The rise of vishing: old tactics, new tools
Most organizations have come a long way in defending against phishing emails. From spam filters to phishing simulations and awareness campaigns, email-based social engineering is a familiar battlefield. But while phishing gets the spotlight, vishing — voice-based social engineering — has been quietly gaining traction among attackers.
And it’s working.
As NCC Group’s 2024 Threat Intelligence Report highlights, AI-driven phishing and deepfake impersonation are making attacks harder to detect and easier to scale.
Vishing, or voice phishing, involves attackers impersonating trusted individuals or organizations over the phone to trick employees into revealing sensitive information or performing actions that compromise security. Think of it as phishing’s more personal, and in many ways more dangerous, cousin.
Unlike email phishing, which now faces increasingly sophisticated spam filters and anomaly detection, vishing has fewer built-in protections. Email address spoofing is hard to pull off these days—but spoofing a phone number is trivial, especially with VoIP services and caller ID manipulation. This makes vishing attacks harder to detect and much easier to trust, especially when the attacker knows just enough about the target to sound convincing.
Why vishing works
The psychology behind vishing is deceptively simple: urgency, authority, and confusion. A convincing voice on the line claiming to be from IT, HR, or even the CEO can cause someone to bypass normal verification protocols—especially if the caller already knows personal or internal details gleaned from LinkedIn, company websites, or previous breaches.
And in an era of multi-factor authentication (MFA), vishing is increasingly used as a bypass technique. Attackers may impersonate support staff and coax employees into sharing one-time passcodes or clicking malicious links sent during the call. These hybrid attacks—blending voice and email—create dynamic scenarios that increase the attacker’s chances of success.
How to prepare for a vishing attack
The process your IT staff follow to verify staff members before carrying out password resets and MFA bypasses is critical. If attackers can exploit it, the result may be a direct compromise of a user account, and potentially of your domain.
Here are three areas you can review to check whether you might be excessively exposed, and how you can increase your organization's resilience to these types of attacks:
- Policy review: We start with an overt review of your organization’s policies and procedures for verifying inbound calls. Are staff trained to verify identity before sharing sensitive data? Do they understand lockout policies and escalation paths? Are the methods used to verify staff effective, or trivial to defeat? Gaps here become red flags during the attack phase.
- Open-Source Intelligence (OSINT) gathering: Review the publicly available data about your organization, staff, and structure. This includes job titles, email formats, leadership names, and more—all information an attacker would use to correctly answer the questions in your company's verification process and successfully authenticate with the Help Desk. The better the intelligence, the more effective the attack.
- Simulated vishing attacks: Test yourself! Simulating attacks seen in the real world against your organization is the best method to determine whether you are likely to fall victim to them. It raises your teams' awareness of such attacks and helps them prepare to deter threat actors.
Vishing is a human risk—train accordingly
Many organizations still rely too heavily on digital defenses, assuming MFA and antivirus software will protect them from most threats. But vishing doesn’t target your tech—it targets your people. And when policies aren’t clear or training is outdated, even your most security-aware employees can be caught off guard.
Running vishing simulations and training your staff on phone-based attack indicators is no longer optional. It’s essential.
"Protect your organization from telephone-based social engineering attacks—resilience starts with awareness, preparation, and people."
- Duncan McDonald, UK Regional TAS Lead, NCC Group