Vishing

Vishing is voice-based social engineering: phishing delivered over the phone. The attacker calls the target impersonating a bank, government agency, IT support, or other trusted entity, and manipulates the target into divulging information, transferring funds, or installing remote-access software. The fastest-growing social-engineering category in 2023-26 reports, partly because robocalling infrastructure makes the attack cheap and partly because traditional anti-phishing training has focused on email rather than voice.

What it means in practice

The vishing pipeline. The attacker obtains the target list (from breaches, data brokers, or publicly-scraped contact information). The robocall layer dials thousands per hour with a recorded message creating urgency (“your bank account has unusual activity, press 1 to speak with security”). The target who presses 1 is connected to a live operator (in a call center, often offshore, scripted for the impersonation). The operator extracts what the script asks for: account numbers, one-time codes received via SMS during the call, remote-desktop access via TeamViewer or AnyDesk, or wire-transfer authorization. The 2024 deepfake-voice escalation is the structural shift: AI voice cloning lets the attacker impersonate specific individuals (the CFO calling the controller, the parent calling the child) using audio samples scraped from social media or prior calls.

Who is targeted, and by whom

Targets: elderly populations (the dominant volume target; the AARP and FTC report consistently rank vishing as the top fraud category by victim count), corporate finance functions (BEC vishing variants targeting wire-transfer authorization), IT help desks (the Scattered Spider operating playbook), and (in the deepfake-voice variant since 2024) anyone whose family member could be impersonated for emergency-pretext extraction (the “your son was in an accident, send bail money” pattern, augmented with cloned voice). Operators: organized cybercrime call centers, romance-scam operators, BEC fraud rings, and the long tail of individual operators running smaller campaigns. The legitimate-call defense problem: caller ID is structurally spoofable, so the inbound call cannot be trusted as authentic regardless of the displayed number.

What you can change today

Four habits. First, never give sensitive information to an inbound caller; if the call is legitimate, hang up and call back on a known number (the number on your statement or card). Second, never authorize remote-access software (TeamViewer, AnyDesk, Quick Assist) from an inbound caller; legitimate technical support does not work this way. Third, when receiving an emergency call from a “family member” (especially with deepfake-voice quality matching), use a pre-arranged challenge phrase that the family knows in advance; the attacker does not. Fourth, talk to elderly family members about the vishing patterns and the callback rule; the cultural transmission of the procedural defense is what protects the population that is most targeted.

Related articles