Vishing (voice phishing)
Phishing delivered over a voice call — increasingly combined with an email pretext and, since 2023, with AI-cloned voices of executives and colleagues.
Vishing — short for voice phishing — is a phishing attack delivered over a phone call, typically reinforcing or following an email pretext. The attacker impersonates IT support, a fraud-prevention desk, an executive, or a courier, and uses the live channel to push the target into an action the email alone could not: approving an MFA prompt, reading an OTP aloud, installing a remote-control tool, or executing a wire.
Vishing has shifted from a fringe technique to a recurring vector in major incidents. The 2022 Uber breach started with a vishing call to an employee while a contractor’s credentials were already in play; the 2023 MGM Resorts and Caesars compromises both began with social-engineering calls to the IT helpdesk, walking the attacker through a password reset. ANSSI’s Panorama de la cybermenace notes the same shift in France: voice channels exploit a confidence gap that email no longer enjoys.
Defining properties:
- Live pressure. Voice removes the seconds of reflection an inbox affords. Tone, urgency, and a credible backstory compress the decision window.
- Multi-channel pretext. A vishing call is rarely cold. It follows an email, a fake CRM ticket, or an SMS that primes the target to expect the call.
- MFA-bypass enabler. The attacker holds the target on the line through an MFA fatigue sequence or talks them through reading a one-time code.
- AI-amplified. Voice cloning (see deepfake voice cloning) now makes “the CFO called me” credible on its own; the well-known 2024 Hong Kong USD 25M case went further still and ran through a deepfake video conference, not just a phone call.
The defensive lever is the same as for BEC: a procedural rule that any sensitive request requires a callback on a number the employee already has, plus enough rehearsal — via simulation and post-incident nudges — that the rule survives time pressure.
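The MFA-fatigue sequence described above leaves a recognisable trace in authentication logs. As an added example (not part of this glossary), the detection below flags a user whose first push approval follows a burst of denied or timed-out prompts inside a short window; the log format, user names and thresholds are constructed for the example.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example).

A vishing caller holding the target on the line produces repeated push
prompts that are denied or time out before one is finally approved.
The log layout and thresholds below are constructed, not a vendor's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> push <result>"
SAMPLE_LOG = """\
2024-03-04T09:00:02 alice push denied
2024-03-04T09:00:41 alice push denied
2024-03-04T09:01:15 alice push timeout
2024-03-04T09:01:50 alice push denied
2024-03-04T09:02:30 alice push approved
2024-03-04T09:05:00 bob push approved
2024-03-04T09:07:10 carol push denied
2024-03-04T09:30:00 carol push approved
"""

def parse(log_text):
    """Group (timestamp, result) pairs per user."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, _, result = line.split()
        events[user].append((datetime.fromisoformat(ts), result))
    return events

def detect_fatigue(log_text, window=timedelta(minutes=10),
                   min_prompts=4, min_refusals=2):
    """Return {user: details} for users whose first approval closes a burst.

    A burst is at least `min_prompts` prompts inside `window` ending at the
    approval, of which at least `min_refusals` were denied or timed out.
    """
    flagged = {}
    for user, evs in parse(log_text).items():
        evs.sort()
        for i, (t, result) in enumerate(evs):
            if result != "approved":
                continue
            burst = [r for (u, r) in evs[:i + 1] if t - u <= window]
            refusals = sum(r in ("denied", "timeout") for r in burst)
            if len(burst) >= min_prompts and refusals >= min_refusals:
                flagged[user] = {"prompts": len(burst), "refusals": refusals,
                                 "approved_at": t.isoformat()}
            break  # only the first approval after a burst matters
    return flagged
```

Only alice is flagged on the sample: bob approves a single prompt, and carol's earlier denial falls outside the ten-minute window.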
Related terms
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- Spear-phishing: A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
- Business Email Compromise (BEC): A targeted fraud in which an attacker impersonates an executive, supplier, or counsel to redirect a legitimate payment — historically the single most financially damaging cybercrime category.
- Deepfake voice cloning: Use of AI-generated synthetic voice — and increasingly video — to impersonate a known executive or colleague during a fraud attempt.
- Social engineering: Manipulating a person — rather than exploiting a software flaw — to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.