC on 1-888-495-8501, and in India to 1930. Our recovery guide walks through every step in order.