Voice phishing

What is voice phishing (vishing)?

Voice phishing, or “vishing,” is a social engineering attack where fraudsters use phone calls (voice) to impersonate a trusted entity and deceive victims into divulging confidential information or taking an action. 

In a vishing scenario, an attacker might call claiming to be from the IT helpdesk, a bank, or government agency. They exploit the real-time pressure and trust of a phone conversation to, for example, ask the target for their one-time passcode (“Read me the code we just sent to your phone to verify your identity”) or to guide them through changing a password on a fake site. Vishing can also involve leaving convincing voicemails that urge a callback to a scam number. Essentially, it’s phishing via phone instead of email – using the human voice as the tool of deception.

How does it affect identity security?

As organizations improve email security, attackers turn to phones where users may be less on guard. Vishing attacks can bypass certain technical safeguards (like spam filters or clickable link warnings present in email) and rely entirely on human factors. 

For instance, in 2020 a high-profile Twitter incident involved hackers calling Twitter employees, posing as IT, and tricking them into revealing credentials, which led to a takeover of famous accounts. The importance for identity security is clear: even with strong authentication processes, a well-crafted phone con can talk someone through undermining them. This means security awareness training must extend beyond digital communication to include phone vetting practices (e.g., verifying a caller’s identity via callback, or having internal policies such as “the helpdesk will never ask for your password or MFA code over the phone”).

Some companies implement code words or use known extension numbers so employees can distinguish legitimate calls. Vishing has been used to execute SIM swap fraud: attackers call mobile carriers pretending to be customers to hijack phone numbers (a step that then enables them to get SMS 2FA codes). 

Thus, vishing threatens the integrity of MFA and account recovery processes. It’s also been leveraged in targeted “whaling” attacks – for example, scammers calling a CEO’s assistant, impersonating a vendor CEO’s voice (there was a case where deepfake audio was reportedly used) to get a fraudulent wire transfer authorized. This shows how voice channels are an increasingly important front in identity security. 

Moreover, with so much focus on email, attackers exploit the fact that people might not expect a scam via a personal phone call. In summary, vishing is another avenue to steal credentials or take over accounts by tricking users, highlighting that identity security defenses must be multi-pronged and must not assume any medium is safe from social engineering.

Case studies

In July 2020, Twitter fell victim to a vishing-based breach. Hackers phoned Twitter IT contractors, pretending to be Twitter’s internal tech support, and convinced them to disclose credentials to Twitter’s admin tools. Using that access, the attackers hijacked high-profile Twitter accounts (like Elon Musk’s and Barack Obama’s) to post cryptocurrency scam tweets.

The investigation revealed the attackers used a combination of convincing social engineering over the phone and MFA prompt bombing (discussed earlier) to get past security. This incident underscored that even a company with strong tech security can be compromised via voice deception of employees. In the aftermath, Twitter significantly revamped its identity verification for sensitive actions – including training against vishing and adding additional approval steps for admin tool access (ensuring a single support agent can’t both receive a call and immediately make account changes without secondary verification). 
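The two controls described above (callback verification to a number the organization already holds, and a second approver so a single agent cannot take the call and immediately change the account) can be enforced in a helpdesk workflow like this. This is an added illustration, not Twitter's or any vendor's implementation; the directory, agent names and ResetRequest structure are constructed for the example.

```python
"""Helpdesk gate for sensitive identity changes requested by phone.

Constructed example: the directory below is the only trusted source of
callback numbers. Caller ID is spoofable, so it is never consulted.
"""
from dataclasses import dataclass, field

# Constructed employee directory (name -> phone number on record).
DIRECTORY = {"alice": "+15550100", "bob": "+15550101"}


@dataclass
class ResetRequest:
    subject: str                 # account whose credentials would change
    caller_number: str           # number the call came from (untrusted)
    opened_by: str               # helpdesk agent who took the call
    callback_verified: bool = False
    approvals: set = field(default_factory=set)


def verify_by_callback(req: ResetRequest, dialed_number: str) -> bool:
    """Succeed only if the agent dialed the directory number for the subject.

    A number read out by the caller, or the inbound caller ID, is rejected
    unless it happens to equal the number on record.
    """
    on_record = DIRECTORY.get(req.subject)
    if on_record is None or dialed_number != on_record:
        return False
    req.callback_verified = True
    return True


def approve(req: ResetRequest, approver: str) -> bool:
    """Record a second-person approval; the call-taker cannot self-approve."""
    if approver == req.opened_by:
        return False
    req.approvals.add(approver)
    return True


def can_execute(req: ResetRequest) -> bool:
    """The change proceeds only after callback verification and an approval."""
    return req.callback_verified and len(req.approvals) >= 1


if __name__ == "__main__":
    req = ResetRequest("alice", caller_number="+15559999", opened_by="agent1")
    verify_by_callback(req, "+15550100")   # agent dials the directory number
    approve(req, "agent2")                 # a different agent signs off
    print("execute reset:", can_execute(req))
```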

Another example occurred in 2019, when an attacker deepfaked a CEO’s voice in a call to a subordinate, instructing them to transfer $240,000 to a supplier. The subordinate, believing it was their boss, complied. This startling case of AI-driven vishing shows how voice attacks can leverage new technology to enhance believability. It pushed companies to consider additional identity checks for high-risk transactions. According to The Wall Street Journal, the subordinate later said there was no way to know it wasn’t the CEO, so that company now requires confirmation via text or email from the CEO’s known account in addition to any phone call.
