Vishing voice-phishing attack examples and defense

What Is Vishing? Voice Phishing Attacks Explained

Picture a finance manager getting a call at 4:47 on a Friday afternoon. The voice on the other end belongs unmistakably to the CFO, who's traveling. There's a deal closing, a vendor that needs a wire by end of day and the CFO is apologizing for the late ask. The finance manager hesitates - wires need a second approval - but the CFO sounds stressed, says he'll text the wire details from his phone in a moment and asks her to "just get it queued so we don't miss the cutoff." Forty-five minutes later, $284,000 is gone. The voice was an AI clone trained on the CFO's last earnings call.

That scenario is no longer hypothetical. It's a documented 2026 attack pattern, and it's why vishing - voice-call phishing - has become the fastest-growing channel in social engineering.

A definition

Vishing is the use of phone calls - live, recorded or AI-generated - to manipulate the recipient into revealing credentials, reading out an authentication code, authorizing a transfer, installing remote-access software or performing some other action that benefits the attacker. The defining property is that the attack vector is voice. The attacker may also use SMS or email as a setup, but the moment of compromise is the phone call.

The term has been in use since the early 2000s but has changed substantially in the last three years thanks to two enabling technologies: cheap VoIP (which makes spoofed caller-ID and high-volume dialing trivial) and AI voice cloning (which makes impersonation of specific people possible from minutes of public audio).

Common vishing scenarios

  • The fake help desk. "This is IT. We're seeing a security alert on your account. I'm going to send a verification code to your phone - can you read it back to me to confirm it's you?" The "alert" is a real MFA push the attacker triggered against a real login attempt with stolen credentials.
  • The fake bank fraud team. "We've blocked a suspicious charge of $1,847 on your card. To verify the block, please confirm the security code we just texted you." Same pattern, different costume.
  • The CEO/CFO impersonation. Either a live impersonator or an AI-cloned voice asks an employee to authorize a wire, change vendor banking details or buy gift cards "for client gifts." This is the highest-loss scenario and the one that has driven vishing onto cyber insurance applications.
  • The vendor or auditor pretext. "I'm with [recognized auditor name], we're following up on a compliance request your CISO sent us. I just need to verify a couple of details about your environment." The attacker uses the conversation to map your internal systems for a later attack.
  • The remote-access install. "We need to fix a problem on your machine - please go to anydesk.com and read me the code on the screen." Typically combined with a fake invoice or refund pretext targeting consumers, but increasingly used against employees of small businesses.

The AI voice-cloning escalation

Several commercially available AI tools can produce a recognizable clone of a specific person's voice from as little as 30 seconds of clean audio. The source material is usually trivial to find: earnings calls, conference keynotes, podcast guest appearances, voicemail greetings, even the audio track of a LinkedIn video. ENISA's threat landscape reporting and the FBI have both flagged AI voice cloning as a 2026 threat-vector escalation, and at least three large-loss wire fraud cases attributed to cloned-voice impersonation have been publicly reported since 2024.

Two consequences for defenders. First, "I recognized the voice" is no longer a control - it's a vulnerability. Second, the social-pressure side of vishing gets stronger when the voice belongs to someone the recipient can't easily say no to.

Why vishing succeeds where email fails

Three reasons:

  1. Real-time pressure. An email gives you minutes or hours to think; a phone call gives you seconds. Attackers exploit the response gap.
  2. No artifact to inspect. An email has a header, a sender domain, a URL - surface area the user can examine. A phone call has only tone of voice and an (often spoofed) caller ID.
  3. Cultural deference. Most people are conditioned to be polite to whoever called them, especially if the caller claims authority. Saying "I need to hang up and call you back" feels rude. Attackers count on that.

How to train employees to defend against vishing

Email and SMS training do not transfer to voice calls. The cognitive and emotional context is different enough that employees who score 100% on email phishing tests will still authorize a wire on a vishing call. The fix is to run actual simulated voice campaigns. Bait & Phish supports vishing campaigns that place automated calls to employee numbers, deliver a scripted scenario and record what the employee did. Anyone who falls for the simulation is auto-assigned a remediation module specifically about voice-phishing patterns. Behavior-triggered training at the moment of failure produces measurable improvement on the next campaign.

The rules to teach

Five behaviors. Train them, drill them and reinforce them in policy:

  1. Never read an authentication code out loud. Legitimate IT, banks and fraud teams will never ask you to do this. This is the single rule that, if followed universally, eliminates most account-takeover vishing.
  2. Hang up and call back on a known number. Not the number that called, not a number the caller gives you - the number on the back of your card, on the company directory or on the official website.
  3. Wires require a documented out-of-band confirmation. A second channel, a second person and a process that doesn't depend on the urgency of the moment. The CFO can wait fifteen minutes.
  4. Don't install software because someone called. Especially remote-access tools. There is no legitimate scenario in which an unsolicited caller needs you to install AnyDesk, TeamViewer or anything else.
  5. Push back. Say no. Hang up. The most important behavior is psychological permission. Make it culturally acceptable to be "rude" to a caller who's pressuring you.

Vishing in the post-MFA world

Multi-factor authentication should, in theory, neutralize credential-only phishing. In practice, vishing is the workaround attackers most often use, because MFA depends on the user not handing over the second factor - and a phone call is the most effective way to get them to do exactly that.

Three vishing patterns specifically built around MFA:

  • The push-bombing assist. The attacker triggers a flood of MFA push notifications against a stolen credential, then calls the user posing as IT: "We're seeing a lot of those alerts on your account, can you just approve the next one so we can clear them?" The user approves, the attacker is in.
  • The verification-code read-back. The attacker triggers a real login and asks the user to read out the code "to confirm it's you." Same outcome.
  • The MFA reset social engineering. The attacker calls the help desk (rather than the user), impersonates the user and asks for an MFA reset on a "lost phone." Help desks find it hard to refuse without creating a bad experience for a legitimate user who really has lost a phone, and that is exactly the gap attackers exploit.
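
The push-bombing assist leaves a recognizable trace in MFA logs: a burst of denied or timed-out pushes for one account, followed by an approval from an IP address the user has never approved a push from before. The detection logic below is an added example, not code from the original post or from Bait & Phish; it runs over a constructed sample of push events, and the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). Format: ts,user,event,ip
SAMPLE_LOG = """\
2026-03-06T16:30:02Z,jdoe,push_approved,203.0.113.10
2026-03-06T16:41:10Z,jdoe,push_timeout,198.51.100.7
2026-03-06T16:41:55Z,jdoe,push_denied,198.51.100.7
2026-03-06T16:42:40Z,jdoe,push_timeout,198.51.100.7
2026-03-06T16:43:21Z,jdoe,push_timeout,198.51.100.7
2026-03-06T16:44:05Z,jdoe,push_denied,198.51.100.7
2026-03-06T16:47:30Z,jdoe,push_approved,198.51.100.7
2026-03-06T16:50:00Z,asmith,push_timeout,203.0.113.44
2026-03-06T16:51:00Z,asmith,push_approved,203.0.113.44
"""

WINDOW = timedelta(minutes=10)   # assumed: how long a burst stays "recent"
MIN_UNANSWERED = 4               # assumed: unanswered pushes that count as a burst


def detect_push_bombing(log_text, window=WINDOW, min_unanswered=MIN_UNANSWERED):
    """Return one alert per approval that follows a burst of unanswered pushes
    and comes from an IP with no earlier approved push for that user. That
    combination is the signature of a stolen-credential login the user was
    talked into "clearing" for a caller posing as IT."""
    unanswered = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    known_ips = defaultdict(set)     # user -> IPs with an earlier approved push
    alerts = []
    for line in log_text.strip().splitlines():
        ts_s, user, event, ip = line.split(",")
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        recent = unanswered[user]
        while recent and ts - recent[0] > window:  # expire events outside the window
            recent.popleft()
        if event in ("push_denied", "push_timeout"):
            recent.append(ts)
        elif event == "push_approved":
            if len(recent) >= min_unanswered and ip not in known_ips[user]:
                alerts.append({"user": user, "ip": ip, "time": ts_s,
                               "unanswered": len(recent)})
            known_ips[user].add(ip)  # an approved push makes this IP "known"
            recent.clear()
    return alerts
```

On the sample, only jdoe is flagged: asmith also approves from a previously unseen IP, but a single timed-out push is ordinary user behaviour, not a burst.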

The defensive answer isn't to abandon MFA - it's to move toward phishing-resistant MFA (FIDO2 hardware keys or platform authenticators) for high-privilege accounts, and to build a help-desk verification workflow that doesn't depend on caller-asserted identity. The CISA Zero Trust guidance and NIST SP 800-63 both reinforce phishing-resistant authentication as the modern standard.

Building a vishing simulation program

A first vishing program is usually scoped more tightly than a first email program. Three practical steps:

  1. Get explicit policy authorization. Vishing simulations are unambiguous calls to employee phone numbers; the policy and consent path needs to be airtight, especially in jurisdictions with stricter consent rules around recorded calls.
  2. Start with finance, IT and executive cohorts. These are the highest-risk vishing targets and the highest-value learning audience. A first-quarter pilot against these groups produces the most actionable data.
  3. Use scripted scenarios that mirror real attacker patterns. Generic "this is a vishing test" recordings teach nothing. Bait & Phish ships voice templates that resemble actual help-desk impersonation, fraud-team impersonation and executive-impersonation scenarios, with consistent reporting alongside email and SMS.

Reporting and incident response

Define a specific channel for reporting suspected vishing - typically the same one as email phishing. Capture: caller ID, time of call, recipient, claimed identity, what was asked, what was disclosed (if anything) and any associated email or SMS. If credentials, codes or money were exposed, treat it as an incident, not a near-miss. File a report with the FBI's IC3 (ic3.gov) and follow your established IR process. Vishing is one of the channels CISA and ENISA both track in threat-landscape reporting; your report contributes to public defense.

Where this fits in your program

Cyber insurance applications now ask whether your phishing simulation program covers SMS and voice (see what cyber insurers ask about phishing training). SOC 2 and ISO 27001 auditors increasingly want evidence of multi-channel coverage. Most importantly, the loss profile of vishing - wire fraud, account takeover, ransomware ingress via help-desk impersonation - is the highest-severity tail of phishing claims. A program that doesn't cover voice is leaving the highest-loss channel undefended.

You can start a free trial of Bait & Phish for up to 25 users, with no credit card required, and run a vishing campaign alongside your first email and SMS simulation in the same week. For larger rollouts, see pricing or talk to us about scoping voice coverage for your environment.