What is vishing in cybersecurity, and how can you protect your business?


We’ve all heard of phishing, but what is vishing in cybersecurity? It’s short for voice phishing and is a type of social engineering attack where cybercriminals use phone calls, voicemails and voice messages to trick people into divulging sensitive information or taking a harmful action, such as moving money or installing software.

It might sound like the sort of thing only the elderly would fall for, but with the rise of AI it’s a growing threat, and one that businesses can’t afford to ignore.

Understanding vishing in cybersecurity

Vishing weaponises something we instinctively trust – human conversation. While most of us have learned to spot suspicious emails – the typos, the urgent demands, the dubious sender addresses – phone calls bypass these defences entirely. A confident voice claiming to represent your bank, IT department, or tax authority taps directly into our tendency to trust spoken communication.

This psychological advantage helps explain why vishing attacks rose by 442% between the first and second half of 2024, according to CrowdStrike’s 2025 Global Threat Report.

How AI’s transforming vishing

Although vishing is a type of phone scam, it’s far more sophisticated than a call telling you you’ve won a prize in a competition you never entered, provided you pay the taxes and registration fees up front.

Today, cybercriminals are automating vishing campaigns with AI-powered tools and techniques, such as:

  • Text-to-speech engines, which convert written text into realistic human speech
  • Voice cloning and deepfake audio, which replicate a specific person’s voice from a short recording
  • Automatic speech recognition (ASR), which lets the attacker’s software understand what the victim is saying and respond in real time without a human operator

As AI tools become more accessible, the barrier to launching convincing voice scams is dropping, making vishing more dangerous and difficult to detect.

How vishing works in practice

Here's an example of the sequence of events in a typical vishing attack:

  • You receive a call that appears to be from your bank, often with the bank’s name or number on the caller ID
  • The caller creates urgency, for example by claiming there has been suspicious activity on your account
  • They ask you to “verify your identity” by providing account details, passwords or a one-time code
  • Once they have your information, they use it to access your accounts or sell it on the dark web

Common vishing techniques

Help desk social engineering

Attackers pose as legitimate help desk or IT staff. They call employees to trick them into: 

  • Sharing login credentials
  • Disabling multi-factor authentication 
  • Installing remote access tools
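The three outcomes above leave a trail in identity and endpoint logs, so they can be hunted for after the fact. The following is an added example, not code from the article or from CyberSmart: it correlates an account-weakening event (MFA method removed, MFA or password reset) with follow-on activity within a short window (new MFA method, new-device sign-in, or installation of a remote-access tool). The log format, event names and tool list are assumptions for the illustration, and the sample events are constructed.

```python
"""Flag the follow-on activity of a successful help-desk vishing call.

Added illustration, not from the article. The line format, event kinds and
remote-tool names below are assumptions, not any vendor's real schema.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str
    detail: str


# Events a fake help desk talks the victim into (weaken the account)
WEAKENING = {"mfa_method_removed", "mfa_reset", "password_reset"}
# Events that show someone cashing in on the weakened account
FOLLOW_ON = {"mfa_method_added", "login_new_device"}
# Remote-access tools commonly pushed by scammers (assumed list; extend to taste)
REMOTE_TOOLS = {"anydesk", "teamviewer", "screenconnect", "quick assist"}
# How long after the weakening event we still consider activity related
WINDOW = timedelta(minutes=60)

# Constructed sample log: "<ISO timestamp> <user> <event_kind> <detail>"
SAMPLE_LOG = """\
2024-11-04T09:02:11 alice login_success ip=10.1.4.22
2024-11-04T10:15:40 bob mfa_method_removed authenticator-app
2024-11-04T10:18:03 bob mfa_method_added sms
2024-11-04T10:31:55 bob software_installed AnyDesk
2024-11-04T11:05:00 carol mfa_method_removed hardware-key
2024-11-05T14:20:00 carol login_new_device ip=203.0.113.9
2024-11-04T16:40:00 dave software_installed AnyDesk
""".splitlines()


def parse_line(line: str) -> Event:
    """Parse one constructed log line; detail is optional."""
    ts, user, kind, *rest = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, kind, rest[0] if rest else "")


def is_follow_on(ev: Event) -> bool:
    """A software install only counts if it is a known remote-access tool."""
    if ev.kind == "software_installed":
        return ev.detail.lower() in REMOTE_TOOLS
    return ev.kind in FOLLOW_ON


def find_help_desk_compromises(lines: List[str]) -> List[dict]:
    """Return one alert per weakening event that has follow-on activity
    for the same user within WINDOW. An install or sign-in on its own is
    normal IT work and is deliberately not alerted on."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    by_user: Dict[str, List[Event]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, weak in enumerate(evs):
            if weak.kind not in WEAKENING:
                continue
            followers = [
                e for e in evs[i + 1:]
                if is_follow_on(e) and e.ts - weak.ts <= WINDOW
            ]
            if followers:
                alerts.append({"user": user, "trigger": weak, "follow_on": followers})
    return alerts


if __name__ == "__main__":
    for alert in find_help_desk_compromises(SAMPLE_LOG):
        print(f"[{alert['user']}] {alert['trigger'].kind} at {alert['trigger'].ts}")
        for e in alert["follow_on"]:
            print(f"    then {e.kind} ({e.detail}) at {e.ts}")
```

In the constructed sample only bob is flagged: his authenticator app is removed, an SMS method is added three minutes later and AnyDesk appears within the hour. carol’s new-device sign-in lands a day after her MFA change, outside the window, and dave installs AnyDesk with no preceding account change, so neither raises an alert. In practice the weakening events come from the identity provider’s audit log and the installs from endpoint software inventory, and the window and tool list need tuning to the environment.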

Wardialing

Cybercriminals use automated tools to systematically call hundreds or even thousands of numbers based on predictable telephone number structures within specific area codes. They play a pre-recorded message to trick victims into calling back or revealing sensitive information.

Caller ID spoofing

Attackers use VoIP services or spoofing apps to falsify the displayed caller ID, showing names such as “Bank of England,” “IRS,” “Police,” or even one of your personal contacts. Caller ID is not authenticated, so a familiar name or number on the screen proves nothing about who is actually calling.

Dumpster diving

Also known as trash tracing, this technique can be physical (discarded paperwork) or digital (old drives, unsecured backups, data leaked online) and involves combing through discarded material to glean information such as names, account numbers, balances and more. Armed with these details, a vishing call sounds a lot more credible.

VoIP

Scammers use Voice over Internet Protocol (VoIP), which allows them to make calls over the internet instead of traditional phone lines. This helps them conceal their locations and identities, lets them place large numbers of calls cheaply, and makes it trivial to set whatever caller ID they like.

3 signs of vishing

Unfortunately, you can't inspect a voice call's sender address or headers the way you can a suspicious email. Instead, listen for these warning signs:

1. Unexpected urgency

If the caller’s pushing you to act immediately, hang up. Real organisations give you time to check, and won't object to you calling back on a published number.

2. Asking for information they should have

Banks don't need your PIN or full password. IT doesn't need your password, and it never needs you to read out an MFA code. If they're fishing for details, it's a scam.

3. Threats and pressure

Listen for lines like "Your account will be closed" or "You'll face legal action". Scammers use fear to cloud your judgment.

How to protect your business from vishing

Building strong defences against vishing, and against related phone-based scams such as smishing (phishing by text message), doesn't require a massive budget or technical expertise. Start with these practical steps:

Train your team regularly

Make vishing awareness part of your regular cybersecurity training. Run simulations where employees practise handling suspicious calls. Pay particular attention to anyone who handles sensitive data, payments or account resets, including your own help desk, which attackers may also call while posing as an employee.

Implement verification procedures

Create clear protocols for verifying caller identities. If someone claims to be from a supplier, partner or bank, hang up and call them back on a number from your own records or their official website, never one the caller gives you. Apply the same rule to calls claiming to come from your own IT or help desk: end the call and reach them through the official ticketing system or internal directory.

Use technology

While email filters can't stop voice calls, you can use call-blocking services and apps that identify potential spam calls. Consider implementing multi-factor authentication that doesn't rely on SMS codes, which scammers can capture through SIM-swap fraud. Bear in mind that any code a user can read out over the phone can be talked out of them, so phishing-resistant methods such as FIDO2 security keys or passkeys give the strongest protection.

Don't let scammers have the last word

Now that you understand what vishing in cybersecurity is, you can take simple, proactive steps to keep your business and team protected.

Want to give your people the skills to recognise cyber threats before they turn into breaches? Check out CyberSmart Learn, our cybersecurity focused learning management system.