Back
Back to Blog

Vishing: How Voice Phishing is Redefining Social Engineering Attacks

On this page

Vishing, or “voice phishing,” is a social engineering tactic in which attackers use phone calls to trick unsuspecting victims into revealing sensitive information or granting unauthorized access to systems. Vishing (voice phishing) differs from email phishing in that attackers use real-time phone calls to execute their attacks. The voice creates a sense of urgency and authority, making people more likely to comply.

Understanding Vishing

Vishing, short for voice phishing, is a type of cyberattack similar to traditional phishing. Instead of using email or fake websites, Vishing occurs over the phone, where attackers pose as trusted organizations or IT staff to deceive victims into revealing sensitive information or granting unauthorized access.

Who is Affected

Vishing attacks target both individuals and organizations. For individuals, attackers may pose as trusted institutions over the phone to trick victims into disclosing sensitive information, such as bank credentials, credit card details, or personal identifiers like Social Security numbers. For organizations, the risks are greater. Employees can be manipulated into approving fraudulent multi-factor authentication requests, resetting account passwords, or granting unauthorized access. These actions can directly compromise corporate systems and data, making vishing a serious threat to information security.

How These Attacks Work

Vishing attacks are generally executed in stages. First, attackers try to appear credible by spoofing caller IDs, making the call appear to come from a bank, a company help desk, or even a co-worker. Next, they create a sense of urgency or authority by warning victims of account suspensions, security alerts, or other consequences, prompting them to act quickly. Finally, they attempt to obtain something of value, such as login credentials, MFA codes, or permission to install remote-access software that grants them control.

Recent cases also reveal attackers using AI-generated voice clones to impersonate executives, making their calls more believable. Cisco confirmed in July 2025 that attackers gained unauthorized access to a customer database after successfully deceiving an employee in a vishing call (DarkReading, 2025).

Types of Data Stolen

Vishing attacks typically target credentials and access to specific systems or accounts. In general, the following information is at risk during a vishing attack:

  • Usernames and passwords are the most common targets across phishing and vishing schemes (CrowdStrike↗)

  • Attackers may trick users into sharing codes or consenting to fraudulent MFA requests (Cybernews.com)

  • Personal information, such as Social Security numbers, is often used for identity theft or to build trust in follow-up attacks. (fbisupport.com)

  • OAuth tokens or session tokens are also targeted because they can grant long‑term access without needing passwords. Malicious OAuth apps or “consent phishing” are used to trick users into granting access. (BleepingComputer↗)

  • Attackers also target customer and financial records, especially in tailored campaigns (fbisupport.com)

How the Stolen Data Is Used

The data stolen in a vishing attack is usually exploited for profit in several different ways:

  • Stolen credentials, financial details, and personal records are packaged and sold on dark web forums and marketplaces that operate much like online shops. Buyers typically use them for further fraud or attacks. (BlazeGuard ↗)

  • Usernames and passwords are used in credential stuffing and account takeovers, which exploit password reuse. Successful hits give attackers access to email, financial, or corporate accounts. (Huntress ↗ | Palo Alto Networks ↗)

  • On the consumer side, personally identifiable information (PII) such as Social Security numbers can be used to open accounts, apply for loans or credit, or file false tax returns. (Cyberdefense Magazine ↗)

  • Stolen credentials may give attackers a foothold in corporate networks, enabling them to steal sensitive files or launch ransomware attacks where data is both encrypted and used for extortion. (Brandefense ↗)

 Real-World Example: Workday, Inc.

In August 2025, we recorded a confirmed vishing incident affecting Workday, Inc. (US) in the VenariX platform, along with other similar cases tied to the same campaign.

ShinyHunters (AKA Sp1d3rHunters, Scattered Spider, 0ktapus, and UNC3944) called Workday employees while impersonating IT staff. Through social engineering, they persuaded an employee to approve access to a Salesforce CRM integration via OAuth. This granted attackers access to business contact information, including names, emails, and phone numbers. (TechRadar ↗ | Computer Weekly ↗)

Workday is a major SaaS provider for HR and financial management, serving thousands of organizations worldwide, including many Fortune 500 companies. In this case, attackers gained access through a Salesforce integration used by Workday staff, rather than through Workday’s core HR or financial systems. Even so, the incident shows how a single vishing call can open pathways into interconnected SaaS platforms, creating risk beyond the initial entry point. (ITPro ↗)

SCR-20260709-lzth.png
Screenshot of the VenariX platform showing details of a Vishing incident at Workday, Inc.

Prevention and Detection

Reducing the risk of vishing requires a layered defense approach that combines user awareness, processes, and technology to mitigate threats.

For Businesses

  1. Establish a process that requires identity verification whenever employees call the help desk for credential resets or access approvals, and when the help desk initiates calls to employees, to prevent attackers from impersonating IT staff.

  2. Adopt phishing-resistant MFA, such as FIDO2 hardware tokens or passkeys, to reduce exposure to MFA fatigue attacks, in which users are pressured into approving repeated login prompts.

  3. Include vishing simulations in the annual security awareness training program so employees can learn to recognize urgency, authority, and other pressure tactics in real-time.

  4. Prevent employees from granting consent to third-party OAuth applications that request access to company SaaS or PaaS platforms. Instead, require administrator review and approval for all app consent requests, and monitor for unusual authorization attempts or large-scale data exports.

For Consumers

  1. Never share passwords or MFA codes over the phone.

  2. Always verify suspicious calls by calling official numbers directly.

  3. Use unique passwords and MFA for all accounts.

  4. Treat all unexpected calls with caution, even if the caller ID appears familiar.

At VenariX, we track vishing incidents on our platform, link them to the responsible threat actors, and connect them to the affected industries and organizations. This approach provides users with context on how voice-driven attacks unfold and their real-world impact, rather than presenting isolated indicators.

VenariX

Every security decision,
backed by real data.

Start with a free plan or try Pro free for one week.