What is vishing (voice phishing)?
Vishing (a blend of "voice" and "phishing") is a social engineering scam carried out over a phone call, in which the criminal poses as someone trustworthy, the bank, a supplier, IT support or the boss, to convince the victim to reveal passwords, approve payments or install a program. It is phishing taken out of email and moved to the voice, where the pressure of real time and, increasingly, AI voice cloning make the deception far more convincing.
How a vishing scam happens
Vishing does not need sophisticated technology to start: it needs trust and urgency. The scam usually follows four stages.
Preparation
The criminal gathers public information about the victim and the company (website, social media, a past breach) to sound convincing and cite real names and details.
The call
They call while masking the number (caller ID spoofing) to appear as a legitimate contact, and introduce themselves as the bank, a supplier, support or an executive of the company itself.
The pressure
They create an urgent scenario: a fraud to stop, an overdue payment, an access to confirm right now. Haste is the weapon, because it stops the victim from pausing to verify.
The action
Under pressure, the victim hands over the password, the verification code, authorizes the transfer or installs the program the scammer asks for, giving away the access without realizing it.
Source: N-able Cyber Encyclopedia and CrowdStrike (Global Threat Report).
Signs of a vishing call
- Exaggerated urgency: it demands immediate action and discourages you from hanging up to verify
- A request for confidential data by phone: password, two-factor code, card details
- The identity does not add up: the number looks official, but the request is odd for that contact
- Pressure for secrecy: "do not tell anyone", "this is confidential", to keep you from confirming
- An instruction to install a program or visit a website during the call itself
- A familiar voice asking for something unusual: it could be AI voice cloning imitating an executive
The variations of the voice scam
- Masked number (caller ID spoofing) The scammer fakes the number on your screen to pose as the bank, an official body or a known internal contact.
- AI voice cloning With a few seconds of public audio, artificial intelligence imitates an executive's voice to authorize transfers, the so-called CEO fraud.
- Hybrid vishing (email leads to the phone) An email asks you to call a "support" number: on the other end, a vishing operator completes the scam by voice.
- Fake tech support The criminal calls claiming to have detected a problem on your computer and asks for remote access or the installation of a program to "fix" it.
Why vishing became one of the fastest-growing threats
Vishing exploded because artificial intelligence removed its biggest limit: the voice. Voice phishing calls grew 442% between the first and second half of 2024, and voice cloning turned executive fraud from an exception into a routine. The best-known case shows the scale of the risk: at a global engineering firm, a finance employee was convinced to make fifteen transfers totaling about $25.6 million, after joining a video call in which the "chief financial officer" and other colleagues were all AI-generated deepfakes built from public recordings. What makes vishing dangerous is that it bypasses technical defense: there is no attachment for antivirus to block and no link for the filter to stop, only a person pressured into making a decision in seconds. That is why protection runs through process and training, not just technology.
How to protect the company against vishing
Because vishing attacks the person, not the machine, defense combines process and behavior. In the order that reduces risk the most:
- Verification through a second channelFor any request for money or sensitive data by phone, hang up and confirm through a known, independent channel (an official number, an already-registered contact), never the number that called.
- A dual-approval rule for paymentsNo significant transfer depends on a single person or a single channel. A second approval built into the process disarms executive fraud.
- A second identity check (MFA)If a password is handed over on a call, a second factor keeps it from opening the door on its own.
- Training and simulationA team that has seen the scam up close, including simulations, recognizes the pressure and the inconsistency before acting.
- Combine voice with emailSince vishing often comes alongside email and messaging, managed email security and filtering cut the hook that leads the victim to the phone.
In practice
The question that reveals the real risk: if someone called right now with the chief financial officer's voice asking for an urgent, secret transfer, is there a company rule that would require confirming through another channel before paying, or would the decision rest on the composure of one person under pressure?
How Zamak reduces vishing risk in your company
Zamak Technologies treats vishing as a people-and-process risk, not only a technology one. The program combines social engineering training and simulation, managed email security (which cuts the hybrid hook that leads the victim to the phone) and a second identity check, all supported by a security operations center that monitors for signs of compromise. Technology underpins the defense, but it is a prepared team that disarms the scam. A good starting point is the phishing simulation, which shows in a safe test how your team would react to a fraudulent request.