What is Vishing?
Vishing, short for voice phishing, is a social engineering attack conducted over the phone. Attackers call targets and impersonate trusted entities - IT support, executives, banks, government agencies - to manipulate them into revealing sensitive information, granting system access, or authorizing financial transactions.
How Vishing Works
A vishing attack typically begins with reconnaissance. The attacker identifies the target, researches their role and organization, and builds a pretext - a believable cover story for the call. They may spoof the caller ID to display a trusted number, clone a voice using AI, or reference internal details to establish credibility. The call creates urgency (a security incident, an audit, an executive request) and pressures the target into acting before they can verify the request.
Why Vishing Matters
Vishing attacks surged 1,600% between 2023 and 2025 according to CrowdStrike. The Scattered Spider group - teenagers and young adults in the US and UK - used vishing to breach MGM Resorts, Caesars Entertainment, and over a dozen other major corporations by simply calling help desks and impersonating employees. AI voice cloning now allows attackers to replicate any voice from a few seconds of audio, making vishing attacks nearly indistinguishable from legitimate calls. In one documented case, deepfake voice cloning was used to authorize a $25 million wire transfer at engineering firm Arup.
How to Protect Against Vishing
- Run voice phishing simulations that test employee response to realistic phone attacks
- Establish verbal verification protocols for sensitive requests (callback procedures, codewords)
- Monitor employee exposure for data attackers use to build vishing pretexts
- Train employees on the specific tactics used in vishing (urgency, authority, fear)
- Never rely solely on caller ID for verification - it can be spoofed
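A help-desk gate for the callback and codeword checks listed above, as an added example that is not part of the original page. The directory entries, phone numbers, action names and field names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: the only trusted source for callback numbers.
DIRECTORY = {
    "e1001": {"name": "A. Rivera", "phone_on_record": "+12025550100"},
    "e1002": {"name": "J. Chen", "phone_on_record": "+12025550101"},
}

# Hypothetical action names for requests that need verification.
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "wire_transfer"}

@dataclass
class PhoneRequest:
    claimed_employee_id: str
    action: str
    inbound_caller_id: str                 # logged only; spoofable, never trusted
    callback_number_dialed: Optional[str] = None  # number the agent called back
    callback_answered: bool = False
    codeword_ok: bool = False
    caller_urged_skip: bool = False        # caller pushed to bypass verification

def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'deny' or 'escalate'."""
    record = DIRECTORY.get(req.claimed_employee_id)
    if record is None:
        return "deny", ["claimed identity not in directory"]
    if req.action not in SENSITIVE_ACTIONS:
        return "allow", ["non-sensitive request"]
    reasons = []
    # inbound_caller_id is deliberately ignored here: a matching caller ID
    # proves nothing. Only a callback placed to the number on record counts.
    if req.callback_number_dialed != record["phone_on_record"]:
        reasons.append("no callback to the number on record")
    elif not req.callback_answered:
        reasons.append("callback not answered")
    if not req.codeword_ok:
        reasons.append("codeword not confirmed")
    if req.caller_urged_skip:
        reasons.append("caller pressured agent to skip verification")
    if not reasons:
        return "allow", ["callback and codeword verified"]
    # Pressure to skip checks goes to the security team even if checks passed.
    return ("escalate" if req.caller_urged_skip else "deny"), reasons
```
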
Vishing vs. Phishing vs. Smishing
| | Vishing | Phishing | Smishing |
|---|---|---|---|
| Channel | Phone call | | SMS / text |
| Manipulation | Voice, tone, urgency | Written content, links | Short messages, links |
| Verification | Hard - real-time pressure | Easier - time to review | Moderate - brief content |
| AI risk | Voice cloning | AI-generated text | AI-generated text |
Frequently Asked Questions
How much did vishing attacks increase between 2023 and 2025?
Vishing attacks surged 1,600% between 2023 and 2025 according to CrowdStrike, driven by AI voice cloning and more sophisticated social engineering techniques.
What is voice cloning and why does it make vishing more dangerous?
AI voice cloning creates a synthetic replica of a person's voice from just 3-10 seconds of audio. Attackers can now replicate any voice from public sources like earnings calls or podcasts.
What happened in the Arup deepfake voice attack?
In 2024, attackers used AI voice cloning to impersonate a company executive and successfully authorized a $25 million wire transfer at engineering firm Arup.
Can employees reliably detect a cloned voice?
No. McAfee research found that 70% of people could not distinguish a cloned voice from the real person. Voice recognition can no longer be relied on for identity verification.