Social Engineering Glossary

Vishing (Voice Phishing)

A phone-based social engineering attack in which attackers pose as IT support, a bank, or a government agency to trick victims into revealing login credentials, personal information, or making money transfers. AI-powered voice cloning makes vishing particularly dangerous in 2024—even the voices of well-known figures are being imitated.

Vishing combines the trust people place in phone calls with social engineering techniques. Unlike email phishing, attackers can react immediately during a call, address objections, and apply pressure—which makes vishing particularly effective.

Why Vishing Works

Several psychological factors work together to make vishing so effective:

Trust in voices: People generally trust phone calls more than emails. The belief that “A real person wouldn’t have called me if...” reduces skepticism.

Time pressure: During a conversation, there’s no time to calmly think and analyze—the opposite of an email, which you can review at your leisure.

Authority: A supposed “IT support” representative can credibly claim, “Your account has been compromised—act immediately!”; a supposed “police” officer can claim, “You are involved in an investigation.”

Caller ID spoofing: Attackers can use inexpensive VoIP services to display any phone number they choose. “02xx – Sparkasse München” looks completely legitimate to the victim.

Common Vishing Scenarios

IT Support Scam

The process follows a well-established pattern: A call claiming “Hello, this is Microsoft IT Support” leads to the assertion that unusual activity has been detected on the PC. The request to install TeamViewer or a similar remote access tool gives the attacker full access to the computer—and thus to online banking, passwords, and personal data. Optionally, an invoice for the “assistance” is sent at the end.

Warning signs:

  • Microsoft and Windows never call unsolicited
  • Request to install remote access tools
  • Request for passwords “for diagnostic purposes”
  • Credit card payment for supposed support

Bank vishing (phone scam)

The classic scenario: A call with a spoofed bank number, followed by “Security Department, your account shows suspicious transactions,” then a request to confirm your TAN or PIN—and finally, the account is emptied.

A more modern variant uses SMS codes: An initial call announces an incoming SMS. The SMS displays a code with the warning “Never share this!”—and during the call, the attacker asks for exactly this code for “identity verification.” With the code, the account is taken over or a transaction is confirmed.

> Reality: Banks never ask for PINs, TANs, or passwords!

CEO Vishing (Voice BEC)

The attacker researches the CFO and CEO in advance (LinkedIn, website) and then calls the CFO: “This is [CEO’s name]. I’m in a meeting right now; I don’t have time.” This is followed by a claim that an M&A transaction must be completed under strict confidentiality and an instruction to immediately transfer a large sum to a third-party account—coupled with an explicit request not to speak to anyone.

AI-powered voice cloning (2024): Public audio recordings of the CEO (YouTube, podcasts, interviews) are sufficient for modern AI models to clone the voice in real time. The CFO hears the “real” voice of their CEO—making verification via a return call significantly more difficult.

Real-life case (2024, UK): WPP CEO Mark Read was targeted in a deepfake voice attack during a Teams meeting. Criminals used a cloned voice and a fake video to impersonate the CEO. The fraud attempt failed—but clearly demonstrates the escalating nature of current attacks.

Prevention:

  • Passcode system for financial instructions – including for CEOs
  • Never issue financial instructions over the phone alone
  • Always call back the CEO’s known, verified number

AI and Vishing – the New Threat Landscape

Current voice cloning tools significantly lower the barrier to entry:

| Tool | Capability |
| --- | --- |
| ElevenLabs | Voice cloning from 30 seconds of audio |
| PlayHT | Real-time voice conversion during a call |
| Resemble AI | Commercial voice cloning for various applications |

The AI attack scenario:

  1. Collect audio material: LinkedIn video, YouTube interview (30–60 seconds is sufficient)
  2. Train the AI model
  3. Real-time voice cloning during the call
  4. The attacker speaks—the target hears the cloned voice

Countermeasures against AI vishing:

  • Pre-agreed code words unknown to the attacker: “Are you really [Name]? Say our code word!”
  • Video call verification (live, not recorded)
  • Call back to a verified number from the phone book – never use the call-back option via the calling number

Protective measures for businesses

Technical

  • Caller ID verification: STIR/SHAKEN (established in the US and UK, still limited availability in Germany)
  • Spam call filters: Microsoft Teams Anti-Robocall and similar solutions
  • Callback verification: Always call back the official, pre-known number—never use the callback option via the displayed number

Procedural

  • Dual-control principle for all financial transactions above a defined amount
  • Designated communication channels for sensitive actions
  • Code words for unusual CEO/CFO instructions
  • “It’s OK to say no”: Employees may hang up and call back—without consequences

Training

  • Vishing simulation with simulated calls to employees
  • Specialized training for Finance, HR, and IT (high-risk groups)
  • Role-playing: How do I respond to pressure? What do I say if I’m unsure?

Recognition checklist during a call

Red Flags – hang up if you notice these signs:

  • Unannounced call regarding an urgent matter
  • Request for a password, PIN, TAN, or confirmation code
  • Request to install software
  • “Don’t talk to anyone” – this is a clear red flag
  • Time pressure: “Right now, no time”
  • The caller claims to be a familiar person or organization, but the number displayed is not one you recognize

Safe response:

  • Hang up
  • Call back the official number (from the phone book or company website—do not use the call-back option via the displayed number)
  • Report the call to IT Security
  • Confirm instructions via a second channel (email or chat)