What is vishing? Voice phishing explained for 2026
Your phone rings. The caller claims to be from your IT department — they've detected unusual activity on your account and need you to verify your credentials immediately. The voice sounds professional, the phone number looks internal, and the urgency feels real. You hand over your password.
You've just been vished.
Vishing — voice phishing — is one of the fastest-growing attack vectors in cybersecurity right now. According to the CrowdStrike 2025 Global Threat Report, vishing incidents surged 442% between H1 and H2 2024, and the rise of AI voice cloning has made these attacks dramatically harder to detect. If your organisation hasn't addressed this threat yet, it's worth understanding exactly what you're dealing with.
What is vishing?
Vishing is short for "voice phishing." It's a social engineering attack where criminals use phone calls — or voicemail messages — to trick targets into revealing sensitive information, transferring money, or granting access to systems. The attacker typically impersonates a trusted authority: a bank, an IT helpdesk, a government agency, or even a colleague.
What makes vishing particularly dangerous is the human element. A live voice creates a sense of immediacy and credibility that a suspicious email simply can't match. When someone is speaking to you in real time, applying pressure, and answering your questions, your instinct to comply kicks in.
How vishing attacks actually work
Most vishing attacks follow a recognisable pattern, even if the specific script varies.
Caller ID spoofing is usually the first step. Attackers use VoIP technology to make their call appear to originate from a legitimate number — your bank's customer service line, an internal IT extension, or a government body. This alone is often enough to lower a target's guard.
Pretexting comes next. The attacker constructs a believable story — or "pretext" — to justify the call. Common pretexts include a detected security incident on your account, a failed payment, a missed delivery, or a compliance audit. The pretext is designed to create urgency and explain why the caller needs sensitive information from you right now.
Voicemail traps are a quieter variant. The attacker leaves a voicemail asking you to call back a spoofed number. When you call, you're speaking directly to the fraudster — but you initiated the contact, which makes you far more likely to trust the interaction.
AI-generated deepfake voices represent the current frontier. As reported by Right-Hand Cybersecurity, deepfake-enabled vishing spiked by over 1,600% in a single quarter in early 2025. AI can now clone a recognisable voice from just a few seconds of audio, allowing attackers to convincingly impersonate executives, colleagues, or family members.
Real-world vishing scenarios
These aren't hypothetical threats. Here are the attack types organisations are dealing with right now.
IT helpdesk impersonation — A caller pretending to be from your internal IT team contacts an employee, citing a security alert. They ask the employee to reset their password via a link or share a one-time code to "verify their identity." This is precisely how the Scattered Spider group has compromised major organisations, including by calling helpdesks and requesting MFA resets.
CEO/CFO voice fraud — In early 2025, a European energy company lost $25 million when attackers used a deepfake audio clone of the CFO to instruct a finance team member to authorise a wire transfer. The voice was indistinguishable from the real executive.
Bank impersonation calls — A caller claims your account has been flagged for fraud and asks you to confirm your PIN, card number, or one-time SMS code to "stop" the fraudulent transaction. The irony is that giving them the code is the fraudulent transaction.
Tech support scams — The caller claims your device or network is compromised and requests remote access or payment to fix it. According to FBI IC3 data cited by DeepStrike, tech support and impersonation scams resulted in over $924 million in US losses alone.
Tax authority threats — Callers pose as HMRC, the Belastingdienst, or another national tax authority, threatening immediate arrest or financial penalties unless payment is made over the phone. These are particularly effective because the prospect of government enforcement triggers fear and panic.
Signs a call might be vishing
Vishing attacks are designed to be convincing, but there are consistent red flags.
- The caller creates extreme urgency — you must act immediately or face consequences
- They ask for passwords, PINs, or one-time codes over the phone
- They request remote access to your device or systems
- The call involves an unexpected request that bypasses normal procedures
- They discourage you from verifying independently or calling back on an official number
- The number looks right but the conversation feels slightly off — pressure tactics, unusual phrasing, or oddly formal speech
If any of these apply, hang up and call back using a number you've independently verified from the organisation's official website.
Prevention tips for individuals and employees
The good news is that most vishing attacks can be defeated with a handful of consistent habits.
- Never provide credentials or codes over the phone. Legitimate banks, IT departments, and government agencies won't ask for passwords or one-time codes during an inbound call. Full stop.
- Hang up and call back. If you receive an unexpected call asking for sensitive action, end the call and dial the organisation directly using a number from their official website.
- Use a call-back codeword with your bank. Many UK banks now offer verbal passwords to confirm the caller is genuinely from the bank — use this.
- Be sceptical of caller ID. A number showing your company's internal extension or your bank's main line does not mean the caller is who they claim to be.
- Slow down. Urgency is the attacker's most powerful tool. Taking even 60 seconds to verify before acting is enough to defeat most vishing attempts.
Organisational controls and policies
For compliance and security teams, individual awareness isn't enough on its own. Vishing is now a governance issue.
Security awareness training should include vishing simulations specifically — not just phishing email tests. Securance's phishing test service covers realistic attack simulations that help teams measure and reduce their human risk exposure. Employees who've experienced a simulated vishing call are far less likely to comply with a real one.
Phone verification procedures should be formalised in policy. Any request made over the phone that involves credentials, fund transfers, system access, or sensitive data should require a secondary, out-of-band confirmation — for example, verifying via a separate messaging channel or calling back on a pre-registered number.
MFA should be mandatory — but it's not sufficient alone. Attackers increasingly pressure victims to read out the one-time code they've just received. Phishing-resistant MFA (such as hardware tokens or passkeys) removes this weakness entirely.
Out-of-band authorisation for financial transactions is essential. No wire transfer or payment detail change should be approved solely on the basis of a phone call, regardless of who appears to be calling. This single control would have prevented several high-profile losses in 2024 and 2025.
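The three controls above (formal phone verification, MFA that cannot be read out, and out-of-band authorisation) can be reduced to one decision rule: a sensitive request that arrives on an inbound call is held until it is confirmed on a pre-registered channel that the caller did not choose. The following is an added example written for this article, not Securance's code or any product's API; the staff directory, user names and channel labels are constructed.

```python
"""Out-of-band confirmation gate for phone-initiated requests.

Constructed example: models the policy that no credential reset, MFA reset,
system-access grant or payment change is approved on the strength of an
inbound phone call alone. All directory data below is made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed staff directory: the ONLY source of callback numbers and chat
# handles. Anything the caller supplies is never used for verification.
DIRECTORY = {
    "j.doe": {"phone": "+44 20 7946 0001", "chat": "jdoe"},
    "a.khan": {"phone": "+44 20 7946 0002", "chat": "akhan"},
}

# Request types that must never be approved on an inbound call alone.
SENSITIVE = {"password_reset", "mfa_reset", "system_access",
             "payment_detail_change", "wire_transfer"}


@dataclass
class PhoneRequest:
    claimed_user: str
    request_type: str
    caller_supplied_callback: Optional[str] = None
    # Confirmations obtained so far, e.g. ("callback", number) or ("chat", handle)
    confirmations: List[Tuple[str, str]] = field(default_factory=list)


def callback_number(user: str) -> Optional[str]:
    """Return the pre-registered number for a user, ignoring what the caller said."""
    entry = DIRECTORY.get(user)
    return entry["phone"] if entry else None


def decide(req: PhoneRequest) -> Tuple[bool, str]:
    """Approve only when a confirmation matches a pre-registered, separate channel."""
    if req.request_type not in SENSITIVE:
        return True, "non-sensitive request; no out-of-band check needed"
    entry = DIRECTORY.get(req.claimed_user)
    if entry is None:
        return False, "claimed user not in directory"
    for channel, address in req.confirmations:
        if channel == "callback" and address == entry["phone"]:
            return True, "confirmed by callback to pre-registered number"
        if channel == "chat" and address == entry["chat"]:
            return True, "confirmed via registered messaging channel"
    if req.caller_supplied_callback:
        return False, "caller-supplied callback number is not a valid confirmation"
    return False, "sensitive request on inbound call only; hold pending out-of-band confirmation"
```

The key point the code makes explicit is that a callback to a number the caller gave you, or a confirmation on a channel the caller nominated, counts for nothing; only directory data decides.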
For organisations working towards or maintaining frameworks like ISO 27001 or SOC 2, vishing controls belong directly in your human risk and access management policies. The benefits of ISO 27001 certification extend precisely to this area: structured governance frameworks create the procedural controls that make social engineering attacks far less effective.
A broader cybersecurity risk assessment aligned with ISO 27001 and NIS2 can help you identify where your people-level exposures actually sit.
Vishing vs email phishing: the key differences
Both are social engineering attacks, but they work differently and require different defences.
| | Email phishing | Vishing |
|---|---|---|
| Channel | Email, fake websites | Phone calls, voicemail, VoIP |
| Scale | Highly scalable — sent to thousands | Targeted — often individual or small group |
| Manipulation method | Links, attachments, fake login pages | Real-time conversation and pressure |
| Traceability | Leaves digital artefacts (headers, URLs) | Harder to trace; VoIP numbers rotate |
| Primary defence | Email filtering, link scanning | Human behaviour, verification procedures |
Vishing is generally considered harder to defend against at a technical level precisely because the attack happens in real time, through a trusted channel (voice), and targets human psychology directly. Email filters can catch a phishing link; no filter catches a manipulative conversation.
That said, many modern attacks combine both. A vishing call often follows a phishing email — the email sets up the pretext, the call closes it.
What to do if you or your organisation fall victim
Speed matters. If you realise you've given sensitive information to a vishing attacker, take these steps immediately.
- Change compromised credentials — passwords, PINs, account numbers — before the attacker can use them
- Notify your IT or security team so they can monitor for unusual access and lock affected accounts
- Contact your bank or payment provider if financial information or a transaction was involved — many transfers can be recalled quickly if reported within hours
- Document everything — the time, number, what was said, what was disclosed
- Report the incident to Action Fraud (UK) or your national cybercrime reporting body
- Review what data was exposed and assess whether it affects client data, triggering GDPR breach notification obligations under Article 33
- Conduct a post-incident review to identify where the control failed and update your procedures accordingly
For SaaS and tech organisations, a vishing incident that results in a data exposure may also affect your SOC 2 or ISO 27001 compliance standing — which is another reason incident response procedures should be tested before they're needed, not after.
Vishing isn't a niche threat for large financial institutions. It's a daily risk for any organisation whose employees answer the phone. The organisations that take it seriously — with real training, verified procedures, and tested controls — are the ones that don't end up in an incident report.
If you'd like to understand where your team's human risk exposure really sits, operational risk management and regular simulated attack testing are the place to start.