What is Vishing? Voice Phishing Explained
Vishing is phone-based social engineering that bypasses technical security controls. Learn how vishing attacks work, why AI voice cloning makes them more dangerous, and how help desk authentication stops them.
How Vishing Works
Vishing attacks succeed through a combination of social authority, urgency, and information asymmetry. Callers impersonate figures with authority — IT support staff, bank fraud departments, IRS agents, law enforcement, executives — and create scenarios that make immediate compliance feel necessary. The victim is told their account has been compromised and they need to verify their credentials to protect it; that they owe back taxes and face immediate arrest if they do not pay; that their company is being audited and they need to provide access for the investigation; or that there is a technical problem requiring remote access to their device.
Caller ID spoofing allows attackers to display any phone number on the recipient's caller ID, including the actual phone numbers of organizations they are impersonating. A vishing call from a number matching the victim's actual bank branch number, combined with information about the victim gathered from OSINT or previous data breaches, produces a highly convincing scenario that is difficult to evaluate correctly under time pressure.
AI Voice Cloning
Emerging vishing attacks use AI-generated voice clones of known individuals. Attackers obtain voice samples from public sources — YouTube videos, podcast appearances, conference presentations, social media — and generate synthetic audio that convincingly mimics the target's voice. Documented attacks have used voice-cloned CEO audio to authorize wire transfers and voice-cloned family member audio to support grandparent scams. As voice synthesis quality improves, audio verification of caller identity becomes increasingly unreliable.
High-Profile Vishing Attacks
The MGM Resorts 2023 breach began with a 10-minute LinkedIn research effort followed by a vishing call to the MGM IT help desk, impersonating an employee. The attacker obtained a credential reset that initiated the attack chain leading to $100M+ in losses. The Twitter 2020 breach involved vishing calls to Twitter employees that convinced them to provide credentials to a fake Twitter VPN portal. The Uber 2022 breach included vishing calls to an employee by an attacker claiming to be IT support.
These cases share a pattern: sophisticated social engineering conducted by phone, targeting the human authentication mechanisms that technical controls cannot fully protect. Help desks, IT support, and executive assistants are consistently the highest-risk targets for vishing because their job function requires providing assistance to callers who claim to need it.
Defending Against Vishing
Help desk authentication procedures are the primary technical defense against vishing. Help desks that verify caller identity through something other than information the caller provides — requiring a callback to a verified number in the HR system, using a knowledge-based authentication question that only the legitimate employee would know, requiring manager approval for credential resets above certain privilege levels — provide structural resistance to social engineering that individual employee judgment cannot reliably provide.
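As an added illustration (not code from the original article), the weak and hardened reset procedures above side by side: the weak flow approves a reset on details the inbound caller recites, while the hardened flow counts only evidence from channels the caller does not control. The HR records, the account names, and the evidence categories are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed HR records (hypothetical). Everything the help desk trusts,
# the callback number, manager, KBA answer and privilege level, is looked
# up here; nothing the caller says on the inbound call is used as evidence.
HR = {
    "jdoe":  {"phone": "+1-555-0100", "manager": "asmith", "kba": "Acme-HQ", "privileged": False},
    "dba01": {"phone": "+1-555-0199", "manager": "cio",    "kba": "Denver",  "privileged": True},
}

@dataclass
class Evidence:
    kind: str     # caller_id | recited_details | kba | callback | manager_approval
    source: str   # inbound_call | callback | manager_portal
    value: str = ""

def weak_reset(user, evidence):
    """The procedure behind the breaches above: approve when the inbound caller
    recites plausible details. A spoofed caller ID and OSINT facts satisfy it."""
    rec = HR.get(user)
    recited = any(e.kind == "recited_details" and e.source == "inbound_call" for e in evidence)
    return "reset" if rec and recited else "denied"

def hardened_reset(user, evidence):
    """Only evidence from channels the caller does not control is counted:
    a callback to the HR-registered number, a KBA answer given on that
    callback, and manager approval (via a portal) for privileged accounts."""
    rec = HR.get(user)
    if rec is None:
        return "denied: unknown user"
    trusted = [e for e in evidence if e.source != "inbound_call"]
    callback_ok = any(e.kind == "callback" and e.value == rec["phone"] for e in trusted)
    kba_ok = any(e.kind == "kba" and e.source == "callback" and e.value == rec["kba"] for e in trusted)
    if not (callback_ok and kba_ok):
        return "denied: verify via callback to HR-registered number"
    approved = any(e.kind == "manager_approval" and e.source == "manager_portal"
                   and e.value == rec["manager"] for e in trusted)
    if rec["privileged"] and not approved:
        return f"denied: approval from {rec['manager']} required"
    return "reset"

# Constructed scenario: spoofed caller ID plus details gathered from a public profile.
ATTACKER_CALL = [
    Evidence("caller_id", "inbound_call", "+1-555-0199"),
    Evidence("recited_details", "inbound_call", "employee id, manager name, start date"),
    Evidence("kba", "inbound_call", "Denver"),  # even a correct answer volunteered on the inbound call
]

if __name__ == "__main__":
    print("weak:", weak_reset("dba01", ATTACKER_CALL))          # reset
    print("hardened:", hardened_reset("dba01", ATTACKER_CALL))  # denied: verify via callback ...
```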
Security awareness training specifically addressing vishing scenarios — not just phishing — helps employees recognize the pressure patterns that vishing attacks use: urgency, authority, request for credentials or access, and requests to bypass normal verification procedures. Employees who recognize these patterns as vishing indicators have a framework for resistance even when individual elements of a call seem plausible.
Real-World Example: MGM Resorts — A 10-Minute LinkedIn Search and a Phone Call
The ALPHV/BlackCat affiliates who breached MGM Resorts in September 2023 reportedly identified an MGM IT employee through LinkedIn, then called MGM's IT help desk impersonating that employee. The social engineering call obtained a credential reset that initiated the attack chain. Total impact exceeded $100 million in losses, including 10 days of operational disruption, ransom-related costs, and remediation expenses. The entire attack began with freely available information and a phone call — the simplest and cheapest attack technique available against a target with substantial technical security investment.
Of help desks will reset an account password based solely on information a caller provides — without additional verification — according to security research. This vulnerability is the root cause of some of the most consequential breaches of recent years.