The mechanisms and dangers of email phishing are well known, as are the best practices for hardening organizations against it. Its spin-off, called vishing, is nothing new, but it is both rapidly evolving and, unlike its more mainstream counterpart, too often overlooked by security professionals. According to the CrowdStrike 2025 Global Threat Report, these offbeat attacks saw a 442% increase in the second half of 2024 compared to the first half of the year. This dramatic spike should be interpreted as a call to action in terms of countermeasures, especially in enterprise environments.
Vishing is a portmanteau of “voice phishing” and refers to social engineering campaigns that rely on audio (typically voice calls and prerecorded messages) to either extract information from a target or get them to perform certain actions. From an organizational perspective, this foul play can be aimed at stealing proprietary business data, granting the attacker access to internal systems, or initiating fraudulent fund transfers.
An effective tactic when aimed at individuals (especially those most vulnerable, like the elderly), it can be all the more devastating when targeted against an organization. Arguably, the most prominent vector of vishing evolution so far has been voice-cloning technology, from deepfakes to the broad spectrum of AI models. As the tools for performing such attacks have improved, so have the strategies employed by the bad actors who wield them.
Malicious actors generally want one of two things: information or action. They might go after information for its own sake (in which case data theft is their ultimate goal), or they may want it to commit financial fraud, identity theft, or a network-wide malware incursion.
In a corporate setting, attackers will typically masquerade as a person or entity to which their target organization is likely to respond. These include:
- The company’s internal or outsourced technical support team.
- A current client or potential new client.
- A current or potential vendor.
- The relevant government office (the IRS, for example).
- A partner software company.
- The organization’s CEO or another high-ranking member of the management team.
How Scammers Perpetrate a Vishing Attack
Whether the attacker is planning to engage in bank account compromise, invoice fraud, Vendor Email Compromise (VEC), or corporate espionage, access to sensitive internal information is key. Even if the goal is to capture information for use in a greater attack, the criminals need to know enough about the person they’ve called, their organization and colleagues, and potentially their day-to-day tasks and active projects, to craft a convincing and compelling scenario, persona and backstory.
Fraudsters tend to collect readily available information first, drilling down to harder-to-get data as they go. They’ll likely start with Open-Source Intelligence (OSINT), gathering data from corporate websites, social media, forums, and any other places where the organization and its employees are active.
It’s at the OSINT stage that attackers can potentially obtain voice recordings of the would-be victim or people they intend to impersonate. They can then “train” their software on these samples to create a convincing impersonation of their voice.
Then, the attackers can search data brokers (on “people-finder” sites) for detailed profiles containing personal information that can further flesh out their false or mimicked personas, if not grant access to the personal or corporate accounts of people associated with their target.
Attackers might also comb through information from past data breaches, looking for any details that could help them, especially breached credentials. If an employee on the receiving end of the vishing scam reuses passwords, this could be enough to monitor or take over their accounts.
Bad actors can even resort to very low-tech methods like loitering around the target’s location or dumpster-diving for exploitable snippets of information. This just goes to show how valuable and indeed necessary background information is to a successful vishing attack.
Finally, there comes the execution stage, at which the tactics used and countermeasures required nearly match those for phishing attacks. The key difference in the case of vishing is the added immediacy and urgency of having someone on the phone in real time. All the more so if that someone is convincingly portraying the target’s CEO, a member of the organization’s cyber threat response team, or a representative of an important client or vendor.
Hardening the Organization from Within
When it comes to implementing effective countermeasures, there’s a huge overlap with those commonly recommended for phishing attacks, like employee training, realistic simulations, and enforcing checks and balances to put the brakes on any potentially harmful actions taken in haste or under duress. Vishing attempts require specific countermeasures, though, and many of these can help harden an organization from phishing campaigns and other cyber threats as well.
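As an added example (not from the original article), here is one way the "checks and balances" above can be expressed as a policy gate for requests that arrive by phone. The gate refuses to act on a call alone: the request must be confirmed by calling back a number already on file (never the inbound number or one the caller reads out) and, above a threshold, approved by two people other than the requester. The request structure, the threshold, and the vendor directory are assumptions for illustration.

```python
# Added example, not the article's or any vendor's code. Models a dual-control
# gate for phone-initiated payment or access requests. Field names, the
# threshold and the directory contents are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional, Set

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in account currency

# Constructed directory of numbers of record, maintained outside the call flow.
VENDOR_DIRECTORY = {"ACME-0042": "+15553334444"}


@dataclass
class PhoneRequest:
    vendor_id: str
    amount: int
    caller_number: str                        # number presented on the inbound call
    callback_used: Optional[str] = None       # number staff actually dialled back
    callback_confirmed: bool = False          # vendor confirmed the request on callback
    approvers: Set[str] = field(default_factory=set)
    requester: str = ""                       # employee who took the call


def evaluate_request(req: PhoneRequest, directory=VENDOR_DIRECTORY):
    """Return (approved, reasons). Every unmet control is listed, not only the first."""
    reasons = []
    on_file = directory.get(req.vendor_id)
    if on_file is None:
        reasons.append("vendor not in directory")
    elif req.callback_used != on_file:
        # Calling the inbound number, or a number the caller supplied, proves nothing:
        # both are under the caller's control.
        reasons.append("callback must go to number of record")
    elif not req.callback_confirmed:
        reasons.append("callback not confirmed")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = req.approvers - {req.requester}
        if len(independent) < 2:
            reasons.append("two approvers other than the requester required")
    return (not reasons, reasons)


if __name__ == "__main__":
    urgent = PhoneRequest("ACME-0042", 25_000, "+15559990000",
                          callback_used="+15559990000", callback_confirmed=True,
                          approvers={"alice"}, requester="alice")
    print(evaluate_request(urgent))
```

The point of listing every failed control, rather than stopping at the first, is that the employee handling an urgent call sees the full set of steps still required and cannot satisfy the process by fixing one and re-submitting under pressure.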
Employee Education
Too many organizations fail to even mention voice calls as a potential attack vector during regular cybersecurity training. Some forego such training entirely or make the mistake of excluding certain departments and business functions from the program. A compromised Human Resources worker can inadvertently reveal information that is later used to breach a system or perpetrate fraud, so any employee with access to sensitive information needs to be kept informed of these threats and taught how to respond to them.
Simulations
Teaching employees about the dangers of phishing and vishing isn’t enough. These threats also need to be demonstrated in as realistic a manner as possible, and responses practiced regularly. Phishing campaigns can be simulated relatively inexpensively and the results gathered automatically, all while putting a relatively small load on IT and cybersecurity staff.
In contrast, vishing campaigns require considerably more time, effort, and expense to conduct and don’t lend themselves as readily to post-hoc analysis. Yet these simulations are all the more necessary given how effective and quick-to-execute a vishing campaign can be. No email back-and-forth, no time to mull things over – just a quick phone call, a few clicks made or words spoken into the receiver, and it’s too late.
Technical countermeasures
One of the most attractive characteristics of social engineering tactics like vishing is the way they effectively bypass technical means of securing access to sensitive data and systems. This is not to say, however, that technical countermeasures aren’t worth implementing – far from it.
Multi-factor authentication
MFA is a good example of a basic technology that, if applied correctly, can retard the progress of an attacker through the organization’s systems. With enough background research on their target, an attacker can obtain credentials from past breaches or simply through deception. MFA stops these methods from leading to full system compromise, and a request for a 2FA code or interaction with a hardware authentication device will raise concerns with targeted employees where simply entering or providing a password might not.
Activity monitoring
Various technical solutions exist for the monitoring of phone and VoIP-network communications, helping security teams identify and block calls coming from spoofed numbers, for example. Employee devices can also be monitored for suspicious activity and preloaded with call-blocking, robocall-detection, and other tools.
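To make the monitoring idea concrete, here is an added example (not from the original article or any product) that scans constructed VoIP call-detail records for two patterns relevant to vishing: an internal caller ID presented on an external trunk, which is a common sign of caller-ID spoofing, and one outside number working through many internal extensions in a short window. The record format, the company number block, and the thresholds are assumptions chosen for illustration.

```python
# Added example, not the article's code. Flags two vishing-related patterns in
# constructed call-detail records. Field layout, INTERNAL_PREFIX and the
# thresholds are assumptions for illustration and would be tuned per site.
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_PREFIX = "+1555123"          # assumed company number block
BURST_WINDOW = timedelta(minutes=30)  # assumed tuning value
BURST_THRESHOLD = 4                   # distinct extensions reached before alerting

# Constructed sample records: timestamp, presented caller ID, trunk, called extension.
SAMPLE_CDR = """\
2025-03-04T09:02:11 +15551230199 internal 1042
2025-03-04T09:05:48 +15551230188 sip-external 1101
2025-03-04T09:06:30 +14045550123 sip-external 1042
2025-03-04T09:09:15 +14045550123 sip-external 1043
2025-03-04T09:12:02 +14045550123 sip-external 1044
2025-03-04T09:14:40 +14045550123 sip-external 1045
2025-03-04T13:30:00 +14045550123 sip-external 1046
"""


def parse_cdr(text):
    """Parse the whitespace-separated constructed format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, trunk, ext = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                        "trunk": trunk, "ext": ext})
    return records


def find_spoofed_internal(records):
    """A caller ID from our own block should never arrive over an external trunk."""
    return [r for r in records
            if r["caller"].startswith(INTERNAL_PREFIX) and r["trunk"] != "internal"]


def find_extension_sweeps(records):
    """One external number reaching BURST_THRESHOLD distinct extensions within BURST_WINDOW.

    Returns {caller: max distinct extensions seen in any one window}.
    """
    by_caller = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["trunk"] != "internal":
            by_caller[r["caller"]].append(r)
    alerts = {}
    for caller, calls in by_caller.items():
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until the span fits in BURST_WINDOW.
            while calls[end]["ts"] - calls[start]["ts"] > BURST_WINDOW:
                start += 1
            exts = {c["ext"] for c in calls[start:end + 1]}
            if len(exts) >= BURST_THRESHOLD:
                alerts[caller] = max(len(exts), alerts.get(caller, 0))
    return alerts


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for hit in find_spoofed_internal(recs):
        print("spoofed internal caller ID:", hit)
    for caller, n in find_extension_sweeps(recs).items():
        print(f"extension sweep: {caller} reached {n} extensions")
```

On a real PBX the trunk and caller-ID fields would come from the platform's own export, and the sweep threshold would be set from normal inbound call volume; the second check is deliberately keyed on distinct extensions rather than call count, so a legitimate customer redialling one desk does not trip it.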
All these countermeasures come into play only after a vishing attack has begun, and all of them are focused on the organization and its employees. This essentially leaves the initiative with attackers, and represents a defensive posture. This is the appropriate posture for an organization to take, and a necessary one. But what if an organization were to take a more proactive stance, disrupting attacks at their earliest stages?
Protect the organization by tidying up its environment
If we go back to the earliest preparation stages of a vishing attack, we find that data-gathering is the first crucial step. This is the point at which the attackers’ momentum is the smallest and their operations easiest to disrupt.
OSINT can be disrupted through monitoring and sanitizing publicly available sources of personal and corporate information. In practice, this can be as simple as educating employees about the dangers of sharing images of ID cards, internal building layouts, and computer monitors. Employees with high-risk levels of access could even be discouraged from publishing voice samples online, although this may not always be practical.
Perhaps the largest and most comprehensive stores of personal information for an attacker can be found on people-finder sites. This kind of data broker, in many jurisdictions, is obliged by law to remove personal data upon request. Data-removal services exist to automate this process across hundreds of data brokers, making the mass-removal and suppression of employees’ data a cost-effective and low-effort way to stop vishing attacks before they fully get off the ground.
Although vishing attacks are on the rise, the methods to prevent an attack are simple and can be practiced in both corporate and home settings.
About the Author:
David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Fortra.