Vishing (Voice Phishing)
Definition
Vishing (voice phishing) is a social engineering attack conducted by phone. Attackers impersonate bank staff, government officials, IT departments or other trusted parties to extract sensitive information or to manipulate victims into taking actions. With the rise of AI voice technology, vishing calls are becoming increasingly convincing.
How does vishing work?
The attacker calls the victim and creates a sense of urgency or fear: "there is a suspicious transaction on your account", "your computer is infected", "there is an investigation into your identity". By conducting the call professionally and showing knowledge of personal details, the attacker builds trust. The victim is then persuaded to share credentials, install remote access software or transfer money. Caller ID spoofing makes the call appear to come from the impersonated organisation's own number, which reinforces the deception.
Types of vishing
Banking fraud vishing: attackers call as bank staff reporting suspicious activity on the victim's account.
Tech support fraud: attackers claim to be from Microsoft or the IT helpdesk.
CEO fraud via phone: attackers use AI-generated voice to impersonate executives requesting urgent transfers.
Tax fraud vishing: attackers impersonate tax authorities and threaten fines.
Impact on organisations
Vishing increasingly targets employees rather than private individuals. CEO fraud using deepfake voice technology has caused losses of millions per incident. MFA bypass via vishing is effective: attackers call employees and ask them to read out or approve MFA codes. NIS2 requires awareness training that covers vishing.
Protection
Train employees never to share sensitive information by phone without verification. Implement callback procedures: hang up and call back via the organisation's official, independently looked-up number, never a number given by the caller. Use multi-channel verification for sensitive transactions, so that a phone request alone is never sufficient to authorise a transfer or a change of credentials.
How DEFION helps
DEFION conducts vishing tests as part of Red Teaming and Social Engineering Assessments. Security Awareness Masterclasses train employees to recognise telephone manipulation.