Is This Phone Call a Scam? Vishing Red Flags & What to Do

Sarah Mitchell

Consumer Protection Editor · Atlanta, GA, USA · Editor since 2019

B.A. Journalism · NCL Fraud-Awareness Program

Focus: Romance, government impersonation, Medicare, and lottery schemes.

Sarah Mitchell leads consumer protection coverage at ScamReporting.org, focusing on romance fraud, government impersonation, Medicare robocalls, and lottery and inheritance schemes. Before joining the editorial team in 2019, she spent eight years working with state-level consumer advocacy programs and now…

Our editorial standards

If a phone call pressures you to pay, share a code, or “verify” personal information — pause. Voice phishing (“vishing”) accounts for roughly half of all U.S. fraud losses by dollar amount. This guide is the phone-call companion to our “>text-message phishing guides: how to spot the red flags in seconds, the seven most-reported patterns, and what to do if you already said yes.

The 30-second vishing check

Before you give any information on an unexpected call, run this four-step check.

1. Did they call you, or did you call them? If they called you, treat every claim with skepticism — caller ID spoofing is trivial and free. Look up the official number for the company or agency yourself and call back from your phone, not theirs.
2. Is there urgency or threat? “Arrest warrant,” “account suspended in 30 minutes,” “your grandson is in jail” — urgency is the single most reliable scam tell. Real banks, the IRS, the SSA, and law enforcement never demand same-call payment or threaten arrest for unpaid taxes over the phone.
3. What payment method are they asking for? Gift cards, cryptocurrency, wire transfer to an unknown account, or “purchasing protection codes” are always scam payments. No legitimate U.S. agency or business takes these as payment.
4. Are they asking you to keep it secret? “Don’t tell your bank teller why you’re withdrawing” or “don’t discuss this with family” is a confirmed scam tell. Real institutions encourage you to verify with others.

Seven phone scam patterns Americans report most

1. SSA / IRS “you owe back taxes, arrest warrant pending”

A spoofed call claiming to be from the Social Security Administration or Internal Revenue Service threatens arrest, asset seizure, or “suspended SSN” unless you pay immediately, usually in gift cards or crypto. The IRS only initiates contact by mail. The SSA does not call people to suspend SSNs because SSNs are not suspended. See our “>Medicare phone scam guide.

3. Bank fraud department “Zelle reversal”

A spoofed call from “your bank’s fraud team” reports a suspicious Zelle or wire transfer and walks you through “reversing” it — which is really a fresh transfer to the scammer. Real banks never ask you to Zelle yourself to fix a fraud. See our “>tech support guide.

5. Grandparent / family emergency (now with AI voice cloning)

A frantic call claims a grandchild is in jail, hurt, or stranded. Bail or hospital bills must be wired immediately, and the caller insists on secrecy (“don’t tell mom”). AI voice cloning now reproduces the relative’s voice from 30 seconds of social-media audio. Always hang up and call the family member back on a known number. See our “>lottery scam guide.

Caller ID spoofing: why “but it says it’s my bank” is meaningless

The number displayed on your phone screen is information the caller chose to send. There is no verification. Anyone with a $10/month VoIP account can display any number they want — including your bank’s, the IRS’s, or even your own phone number. Treat caller ID as a label, not as proof.

The only way to verify a call is to hang up and call back using a number you found independently — on the back of your card, on a recent bill, or on the official website. Never call back the number that called you and never use a number the caller gives you.

The “don’t say yes” rule (and why it’s only partially true)

You may have heard the advice not to say “yes” on unknown calls because scammers will record it and use it to authorize fraudulent charges. The threat is real but narrower than the viral claim. A recording of “yes” by itself is rarely enough to actually authorize a charge — banks and merchants require more (card details, knowledge-based questions, biometric voice match for some accounts).

Still, the safe practice is to answer with a neutral “Hello?” or “Who is this?” rather than “Yes, this is Sarah.” Better defenses than the “don’t say yes” rule:

• Don’t share knowledge-based info (mother’s maiden name, last four of SSN, date of birth) on inbound calls.
• Don’t read codes aloud — one-time passwords, debit-card PINs, or “security codes” should never be spoken to a caller.
• Don’t agree to “stay on the line” while you go to the bank, the store to buy gift cards, or another room “for security.” Staying on the line is a tactic to isolate you from people who would talk you out of it.

Robocall tells vs. live-agent tells

Robocall tells

• Long initial silence after you say “hello” — the auto-dialer is connecting an agent or a recording.
• Generic openings like “This is an important call regarding your account.”
• Press 1 / press 2 to speak with an agent — pressing only confirms your number is live and sells you to a higher-tier scam list.
• Synthetic or slightly off-cadence voice — especially common in IRS, SSA, and tech-support robocalls.

Live-agent tells

• The agent gives a name and a “badge / employee number” — theater designed to project authority.
• Background sounds of a call center — doesn’t mean it’s legitimate; scam call centers exist too.
• You’re transferred between agents — “let me put my supervisor on” is a confidence ladder, not real escalation.
• They refuse to let you hang up and call back. This is the single strongest live-agent scam tell.

How to report scam calls

1. Hang up first. Do not press any buttons, do not say “yes,” do not reply to the offer.
2. Report to the FTC at reportfraud.ftc.gov for any scam call (lost money or not). For Do-Not-Call list violations, also use donotcall.gov.
3. Report to your carrier. Verizon (Call Filter), AT&T (ActiveArmor), T-Mobile (Scam Shield) all let you report scam numbers in their app to improve filters network-wide.
4. Report SSA impersonation at oig.ssa.gov/report. Report IRS impersonation to TIGTA at tigta.gov.
5. Submit details on ScamReporting.org via our “>Scammer Lookup tool used by other readers.

What to do if you already gave information or money

1. If you gave a credit / debit card number: call the card issuer (number on the back of the card) to flag fraud and replace the card. Do not call back the scammer’s “support number.”
2. If you gave a bank login or one-time code: call your bank using the number on the card. Ask them to lock the account, reset online banking, and review pending transfers.
3. If you gave your Social Security number: follow our “>”can I get my money back?” guide for the realistic odds by payment method.
4. If a tech-support scammer got remote access: disconnect from the internet, change every password from a different device, run a full malware scan, and contact your bank in case banking sessions were captured.
5. If the call exposed you to a “family emergency” scam: verify the relative is safe by calling them back on a known number. Most of these scams are total fabrications; the family member is fine.