By Elin Gadegaard Gjørup
Cybercriminals are getting smarter, and so are their scams. Vishing is on the rise, using deception and urgency to trick victims over the phone. Attackers impersonate IT staff, exploit human trust and even leverage AI-driven voice cloning to gain access to systems and sensitive data. Here’s what you need to know to stay ahead of the threat.
What is vishing?
Vishing, also known as voice phishing, is an emerging telephone-based attack method that uses social engineering tactics to manipulate victims. Attackers may impersonate authority figures or create a false sense of urgency regarding a security issue to trick individuals into disclosing information, transferring money, or giving access to accounts[1].
According to CrowdStrike’s newly published Global Threat Report 2025, vishing attacks surged in 2024, with a 442% increase compared to 2023. This indicates a shift in cybercriminals’ tactics to gain initial access.
Vishing vs. phishing: What’s the difference?
Vishing and phishing are not that different – they are both social engineering attacks that exploit human feelings and shortcomings to gain access to sensitive information or accounts. The key difference lies in the method of attack: phishing uses email, while vishing uses telephone calls[2].
Phishing is sometimes used to lay the groundwork for subsequent vishing attacks. CrowdStrike notes that several vishing attacks used “spam bombing” before calling their targets and impersonating IT personnel. The attackers flooded their targets’ inboxes with phishing emails and used this as “evidence” that there was a security breach or outdated spam filters[1].
Phishing emails can also be used to obtain phone numbers, gain valuable intel about a target, or contain fraudulent invoices that lure targets into calling the scammers themselves.
Combining phishing and vishing allows cybercriminals to carry out sophisticated attacks, leveraging the information gained from phishing to establish credibility and urgency.
What does a vishing attack look like?
Vishing attacks are carried out in many different ways, and criminals are always finding new methods to pressure and trick people into giving them information or access.
CrowdStrike notes two distinct vishing strategies used in several attacks throughout 2024:
The IT-support scam
Threat actors targeting corporations will call employees, introduce themselves as IT-support staff, and claim they are resolving a security breach. They may use tactics like spam bombing before the vishing call to create a sense of panic and urgency. Their next move is to pressure the target to open a remote support session using tools like Microsoft Quick Assist or TeamViewer – thereby establishing access to the target’s computer and system accounts. This allows them to gain further control over systems, exfiltrate data or deploy ransomware.
The IT help desk scam
Another notable vishing strategy is to call the IT help desk and claim to be a legitimate employee who has been logged out of their account. The attackers then try to persuade the help desk to reset passwords or bypass multifactor authentication.
The IT help desk might require information to verify an employee’s identity, such as their full name, manager’s name, employee initials, or ID number. However, this information can often be found on company websites or social media—even sensitive information like social security numbers may be leaked and available for purchase on the dark web.
Both the IT-support scam and the IT help desk scam are often more successful in large corporations, where employees have limited interaction with IT support and already use remote access tools to solve IT issues.
How to prevent vishing?
Vishing, like other social engineering attacks, exploits human error to gain access to sensitive information, systems, or finances. Staying vigilant and implementing preventative measures are both crucial to mitigating this threat. CrowdStrike recommends several actions that can effectively disrupt these criminal activities:
- Implement security awareness training that educates and prepares employees to recognize social engineering attacks such as vishing.
- Mandate video-based identity verification with government-issued ID for self-service password resets over the phone.
- Monitor for multiple users registering on the same device or phone number for multifactor authentication (MFA).
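One way to implement the MFA monitoring recommendation above, as an added example that is not taken from CrowdStrike's report or from this article: it flags any phone number or device on which more than one user enrolled an MFA factor within a time window. The event fields, user names and values are constructed for illustration and do not follow any identity provider's real log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA enrollment events. Field names are assumptions,
# not a real identity provider's log schema.
EVENTS = [
    {"ts": "2025-03-01T09:12:00", "user": "alice", "phone": "+45 20 11 22 33", "device": "dev-a1"},
    {"ts": "2025-03-02T14:40:00", "user": "bob",   "phone": "0045-20112233",   "device": "dev-b7"},
    {"ts": "2025-03-02T15:05:00", "user": "carol", "phone": "+45 31 44 55 66", "device": "dev-b7"},
    {"ts": "2025-03-03T08:00:00", "user": "alice", "phone": "+45 20 11 22 33", "device": "dev-a1"},
    {"ts": "2025-06-20T10:00:00", "user": "dave",  "phone": "+45 40 00 00 01", "device": "dev-a1"},
    {"ts": "2025-03-04T11:30:00", "user": "erin",  "phone": None,              "device": "dev-e2"},
]

def normalize_phone(raw):
    """Reduce a number to '+<digits>' so formatting differences do not hide reuse."""
    if not raw:
        return None
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):          # international prefix written as 00
        digits = "+" + digits[2:]
    return digits

def shared_factors(events, window_days=30):
    """Return {(kind, value): [users]} for factors enrolled by >1 user within the window."""
    seen = defaultdict(list)             # (kind, value) -> [(timestamp, user)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        for kind, value in (("phone", normalize_phone(e.get("phone"))),
                            ("device", e.get("device"))):
            if value:
                seen[(kind, value)].append((ts, e["user"]))
    alerts = defaultdict(set)
    for key, regs in seen.items():
        regs.sort()
        for i, (start, _) in enumerate(regs):   # slide the window over enrollments
            users = {u for t, u in regs[i:] if t - start <= timedelta(days=window_days)}
            if len(users) > 1:
                alerts[key] |= users
    return {k: sorted(v) for k, v in alerts.items()}

if __name__ == "__main__":
    for (kind, value), users in shared_factors(EVENTS).items():
        print(f"ALERT shared {kind} {value}: {', '.join(users)}")
```

Re-enrollment by the same user and reuse of a device months apart (a reissued laptop, for instance) are not flagged at the default window; widening `window_days` trades fewer misses for more alerts to triage.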
What’s next? AI and voice cloning in vishing attacks
With the rise of powerful AI tools, future vishing attacks may employ voice-cloning techniques, making it even harder to identify scams.
Although only a few threat actors have shown the capabilities to utilize sophisticated AI voice cloning in vishing attacks, one group has already succeeded in carrying out a major attack using AI: a company was scammed out of $25 million through voice cloning and deepfakes that impersonated the CFO and other employees[3].
The increasing availability of AI-powered tools, such as voice synthesizers, will undoubtedly enable more threat actors to carry out convincing vishing attacks in the future. With voice cloning, attackers can impersonate trusted individuals and manipulate victims into sharing sensitive information, transferring funds, or performing other harmful actions[3].
As cybercriminals continue to refine their tactics, vishing attacks will likely become even more convincing. Organizations must stay ahead by strengthening security policies, training employees to recognize social engineering techniques and implementing safeguards to verify identities.
Staying informed is the first step to staying secure. Read CrowdStrike’s latest Global Threat Report[1].
[1] CrowdStrike. (No date). CrowdStrike Global Threat Report 2025. Located at: https://www.crowdstrike.com/en-us/global-threat-report/
[2] Terranova Security. (No date). What is Vishing? Located at: https://www.terranovasecurity.com/solutions/security-awareness-training/what-is-vishing
[3] Astranova, E. & Issa P. (23.07.2024). Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks. Google Cloud Blog. Located at: https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks