The one rule banks follow that scammers do not

If you remember nothing else from this article, remember this one sentence. Real banks do not call you to ask for your password, your PIN, or your two-factor code. Not ever. Not "for verification." Not "to stop a fraudulent charge." If a call asks for any of those three things, it is a scam. Period. Hang up.

This is published policy at every major US, UK, Canadian, and Australian bank - printed on the back of your debit card and repeated in every annual security mailing. Real banks already know your account exists. They hold or block a suspicious charge first and message you about it through the app afterward, not through a live cold call. Anyone asking you to "read me the code we just texted you" is a scammer. That code is the second factor on your account; giving it away is the same as handing over your password.

The 4 vishing patterns active in 2026

Different scripts, same goal. These are the four versions making the rounds this year.

1. The fake fraud-department call

"This is the fraud department at your bank. We noticed a $487 charge in Miami. Was that you?" You say no. The voice sounds relieved. "Good, we will reverse it. To secure your account I need the code we just texted you." That text really did arrive - because the scammer triggered a password reset on your account using your phone number. The code is the reset code. If you read it out, they are now inside your account.

2. Caller-ID spoof of your actual bank's number

Caller ID says "Chase" or "Bank of America" with the real customer-service number you have called before. That feels like proof. It is not. Caller ID can be set to any number through cheap internet calling services, and your phone cannot tell the difference. The number on the screen is meaningless on an incoming call.

3. AI voice-cloned family member emergency

"Grandma, it is me. I had an accident and I am at the police station. Please do not tell mom. I need bail money." The voice sounds exactly like your grandchild. Tools like Microsoft VALL-E and ElevenLabs clone a voice from about 3 seconds of audio - and almost every family member has 3 seconds of audio on Instagram, TikTok, or YouTube. The FTC issued a formal voice-clone scam advisory in March 2024 warning about this pattern.

4. The tech-support voice variant

"This is Microsoft technical support. We have detected a virus on your computer." Or "This is Apple. Your iCloud has been compromised." The caller talks you into installing remote-access software (AnyDesk, TeamViewer), then watches you log in to your bank and harvests the credentials. Real Microsoft, Apple, and Google never call customers.

Why caller ID is now useless

Most people grew up trusting caller ID. It used to be reliable because the phone network was a closed system run by the telephone company. That world is over. Modern internet phone services (SIP and VoIP) let any provider set the "from" number on an outgoing call to anything they want. Scammers buy bulk calling accounts, set the displayed number to your bank's published 1-800 line, and the call arrives looking authentic. Even your own bank's main number can be spoofed.

The US has a partial fix called STIR/SHAKEN - protocols that let carriers cryptographically sign that an outgoing call really comes from the number it claims. The FCC required major carriers to deploy STIR/SHAKEN by mid-2021, and large carriers now sign a majority of US-originated calls. But signing rates drop steeply for calls originating overseas, calls routed through small VoIP resellers, and calls placed from older equipment. In 2026 a substantial share of incoming calls still arrive with no verified signature, and most phones do not show the signature status clearly to the user. Practical takeaway: do not trust the number on the screen. Treat every unexpected incoming call the same way regardless of what caller ID says.
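For readers who want to see what the signature status looks like on the wire, here is an added example (not part of the original article) of how a receiving system might triage a call from the signed token STIR/SHAKEN attaches to it, the PASSporT carried in the SIP Identity header. It goes slightly beyond the text by reading the attestation level (A, B or C) defined by the SHAKEN framework. The function names, the 60-second freshness window and all sample values are assumptions of the example, and it reads claims only, without verifying the signature.

```python
import base64
import json

MAX_AGE_SECONDS = 60  # freshness window assumed for this example


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into Python data."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def triage_call(from_tn, identity_header, now):
    """Classify a call from its displayed number and SIP Identity header."""
    # Claims only: the ES256 signature and certificate chain are NOT verified
    # here; a real verification service must check both before trusting this.
    if not identity_header:
        return "unsigned"
    token = identity_header.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
        ppt = header["ppt"]
        orig_tn = claims["orig"]["tn"]
        issued_at = int(claims["iat"])
        attest = claims["attest"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if ppt != "shaken" or attest not in ("A", "B", "C"):
        return "malformed"
    if orig_tn != from_tn:
        return "number-mismatch"  # token was issued for a different caller
    if abs(now - issued_at) > MAX_AGE_SECONDS:
        return "stale"            # old token, possibly replayed
    return "attest-" + attest


def make_sample_identity(orig_tn, attest, iat):
    """Build a constructed Identity header with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "constructed-example-id"}
    return enc(header) + "." + enc(claims) + ".c2lnbmF0dXJl;ppt=shaken"
```

A call with no Identity header comes back as "unsigned", which is the case the paragraph above describes for many overseas and reseller-routed calls. Only an "attest-A" result means the originating carrier vouched for the caller's right to use that number.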

The AI voice clone era

Until about 2022, voice cloning required hours of clean studio audio and a research team. That barrier is gone. Microsoft published VALL-E, a model that produces a convincing clone from 3 seconds of source audio. ElevenLabs offers commercial voice cloning at consumer prices. Open-source alternatives can run on a laptop. Anyone who has posted a video on Instagram, TikTok, YouTube, or a family WhatsApp group has provided enough source material for an attacker.

This is not theoretical. In February 2024 a finance employee at the British engineering firm Arup, working out of Hong Kong, was tricked into wiring about $25 million after attending a video conference call in which the company's UK-based CFO and several colleagues appeared and spoke - all deepfaked. The employee was the only real person on the call. Hong Kong police confirmed the details in a public press conference shortly afterward, and the case is documented in CNN, Reuters, and the South China Morning Post.

The voice-clone family emergency scam works the same way at much smaller dollar amounts - $500 here, $2,000 there - across thousands of victims. The FTC's March 2024 advisory specifically flagged it as the fastest-growing AI-enabled fraud against consumers.

The "hang up and call back" rule

This is the single habit that defeats every vishing variant. The script is short.

  1. Hang up. You do not owe a stranger on the phone politeness, an explanation, or another minute. Just hang up. Real bank fraud lines will not be offended.
  2. Find the real number yourself. Flip your debit card over and read the number printed on the back. Or open your bank's app. Or type the bank's domain into your browser by hand (chase.com, not a link someone sent you) and find the customer-service number on the site.
  3. Call that number. If there really was a problem on your account, the real bank can see it on their screen and will pick up where the conversation left off. If there was no real problem, you have just confirmed the original call was a scam.

Why this works: a scammer cannot intercept your outbound call to a number you looked up yourself. Caller ID spoofing only works on incoming calls. The moment you dial out, you are talking to whoever actually owns that phone number - which, in the case of your bank's published line, is your bank.

Real bank policies that scammers cannot replicate

Beyond the no-password rule, banks operate in ways a scammer cannot fake on a cold call.

  • Real fraud teams use case numbers you can see in your app. If a fraud agent says "we are investigating case 88421," you should be able to open the bank app and see that case under Messages or Alerts. A case that does not exist in the app does not exist.
  • Real banks never ask you to "move your money to a safe account." This is the most reliable single tell of a scam. Your money is already safe at the bank. There is no parallel "safe account." This script is run by criminals because it is the fastest way to extract a wire.
  • Real banks block or hold suspicious charges first, then notify you. They do not call you in real time to ask permission. If a transaction looks fraudulent, it is paused on their side and you find out through the app or a follow-up text from a short code, not through a live phone call.
  • Real banks never need your full password, PIN, or one-time code. Their agents authenticate you with partial details they already have (last four of SSN, address on file) plus your callback to a verified number.

If you already gave info or sent money

Speed matters more than anything else in the next hour.

  1. Within 30 minutes. Call your bank using the number on the back of your card. Ask for the fraud team. Freeze every card on the account. If you wired money, ask whether the wire can still be recalled - same-day domestic wires are sometimes reversible if you act before the cutoff window. International wires are usually not.
  2. Within 2 hours. Change every password the scammer might have heard or recorded. If they had remote access to your computer, also change your email password from a different device and turn on two-factor everywhere.
  3. Within 24 hours. File a written dispute through your bank's official channel. In the US, debit card fraud is covered under Regulation E - you have up to 60 days from the statement date to dispute unauthorized electronic transfers, and the bank is required to investigate. Credit card fraud is covered under the Fair Credit Billing Act with similar windows.
  4. Within 48 hours. File a report at reportfraud.ftc.gov and the FBI's IC3 at ic3.gov. UK victims report through Action Fraud. Australian victims report through Scamwatch. These reports feed law-enforcement priority lists and sometimes lead to recovery of frozen funds.
  5. Within 1 week. Place a free fraud alert on your credit file at any one of the three US bureaus (Equifax, Experian, TransUnion). The other two are notified automatically. If you gave your SSN, also consider a credit freeze, which is free as well and stops new accounts being opened in your name.

Family voice-clone scams - the safeword defense

The voice on the phone sounds exactly like your son, your daughter, your grandchild. They are crying. They say they have been in an accident, or arrested, or kidnapped, and they need money right now. In the panic of that moment your brain does not stop to test whether the voice is real. You act.

The single most effective defense, recommended directly in the FTC's March 2024 voice-clone advisory, costs nothing and works against every current cloning model.

Agree a family safeword in advance. Pick a word together at a holiday dinner - something random and specific that you would never put on social media. A childhood nickname, a vacation town, a pet's middle name. From now on, if anyone in the family calls in an emergency asking for money, the rule is they have to say the safeword first. If "your grandchild" calls and cannot produce the safeword, it is not your grandchild. Hang up and call them on their real phone.

AI voice cloning copies how someone sounds. It cannot copy what someone knows. A safeword turns the call from a voice test (which AI now wins) into a knowledge test (which AI still loses).

Where browser security fits in

Most vishing defense is phone behavior - hang up, look up, call back, safeword. Browser security does not block a phone call. But many vishing scripts end with the caller telling you to "go to a website to verify your account" or "download our security tool from this link." That handoff to the web is where a browser-layer scanner catches them. SafeBrowz is a free Chrome, Firefox, and Edge extension that recognizes bank-impersonation pages, fake Microsoft support pages, and fake remote-access download pages before they load. If a vishing call sends you to a URL, SafeBrowz blocks the landing page.

As a phone-side defense, install a call-blocking app such as Hiya, Truecaller, or Robokiller. They will not catch every spoofed number but they filter out a meaningful share of known scam-call patterns, especially the high-volume robocall variants.

Frequently asked questions

The caller ID showed my bank's real number. How can that be a scam?

Caller ID on an incoming call can be set to any number by the originating service. It is essentially a label, not proof. SIP and VoIP services let scammers display your bank's published number, your local police number, or any other number they choose. The only reliable way to confirm you are talking to your bank is to hang up and dial the number on the back of your card yourself.

The voice sounded exactly like my son. I am sure it was him.

It probably sounded exactly like him. Modern AI voice tools can clone a convincing version of any voice from about 3 seconds of audio, and almost every family has more than 3 seconds of their child's voice on social media. Voice recognition is no longer a reliable identity check. A pre-agreed family safeword is. Hang up, call your son on his real number, and confirm.

The fraud agent said there was a charge in another state. Was the charge real?

Almost certainly not. The "fraudulent charge" is the lure, designed to make you panic and cooperate. Real banks already block or hold suspicious charges automatically and notify you through the app or a short-code text, not through a live cold call. If you want to check, hang up and open your bank app - if a charge is really pending, you will see it there.

Should I press 1 to talk to a representative when the robocall asks?

No. Pressing any button confirms your phone number is active and answered by a real person, which puts you on a higher-value list for future scam calls. Just hang up. If a robocall claims to be from your bank or the IRS, dial the official number yourself to check.

The caller asked me to move my money to a "safe account." Is that ever legitimate?

No. This is the single most reliable indicator of a scam. Real banks never ask you to move your own money to a different account for safekeeping. Your money is already safe where it is. If a charge is fraudulent, the bank pauses or reverses the charge - they do not need to move your balance.

I already gave the caller my one-time code. What do I do now?

Move fast. Call your bank on the number on the back of your card right now and tell them you may have been phished. Ask them to lock all cards, freeze online access, and reset every credential on the account. Then change your email password from a different device and turn on two-factor authentication everywhere. File a Reg E dispute in writing for any transactions that posted. The 60-day Reg E window protects US debit card holders against unauthorized electronic transfers.

Bottom line: Your bank will never call you to ask for your password, your PIN, or your one-time code. The scammer always will. Caller ID is no longer proof of who is calling. AI can clone any voice from 3 seconds of audio. The two habits that defend you cost nothing - hang up and call back on a number you look up yourself, and agree a family safeword in advance for emergency calls. Add a call-blocking app on your phone and a browser-layer scanner like SafeBrowz for the web pages a scammer might send you to next.