What is Vishing?


Vishing is voice-based phishing: phone calls used to steal credentials, get MFA reset, or authorize fraudulent payments. Learn how MGM Resorts, Caesars Entertainment, and others were compromised by vishing.

How Vishing Attacks Work

A vishing attack follows a preparation-then-execution sequence. The attacker first conducts research: LinkedIn identifies the target employee and the help desk that serves them; breach databases supply the personal data used to pass knowledge-based identity verification (date of birth, employee ID, last four digits of the SSN); and company websites and social media supply internal terminology and context. With enough research, the attacker can impersonate an employee convincingly enough to pass knowledge-based verification, because every answer that verification asks for is something an outsider can look up.

The call itself exploits three psychological dynamics. Authority: the caller claims to be a manager, executive, IT administrator, or external auditor — someone the help desk employee is conditioned to assist without pushback. Urgency: the caller creates time pressure ('I'm locked out and I have a board call in ten minutes') that reduces the target's deliberation time. Familiarity: the caller uses the target's name, references real internal systems or projects, and uses insider terminology that makes the impersonation feel authentic.

The objective of most enterprise vishing attacks is an MFA reset: persuading the help desk to reset or re-enroll multi-factor authentication on an account whose password the attacker already holds. Once MFA is reset, the attacker enrolls a device they control, completes authentication, and establishes access. This is the sequence Scattered Spider used at MGM Resorts, Caesars Entertainment, and multiple other organizations.
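The chain above leaves a recognizable trace in identity logs: a help-desk MFA reset followed within minutes by a successful sign-in from a device the account has never used. The detection below is an added example, not code from the original page; the JSON-lines log format, field names, device baseline and events are constructed for illustration, and a real deployment would join IdP sign-in logs with help-desk ticketing events on the user field.

```python
"""Detect a help-desk MFA reset followed shortly by a sign-in from an unknown device.
Added example; log format, field names and sample data are constructed."""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). asmith is a legitimate reset: the user
# signs back in from the device already on file. jdoe is the attack pattern: a
# phone-channel reset, then a sign-in from a never-seen device seven minutes later.
SAMPLE_LOG = """\
{"ts":"2023-09-10T09:15:03Z","event":"login_success","user":"asmith","device_id":"dev-221","src_ip":"198.51.100.4"}
{"ts":"2023-09-10T09:30:00Z","event":"mfa_reset","user":"asmith","actor":"helpdesk02","channel":"phone"}
{"ts":"2023-09-10T09:41:12Z","event":"login_success","user":"asmith","device_id":"dev-221","src_ip":"198.51.100.4"}
{"ts":"2023-09-10T14:02:11Z","event":"mfa_reset","user":"jdoe","actor":"helpdesk01","channel":"phone"}
{"ts":"2023-09-10T14:09:40Z","event":"login_success","user":"jdoe","device_id":"dev-9f1","src_ip":"203.0.113.7"}
{"ts":"2023-09-11T08:00:00Z","event":"login_success","user":"jdoe","device_id":"dev-9f1","src_ip":"203.0.113.7"}
"""

# Constructed device baseline, e.g. from the IdP's registered-device inventory.
KNOWN_DEVICES = {"jdoe": {"dev-1a2"}, "asmith": {"dev-221"}}

WINDOW = timedelta(hours=1)  # how long after a reset a new-device login is suspicious


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_reset_then_new_device(events, known_devices, window=WINDOW):
    """Return one alert per login_success on an unknown device within `window`
    of an mfa_reset for the same user. Ordinary logins (no recent reset) grow
    the per-user baseline; a device that was flagged once is never added to it,
    so a later sign-in from the attacker's device cannot launder itself in."""
    known = {u: set(d) for u, d in known_devices.items()}  # copy, do not mutate input
    last_reset = {}   # user -> most recent mfa_reset event
    suspect = set()   # (user, device_id) pairs already flagged
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "mfa_reset":
            last_reset[user] = e
            continue
        if e["event"] != "login_success":
            continue
        device = e["device_id"]
        reset = last_reset.get(user)
        in_window = reset is not None and e["ts"] - reset["ts"] <= window
        if in_window and device not in known.get(user, set()):
            alerts.append({
                "user": user,
                "device_id": device,
                "src_ip": e["src_ip"],
                "seconds_after_reset": int((e["ts"] - reset["ts"]).total_seconds()),
                "reset_actor": reset.get("actor"),
                "reset_channel": reset.get("channel"),
                # A reset granted over the phone is the vishing case; weight it higher.
                "severity": "high" if reset.get("channel") == "phone" else "medium",
            })
            suspect.add((user, device))
        elif (user, device) not in suspect:
            known.setdefault(user, set()).add(device)
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_new_device(parse_events(SAMPLE_LOG), KNOWN_DEVICES):
        print(alert)
```

The rule is deliberately narrow: a reset alone is routine, and a new device alone is routine, but the two together within an hour are the signature of the attack. Tune the window to how quickly your help desk closes tickets, and route "high" alerts to a responder who can phone the real employee on the directory number and, if needed, revoke the new enrollment.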

AI Voice Cloning: The Escalation

AI voice cloning tools can generate convincing voice replicas from as little as 3-10 seconds of source audio — which is publicly available for most executives through earnings calls, conference presentations, media interviews, and LinkedIn videos. An attacker with a voice clone of the CEO can call the CFO and request an urgent wire transfer. An attacker with a voice clone of the IT director can call the help desk and request account changes.

Documented cases are no longer theoretical. A 2024 case in the UK involved a finance executive who received a WhatsApp call from what appeared to be a senior colleague — the voice was AI-generated — requesting an urgent payment. The payment was made. A Hong Kong case involved a $25 million wire transfer executed after a deepfake video call impersonating the CFO. Voice cloning attacks are in the documented incident record, not in the threat modeling future.

Defending Against Vishing

Help desk authentication procedures are the primary control. The specific failure that enabled the MGM and Caesars breaches, and multiple others, is that help desk identity verification relied on knowledge-based factors (information the attacker could obtain from LinkedIn and breach databases) rather than on anything the attacker could not research. Requiring a factor bound to something the legitimate user already possesses (an approval on the currently enrolled device, or a hardware token confirmation) or a callback to the employee's manager on a number taken from the corporate directory, instead of knowledge-based answers, breaks the vishing-plus-MFA-reset chain. The test for any verification step is simple: could a stranger holding the employee's LinkedIn profile and a breach dump pass it? If so, it identifies the account but does not authenticate the caller.

Callback verification is the process control that defeats most high-consequence vishing attacks against executives and finance teams. When an unexpected phone request arrives for a financial transaction, an account change, or sensitive information, the employee should end the call and call back using a number obtained from the official organizational directory, never a number the caller provides. This single procedure defeats the attacker who calls claiming to be the CEO, the auditor, or the IT help desk, including one who has spoofed caller ID, because the attacker does not control the directory number.
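The two controls above (help-desk verification that does not rest on knowledge-based answers, and callback to a directory number rather than a caller-supplied one) can be written down as a decision rule a help-desk tool enforces. The following is an added example, not the page's or any vendor's code; the employee IDs, phone numbers, field names and directory structure are constructed for illustration, and in practice the directory would be the HR system of record.

```python
"""Help-desk MFA reset decision logic. Added example with constructed data.
Knowledge-based answers only say which account is being discussed; the reset
is released only on a factor a researched attacker cannot supply."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed directory. Numbers come from here, never from the caller.
DIRECTORY = {
    "E1042": {"name": "Jordan Doe", "phone": "+1-555-0100", "manager": "E0007"},
    "E0007": {"name": "Sam Park", "phone": "+1-555-0107", "manager": None},
}


@dataclass
class ResetRequest:
    employee_id: str                                   # account the caller wants reset
    kba_passed: bool                                   # DOB, last-4, employee ID answered correctly
    caller_supplied_callback: Optional[str] = None     # number the caller offers; logged, never dialed
    push_approved_on_enrolled_device: bool = False     # approval on the device already enrolled
    hardware_token_confirmed: bool = False             # OTP from the enrolled hardware token
    manager_callback_confirmed: bool = False           # manager reached at DIRECTORY number and vouched


def callback_target(employee_id: str) -> str:
    """Return the directory-sourced number the agent must dial: the manager's
    number if one is on file, otherwise the employee's own directory number."""
    manager_id = DIRECTORY[employee_id]["manager"]
    if manager_id:
        return DIRECTORY[manager_id]["phone"]
    return DIRECTORY[employee_id]["phone"]


def decide(req: ResetRequest) -> Tuple[str, str]:
    """Return (decision, detail) where decision is 'deny', 'approve' or
    'callback_required'. KBA alone never reaches 'approve'."""
    if req.employee_id not in DIRECTORY:
        return "deny", "unknown employee id"
    if not req.kba_passed:
        return "deny", "knowledge-based identification failed"

    note = ""
    if req.caller_supplied_callback:
        # Record it for the investigation; it carries no weight in the decision.
        note = f"ignored caller-supplied number {req.caller_supplied_callback}; "

    strong_factors = [
        ("push approved on enrolled device", req.push_approved_on_enrolled_device),
        ("hardware token confirmed", req.hardware_token_confirmed),
        ("manager confirmed via directory callback", req.manager_callback_confirmed),
    ]
    satisfied = [name for name, ok in strong_factors if ok]
    if satisfied:
        return "approve", note + "verified by: " + ", ".join(satisfied)

    # Researched KBA answers are exactly what a vishing caller brings: hold the
    # reset until the agent has called a directory number and gotten confirmation.
    return "callback_required", note + f"dial {callback_target(req.employee_id)} before resetting"


if __name__ == "__main__":
    # Attacker who passed KBA and offers "their" callback number.
    print(decide(ResetRequest("E1042", kba_passed=True, caller_supplied_callback="+1-555-0199")))
    # Legitimate user whose manager confirmed on the directory number.
    print(decide(ResetRequest("E1042", kba_passed=True, manager_callback_confirmed=True)))
```

The important property is that there is no path from "answered the security questions" to "reset granted" without either an enrolled-device factor or a callback the agent initiates to a number the caller never touched. An attacker who has lost the argument on the phone will often offer a number "where my manager can be reached"; the tool records it and still dials the directory.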

Out-of-band verification for voice clone attacks requires establishing a secondary verification channel that cannot be spoofed by audio. A pre-agreed code word used between executives for high-stakes requests, a follow-up text from a verified number, or a video call on an established organizational platform provides verification that AI audio cannot replicate (though deepfake video is also advancing).

Vishing in PE-Backed Companies

PE-backed companies face specific vishing risk because the PE relationship creates known attack pretexts. An attacker who researches a portfolio company knows the PE firm name, the operating partner relationship, and potentially the deal timeline. A vishing call claiming to be from the PE firm's IT team, legal counsel, or operating partner — requesting urgent access for due diligence — is a targeted pretext that exploits publicly available information about the PE relationship.

MGM Resorts: One Vishing Call, $100M in Losses

In September 2023, Scattered Spider breached MGM Resorts International using a single vishing call to the MGM IT help desk. The attackers identified an MGM IT administrator on LinkedIn, obtained enough personal information to pass identity verification, called the help desk impersonating that administrator, and convinced the help desk to reset the administrator's MFA. With authenticated access, they deployed BlackCat/ALPHV ransomware across MGM's systems. MGM disclosed approximately $100M in financial impact: hotel booking systems offline, slot machines dark, and room keys inoperative across multiple Las Vegas properties. Caesars Entertainment, targeted with the same technique around the same time, paid approximately $15M in ransom to avoid the same outcome. Initial access required no exploitation of a software vulnerability. It required one phone call and one cooperative help desk employee following identity verification procedures that were insufficient against a well-prepared attacker.

554%

increase in vishing attacks between 2021 and 2022, according to SANS Institute research. That growth tracks the spread of AI voice cloning tools and the documented success of vishing against corporate help desks; for sophisticated threat actors targeting enterprise organizations, the phone call is now one of the most dangerous initial access vectors.

How Cloudskope Can Help

Cloudskope's Vishing Simulation and Help Desk Security Assessment tests your organization's actual resilience against vishing attacks — including controlled vishing calls to your help desk, assessment of identity verification procedures, and evaluation of callback protocols. We identify the specific procedural gaps that make vishing consequential and provide remediation that does not depend on employees successfully detecting attacks they were not trained to expect.