For a vishing attack, the initial information can come from the dark web. This information is oftentimes some time of data dump from a database breach. Usually you can get information such as name/email/address/phone that is not encrypted. You can use this information to search for social media forums posts where the victim often provides other personal information. It is this combination of information that can be used to make a call with enough compelling information to establish trust with the victim