
What Is Vishing? Voice Phishing Explained

Vishing, short for voice phishing, is a social engineering attack that uses phone calls or voice messages to trick a target into giving up credentials, money, or system access.

In 2024, a finance employee at the engineering firm Arup joined a routine video call with people who looked and sounded like the CFO and several colleagues. Every face on the call was a deepfake. The employee approved 15 transfers worth 25.6 million dollars before the fraud surfaced. The lure was not an email or a link. It was a voice the victim trusted.

That is vishing. The attack moved off the keyboard and onto the phone, and the defender who only watches inboxes never saw it coming.

This article covers what vishing is, how the attack runs end to end, the callback-phishing and AI voice-cloning variants driving its growth, and the telemetry a SOC uses to catch it. It is written for defenders, not for an awareness poster.

What Is Vishing?

Vishing, short for voice phishing, is a social engineering attack that uses phone calls or voice messages to trick a target into handing over credentials, money, or system access. The attacker impersonates someone the victim trusts: a bank, the IT help desk, a government agency, or a senior executive. The channel is voice, which is what separates vishing from email-based phishing and SMS-based smishing.

Voice works because it removes the artifacts people are trained to inspect. There is no sender address to check, no URL to hover over, no misspelled domain. There is a human voice, time pressure, and an authority the target does not want to refuse. MITRE ATT&CK tracks the technique as Spearphishing Voice (T1566.004): adversaries use voice communications to manipulate users into granting access, leaning on impersonation and manufactured urgency.

Vishing rarely stands alone anymore. It is the initial-access stage of a larger intrusion. The phone call gets a credential, an MFA approval, or a remote-access tool installed, and the keyboard work follows.

How a Vishing Attack Works

[Figure: "Vishing · MITRE T1566.004: the exploit is the human, not the host." Five stages, the same whether the target is a bank customer or a help desk: 01 Reconnaissance, 02 Caller ID spoofing, 03 Pretext and urgency, 04 Extraction, 05 Pivot. Caption: there is no sensor on the call; a SOC detects vishing by its second-order effects (clustered MFA resets, remote-access tools launching, the account behaving wrong after the call).]

Most vishing follows the same arc regardless of who the target is. The attacker establishes a pretext, builds urgency, extracts the asset, and pivots into the environment.

  1. Reconnaissance. The attacker collects names, roles, phone numbers, and org-chart relationships from LinkedIn, data brokers, breach dumps, and the company website. For a help-desk attack, they learn the internal lingo and ticketing process.
  2. Caller ID spoofing. The inbound number is forged to read as the bank, the help desk, or a known internal extension. Spoofing is cheap and undermines the victim's first instinct to trust the displayed number.
  3. Pretext and urgency. The script invents a problem that only the victim can fix right now: a fraudulent charge, an expiring account, a security incident, a payroll error. Urgency suppresses the pause where a victim would normally verify.
  4. Extraction. The attacker asks for the asset: a one-time passcode read aloud, a password reset, approval of an MFA prompt, a wire transfer, or permission to install a remote-support tool like AnyDesk or Quick Assist.
  5. Pivot. With a credential, a live session, or an approved push, the attacker moves into the environment. From here it becomes a normal cyberattack: lateral movement, privilege escalation, and data theft.

The defining trait is that nothing in this chain is technically exotic. The exploit is the human, and every step is designed to keep the victim from stopping to check.

Vishing vs Phishing vs Smishing

The three attacks share one goal and differ only in delivery channel. The channel matters, because each one defeats a different set of defenses.

Attribute             | Phishing                             | Smishing                        | Vishing
----------------------|--------------------------------------|---------------------------------|--------------------------------------
Channel               | Email                                | SMS / text message              | Phone call or voicemail
Primary lure          | Malicious link or attachment         | Short link or reply prompt      | Live conversation, urgency
Inspectable artifacts | Sender domain, URL, headers          | Sender number, link             | Caller ID only (spoofable)
Typical defense       | Secure email gateway, link rewriting | SMS filtering, carrier controls | Human verification, call-back policy
Scales by             | Mass send                            | Mass send                       | Manual or AI-assisted calling

Email phishing leaves forensic artifacts a gateway can scan and a SOC can hunt. Vishing leaves almost none. The "payload" is spoken, the session is ephemeral, and the only durable evidence often lives in VoIP logs, help-desk tickets, and whatever the attacker did after the call. That evidence gap is exactly why vishing is hard to catch and why it is growing.

Callback Phishing (TOAD)

The fastest-growing vishing variant inverts the usual flow. Instead of cold-calling the victim, the attacker gets the victim to call them.

This is callback phishing, also called telephone-oriented attack delivery (TOAD). The victim receives an email that contains no malicious link and no attachment, just a fake invoice or subscription renewal and a phone number to dispute the charge. Because there is no link, the secure email gateway passes it. The victim, alarmed at a 500-dollar charge they did not make, dials the number. A fake call center answers, walks them through "cancelling" the charge, and in the process talks them into installing remote-access software. The attacker now has hands on the endpoint.

Proofpoint observed roughly 10 million TOAD attacks per month on average, peaking near 13 million in a single month, and found that 67 percent of organizations globally experienced at least one TOAD attack in 2023. Only about 23 percent of organizations train employees to recognize it. TOAD works precisely because it routes around the control most companies trust most: the email filter.
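The gateway bypass described above has a flip side: a TOAD lure has its own shape (billing theme, a quoted amount, a phone number as the only call to action, and no URL at all), and that shape can be scored. The following is an added example, not code from the original page or from any mail-security vendor; the regexes, word list, weights and threshold are this example's own assumptions, and the three messages are constructed samples using fictional 555-01xx numbers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristics for a callback-phishing (TOAD) lure: a billing-themed message that
# carries a phone number and no URL. Word list, weights and threshold are
# assumptions for this example, not a vendor's rule set.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:\$|usd)\s?\d{2,5}(?:\.\d{2})?", re.IGNORECASE)
LURE_WORDS = ("invoice", "renew", "subscription", "charge", "payment",
              "refund", "cancel", "dispute")
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def toad_score(msg: Message) -> tuple[int, list[str]]:
    """Score a message for TOAD traits; returns (score, reasons)."""
    text = f"{msg.subject}\n{msg.body}".lower()
    score, reasons = 0, []

    phones = PHONE_RE.findall(msg.body)
    if phones and not URL_RE.search(msg.body):
        # The defining TOAD trait: the only call to action is a phone number.
        score += 3
        reasons.append(f"phone number with no URL: {phones}")

    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        score += 2
        reasons.append("billing lure words: " + ", ".join(hits))

    if AMOUNT_RE.search(text):
        score += 1
        reasons.append("dollar amount quoted")

    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        score += 1
        reasons.append(f"billing mail sent from free-mail domain {domain}")

    return score, reasons


def is_toad_lure(msg: Message, threshold: int = 5) -> bool:
    return toad_score(msg)[0] >= threshold


# Constructed sample messages (not real mail); 555-01xx numbers are reserved for fiction.
LURE = Message(
    sender="billing.dept.8827@gmail.com",
    subject="Invoice #A-77213: Premium Antivirus Plan renewed",
    body=("Your annual subscription has been renewed and $499.99 has been charged to the "
          "card on file. If you did not authorize this charge, call our billing desk at "
          "+1 (888) 555-0142 within 24 hours to cancel and request a refund."),
)
LEGIT_INVOICE = Message(
    sender="invoices@acme-hosting.example",
    subject="Invoice 10422 for March hosting",
    body=("Your invoice for $120.00 is attached. View or pay online at "
          "https://billing.acme-hosting.example/inv/10422 or call support on +1 415 555 0100."),
)
INTERNAL_MEMO = Message(
    sender="jane.doe@corp.example",
    subject="Desk move on Friday",
    body="Facilities will move the team on Friday. If you need a hand, call me on +1 415 555 0199.",
)

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("legit invoice", LEGIT_INVOICE), ("memo", INTERNAL_MEMO)):
        score, reasons = toad_score(m)
        print(f"{name}: score={score} flagged={is_toad_lure(m)} {reasons}")
```

The memo scores on "phone number, no URL" alone and is not flagged, which is the point of weighting: a phone number by itself is normal business mail, and it is the combination with billing language, an amount and a throwaway sender that marks the lure. In production this score would feed a gateway rule or a SOAR enrichment rather than block outright.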

AI Voice Cloning and Deepfake Vishing

Vishing used to be limited by the attacker's ability to sound convincing and to scale one call at a time. Generative AI removed both limits.

With a few seconds of sample audio, scraped from a conference talk, a podcast, or a voicemail greeting, a voice-cloning model can produce a real-time clone of a specific person. The CFO can now call the controller in the CFO's own voice. The Arup case took this further: attackers deepfaked multiple participants into a single video call, so the victim saw and heard a room full of trusted colleagues. The 25.6 million dollar loss followed because every authenticity cue the victim relied on was synthetic.

This breaks the last defense vishing victims had, which was recognizing the voice. For defenders it means voice and even video can no longer serve as identity verification. The control has to move to something the attacker cannot fake: a callback to a known-good number, an out-of-band approval channel, or a shared secret that was never spoken on the call.

How Vishing Drives Real Intrusions

Vishing is not a fraud sideshow. It is a primary initial-access vector for hands-on-keyboard intrusion groups. CrowdStrike's 2025 Global Threat Report recorded a 442 percent increase in vishing between the first and second half of 2024, driven by adversaries using voice calls, callback phishing, and help-desk social engineering to get inside.

The help-desk angle is the one SOC teams underestimate. An attacker calls the IT service desk posing as an employee who is locked out, supplies a few details harvested during recon, and persuades the agent to reset the password or register a new MFA device. No malware, no exploit, no phishing email. The attacker simply asks the help desk to let them in, and a human under pressure complies. Once inside, the activity looks like a legitimate user, which is why it evades tooling tuned for malware.

How a SOC Detects and Responds to Vishing

You cannot put a sensor on a phone call, but you can instrument everything the attacker has to do before and after it. Detection moves to the second-order effects.

  • MFA and credential telemetry. Watch for password resets and new MFA device registrations clustered in time, especially from new locations or right after a help-desk ticket. A reset followed minutes later by a login from an unfamiliar IP is a classic post-vishing signature.
  • Remote-access tool execution. Alert on AnyDesk, TeamViewer, Quick Assist, and ScreenConnect launching on endpoints where they are not standard, and pay particular attention to copies running from user-writable paths such as Downloads or Temp rather than a managed install location. These are the install-it-while-I'm-on-the-phone tools of callback phishing.
  • Help-desk process anomalies. Track identity-verification exceptions, out-of-process resets, and tickets that skip the call-back step. Correlate help-desk activity with the account events that follow it.
  • VoIP and call metadata. Where you control the phone system, log inbound call patterns, spoofed-number indicators, and spikes in calls to finance or IT.
  • Behavioral analytics. User and Entity Behavior Analytics catches the account that suddenly behaves wrong: a new device, an odd login time, access to systems the user never touches. The vishing call is invisible, but the compromised account's behavior is not.
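The first two bullets above are the ones that reduce to concrete correlation logic, so here is an added example (not code from the original page, and not any SIEM's native rule language) that runs both over a constructed event stream. It assumes a simplified schema in which IdP audit events, help-desk ticket updates and EDR process-start telemetry have been normalised into one list of dicts; the field names, the 60-minute window, the remote-access image list, the allowlisted host and the per-user known-IP baseline are all this example's own assumptions. IP addresses are from the documentation ranges.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified event schema: IdP audit log, help-desk ticket feed and EDR
# process-start telemetry normalised into one stream. Field names are this
# example's own, not any product's.
WINDOW = timedelta(minutes=60)
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "quickassist.exe",
              "screenconnect.windowsclient.exe", "screenconnect.clientservice.exe"}
RMM_ALLOWED_HOSTS = {"IT-JUMP01"}  # hosts where remote-support tools are standard
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}  # per-user baseline

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-12T09:02:00", "type": "login", "user": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-12T09:40:00", "type": "helpdesk_reset", "user": "alice", "ticket": "HD-1182",
     "note": "caller locked out; callback to number on file skipped at caller's request"},
    {"ts": "2024-03-12T09:44:00", "type": "mfa_device_added", "user": "alice",
     "device": "Authenticator app, new phone"},
    {"ts": "2024-03-12T09:51:00", "type": "login", "user": "alice", "src_ip": "198.51.100.77"},
    {"ts": "2024-03-12T10:15:00", "type": "process_start", "host": "WS-ALICE", "user": "alice",
     "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"ts": "2024-03-12T11:00:00", "type": "helpdesk_reset", "user": "bob", "ticket": "HD-1190",
     "note": "callback to number on file completed"},
    {"ts": "2024-03-12T11:10:00", "type": "login", "user": "bob", "src_ip": "203.0.113.22"},
    {"ts": "2024-03-12T11:30:00", "type": "process_start", "host": "IT-JUMP01",
     "user": "svc-helpdesk", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_post_call_takeover(events: list[dict], known_ips: dict[str, set[str]],
                              window: timedelta = WINDOW) -> list[dict]:
    """Help-desk reset -> new MFA device -> login from an unfamiliar IP, within `window`."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if "user" in e:
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, reset in enumerate(evs):
            if reset["type"] != "helpdesk_reset":
                continue
            new_device, odd_login = None, None
            for later in evs[i + 1:]:
                if _ts(later) - _ts(reset) > window:
                    break
                if later["type"] == "mfa_device_added":
                    new_device = later
                elif later["type"] == "login" and later["src_ip"] not in known_ips.get(user, set()):
                    odd_login = later
            if new_device and odd_login:
                # A ticket that skipped the call-back step is the strongest signal of all.
                callback_skipped = "skipped" in reset.get("note", "").lower()
                alerts.append({
                    "user": user, "ticket": reset["ticket"],
                    "new_device": new_device["device"], "login_ip": odd_login["src_ip"],
                    "callback_skipped": callback_skipped,
                    "severity": "high" if callback_skipped else "medium",
                })
    return alerts


def detect_rmm_launch(events: list[dict], allowed_hosts: set[str] = RMM_ALLOWED_HOSTS) -> list[dict]:
    """Remote-access tool started on a host where it is not standard."""
    alerts = []
    for e in events:
        if e["type"] != "process_start":
            continue
        image = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in RMM_IMAGES and e["host"] not in allowed_hosts:
            alerts.append({"host": e["host"], "user": e["user"], "image": image, "path": e["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_post_call_takeover(SAMPLE_EVENTS, KNOWN_IPS) + detect_rmm_launch(SAMPLE_EVENTS):
        print(alert)
```

Bob's reset produces nothing because the login that follows comes from his baseline IP and no MFA device is added; the help-desk jump box runs AnyDesk without an alert because it is allowlisted. Alice trips both rules, and the two alerts share a user and a time window, which is the correlation a SOC would surface as one incident rather than two tickets.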

On response, the controls are procedural as much as technical, and they belong in your incident response playbooks. Enforce help-desk identity verification with a call-back to the number on file, never the number the caller provides. Require out-of-band approval for wire transfers and payment changes, on a channel separate from the request. Treat any voice or video instruction to move money or grant access as unverified until confirmed through a known-good path. And feed confirmed vishing reports back into security awareness training so the workforce learns the current scripts, not last year's.

Frequently Asked Questions

What is vishing in simple terms?

Vishing is voice phishing: a scam where an attacker calls you, or gets you to call them, and impersonates a trusted party like your bank or IT department to trick you into giving up passwords, codes, money, or computer access. The defining feature is that the attack happens over a phone call or voicemail rather than email or text.

What is the difference between vishing and phishing?

Phishing is delivered by email and relies on a malicious link or attachment that leaves inspectable artifacts like a sender domain or URL. Vishing is delivered by phone call and relies on a live, urgent conversation. Vishing is harder to filter because there is no link or attachment to scan, only a spoofable caller ID.

What is a callback phishing or TOAD attack?

Callback phishing, or telephone-oriented attack delivery (TOAD), is a vishing variant where the victim receives a link-free email, often a fake invoice, with a phone number to dispute it. When the victim calls, a fake call center talks them into installing remote-access software. Because the email contains no malicious link, it bypasses most email security gateways.

Can attackers fake someone's voice in a vishing call?

Yes. Modern AI voice-cloning tools can reproduce a specific person's voice from a few seconds of sample audio, and deepfakes can fake voice and video together. In 2024 attackers deepfaked a company's CFO and colleagues on a video call and stole 25.6 million dollars, which is why voice and video can no longer be trusted as identity verification.

How can a SOC detect vishing if there is no email to analyze?

By instrumenting the attacker's actions around the call. Monitor for clustered password resets and new MFA device registrations, execution of remote-access tools like AnyDesk or Quick Assist, help-desk verification exceptions, and account behavior anomalies flagged by behavioral analytics. The call itself is invisible, but the compromise that follows it produces telemetry.

How do organizations prevent vishing attacks?

Enforce help-desk identity verification using a call-back to the number on file rather than the number the caller gives, require out-of-band approval for wire transfers and account changes, and treat any voice or video instruction to move money or grant access as unverified until confirmed through a separate known-good channel. Reinforce these procedures with ongoing, scenario-based awareness training.

