
AI voice cloning technology has made social engineering attacks even more dangerous to enterprise cybersecurity. With just 30 seconds of audio — easy to get from a phone call, answering machine, or YouTube video — cybercriminals can mimic the voices of coworkers, managers, executives, customers, and nearly anyone else. To strengthen your organization’s defenses, the first step is understanding what vishing is in cybersecurity.
Vishing is short for voice phishing. It’s a type of phishing attack that uses voice calls instead of emails. During the call, the attacker pretends to be an authority figure, a government employee, or someone the victim trusts.
The objective is to trick victims into giving up sensitive information, sharing password details, sending funds, or visiting a fraudulent website. Similar social engineering attacks include smishing (SMS texts) and spear phishing campaigns (targeted attacks on specific personnel).
Unlike hacking attempts, vishing doesn’t mean breaching hardware or finding software vulnerabilities. Instead, scammers get company employees to “open the front door” by accidentally sharing passwords, user IDs, and other security info.
Vishing attacks come in many forms, but they all prey on the same weak link: human error.
Virtually all vishing attacks rely on pretexting, a manipulation technique where cybercriminals create a false story to convince victims to take action. Pretexts usually aim to create a sense of fear, confusion, or urgency, but some try to build trust instead.
Some vishing attacks rely on volume to beat enterprise cybersecurity. With the help of specialized software, scammers can dial all the phone numbers in an area code and play a prerecorded message, such as a “fraud alert” or “urgent announcement.” Many of these attempts will fail, but it only takes one employee’s credentials to introduce a vulnerability into your system.
Cybercriminals often spoof caller ID numbers during a vishing attack so it looks like they’re calling from a reputable source. Readily available VoIP software and digital tools can show you a fake area code or display name, such as “Phoenix PD” or “Miami-Dade IRS Office.” Seeing a local area code can make it seem like the source of the call is harmless, but the opposite is true.
Don’t think that vishing is the only attack vector available to skilled cyber attackers. Social engineering attacks often combine audio and text channels to make the fake scenario seem real. This combination can work both ways:
Emails that list a phone number for verification have a legitimate feel. When the person who answers on the other end has a pleasant voice or sounds exactly like a coworker, even skeptical people can fall for the attack.
Generative AI has gotten worryingly good at faking voices — or even generating video deepfakes. It’s not overly difficult for cybercriminals who have done enough homework to fake a phone conversation with instructions to send money or help with a password reset. Knowing how to prevent vishing is tricky if you can’t rely on your ears to tell if the person calling you is a real acquaintance or an imposter.
In early 2024, the Federal Communications Commission issued a ruling that made AI voice cloning in robocalls illegal. The need for regulations highlights how prevalent vishing scams have become, with scammers even going so far as to impersonate former President Biden during election primaries.
“Tech support” calls an employee and says there’s a system issue that requires an urgent but simple fix. The scammer walks the employee through steps to allow a remote network connection or simply asks for the worker’s user ID and password to “fix” the issue remotely.
Cybercriminals pose as clients and claim that your business overcharged their company, demanding order cancellation and a refund. If they did their homework, they may even have a legitimate customer ID number but provide a fraudulent bank account number. Whether your employees send the funds or simply send an invoice to the fake customer’s email address, the vishing scam has succeeded.
Scammers contact an employee in your financial department pretending to be a bank manager. The “manager” warns of an abnormal deposit or claims the bank is going to cancel an important transaction because of suspicious activity. The goal is to trick your employee into providing bank account details for “verification.”
There are some technical methods to prevent vishing — like strong access control and identity verification measures — but most anti-vishing defenses rely on training your employees.
With the prevalence of social engineering attacks, many businesses prohibit sharing financial information by email or phone at all. Another option is to require at least two people to confirm any requests for sensitive data or payments. Always involve IT or cybersecurity professionals when creating data management policies.
Outline exactly how employees should respond in common vishing scenarios. Create a list of red flags, including urgent calls from “executives” or “customers” asking for protected information.
A good defense against vishing means accepting that some attacks may get through. Prepare for worst-case scenarios by using monitoring tools. That way, even if vishing is successful, you can catch suspicious logins before the damage is done.
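One way to implement the login monitoring described above, as an added example that is not part of the original article: it flags successful logins from a source outside a user's baseline and ranks them higher when they follow a help-desk password reset. The event names, tuple layout, 60-minute window, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(minutes=60)  # assumed correlation window

# Constructed baseline: sources each user has logged in from before.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.9"},
    "carol": {"10.0.0.12"},
}

# Constructed sample events: (timestamp, user, event, source).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "login_success", "10.0.0.5"),
    ("2024-05-01T10:02:00", "bob", "helpdesk_password_reset", "helpdesk"),
    ("2024-05-01T10:09:00", "bob", "login_success", "203.0.113.40"),
    ("2024-05-01T11:30:00", "carol", "login_success", "198.51.100.7"),
    ("2024-05-01T14:00:00", "alice", "helpdesk_password_reset", "helpdesk"),
    ("2024-05-01T14:05:00", "alice", "login_success", "10.0.0.5"),
]


def find_suspicious_logins(events, known_sources, window=RESET_WINDOW):
    """Flag successful logins from sources outside each user's baseline."""
    last_reset = {}  # user -> time of most recent help-desk reset
    alerts = []
    for ts, user, event, source in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if event == "helpdesk_password_reset":
            last_reset[user] = when
            continue
        if event != "login_success":
            continue
        if source in known_sources.get(user, set()):
            continue  # familiar source, nothing to report
        # A help-desk reset shortly before a login from a new source fits the
        # password-reset pretext the article describes, so rank it higher.
        reset = last_reset.get(user)
        recent = reset is not None and when - reset <= window
        severity = "high" if recent else "medium"
        alerts.append({"time": ts, "user": user, "source": source, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(alert)
```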
Technology isn’t going to stop advancing. To prepare for emerging threats, you need to adopt a flexible risk mitigation framework, such as GRC. Evolving tools help you recognize what vishing looks like and take immediate action. Learn more about GRC and data security solutions from Compyl today.