Hard2bit
← Back to glossary Offensive techniques

Vishing

What is vishing

Vishing (voice phishing) is phishing over the phone: the attacker calls — or gets the victim to call — and uses the live conversation to steal credentials, verification codes or money, or to have actions carried out on their behalf. It is the oldest form of social engineering and still one of the most effective, because a human voice builds a kind of trust no email can match, and because the pressure of a real-time call leaves no room to stop and think. Caller ID is trivially spoofed, so "the call comes from the bank's number" proves absolutely nothing.

Why it matters

Vishing has graduated from household scam to first-rate corporate intrusion technique. Groups tracked under the name Scattered Spider have shown that phoning a large company's helpdesk, posing as an employee and requesting a password and MFA reset works even against organisations with multi-million security budgets: it exploits no software vulnerability, it exploits the procedure. The inverse variant, callback phishing, first sends a harmless email — a subscription about to renew, an odd invoice — with a "customer service" phone number; when the victim calls, they are the one initiating contact, and the call sails past every email filter because the original message contains no links or attachments. AI voice cloning has removed the last barrier: a few seconds of public audio are enough to imitate an executive's voice requesting an urgent transfer. When a voice is no longer proof of identity, the only defence left is the verification procedure.

Key points

Fake technical support: the attacker poses as Microsoft, the IT provider or the bank's support desk, warns of a non-existent problem and walks the victim through installing a remote access tool or reading verification codes aloud.

Employee impersonation against the helpdesk: the signature technique of groups like Scattered Spider. Armed with data from LinkedIn and breaches, the attacker phones internal support posing as a real employee and asks for a password and MFA reset. If the helpdesk does not verify identity rigorously, the account changes hands in a single call.

Callback phishing: an email with no links or attachments — a renewal you do not recognise, a strange charge — invites you to call a support number. Because the victim places the call, trust is inverted: nobody suspects a call they made themselves. It typically ends with remote access software being installed.

Multi-channel combinations: vishing rarely travels alone. A prior smishing text or a spear phishing email sets up the story and the call closes it; or the other way round, the call announces "an email we have just sent you" to lend it legitimacy.

AI voice cloning: seconds of audio from a talk, a webinar or a corporate video are enough to generate a convincing synthetic voice of the CEO or a relative. Urgent requests for transfers or purchases arriving by voice alone can no longer be validated by how the caller sounds.

Defences: verification over an alternative channel before any sensitive action (hang up and call the official number), helpdesk procedures requiring robust identity checks before resetting credentials or MFA, agreed passphrases for critical requests, and training with vishing simulations.

Example: the helpdesk call that reset the wrong MFA

Monday, 8:55 am. The internal support technician at a 400-employee distribution company takes a call: "Hi, this is Marta from sales in the southern region. I'm at a client's site and I can't get into the CRM — I switched phones over the weekend and the authenticator app stayed on the old one. I need you to reset it right now, the client is sitting in front of me". The caller knows the real employee's name, her region, her manager's name and even that a CRM migration happened the previous week: all of it was on LinkedIn and in an old data breach. The technician, facing Monday's ticket queue, resets the MFA against the "new" number the caller provides.

Within twenty minutes, the attacker is inside the real employee's mailbox, has exported the client portfolio and has sent three clients a bank-detail change notice from the legitimate inbox. The subsequent investigation finds no malware and no exploits: just a four-minute phone call. The fix is not technological either: the procedure now requires every MFA reset to be verified via a camera-on video call or confirmation from the direct manager over a channel already on record, and the helpdesk is given explicit authority to say "no" without penalty, however urgent the caller sounds.

Common mistakes

  • Trusting caller ID. Number spoofing is trivial: the bank's or the company's real number appearing on screen proves nothing. Identity is verified by hanging up and calling the official number, never by accepting the incoming call as evidence.
  • Leaving password and MFA resets to helpdesk discretion with no procedure. It is the favourite door of modern attackers: if identity verification relies on data available on LinkedIn or in breaches (name, job title, date of birth), there is no verification.
  • Training only against email phishing. Employees who delete every suspicious email still answer the phone with complete confidence; without vishing simulations, half the attack vector goes untrained.
  • Yielding to urgency. Any call demanding action 'right now' — transfer, install, read out a code — is suspicious by definition. Legitimate processes survive a five-minute verification; fraudulent ones do not.
  • Believing that recognising the voice is enough. With AI cloning, the voice of the CEO, a colleague or a child can be imitated from seconds of public audio. Sensitive requests received by voice alone need confirmation over a second channel, no exceptions.

Related services

This concept may be related to services such as:

Frequently asked questions

What is the difference between vishing, smishing and phishing?

The channel. Classic phishing arrives by email; smishing by SMS and messaging apps; vishing by voice: phone calls or voicemails. The psychological mechanics are the same — impersonating a trusted identity and pressuring the victim to act — but vishing adds real-time interaction: the attacker adapts the script on the fly and gives the victim no time to reflect or check with anyone.

What is callback phishing and why is it so hard to filter?

It is the variant where the initial email contains no links or attachments, only a reason to call: a subscription about to renew, an unrecognised charge. Email filters find nothing malicious to block, and when the victim dials the number provided, the trust relationship inverts: they initiated the contact. From there, the 'agent' walks them through installing remote access software or making a payment.

How does a helpdesk protect itself against employee impersonation?

With identity verification that does not depend on public data. Before resetting passwords or MFA: a camera-on video call, confirmation from the direct manager over a channel already on record, or a check against something only the real employee possesses. The procedure must also give technicians explicit authority to refuse under pressure and urgency, and every reset should raise an alert that can be reviewed afterwards.

Does AI voice cloning make any phone verification useless?

It defeats verification based on recognising the voice, not procedural verification. The right response is to assume a voice is no longer proof of identity: sensitive requests — transfers, account changes, resets — are always confirmed over a second, already-known channel, with agreed passphrases for family or corporate emergencies. The rule is simple: hang up and call the usual number.