Adversarial Risk Group

What is vishing?

Vishing is a voice phishing attack in which an attacker uses a phone call to manipulate a target into disclosing information, granting access, or taking an action.

Key takeaways

  • Vishing uses the phone, where voice authority and time pressure work harder than text.
  • Caller ID is trivially spoofable; treat any inbound caller ID as a hint, not authentication.
  • Voice cloning has made vishing materially more dangerous: an attacker can sound like a specific executive after harvesting minutes of public audio.
  • Help desks and finance teams are the highest-risk targets because their workflow encodes "respond to urgent requests".
  • Defense is a workflow problem, not a training problem. Callback verification to looked-up numbers is the single highest-leverage control.

How does a vishing attack work?

A vishing attack has four stages. Each one is structurally similar to spear phishing in the email channel, but voice changes the dynamics.

1. Reconnaissance. The attacker builds a target profile: who handles wire transfers, who runs IT help desk during which shifts, who is currently traveling, who is on the executive team, which vendors have active business with the organization, and which time windows produce predictable operational pressure (month-end close, audit week, vendor visit days). See What is OSINT (open-source intelligence)? for the underlying mechanics.

2. Pretext construction. The attacker picks a role to impersonate (executive in transit, vendor account manager, IT help desk, auditor, regulator, fire marshal, attorney) and a request that fits the pretext (urgent wire approval, password reset, badge access verification, account information confirmation). The pretext is matched to a time window and a target whose normal workflow would respond to it.

3. Setup. The attacker stands up phone infrastructure: a VoIP number with spoofed caller ID, an inbound channel for callbacks if needed, and in some cases a backing "office" environment (background noise, hold music, an apparent second person to defer to). When voice cloning is used, training audio is collected from public sources and the synthesized voice is tuned. See What is voice cloning fraud?.

4. Execution. The call. The attacker uses time pressure, authority, and channel asymmetry to drive the target through the steps needed for the action: read out an MFA code, reset a password, approve a wire, change a vendor's bank account, escort a "vendor technician" through a controlled door. The call ends as soon as the action is taken; the loss is downstream.

The asymmetry that makes vishing effective: text gives the recipient time to think. Voice does not. The target is on the phone, the caller has authority and urgency, and the target's instinct is to resolve the call cleanly.

The role of voice cloning in modern vishing

Until recently, vishing relied on the target not knowing what the impersonated person sounded like, or on the call being routed through a "secretary" voice. Voice cloning has changed both of those assumptions.

Practical voice cloning in 2026 requires only minutes of high-quality audio of the target voice. Sources are readily available for any executive who has appeared in public:

  • Earnings calls (uploaded by the company itself, captioned, time-stamped).
  • Podcast appearances.
  • Conference talks on YouTube.
  • Industry-press video interviews.
  • LinkedIn live sessions.
  • Marketing video clips on the company website.

Once cloned, the voice can read any script in real time, with naturalistic prosody, on a phone call. The target hears the executive's voice asking for the action. Where the target has personal familiarity with the impersonated person, the cognitive override is faster, not slower: "I know exactly how she sounds, and that is her".

Caller ID and voice recognition have therefore failed as authentication mechanisms at the same time. Defense has moved to workflow controls that do not depend on identifying the caller. See What is deepfake vishing? and What is a deepfake CEO scam?.

Why help desks and finance teams are the highest-risk vishing targets

Two organizational functions are disproportionately exposed.

IT help desks. Workflow is built around "respond quickly to user requests". The defining tasks (password reset, MFA reset, account unlock, group membership change) are exactly the actions a vishing attacker wants to drive. Verification is often light: the caller "is" the user because they know the user's name and a recent project. Shift change and breaks create gaps where the verification protocol is informally relaxed.

Finance and AP teams. The workflow is built around processing payments and vendor information changes. A successful vishing call to AP can route a wire to an attacker-controlled account in hours. Where the call is framed as a CEO request before a flight, secondary verification feels insubordinate; the workflow is structured for compliance with executive requests.

Other high-risk functions include HR (employee information requests, payroll changes), front-desk reception (visitor authorization, badge issuance), and security operations (incident-claim manipulation). Each follows the same pattern: a workflow tuned for responsiveness encounters a request that exploits the response.

Examples of vishing attacks against manufacturers

Patterns ARG sees repeatedly:

  • MFA reset for a "traveling executive". A call to the help desk during shift change, in a synthesized voice matching an executive who is publicly known to be at a conference. The technician resets MFA and reads the new code on the call. The attacker logs in within minutes. Detection happens later, when the executive returns and finds their account in an unusual state.
  • Vendor bank-account verification. A call to AP from a "vendor accounting representative" confirming a routing-number update that applies to next month's invoice. AP updates the ERP record without calling the vendor back at the number already on file. The next invoice processes against the new account. See What is business email compromise (BEC)?.
  • Executive wire approval. A call to the CFO ahead of a Friday close, in the CEO's cloned voice, referencing a known acquisition discussion the CFO believes is confidential. The CFO routes a wire that day; recovery is unlikely after 48 hours. See What is voice cloning fraud? and What is social engineering fraud (SEF) coverage?.
  • Badge-issuance pretext. A call to facility security from a "contractor coordinator" announcing an inspector arriving in twenty minutes, requesting a temporary badge be ready at the gate. The inspector arrives, signs in under a fabricated name, and reaches the engineering control room before the pretext is verified.
  • Help desk callback after phishing failure. A spear phish was sent and the user did not click. Twenty minutes later, the help desk receives a call from the "user" saying their account is locked and asking for a password reset. The reset is performed; the attacker logs in.

The pattern across these examples: a single workflow action, on a phone call, drives a financial or access outcome.
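The detection side of the MFA-reset and help-desk-callback patterns above, as an added example that is not part of the original page and not ARG's tooling: it joins constructed IdP audit events with constructed help desk tickets and flags resets that have no ticket (workflow bypass), phone resets that were verified only by what the caller knew, and a successful login from a never-seen device within minutes of a reset. The field names, user names, device identifiers and IP addresses are assumptions chosen for the sample; real IdP and ticketing exports differ.

```python
"""Flag help-desk-driven credential resets that match the vishing patterns above.

Added example with constructed data. The IdP event and ticket field names are
assumptions; adapt them to your own IdP audit export and ticketing schema.
"""
from datetime import datetime, timedelta

# Constructed IdP audit events (not real logs).
IDP_EVENTS = [
    {"ts": "2026-05-18T14:02:10", "user": "c.ortega", "event": "mfa.reset", "actor": "helpdesk/tmarsh"},
    {"ts": "2026-05-18T14:06:45", "user": "c.ortega", "event": "login.success", "device": "dev-9f1c", "ip": "203.0.113.40"},
    {"ts": "2026-05-18T15:30:00", "user": "d.lin", "event": "password.reset", "actor": "helpdesk/tmarsh"},
    {"ts": "2026-05-18T15:35:12", "user": "d.lin", "event": "login.success", "device": "dev-1111", "ip": "198.51.100.7"},
    {"ts": "2026-05-18T16:10:00", "user": "a.patel", "event": "password.reset", "actor": "helpdesk/rkim"},
    {"ts": "2026-05-18T16:12:00", "user": "a.patel", "event": "login.success", "device": "dev-77aa", "ip": "192.0.2.9"},
]

# Constructed help desk tickets. "verification" records how the caller was verified.
TICKETS = [
    {"id": "HD-4411", "user": "c.ortega", "action": "mfa.reset", "opened": "2026-05-18T13:58:00",
     "channel": "phone", "verification": "knowledge"},               # caller knew a name and a recent project
    {"id": "HD-4417", "user": "a.patel", "action": "password.reset", "opened": "2026-05-18T16:05:00",
     "channel": "phone", "verification": "otp_registered_channel"},  # code sent to the channel on record
]

# Device baseline per user (constructed).
KNOWN_DEVICES = {"c.ortega": {"dev-0a0a"}, "d.lin": {"dev-1111"}, "a.patel": {"dev-77aa"}}

RESET_EVENTS = {"mfa.reset", "password.reset"}
WEAK_VERIFICATION = {"knowledge", "none"}   # call-content checks: they do not authenticate
TICKET_WINDOW = timedelta(hours=2)           # a legitimate reset has a ticket opened shortly before it
LOGIN_WINDOW = timedelta(minutes=30)         # the attacker logs in within minutes of the reset


def _ts(s):
    return datetime.fromisoformat(s)


def find_ticket(reset, tickets):
    """Return the ticket that authorized this reset, or None (workflow bypass)."""
    t0 = _ts(reset["ts"])
    for t in tickets:
        if (t["user"] == reset["user"] and t["action"] == reset["event"]
                and timedelta(0) <= t0 - _ts(t["opened"]) <= TICKET_WINDOW):
            return t
    return None


def first_unseen_device_login(reset, events, known_devices):
    """First successful login for the user from a device outside the baseline, within LOGIN_WINDOW."""
    t0 = _ts(reset["ts"])
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["user"] != reset["user"] or e["event"] != "login.success":
            continue
        dt = _ts(e["ts"]) - t0
        if timedelta(0) <= dt <= LOGIN_WINDOW and e["device"] not in known_devices.get(e["user"], set()):
            return e, dt
    return None


def analyze(events=IDP_EVENTS, tickets=TICKETS, known_devices=KNOWN_DEVICES):
    """One finding per suspicious reset; severity is high when both a weak/missing ticket and a new-device login are present."""
    findings = []
    for e in events:
        if e["event"] not in RESET_EVENTS:
            continue
        reasons = []
        ticket = find_ticket(e, tickets)
        if ticket is None:
            reasons.append("reset with no corresponding ticket (workflow bypass)")
        elif ticket["channel"] == "phone" and ticket["verification"] in WEAK_VERIFICATION:
            reasons.append(f"phone reset verified by '{ticket['verification']}' only ({ticket['id']})")
        hit = first_unseen_device_login(e, events, known_devices)
        if hit:
            login, dt = hit
            reasons.append(f"login from unseen device {login['device']} ({login['ip']}) "
                           f"{int(dt.total_seconds() // 60)} min after reset")
        if reasons:
            findings.append({"user": e["user"], "reset": e["event"], "ts": e["ts"], "actor": e["actor"],
                             "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f["severity"].upper(), f["user"], f["reset"], f["ts"], "by", f["actor"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, c.ortega's reset is rated high (knowledge-only phone verification followed four minutes later by a login from an unseen device), d.lin's reset is rated medium (no ticket at all, but the login came from a known device), and a.patel's reset, verified by a code to the registered channel, produces nothing. The ticket join is what turns "password reset outside the ticketing system" from a signal a trained employee has to notice into one the SOC can alert on.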

How to detect a vishing call in progress

For a target on a call who suspects it might be vishing, five signals are reliable:

  1. Time pressure on a high-impact action. "Do this in the next ten minutes, before my flight." Real urgency from internal stakeholders almost always has a written counterpart; voice-only urgency is suspect.
  2. A request that bypasses normal workflow. A wire approved outside the ERP system, a password reset outside the ticketing system, a badge issued outside the visitor management system. Workflow bypass is the most reliable signal.
  3. Caller ID that "matches" the expected person. Spoofing is trivial. If the call is from someone whose number you have, the answer is to hang up and call back the saved number, not to continue the call.
  4. Refusal or reluctance to be called back. "I have to take another call, just do it now." The reluctance is the signal.
  5. Channel switching pressure. "Don't email about this, keep it on the phone." Real high-impact actions tolerate written confirmation.

A trained employee who recognizes one of these signals and refuses to act, even at the cost of feeling rude or insubordinate, is the most reliable defense. That training only sticks when adaptive simulation keeps exercising it.

Best practices for defending against vishing

  1. Callback verification to looked-up numbers. For any high-impact action (wire transfer, vendor change, password reset, badge issuance), the recipient ends the call and dials back a number sourced from the ERP, HRIS, or corporate directory. Numbers supplied during the call, or printed on the document that requested the change, are not used; for a vendor change, the callback goes to the vendor's number of record, not to the "updated" contact. This single control defeats most vishing.
  2. Out-of-band, multi-party approval for high-loss actions. Wire transfers, vendor information changes, and payroll diversions require a second approver via a different channel. The mechanism belongs in the ERP and the procedure, not in the email or phone system.
  3. Help desk identity verification that does not rely on call content. Knowledge of recent projects, the user's manager's name, or the user's role does not authenticate. Verification methods that do: a code sent to a channel already on record that the user enters in the self-service portal (the technician never reads a code to the caller, which is exactly the step the MFA-reset example above exploits), video-call confirmation with corporate ID, a second technician validating from the ticketing system, or a defined sequence of out-of-band steps. See What is privileged access management (PAM)?.
  4. Reception and gate-staff scripts. Visitor verification requires written authorization in the visitor management system, plus a callback to the hosting employee at a directory-sourced number. Voice authorization alone does not suffice.
  5. Continuous vishing simulation against real workflow. Annual classroom training does not produce durable behavior change. Adaptive simulation against named individuals in finance, AP, IT help desk, HR, and reception, using rotating pretexts and (where authorized) cloned voices, builds and maintains the reflexive callback habit.
  6. Insurance alignment. Most cyber and crime policies have specific verification requirements for social engineering fraud claims; failing to meet them is a routine denial reason. See What is social engineering fraud (SEF) coverage?.
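One way to implement the "code sent to a known channel" method from practice 3, as an added example that is not the page's or ARG's code: a one-time code bound to the ticket and the user is delivered to the address on record and submitted by the user through the self-service portal, so the technician never holds the code and the reset action stays locked until that submission succeeds. The class name, the delivery hook signature, the five-minute lifetime, the attempt limit, and the sample ticket and user are assumptions.

```python
"""Ticket-bound one-time-code verification for help desk resets (added example).

The technician triggers a challenge and gets back only the ticket id. The code
goes to the user's registered channel (from HRIS/IdP, never from the call), and
the user submits it to the portal. Only then does the reset action unlock.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: five-minute lifetime
MAX_ATTEMPTS = 5         # assumption: attempt limit before the challenge is discarded


class HelpDeskVerifier:
    """Binds a one-time code to (ticket, user); the code never passes through the technician."""

    def __init__(self, directory, deliver, clock=time.time):
        self._directory = directory      # user -> registered channel address (on record, not caller-supplied)
        self._deliver = deliver          # deliver(address, ticket_id, code): SMS/push/email gateway hook
        self._clock = clock              # injectable for expiry testing
        self._key = secrets.token_bytes(32)
        self._pending = {}               # ticket_id -> challenge state
        self._verified = set()           # (ticket_id, user) pairs that passed

    def _digest(self, ticket_id, user, code):
        msg = f"{ticket_id}|{user}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_challenge(self, ticket_id, user):
        """Technician-side call. Returns only the ticket id; the code is never returned."""
        address = self._directory.get(user)
        if address is None:
            # No channel on record: escalate; do not fall back to verifying by call content.
            raise LookupError(f"{user}: no registered channel on record; escalate")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[ticket_id] = {"user": user, "digest": self._digest(ticket_id, user, code),
                                    "expires": self._clock() + CODE_TTL_SECONDS, "attempts": 0}
        self._deliver(address, ticket_id, code)   # to the registered channel, not to the caller
        return ticket_id

    def submit_code(self, ticket_id, user, code):
        """Portal-side call with what the user typed. Single use, expiring, rate-limited."""
        st = self._pending.get(ticket_id)
        if st is None or st["user"] != user:      # unknown ticket, or code submitted for a different user
            return False
        if self._clock() > st["expires"]:
            del self._pending[ticket_id]
            return False
        st["attempts"] += 1
        if st["attempts"] > MAX_ATTEMPTS:
            del self._pending[ticket_id]
            return False
        if hmac.compare_digest(st["digest"], self._digest(ticket_id, user, code)):
            del self._pending[ticket_id]           # single use
            self._verified.add((ticket_id, user))
            return True
        return False

    def perform_reset(self, ticket_id, user, action):
        """Reset actions unlock only for a verified ticket, and the verification is consumed."""
        if (ticket_id, user) not in self._verified:
            raise PermissionError(f"{ticket_id}: {action} for {user} refused; ticket not verified")
        self._verified.discard((ticket_id, user))
        return f"{action} performed for {user} under {ticket_id}"


if __name__ == "__main__":
    sent = []   # stands in for the SMS/push provider; constructed number, not a real one
    v = HelpDeskVerifier({"c.ortega": "+1-555-0100"}, lambda a, t, c: sent.append((a, t, c)))
    v.start_challenge("HD-4411", "c.ortega")
    addr, tid, code = sent[-1]            # the user reads this from their own registered device
    print("delivered to", addr, "for", tid)
    print("wrong user submits:", v.submit_code(tid, "attacker", code))
    print("user submits:", v.submit_code(tid, "c.ortega", code))
    print(v.perform_reset(tid, "c.ortega", "mfa.reset"))
```

The property that matters for vishing is in the data flow, not the cryptography: `start_challenge` hands the technician nothing a caller could talk them into repeating, and `perform_reset` refuses until the portal has seen the code from the user. A caller who has the user's name, manager and current project still cannot get past `submit_code` without the registered device.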

Vishing FAQs

Is vishing illegal?

Yes, when carried out by a malicious actor against a real target. Vishing as part of an authorized security engagement, conducted under signed rules of engagement against an organization's own employees with appropriate scoping, is legal and is the standard way to test resilience against voice-based attacks.

How is vishing different from regular phone scams?

Mass phone scams target broad consumer audiences with generic pretexts (warranty expiry, tax authority, package delivery). Vishing in a corporate context is targeted: the attacker has researched the organization and the individual, picked a pretext matching internal workflow, and is calling for a specific business-impact outcome (credential reset, wire transfer, vendor change).

What is the difference between vishing and deepfake vishing?

Vishing covers any voice-based social engineering, including a human attacker imitating a role. Deepfake vishing uses a synthesized voice (typically cloned from public recordings of a specific person) to make the impersonation match the target's expectation of how that person sounds. See What is deepfake vishing?.

Can caller ID be trusted?

No. Caller ID is trivially spoofable through commercial VoIP services. Treat caller ID as a hint, never as authentication. Verification of a high-impact request requires a callback to a number the recipient looks up independently, not one supplied during the call.

How ARG simulates vishing with adaptive scripts and voice cloning

ARG runs vishing simulation as a standing part of every engagement. The simulation tests the workflows that actually fail in real incidents: help desk verification, AP vendor changes, executive wire approvals, badge-issuance procedures.

The simulation is operated by James Wall on infrastructure ARG owns and controls. Scripts are written per target, calibrated to the target's role and the moment of operational pressure most relevant to that role. Where the engagement scope permits and the executive sponsor has authorized it, public-source voice cloning is used to test resilience against the threat that the workforce will actually face. Where it is not authorized, human operators run pretexts without cloned voices.

Targets include finance and AP (vendor-change and wire-approval workflows), IT help desk (password and MFA reset workflows), HR (employee-information requests), and reception or gate security (visitor-authorization workflows). The rotation across roles ensures the workforce sees pressure on the actual workflow that matters, not a generic "phishing call".

Each call is logged. The packet shows: who was called, what pretext, what the target did, where the callback would have stopped the loss, and the change since the prior round. The quarterly review tracks trend: callback rates rising, response time tightening, control changes (a new wire-approval policy, a new help desk script) demonstrably working under contact.

For founding clients, vishing simulation is part of the monthly retainer alongside spear phishing simulation, continuous penetration testing, and on-site physical engagements.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: James Wall. Updated 2026-05-18. Adversarial Risk Group.