Over the past decade, most organisations have transformed the way they defend against phishing. Email gateways, filtering technology and regular awareness training have made it far more difficult for attackers to land a convincing message in an inbox. Yet while email defences have matured, another form of social engineering has quietly become one of the most effective ways to bypass them. The telephone call.
Vishing, short for voice phishing, uses a phone call to deceive someone into revealing sensitive information or performing an action that compromises security. It might sound old-fashioned, but the method has evolved. Attackers now use artificial intelligence, voice cloning and publicly available data to impersonate real people with alarming accuracy. The results are highly convincing and increasingly damaging.
According to CrowdStrike’s 2025 Global Threat Report, vishing incidents rose by more than 442% between the first and second halves of 2024 as threat actors turned to callback phishing and helpdesk social engineering to gain initial access to target networks. This makes vishing one of the fastest growing forms of social engineering worldwide. It is not difficult to understand why. Spoofing a phone number costs almost nothing, and with VoIP and caller ID manipulation, attackers can make calls appear to come from trusted internal extensions.
Example – The M&S breach
In April 2025, Marks & Spencer confirmed that attackers had impersonated one of the 50,000 people working with the company to persuade a third-party provider to reset an employee’s password (BleepingComputer, 2025). The breach led to unauthorised access and significant disruption, showing how a single convincing call can bypass even well-established security measures.
Why phone-based attacks still work
Vishing is effective because it feels personal. A human voice conveys authority, empathy and urgency which can easily override logic and caution. An attacker who sounds confident and knowledgeable can quickly build trust. When that voice claims to be from IT support, HR or a senior executive, most people’s instinct is to cooperate.
Attackers rely on three common psychological triggers: authority, urgency and familiarity. They sound credible, they reference genuine details taken from company websites or social media, and they apply just enough pressure to discourage verification. It is a subtle but powerful form of manipulation that takes advantage of natural politeness and a desire to be helpful.
Recent figures from NatWest Group’s 2024 Scam Report show that 42% of UK adults were targeted by a scam in the previous year, with AI-powered voice cloning among the fastest-growing fraud types.
How a modern vishing attack unfolds
Contemporary vishing campaigns rarely occur in isolation. They often form part of a multi-channel approach that blends email, SMS and phone contact. A typical sequence might look like this:
- Preparation – The attacker will collect open-source intelligence, using LinkedIn, company websites and data leaks for personal and organisational details that can be pieced together to create a bigger picture.
- Pretext creation – A believable scenario is developed. This could be an IT ticket, a payment verification, or an urgent security alert.
- Initial contact – An email or text message is sent to build familiarity. The phone call follows shortly after, referencing that earlier communication.
- Execution – The attacker applies pressure, asking the target to confirm an authentication code, reset a password, or process a transaction.
- Exploitation – Once trust is established, the attacker moves quickly, using the gained access to escalate privileges or extract further information.
Strengthening your defences
Unlike email phishing, there is no reliable filter that can block a phone call. Building resilience against vishing requires a mixture of process, culture and practice.
- Establish clear verification procedures
Ensure that staff know exactly how to verify the identity of internal or external callers before sharing any information. Critical actions such as password resets, payment approvals or data disclosures should always be verified through a known channel, not through the same call. Encourage employees to say, “I’ll call you back on the main number” as a normal part of the process.
- Reduce public exposure
Review how much information about your organisation is available online. Limit unnecessary details in staff profiles and company announcements. Even minor information, like internal structure or job responsibilities, can be used by an attacker to build credibility.
- Run realistic vishing simulations
The most effective training is experiential. Simulated vishing calls allow employees to practise responding under pressure in a safe environment. These exercises should be professionally designed, with clear debriefs and constructive feedback, so that staff build confidence rather than fear.
- Harden your helpdesk and support functions
IT helpdesks remain a prime target because they can reset accounts and issue credentials. Introduce multi-step verification for any user identity requests. Do not rely solely on information that could be obtained through social media or previous breaches.
- Encourage open reporting
People need to feel comfortable admitting when they are uncertain. Create a culture where reporting a suspicious call is encouraged and rewarded. The faster an organisation identifies a potential vishing attempt, the less damage it can cause.
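As an added illustration (not code from the original article), the helpdesk hardening and verification advice above can be expressed as a gate that a reset workflow runs before anything is changed: details an attacker could recite from social media or earlier breaches never count on their own, and a callback only counts if it went to the number already held in the directory, not one the caller supplied. The directory contents, factor names and request format are assumptions made for this example.

```python
"""Helpdesk identity-verification gate for password-reset requests (example code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Factors a caller can simply recite; all are discoverable via OSINT or leaks,
# so they never count towards verification on their own.
PUBLIC_FACTORS = {"full_name", "job_title", "employee_id", "manager_name", "date_of_birth"}

# Factors that require control of a channel the helpdesk already trusts.
OUT_OF_BAND_FACTORS = {"callback_directory_number", "mfa_push_approved", "manager_ticket_approval"}

# Constructed sample directory: user id -> the phone number the helpdesk must dial back.
DIRECTORY = {"u1001": "+44 20 7946 0001", "u1002": "+44 20 7946 0002"}


@dataclass
class ResetRequest:
    user_id: str
    caller_supplied_number: str               # number the caller asks to be called back on
    factors_satisfied: set = field(default_factory=set)


def evaluate_reset(req: ResetRequest, callback_number_used: Optional[str] = None) -> Tuple[bool, str]:
    """Return (approved, reason). Approval needs at least one out-of-band factor,
    and a callback counts only when it was placed to the directory number."""
    if req.user_id not in DIRECTORY:
        return False, "unknown user: escalate, do not reset"
    if not req.factors_satisfied:
        return False, "no verification performed"
    oob = req.factors_satisfied & OUT_OF_BAND_FACTORS
    if "callback_directory_number" in oob and callback_number_used != DIRECTORY[req.user_id]:
        # Calling the number the caller gave us just hands the attacker the call back.
        return False, "callback did not go to the directory number"
    if not oob:
        if req.factors_satisfied <= PUBLIC_FACTORS:
            return False, "only publicly obtainable details supplied"
        return False, "no out-of-band factor"
    return True, "verified via " + ", ".join(sorted(oob))


if __name__ == "__main__":
    # Constructed scenario: caller knows name, employee id and manager, and asks
    # to be called back on a mobile number that is not in the directory.
    req = ResetRequest("u1001", "+44 7700 900123", {"full_name", "employee_id", "manager_name"})
    print(evaluate_reset(req))
```

Every denial reason is worth writing to the helpdesk ticket, since a cluster of "only publicly obtainable details supplied" or "callback did not go to the directory number" outcomes is an early signal of a vishing campaign in progress.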
Five checks before sharing information on a phone call
When a caller asks for information or requests an action, a few simple checks can make the difference between caution and compromise. Treat these steps as part of normal due diligence, not suspicion.
- Verify who you are speaking to
Ask for the caller’s full name, department, and job title.
- Confirm the context of the call
Was the contact expected? Genuine internal teams rarely make unsolicited or urgent calls requesting credentials, payments or system changes. If the call seems out of place, pause and check with your manager or IT team before proceeding.
- Validate the request through a trusted channel
If you are asked to perform any sensitive action such as sharing an authentication code, changing a password or authorising a payment, end the call and verify the request through a known, trusted number or official internal system.
- Be alert to pressure or urgency
Attackers often create a sense of urgency to push quick decisions. Phrases like “your account will be locked” or “this must be done immediately” are designed to prevent verification. Slow down – a legitimate caller will understand the need to confirm.
- Follow policy
If a request breaks normal process or bypasses standard approval routes, treat it as a red flag. Follow established verification procedures and report any suspicious contact to your security team.
Moving from awareness to behaviour
Traditional awareness campaigns often focus on information, not behaviour. Telling employees to “be careful” doesn’t prepare them to handle a convincing call. The goal should be a practised response, not a theoretical understanding.
When staff have rehearsed what to do in a real-world scenario, such as hanging up, verifying through a trusted channel, or escalating, they act instinctively when it matters. This behavioural readiness is the difference between awareness and resilience.
The takeaway
Vishing has evolved from simple scams into a professional attack method. It thrives on trust, cooperation and politeness, qualities that every organisation values. Defending against it requires more than technology; it requires a shift in culture.
The solution is not to make people suspicious of every phone call but to help them be prepared. Clear policies, regular training and a culture that normalises verification make it far harder for a convincing voice to cause harm.
When staff understand that hesitation is a form of protection and that verification is policy rather than distrust, the organisation becomes far more difficult to manipulate.
Attackers are taking advantage of the one channel that still feels human. It is time for defenders to give it the same level of attention.
