
Written by Dominic Kearne

“Vishing, a voice phishing attack, is the fraudulent use of phone calls and voice messages using social engineering techniques to convince individuals to reveal private information such as bank details and passwords.”

In February 2025 CrowdStrike published their 2025 Global Threat Report, which included details of a 442% increase in vishing operations between the first and second halves of 2024. At the time, many in the cybersecurity community might have anticipated that the UK’s biggest cyberattack story of the year would begin with a phishing and/or vishing attack. They may also have expected the perpetrators to be threat actors located hundreds, if not thousands, of miles away, be they nation-state-sponsored, ransomware groups, or hacktivists.

Instead, the attack on household British high street brands allegedly came not from China, Russia or Iran but from homegrown members of the Scattered Spider threat actor group, some of whom were barely old enough to drive. Regarded as experts in social engineering, Scattered Spider had a track record of vishing IT company employees by persuading them to share passwords and multi-factor authentication (MFA) codes (thereby allowing remote access to networks). They even convinced a mobile phone service provider to transfer control of a target’s phone to their own SIM card. One UK media report in May 2025 suggested the group’s “native English” accents meant they were better able to convince victims to lower their guard and unwittingly hand over the keys to the computer kingdom, but why?

Why does vishing work?

Vishing works for Scattered Spider and other threat actors because, as humans, we instinctively show more trust towards other human voices, with acoustic characteristics significantly influencing how trustworthy a speaker is perceived to be. Social engineering (where people are persuaded to do something that is not in their own, or their organisation’s, best interests) has become easier for attackers as humans become increasingly connected to communications devices for longer periods of time.

Many users display naivety in their online interactions and lack the cyber security hygiene and awareness to go with their increased usage. For cyber threat actors, the attack surface has never been more fertile and the tools have never been more sophisticated. Increased tactical acumen, more widely available data, and the emergence of AI as an attacking tool mean cybercriminals now have the capability and opportunity to match their intent.

Whilst there are arguably many benefits to the cultural shift of working from home post-Covid, one negative consequence is that the concept of “switching off” digitally from work is, for many, becoming harder. A Microsoft work trend report from June 2025 indicates that more than 50 Microsoft Teams messages per day are sent or received outside of core hours, 29% of employees log back into their work email by 10pm, and roughly 20% of employees check their work emails before noon on Saturday and Sunday.

More time online = more opportunities for threat actors to make contact.

Attackers are able to research and obtain details about individuals at the tap of a keyboard. This information becomes intelligence which can then be used as a targeted entry point for an attacker and as a tool for ongoing manipulation via pressure and urgency tactics. As we continue to lead busier and more electronically “switched on” lives, cognitive overload means threat actors are well equipped to use psychological manipulation to coerce a victim, especially when such tactics are coupled with a “trustworthy” voice.

The increasing sophistication of social engineering means it has become easier for attackers to impersonate anyone from government organisations to friends and family. The combination of spoofed contact numbers, snippets of information obtained from a multitude of sources, and a human voice provides a convincing way to appear as a trusted source…and sometimes that voice only appears to be human.

AI

According to Ekco’s Infrastructure Modernisation Survey 2025, 59% of IT leaders believe AI threats now surpass traditional data breaches as the primary cloud concern. Such is the sophistication of Artificial Intelligence (AI) that a person’s voice can now be cloned (and therefore replicated) from just 3 seconds of audio by AI-based systems capable of mimicking not only pitch and tone but also accent and timbre, with alarming accuracy. AI bots are now able to use Large Language Models (LLMs), along with speech-to-text and text-to-speech modules, to automatically generate bespoke scripts and conduct convincing conversations with potential victims. They can also manage thousands of calls at scale, leading to a rapid rise in vishing-as-a-service and the use of “robo-call” infrastructure.

What can we do?

As with other phishing methods, mitigations against vishing require a multi-layered approach based around technology, processes and people. Ekco can help with the prevention and mitigation of vishing by offering a multitude of services, from security awareness training for staff at one end to in-depth technical expertise at the other.

Technology

Implementing multi-factor authentication to add an extra layer of security beyond passwords, coupled with bolstering email security, can help prevent an initial attack (many vishing attacks begin with a more “traditional” phishing approach).

Security Information and Event Management (SIEM) integration, Intrusion Detection Systems (IDS), and network analytics enabled by logging, alerting, and threat detection can all be applied to voice communication systems to prevent or detect vishing.

Threat Intelligence teams are able to monitor the dark web for intelligence feeds related to vishing numbers or campaigns specifically for industry peers and suppliers. This intelligence can then be integrated with security and monitoring tools on Voice over Internet Protocol (VoIP) and/or other phone systems to detect Indicators of Compromise (IoCs) or anomalies that may result from a successful social engineering attack. The implementation and monitoring of identity and access management (IAM) to limit the impact if credentials are stolen via vishing is also recommended.

Monitored network activity can alert organisations to unusual behaviours that might follow a vishing attack (such as unauthorised or otherwise suspicious logins). If a vishing attack succeeds, incident response teams can carry out a thorough investigation to determine how it happened, help mitigate any damage and prevent future attacks.
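The paragraphs above describe the detection side in general terms: a login that follows a successful vishing call tends to come from an address the user has never used, often outside working hours, and is sometimes preceded by a burst of failed password or MFA attempts while the caller is being talked through the codes. The script below is an added illustration of such a check, written for this page; it is not Ekco's tooling, nor any product's rule syntax. Everything in it is constructed: the JSON-per-line log format and its keys (`ts`, `user`, `result`, `ip`, `mfa`), the per-user IP baseline, the 08:00-18:00 UTC core-hours window, the 10-minute burst window and the sample events. A real SIEM rule would draw the baseline from historical sign-in data and tune the thresholds to the organisation.

```python
"""
Added example (not from the original post or from Ekco): flag successful
logins that look like the aftermath of a vishing call.

Assumed, constructed input format: one JSON object per line with keys
  ts     ISO 8601 UTC timestamp
  user   account name
  result "success" or "failure"
  ip     source address
  mfa    "pass", "fail" or "none"
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORE_HOURS = range(8, 18)               # assumed core working hours, UTC
BURST_WINDOW = timedelta(minutes=10)    # look-back for failed attempts
BURST_THRESHOLD = 3                     # failures in window worth noting

# Constructed sample events. Addresses are from documentation ranges.
SAMPLE_LOG = """\
{"ts": "2025-06-02T09:14:02Z", "user": "alice", "result": "success", "ip": "203.0.113.10", "mfa": "pass"}
{"ts": "2025-06-02T21:40:11Z", "user": "alice", "result": "failure", "ip": "198.51.100.77", "mfa": "none"}
{"ts": "2025-06-02T21:41:05Z", "user": "alice", "result": "failure", "ip": "198.51.100.77", "mfa": "fail"}
{"ts": "2025-06-02T21:42:30Z", "user": "alice", "result": "failure", "ip": "198.51.100.77", "mfa": "fail"}
{"ts": "2025-06-02T21:44:09Z", "user": "alice", "result": "success", "ip": "198.51.100.77", "mfa": "pass"}
{"ts": "2025-06-03T10:02:44Z", "user": "bob", "result": "success", "ip": "203.0.113.55", "mfa": "pass"}
{"ts": "2025-06-03T10:30:00Z", "user": "bob", "result": "success", "ip": "192.0.2.9", "mfa": "pass"}
"""

# Constructed baseline: addresses each user has previously signed in from.
BASELINE = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.55"},
}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def flag_logins(events, baseline):
    """Return one alert per successful login from an address outside the
    user's baseline, annotated with the aggravating signals present."""
    recent_failures = defaultdict(list)   # user -> timestamps of failed attempts
    alerts = []
    for event in events:
        user = event["user"]
        if event["result"] != "success":
            recent_failures[user].append(event["ts"])
            continue
        if event["ip"] in baseline.get(user, set()):
            continue                      # known address: nothing to report
        reasons = ["new_ip"]
        if event["ts"].hour not in CORE_HOURS:
            reasons.append("outside_core_hours")
        cutoff = event["ts"] - BURST_WINDOW
        burst = sum(1 for t in recent_failures[user] if t >= cutoff)
        if burst >= BURST_THRESHOLD:
            minutes = int(BURST_WINDOW.total_seconds() // 60)
            reasons.append(f"{burst}_failures_in_{minutes}m")
        alerts.append({
            "user": user,
            "ip": event["ip"],
            "ts": event["ts"].isoformat(),
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_logins(parse_events(SAMPLE_LOG), BASELINE):
        print(alert)
```

On the sample data the script raises two alerts: Alice's 21:44 login is flagged on all three counts (new address, outside core hours, three failures in the preceding ten minutes), which is the pattern worth an immediate call-back to the user on a known number; Bob's mid-morning login from a new address is flagged on the address alone, a lower-confidence signal that a follow-up check, rather than a blocked session, would normally resolve.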

People & Processes

People are the first line of defence against vishing attacks, and regular training can help employees stay alert to new vishing tactics. Security awareness education should include ongoing simulated vishing attacks and encourage a clear process for reporting suspicious behaviour and passing this information on to all necessary staff.

People should, where operationally possible, be sceptical of unsolicited calls and unknown callers and not rely on caller ID alone, as it can be easily spoofed. Instead, other means of verifying caller identity should be implemented, and employees encouraged to verify the identity of callers before providing any information. If a call seems suspicious, call back on a known number for the individual or organisation (e.g. one taken from their official website), and establish a documented caller-verification process wherever possible. Train employees to recognise fear, urgency, or “too good to be true” opportunities and respond accordingly.

If in receipt of automated phone messages, avoid responding verbally or by pressing buttons. Doing so alerts potential attackers that your phone number is active and can allow them to obtain sensitive information such as account numbers, passwords, or MFA codes—under the guise of security alerts or urgent messages.

Consider registering with the Telephone Preference Service (for both business and personal use in the UK), which can reduce unsolicited phone calls. Tools are also available which can help identify and block vishing calls.

Final thoughts

The rise of vishing highlights a sobering truth: the most advanced cybersecurity systems can still be undone by a simple phone call. As threat actors like Scattered Spider continue to exploit human psychology, voice-based attacks are becoming more convincing, more scalable, and more difficult to detect, especially with the growing use of AI to mimic trusted voices.

In a world where we are constantly connected, the line between personal and professional, online and offline, has blurred. This always-on culture creates fertile ground for attackers who rely on urgency, familiarity, and trust to manipulate their targets. The threat is no longer just technical, it’s deeply human.

Defending against vishing requires more than just technology—it demands awareness, training, and a culture of security. At Ekco, we help organisations build resilience through a layered approach that combines cutting-edge tools, expert threat intelligence, and people-first education. Get in touch for more on our security services.
