Phishing & Social Engineering
What Is Vishing?
Vishing, short for "voice phishing," is a social engineering attack conducted via phone calls or voice messages to trick individuals into divulging sensitive information, authorizing transactions, or granting access to systems. According to CISA, vishing is "the social engineering approach that leverages voice communication" to deceive victims (CISA, "Avoiding Social Engineering and Phishing Attacks"). Unlike email-based phishing, vishing exploits the real-time, interactive nature of a phone call: an email can be set aside and scrutinized, but a live caller applies immediate social pressure and adapts to every hesitation. Vishing never touches the email pipeline, so secure email gateways, link rewriting and attachment sandboxing have nothing to inspect; the attack works entirely on human psychology to extract credentials, financial data, or access authorization.
How does vishing work?
Vishing attacks leverage Voice over Internet Protocol (VoIP) technology to spoof caller ID, making calls appear to originate from trusted organizations: banks, government agencies, IT departments, or the victim's employer. Caller ID is not authenticated by the phone network itself; on a SIP trunk the originating party simply sets the From and P-Asserted-Identity headers, so the number the victim sees is an unverified claim unless the carrier path applies STIR/SHAKEN signing (discussed below). VoIP services are inexpensive and globally accessible, enabling attackers to present convincing "trusted" caller identities at minimal cost. Attackers research targets using social media (LinkedIn), corporate directories, data breaches, and public records to identify who to call and what organizational context to reference.
The attack setup may include pre-recorded robocall systems (IVR fraud) that scale vishing to thousands of simultaneous calls, or live attackers conducting one-on-one social engineering for high-value targets. The attacker studies the target organization's processes—how the IT helpdesk verifies callers, what information customer service representatives request before providing account details, what verification the finance team expects before approving wire transfers.
Common vishing scenarios include bank or financial fraud where the caller claims suspicious account activity and requests verification of account numbers, PINs, or passwords. Tech support scams impersonate Microsoft, Apple, or the victim's IT department, requesting remote access to the device or login credentials. Government impersonation poses as the IRS, Social Security Administration, or law enforcement, threatening arrest or penalties to create urgency. IT helpdesk exploitation occurs when a caller impersonates an employee and contacts the company helpdesk to reset credentials or gain access—the technique that compromised MGM Resorts. Telephone-Oriented Attack Delivery (TOAD) directs victims via email to call a phone number where a live attacker conducts social engineering.
Psychological manipulation drives vishing effectiveness. Urgency ("Your account has been compromised, act now"), authority ("I'm calling from the FBI"), fear ("Your account will be suspended unless you verify immediately"), and trust ("I have your account details here, let me confirm") combine to pressure victims into bypassing their normal caution. The attacker may reference real account information obtained from breaches, establishing credibility before pivoting to the malicious request. Isolation tactics—"Don't discuss this with anyone" or "Stay on the line"—prevent the victim from seeking verification or advice.
Live conversation allows attackers to adapt their approach based on victim responses. If the victim expresses skepticism, the attacker can provide additional "proof" from earlier research. If the victim seems reluctant, the attacker can escalate urgency or threats. This adaptive social engineering is far harder to resist than a static phishing email.
AI-enhanced vishing creates a new threat dimension. Voice cloning technology can create realistic impersonations from just a few seconds of target audio captured from podcasts, conference talks, earnings calls, or social media. Deepfake voice attacks combine cloned executive voices with real-time conversation ability or pre-recorded messages. Multi-channel attacks combine spear phishing emails (establishing context) with deepfake voice calls to execute fraud. A finance director receives an email about an urgent acquisition, followed by a voice call from what appears to be the CEO requesting wire transfer authorization. The combination of channels creates compounding trust that a single-channel attack cannot achieve.
How does vishing differ from smishing?
Vishing and smishing are both non-email attack vectors, but they exploit different trust dynamics and bypass different controls. The comparison table illustrates these distinctions:
| Attribute | Phishing (Email) | Vishing (Voice) | Smishing (SMS) |
|---|---|---|---|
| Communication channel | Email | Phone call / VoIP | Text message / SMS |
| Real-time interaction | No | Yes: live attacker responds to victim | Limited: one-way messaging or brief replies |
| Personalization capability | Moderate | Very high: attacker adapts based on responses | Moderate: template-based with URL shortening |
| Caller ID/sender spoofing | Domain spoofing (email sender) | VoIP caller ID spoofing | SMS sender ID spoofing |
| Bypasses email security | No: subject to email filters | Yes: completely bypasses email security | Yes: completely bypasses email security |
| Social engineering pressure | Moderate | Very high: live authority pressure creates urgency | Moderate: time pressure via text |
| Scalability | Very high (millions of emails) | Medium (thousands via robocalls) to low (live calls) | High (millions of SMS) |
| User trust level | Lower: users trained on email phishing | Highest: voice creates authority and urgency | Higher than email: users trust SMS more |
| Reported success rates | 2-4% click-through for email phishing | ~70% compromise rate in simulated calls | 8.9-14.5% click-through (some sources cite 19-36%) |
| AI enhancement method | Text generation | Voice cloning + deepfake | Text generation |
Neither is universally better. Vishing achieves extremely high success rates through live social pressure and the difficulty of hanging up on authority figures. Smishing reaches massive scale through SMS channel penetration and inherent user trust in text messages. Vishing requires live operator effort (or sophisticated AI), limiting scalability; smishing can be fully automated and sent to millions. Vishing's real-time nature creates higher per-target success; smishing's automation creates higher aggregate impact through volume.
Why has vishing gained traction?
Vishing attacks have surged dramatically because they exploit a fundamental gap: organizations invest heavily in email security while largely neglecting voice communication security.
Vishing attack growth has been explosive. CrowdStrike recorded just 2 vishing attacks in January 2024, growing to 93 in December 2024, a 4,550% increase over the year. CrowdStrike also reported a 442% increase in vishing attacks in the second half of 2024 compared to the first half (CrowdStrike via Hoxhunt, "Vishing Attacks Surge 442%," 2025). The volume of scam calls targeting Americans has reached epidemic proportions: 2.14 billion scam calls per month in 2024, increasing to 2.56 billion per month in 2025 (Programs.com, "Vishing Statistics 2026," 2026). Other estimates put the figure at 2.7 billion to 3.1 billion scam calls monthly; the exact number depends on who is measuring, but every source agrees on the scale.
Organizational impact is widespread. 70% of organizations report being victims of vishing attacks, with an average cost of $14 million per year per organization (Keepnet Labs, "Vishing Statistics," 2025). The tech support scam category alone—a subset of vishing—generated 37,560 complaints in 2023 with $924.5 million in losses, up from 32,538 complaints with $806.6 million in 2022 (FBI, "2024 IC3 Annual Report," 2025). These are conservative estimates; many vishing attacks go unreported because victims are embarrassed or organizations lack incident detection.
The MGM Resorts breach illustrates vishing's organizational impact. In September 2023, attackers from the Scattered Spider group researched MGM employees on LinkedIn, then called MGM's IT help desk impersonating a specific employee. A roughly 10-minute phone call yielded login credentials that led to a ransomware attack causing approximately $100 million in Q3 2023 losses across multiple Las Vegas properties (Mutare, "MGM Resorts Suffers Vishing Cyberattack"; Specops Software; Netwrix). This single vishing call—requiring no malware, no phishing email, no exploitation of technical vulnerabilities—cost a major corporation nine figures.
AI voice fraud is accelerating vishing's evolution. AI-powered voice fraud attempts jumped 194% in 2024 compared to 2023 (Deepstrike, "Vishing Statistics 2025," 2025). Projected losses from fraud using generative AI (including deepfake vishing) could reach $40 billion annually by 2027 (Deloitte Center for Financial Services). In one widely reported case, an energy company's CEO was tricked into authorizing a $243,000 transfer by a voice clone of his boss. In the financial sector, more than 10% of surveyed institutions have suffered a deepfake vishing loss exceeding $1 million, with an average loss per case of approximately $600,000 (Reality Defender, "Deepfake Voice Phishing in the Financial Sector").
Proofpoint detects 10 million TOAD (Telephone-Oriented Attack Delivery) messages per month, showing how email phishing and vishing are operationally linked—attackers use email to establish context, then follow up with vishing to execute fraud (Proofpoint, "2024 State of the Phish Report," 2024). This multi-channel approach amplifies attack effectiveness beyond either channel alone.
What are the limitations of vishing?
Vishing's dependence on human operators creates scaling constraints. Live calls require real people with social engineering skills, limiting volume compared to automated email campaigns. Sophisticated AI voice clones are emerging but remain imperfect and resource-intensive to generate at scale, making truly scalable vishing attacks still limited in scope.
Phone calls leave forensic traces. Call records, VoIP logs, and telephony metadata can be traced by law enforcement and threat intelligence teams. Unlike email spoofing, which can be relatively anonymous, phone calls create a trail. Caller ID spoofing is detectable through forensic analysis of call routing patterns.
The FCC's STIR/SHAKEN mandate is making caller ID spoofing harder on major US carriers. Large carriers have been required to implement STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) call authentication since June 30, 2021, with smaller carriers required since June 30, 2022. Under the framework the originating carrier signs each call with its certificate, attaching a PASSporT token that names the calling number and an attestation level: A (full: the carrier knows the customer and that the customer is authorized to use the number), B (partial: the customer is known but the number is not verified), or C (gateway: the call entered the network from an unsigned source, typically an international gateway). The terminating carrier verifies the signature and can label or block the call. This makes it harder (though not impossible) to spoof a number that belongs to someone else. The caveats matter: coverage remains incomplete for small carriers and international calls, which arrive with C attestation at best; the signature authenticates the originating carrier's assertion about the number, not the identity of the person speaking; and the displayed caller name (CNAM) is not covered at all. An attacker who rents a number from a cooperative VoIP provider therefore places a fully attested call from a number that is still not the bank's, and simply claims to be the bank.
Victims can simply hang up and call back the organization's official number to verify. This simple procedure, "I'll call you back at the number on your bank statement," disrupts vishing attacks completely, because attackers cannot control who answers an independently verified number. Two details make it work: the callback number must come from an independent source (a statement, a card, or the organization's website), never from the caller; and the callback should be placed from a different phone or only after the line has clearly cleared, since some scams keep the original line open and answer as "the bank" when the victim redials.
Recording and reporting suspicious calls creates threat intelligence. Call recording systems, combined with centralized reporting, allow organizations to detect patterns of vishing attacks and share intelligence with carriers and law enforcement. These patterns enable filtering and caller ID verification improvements.
How should organizations implement defenses against vishing?
Vishing defense requires technical controls on the carrier and organizational levels, supplemented by human controls and awareness.
Technical controls at the carrier level include STIR/SHAKEN call authentication, in which the originating carrier digitally signs the calling number and attestation level and the terminating carrier verifies the signature. This makes it harder for attackers to spoof trusted numbers, though it is imperfect: it vouches for the number, not for who is using it. Call blocking and filtering solutions, both carrier-provided and third-party tools like Nomorobo, Robokiller, and Hiya, use threat intelligence feeds and heuristic analysis to block known scam numbers and flag suspicious calls.
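As an added example (not code from the original page, from any carrier, or from the vendors named above), the following Python shows what the "caller ID is just a header" point and the STIR/SHAKEN attestation levels look like from the receiving side. It parses a constructed SIP INVITE, reads the calling number from the From header, the carrier's verification result from the verstat parameter, and the attestation level from the PASSporT in the Identity header, and applies a simple routing policy. The PASSporT signature is deliberately not verified here (that is the terminating carrier's job, and its result arrives as verstat); the sample INVITE messages, the numbers and the allowlist of "our" numbers are all made up.

```python
"""Read the identity claims carried by an inbound SIP INVITE.

Added example, not code from the original page, a carrier, or any vendor.
Header layouts follow RFC 3261 (From), RFC 8224/8588 (Identity/PASSporT) and
ATIS-1000074 (verstat). The PASSporT signature is NOT verified here; the
terminating carrier does that and reports the result as verstat. The sample
INVITEs, numbers and the allowlist of "our" numbers are made up.
"""
import base64
import json
import re

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_headers(invite: str) -> dict:
    """Map lower-cased SIP header names to values; the request line is skipped."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def tn_from_uri(value: str):
    """'<sip:+18005550100@x>;tag=1' -> '18005550100'."""
    m = re.search(r"(?:sip|tel):\+?(\d+)", value)
    return m.group(1) if m else None

def verstat_from(value: str):
    m = re.search(r"verstat=([A-Za-z-]+)", value)
    return m.group(1) if m else None

def decode_passport(identity_header: str) -> dict:
    """Decode the PASSporT JWT from an Identity header value (signature unchecked)."""
    parts = identity_header.split(";")[0].strip().split(".")
    if len(parts) != 3:
        raise ValueError("malformed PASSporT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        raise ValueError("not a SHAKEN PASSporT")
    return json.loads(_b64url_decode(parts[1]))

def assess_call(invite: str, trusted_numbers: set, now: int) -> dict:
    """Return a verdict plus every reason the call fell short of full verification."""
    h = parse_headers(invite)
    from_tn = tn_from_uri(h.get("from", ""))
    verstat = verstat_from(h.get("p-asserted-identity", "")) or verstat_from(h.get("from", ""))
    out = {"from_tn": from_tn, "verstat": verstat, "attest": None, "reasons": []}
    try:
        claims = decode_passport(h["identity"])
    except (KeyError, ValueError) as exc:
        claims = {}
        out["reasons"].append(f"no usable PASSporT ({exc})")
    if claims:
        out["attest"] = claims.get("attest")
        if abs(now - claims.get("iat", 0)) > 60:          # RFC 8224 freshness window
            out["reasons"].append("PASSporT iat outside the 60 s window")
        if claims.get("orig", {}).get("tn") != from_tn:
            out["reasons"].append("PASSporT orig.tn does not match From")
        if out["attest"] != "A":
            out["reasons"].append(f"attestation {out['attest']} is not full (A)")
    if verstat != "TN-Validation-Passed":
        out["reasons"].append(f"carrier verstat is {verstat}")
    if from_tn in trusted_numbers and out["reasons"]:
        out["verdict"] = "likely-spoof"   # shows one of our numbers, carrier could not vouch
    elif out["reasons"]:
        out["verdict"] = "unverified"
    else:
        # Full attestation means the originating carrier vouches that its customer
        # may use this number. It says nothing about WHO that customer is.
        out["verdict"] = "signed-A"
    return out

# ---- constructed sample traffic (made up for this example) -----------------
def make_passport(orig_tn: str, dest_tn: str, attest: str, iat: int) -> str:
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example/carrier.pem"}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000001"}
    fake_sig = _b64url_encode(b"not-a-real-signature")      # placeholder bytes only
    return ".".join([_b64url_encode(json.dumps(p).encode()) for p in (header, payload)] + [fake_sig])

def sample_invite(from_tn: str, verstat: str, passport: str) -> str:
    return ("INVITE sip:+15551234567@callcenter.example SIP/2.0\r\n"
            f"From: <sip:+{from_tn}@carrier.example>;tag=1\r\n"
            f"P-Asserted-Identity: <sip:+{from_tn}@carrier.example>;verstat={verstat}\r\n"
            f"Identity: {passport};info=<https://cert.example/carrier.pem>;alg=ES256;ppt=shaken\r\n"
            "\r\n")

BANK_NUMBERS = {"18005550100"}      # numbers the bank really owns (made up)
NOW = 1_700_000_000
GENUINE = sample_invite("18005550100", "TN-Validation-Passed",
                        make_passport("18005550100", "15551234567", "A", NOW))
SPOOFED = sample_invite("18005550100", "TN-Validation-Failed",
                        make_passport("18005550100", "15551234567", "C", NOW - 300))

if __name__ == "__main__":
    for name, inv in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, assess_call(inv, BANK_NUMBERS, NOW))
```

Running it gives signed-A for the genuine call and likely-spoof for the one that displays the bank's number with failed carrier validation, gateway (C) attestation and a stale token. Note what the policy cannot tell you: a caller with full attestation on a number they legitimately rent is also signed-A, so the verdict says the number is real, not that the caller is who they claim to be.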
AI-powered call analysis tools detect deepfake voice patterns, robocall signatures, and anomalous calling behavior in real-time. These solutions analyze voice characteristics, detect audio generation artifacts, and flag calls with unnatural pauses or speech patterns.
Multi-factor authentication (MFA) on all accounts, especially those with financial authority or system access, provides defense-in-depth, but the choice of factor matters more for vishing than for any other attack, because the second factor is precisely what a vishing caller asks for. "Read me the code we just sent you" captures an SMS or authenticator OTP, and "approve the prompt on your phone so I can fix this" captures a push approval, so OTP and push MFA are routinely defeated over the phone. Phishing-resistant MFA (FIDO2/WebAuthn hardware keys or passkeys) is preferred because there is no code for the victim to read out and the authenticator's signature is bound to the legitimate site's origin, so nothing a victim can say on a call lets the attacker log in (Thales; CISA, "Implementing Phishing-Resistant MFA Fact Sheet," 2022).
Network-level protections include IVR (Interactive Voice Response) fraud detection that identifies automated robocall patterns, voice biometrics for caller verification, and anomaly detection on call center traffic. These tools flag inbound calls with suspicious characteristics before they reach human operators.
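As an added example (not the page's code, nor that of any IVR or call-center product) of the pattern detection that the call-recording and reporting paragraph in the limitations section and the network-level protections above describe, the following Python runs two detectors over constructed call-detail records: one ANI that claims several different employee identities to the helpdesk within an hour, and one ANI that sweeps many extensions with calls lasting only seconds. The record format, the helpdesk extension 2000, the claimed_id field (assumed to be joined in from the ticketing system) and the thresholds are all assumptions.

```python
"""Flag vishing patterns in constructed call-detail records (CDRs).

Added example, not the page's or any vendor's code. Each record is a
``timestamp,ani,dnis,duration_s,verstat,claimed_id`` line; ``claimed_id`` is
the employee ID the caller claimed at the helpdesk, assumed to be joined in
from the ticketing system. Numbers, extensions and thresholds are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

HELPDESK_DNIS = "2000"     # assumed helpdesk extension

@dataclass
class Cdr:
    ts: datetime
    ani: str          # calling number
    dnis: str         # called extension
    duration: int     # seconds
    verstat: str      # carrier STIR/SHAKEN result, if delivered
    claimed_id: str   # identity claimed at the helpdesk ("" if not a helpdesk call)

def parse_cdrs(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        if line.startswith("#") or not line.strip():
            continue
        ts, ani, dnis, dur, verstat, claimed = line.split(",")
        out.append(Cdr(datetime.fromisoformat(ts), ani, dnis, int(dur), verstat, claimed))
    return sorted(out, key=lambda c: c.ts)

def multi_identity_callers(cdrs, window=timedelta(hours=1), min_identities=2) -> dict:
    """ANIs that claimed >= min_identities distinct employee IDs to the helpdesk within `window`.
    One phone claiming to be three different employees in an hour is an operator working a list."""
    by_ani = defaultdict(list)
    for c in cdrs:
        if c.dnis == HELPDESK_DNIS and c.claimed_id:
            by_ani[c.ani].append(c)
    hits = {}
    for ani, calls in by_ani.items():
        for i, first in enumerate(calls):              # sliding window over each start
            ids = {c.claimed_id for c in calls[i:] if c.ts - first.ts <= window}
            if len(ids) >= min_identities:
                hits[ani] = sorted(ids)
                break
    return hits

def extension_sweeps(cdrs, window=timedelta(minutes=10), min_targets=5, max_median_s=15) -> dict:
    """ANIs that hit >= min_targets distinct extensions within `window` with a median
    call length <= max_median_s: the signature of a robocaller or IVR prober."""
    by_ani = defaultdict(list)
    for c in cdrs:
        by_ani[c.ani].append(c)
    hits = {}
    for ani, calls in by_ani.items():
        for i, first in enumerate(calls):
            burst = [c for c in calls[i:] if c.ts - first.ts <= window]
            targets = {c.dnis for c in burst}
            med = median(c.duration for c in burst)
            if len(targets) >= min_targets and med <= max_median_s:
                hits[ani] = {"targets": len(targets), "median_s": med}
                break
    return hits

# Constructed sample export: one legitimate employee, one multi-persona helpdesk
# caller, one short-call extension sweep.
SAMPLE = """\
# ts,ani,dnis,duration_s,verstat,claimed_id   (constructed)
2024-03-04T09:02:11,12125550101,2000,412,TN-Validation-Passed,E1042
2024-03-04T09:15:40,14155550177,2000,380,No-TN-Validation,E2210
2024-03-04T09:31:05,14155550177,2000,290,No-TN-Validation,E3377
2024-03-04T09:58:22,14155550177,2000,355,No-TN-Validation,E0911
2024-03-04T10:40:00,13105550150,2101,9,No-TN-Validation,
2024-03-04T10:40:31,13105550150,2102,8,No-TN-Validation,
2024-03-04T10:41:02,13105550150,2103,11,No-TN-Validation,
2024-03-04T10:41:40,13105550150,2104,7,No-TN-Validation,
2024-03-04T10:42:15,13105550150,2105,10,No-TN-Validation,
2024-03-04T10:43:00,13105550150,2106,9,No-TN-Validation,
2024-03-04T11:10:00,12125550101,2000,600,TN-Validation-Passed,E1042
"""

if __name__ == "__main__":
    records = parse_cdrs(SAMPLE)
    print("multi-identity helpdesk callers:", multi_identity_callers(records))
    print("extension sweeps:", extension_sweeps(records))
```

The first detector is the one that would have surfaced a helpdesk-targeting campaign: the legitimate employee calling twice about the same account does not trip it, the number claiming three identities does. Both detectors run on the telephony export alone; joining verstat lets you weight unsigned or gateway-attested callers more heavily.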
Operational controls are critical because the MGM Resorts attack specifically exploited a weak helpdesk verification process. Helpdesk identity verification procedures must establish rigorous protocols for phone-based support requests. The MGM attacker succeeded by calling the helpdesk and impersonating an employee; a helpdesk that required multi-step verification (employee ID cross-checked against the directory, manager confirmation, or a callback to the number on record) would have left that call very little chance of succeeding. Current best practice requires: (1) verify the caller's identity against a registered employee directory, never against details the caller supplies; (2) obtain independent confirmation from their manager or supervisor; and (3) document the call and the verification performed, whether or not the request was granted.
Callback verification policies should mandate that sensitive information or action is never provided based on an inbound call. Establish a universal organizational policy that legitimate entities will never request passwords, MFA codes, wire transfer authorization, or data access via phone. If an employee receives a suspicious call, they should hang up and call back using an independently verified number—the organization's main number from the website, or a business card.
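As an added example (not MGM's process and not the page's own code), the following Python models the three-step helpdesk procedure and the callback rule above as a ticket state machine: the callback is placed to the directory number of record while the number the caller offers is recorded but never dialed; a token read out on the callback must be repeated on the original line; and a credential reset is only possible from the verified state. The directory entries, employee IDs and phone numbers are invented, and the callback itself is represented by an audit entry rather than an actual telephony call.

```python
"""Helpdesk credential-reset flow with out-of-band caller verification.

Added example, not the page's or MGM's code. Directory, IDs and numbers are
made up; the callback is represented by an audit entry, not a real call.
"""
import secrets
from dataclasses import dataclass, field

# employee_id -> the number and manager WE trust (assumed HR/directory export)
DIRECTORY = {
    "E1042": {"name": "A. Rivera", "phone": "+12125550101", "manager": "E0007"},
    "E0007": {"name": "B. Chen", "phone": "+12125550199", "manager": "E0001"},
}

@dataclass
class Ticket:
    claimed_id: str
    caller_supplied_phone: str      # kept for the audit trail, never dialed
    state: str = "opened"
    callback_token: str = ""
    manager_confirmed: bool = False
    audit: list = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit.append(event)

def open_ticket(claimed_id: str, caller_supplied_phone: str) -> Ticket:
    """Step 1: check the claim against the directory, then start the callback."""
    t = Ticket(claimed_id, caller_supplied_phone)
    t.log(f"opened: caller claims {claimed_id}, offers {caller_supplied_phone}")
    rec = DIRECTORY.get(claimed_id)
    if rec is None:
        t.state = "rejected"
        t.log("rejected: no such employee in directory")
        return t
    t.log(f"directory match: {rec['name']}")
    # Step 2: the callback goes to the number OF RECORD. The caller-supplied
    # number is ignored on purpose; dialing it would let an attacker "verify"
    # themselves on a phone they control.
    t.callback_token = secrets.token_hex(4)
    t.state = "awaiting_callback"
    t.log(f"callback placed to {rec['phone']} (caller offered {caller_supplied_phone})")
    return t

def confirm_callback(t: Ticket, token_read_back: str) -> Ticket:
    """The agent reads the token to whoever answers the number of record; the
    person on the original inbound line must repeat it. Only someone who also
    holds the registered phone can do that."""
    if t.state != "awaiting_callback":
        t.log(f"callback confirmation ignored in state {t.state}")
        return t
    if secrets.compare_digest(token_read_back, t.callback_token):
        t.state = "awaiting_manager"
        t.log("callback token matched")
    else:
        t.state = "rejected"
        t.log("rejected: callback token mismatch")
    return t

def confirm_manager(t: Ticket, confirming_id: str) -> Ticket:
    """Step 3: confirmation must come from the manager listed in the directory,
    and only after the callback succeeded."""
    expected = DIRECTORY.get(t.claimed_id, {}).get("manager")
    if t.state != "awaiting_manager" or confirming_id != expected:
        t.log(f"rejected: manager confirmation from {confirming_id} "
              f"(expected {expected}) in state {t.state}")
        t.state = "rejected"
        return t
    t.manager_confirmed = True
    t.state = "verified"
    t.log(f"manager {expected} confirmed")
    return t

def reset_credentials(t: Ticket) -> bool:
    """The only path to a reset; True only when every step passed. Logged either way."""
    ok = t.state == "verified" and t.manager_confirmed
    t.log("credential reset performed" if ok else f"reset refused in state {t.state}")
    return ok

if __name__ == "__main__":
    # An attacker claims E1042 and offers a number they control.
    t = open_ticket("E1042", "+13105550150")
    confirm_callback(t, "0000")     # cannot know the token read out on the callback
    print(reset_credentials(t))
    for line in t.audit:
        print(" ", line)
```

The design point is that every branch ends in an audit entry and there is exactly one function that performs the reset, gated on state rather than on an agent's judgement; an attacker who talks a sympathetic agent into "skipping the callback this once" has nowhere in the flow to do so.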
Never sharing MFA codes, push approvals or passwords by phone should be a universal organizational policy, stated to employees as an absolute: no one from IT, the bank, or a vendor will ever ask for them. This simple rule, consistently enforced, defeats most vishing attacks, because the call then has nothing left to extract.
Dual-approval for financial transactions prevents a single compromised account or vishing victim from authorizing large transfers. Wire transfers and vendor payment changes should require two independent approvals from different individuals.
Human controls require vishing-specific awareness training. Most security awareness training focuses on email phishing and misses vishing entirely. Training programs should include vishing simulations—recorded voice calls that teach employees to recognize urgency, authority, and isolation tactics. Real-time feedback on why simulated vishing succeeded improves learning more effectively than generic training.
Psychological pressure recognition training helps employees identify manipulation tactics. Urgency ("Act now or your account closes"), authority ("I'm calling from the FBI"), and isolation ("Don't tell anyone about this") are standard vishing techniques. When employees recognize these patterns, they are more likely to pause and verify.
Executive voice verification procedures should establish code words or multi-factor voice verification. For executive-initiated phone requests, especially those involving financial transactions or data access, establish verification protocols: a shared code word agreed in person, or a callback to the executive's known number, before any action is taken. This raises the bar for deepfake voice attacks, because a cloned voice does not know the code word; the code word must never be sent over email or chat, where an attacker who has already compromised the executive's mailbox could read it.
Report culture should encourage employees to report suspicious calls without fear of retaliation. Centralize call threat intelligence to identify patterns of vishing targeting specific departments or roles.
FAQs
What is the difference between vishing and phishing?
Phishing is typically conducted via email using malicious links or attachments. Vishing (voice phishing) uses phone calls or voice messages. Vishing bypasses all email-based security controls and exploits real-time social pressure through live conversation, making it harder for victims to pause and think critically. Proofpoint detects 10 million TOAD (Telephone-Oriented Attack Delivery) messages per month, showing how email phishing and vishing are often combined—email establishes context, then vishing executes the fraud (CISA, "Avoiding Social Engineering and Phishing Attacks"; Proofpoint, "2024 State of the Phish Report," 2024).
How did the MGM Resorts hack happen through vishing?
In September 2023, the Scattered Spider group researched MGM employees on LinkedIn, then called MGM's IT help desk impersonating a specific employee. A roughly 10-minute phone call yielded login credentials without any technical exploitation. This single vishing call led to a ransomware attack that disrupted operations across multiple Las Vegas properties and caused approximately $100 million in Q3 2023 losses. The attack succeeded because the helpdesk lacked rigorous identity verification procedures—most helpdesks verify callers superficially (Mutare, "MGM Resorts Suffers Vishing Cyberattack"; Specops Software; Netwrix).
How are AI deepfakes being used in vishing attacks?
AI voice cloning technology requires only a few seconds of audio from public sources like podcasts, conferences, or social media to create realistic voice impersonations. In one notable case, an energy company CEO was tricked into transferring $243,000 by an AI-generated voice clone of his boss. AI-powered voice fraud attempts jumped 194% in 2024, and over 10% of financial institutions have suffered deepfake vishing losses exceeding $1 million per incident. Deepfake video combined with voice cloning creates compounding credibility that makes detection extremely difficult (Group-IB, "The Anatomy of a Deepfake Voice Phishing Attack"; Reality Defender; Google Cloud Blog).
What is STIR/SHAKEN and how does it protect against vishing?
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) is an FCC-mandated call authentication framework in which the originating carrier digitally signs each call's calling number and attestation level and the terminating carrier verifies the signature, making it harder for attackers to spoof trusted phone numbers. Large US carriers have been required to implement it since June 2021, with smaller carriers required since June 2022. However, coverage remains incomplete for small carriers and international calls, and the signature attests to the carrier's knowledge of the number, not to who is speaking, so an attacker with a legitimately assigned VoIP number still passes verification and simply claims to be someone else (FCC; TransNexus; Wikipedia).
How common are vishing attacks against organizations?
70% of organizations report being victims of vishing attacks, with an average annual cost of $14 million per organization. Vishing attacks surged 442% in the second half of 2024 compared to the first half. Americans received 2.56 billion scam calls per month in 2025 (up from 2.14 billion in 2024). The FBI IC3 recorded $924.5 million in tech support scam losses in 2023 alone, and tech support scams are only one vishing category, so vishing-driven fraud plausibly costs victims billions annually (Keepnet Labs, "Vishing Statistics," 2025; CrowdStrike/Hoxhunt, 2025; Programs.com, "Vishing Statistics 2026"; FBI IC3, 2024).