Skip to Content
Threats and Attacks

What is vishing (voice phishing)?

Vishing (a blend of "voice" and "phishing") is a social engineering scam carried out over a phone call, in which the criminal poses as someone trustworthy, the bank, a supplier, IT support or the boss, to convince the victim to reveal passwords, approve payments or install a program. It is phishing taken out of email and moved to the voice, where the pressure of real time and, increasingly, AI voice cloning make the deception far more convincing.

Zamak TechnologiesUpdated on July 10, 2026

How a vishing scam happens

Vishing does not need sophisticated technology to start: it needs trust and urgency. The scam usually follows four stages.

1

Preparation

The criminal gathers public information about the victim and the company (website, social media, a past breach) to sound convincing and cite real names and details.

2

The call

They call while masking the number (caller ID spoofing) to appear as a legitimate contact, and introduce themselves as the bank, a supplier, support or an executive of the company itself.

3

The pressure

They create an urgent scenario: a fraud to stop, an overdue payment, an access to confirm right now. Haste is the weapon, because it stops the victim from pausing to verify.

4

The action

Under pressure, the victim hands over the password, the verification code, authorizes the transfer or installs the program the scammer asks for, giving away the access without realizing it.

Source: N-able Cyber Encyclopedia and CrowdStrike (Global Threat Report).

Signs of a vishing call

  • Exaggerated urgency: it demands immediate action and discourages you from hanging up to verify
  • A request for confidential data by phone: password, two-factor code, card details
  • The identity does not add up: the number looks official, but the request is odd for that contact
  • Pressure for secrecy: "do not tell anyone", "this is confidential", to keep you from confirming
  • An instruction to install a program or visit a website during the call itself
  • A familiar voice asking for something unusual: it could be AI voice cloning imitating an executive

The variations of the voice scam

  • Masked number (caller ID spoofing) The scammer fakes the number on your screen to pose as the bank, an official body or a known internal contact.
  • AI voice cloning With a few seconds of public audio, artificial intelligence imitates an executive's voice to authorize transfers, the so-called CEO fraud.
  • Hybrid vishing (email leads to the phone) An email asks you to call a "support" number: on the other end, a vishing operator completes the scam by voice.
  • Fake tech support The criminal calls claiming to have detected a problem on your computer and asks for remote access or the installation of a program to "fix" it.

Why vishing became one of the fastest-growing threats

+442%
rise in voice phishing calls between the first and second half of 2024 (CrowdStrike Global Threat Report 2025)
$25.6M
the value of a single deepfake voice-and-video fraud on a video call with a fake "chief financial officer" (public case, 2024)
15
fraudulent transfers authorized in a single day in that attack, before the fraud was noticed

Vishing exploded because artificial intelligence removed its biggest limit: the voice. Voice phishing calls grew 442% between the first and second half of 2024, and voice cloning turned executive fraud from an exception into a routine. The best-known case shows the scale of the risk: at a global engineering firm, a finance employee was convinced to make fifteen transfers totaling about $25.6 million, after joining a video call in which the "chief financial officer" and other colleagues were all AI-generated deepfakes built from public recordings. What makes vishing dangerous is that it bypasses technical defense: there is no attachment for antivirus to block and no link for the filter to stop, only a person pressured into making a decision in seconds. That is why protection runs through process and training, not just technology.

How to protect the company against vishing

Because vishing attacks the person, not the machine, defense combines process and behavior. In the order that reduces risk the most:

  1. Verification through a second channelFor any request for money or sensitive data by phone, hang up and confirm through a known, independent channel (an official number, an already-registered contact), never the number that called.
  2. A dual-approval rule for paymentsNo significant transfer depends on a single person or a single channel. A second approval built into the process disarms executive fraud.
  3. A second identity check (MFA)If a password is handed over on a call, a second factor keeps it from opening the door on its own.
  4. Training and simulationA team that has seen the scam up close, including simulations, recognizes the pressure and the inconsistency before acting.
  5. Combine voice with emailSince vishing often comes alongside email and messaging, managed email security and filtering cut the hook that leads the victim to the phone.

In practice

The question that reveals the real risk: if someone called right now with the chief financial officer's voice asking for an urgent, secret transfer, is there a company rule that would require confirming through another channel before paying, or would the decision rest on the composure of one person under pressure?

How Zamak reduces vishing risk in your company

Zamak Technologies treats vishing as a people-and-process risk, not only a technology one. The program combines social engineering training and simulation, managed email security (which cuts the hybrid hook that leads the victim to the phone) and a second identity check, all supported by a security operations center that monitors for signs of compromise. Technology underpins the defense, but it is a prepared team that disarms the scam. A good starting point is the phishing simulation, which shows in a safe test how your team would react to a fraudulent request.

Frequently asked questions about vishing

What is the difference between phishing, vishing and smishing?
They are variations of the same social engineering scam, changing the channel. Phishing uses email, vishing uses a phone call ("voice phishing") and smishing uses text messages or messaging apps. Many attacks combine all three: an email that asks you to call, a message that confirms the "call from the bank".
How does voice cloning work in these scams?
With a few seconds of public audio of a person (a video, a talk, a recorded meeting), artificial intelligence tools can generate a convincing imitation of their voice. The scammer uses that cloned voice to pose as an executive and authorize transfers, the so-called CEO fraud.
Does caller ID prove that a call is legitimate?
No. Criminals use a technique called caller ID spoofing to make the number of a bank, an official body or an internal contact appear on your screen. Seeing a known number proves nothing: the only guarantee is to hang up and call back on a number you looked up yourself.
What should I do if I suspect a vishing call?
Do not provide any data or take any action during the call. Hang up and confirm through an independent, known channel. Alert the security or IT team, because one attempt often comes in a series against several employees.
Are small companies also a target for vishing?
Yes, and often a preferred target, because they tend to have fewer process controls. Executive fraud and fake tech support work well when a single person can approve a payment or grant access without a second check.
Does training alone solve vishing?
Training is essential, but not enough on its own. It lowers the chance of someone falling for it, and process (dual approval for payments, verification through a second channel) ensures that, even if someone is fooled, the scam does not complete. Layered defense of behavior and process, not a single measure.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake