What is Vishing
Vishing is phishing carried out over a phone call. Learn how attackers spoof caller ID, script past the help desk, and clone a familiar voice, and how to build a call-back-and-verify reflex that holds under pressure.
Vishing is the voice channel attackers use to breach the enterprise
Vishing is phishing carried out over a voice call. The word blends voice and phishing, and it covers any call that uses a false pretext to pressure a target into revealing a password or one-time code, approving an MFA prompt, moving money, or granting remote access. It works because a live voice carries an urgency and authority that text cannot, and because most organizations inspect email far more closely than the phone.
Voice has become a preferred path into large enterprises. The FBI 2024 Internet Crime Report ranked phishing and spoofing as the most reported crime type, and call-driven tech-support and impersonation scams remain among the costliest categories it tracks. Attackers spoof caller ID so the call appears internal, study help-desk scripts so they can answer the verification questions, and increasingly clone a familiar voice from a short audio sample.
The pattern is now proven at the top of the market. The 2023 breaches of MGM Resorts and Caesars Entertainment both began with a call to the IT help desk by the group Scattered Spider, which impersonated an employee found on LinkedIn and talked its way past multi-factor authentication. AI voice cloning is removing the last tell: in the 2024 Arup case, a finance worker authorized a $25 million transfer after a deepfake video call with people who looked and sounded like company executives.
How vishing attacks unfold
Target research and pretext building
The attacker builds a dossier from LinkedIn, breach dumps, and corporate directories: who works on the help desk, who has admin rights, which vendor the company uses for payroll or IT. That detail makes the call credible. Scattered Spider reportedly identified a target employee on LinkedIn before calling the MGM help desk in 2023, which let the caller answer basic identity questions and request a reset for a real account.
Caller-ID spoofing and channel setup
Voice-over-IP services let an attacker display any number, because the calling-party field is set by the originating side and most carriers pass it through unchecked, so the call can appear to come from the internal help desk, a known vendor, or a bank fraud line. Some campaigns open with a text or email first, so the call lands as the expected follow-up. The goal is to remove the recipient's instinct to verify, because the number already looks right.
The call: authority, urgency, and rapport
The caller adopts a role the target is trained to help (an IT technician, a manager, a fraud investigator) and creates a reason to act now. Fluent English and a calm, professional manner do most of the work. Scattered Spider built its reputation on exactly this: young, native-English speakers who sound like a colleague and keep the target talking past the point where suspicion would normally kick in.
MFA and access manipulation
The objective is usually a credential, a one-time code, an MFA approval, or a help-desk action like a password or device reset. Attackers read the live code back into a login page before the 30-second window closes, push an MFA prompt and ask the target to approve it, or convince the help desk to enroll a new device. In the 2023 Retool breach the caller extracted one extra MFA code, which was enough to add the attacker's device to the employee's Okta account.
Voice cloning and multichannel chaining
Modern voice-cloning models need only a short audio sample, available from a conference recording, a podcast, or a voicemail greeting. Attackers chain channels for high-value targets: a text opens the pretext, a call with a cloned voice reinforces it, and a deepfake video call closes a wire authorization. The 2024 Arup loss ran this full chain and moved $25 million before any out-of-band check.
Real-world vishing case studies
2023 MGM Resorts and Caesars help-desk vishing
In August and September 2023 the group Scattered Spider breached both MGM Resorts and Caesars Entertainment by calling the IT help desk and impersonating an employee identified on LinkedIn, then requesting a credential reset that bypassed multi-factor authentication. The attackers went on to deploy ALPHV/BlackCat ransomware, which by the group's own account encrypted more than 100 ESXi hypervisors at MGM. MGM reported roughly a $100 million hit to its third-quarter results, and Caesars paid an estimated $15 million ransom. A single convincing phone call was the entire initial-access stage.
2023 Retool smishing-to-vishing account takeover
Retool, a developer-platform company, was breached in August 2023 after an employee received a text mimicking an internal identity portal, then took a follow-up call from an attacker using a deepfaked version of a real IT colleague's voice. The employee provided one additional MFA code, which let the attacker add a device to their Okta account. That Okta session reached the employee's Google account, and because Google Authenticator had synced the employee's OTP seeds to the cloud, the attacker then held every internal MFA code; 27 cloud customers, all in the crypto industry, were affected. The case shows how text and voice combine to defeat MFA.
2024 Arup deepfake video wire fraud, $25M
Engineering firm Arup confirmed that a finance employee in its Hong Kong office authorized 15 transfers totaling about $25 million after joining a video call with what appeared to be the company CFO and other colleagues. Every other participant was a deepfake generated from public footage. The pretext arrived first, the live call closed the trust loop, and the money moved before any callback to a known number. The case redefined the threat for treasury teams: a familiar voice and face on a live call are no longer proof of identity.
How to defend against vishing
Harden help-desk identity proofing
Most enterprise vishing targets the help desk. Require a second, independent verification before any password or MFA reset, such as a manager approval, a callback to a number on file, or a check against a system the caller cannot influence. Never let a reset proceed on the strength of answers a caller could find on LinkedIn. The MGM and Caesars breaches both turned on a help-desk reset granted to a convincing voice.
Require out-of-band call-back verification
Write a one-page policy that requires a callback to a published internal number before any wire change, banking update, MFA reset, or remote-access grant, no matter how legitimate the inbound call sounds. Adopt a code word for high-value finance and IT requests so a cloned voice cannot complete the chain alone. The 2024 Arup loss was preventable by this single control.
Treat caller ID as unverified
Caller ID is trivially spoofed over VoIP, so a number that looks internal proves nothing. Train staff to assume any unexpected call could be impersonated and to hang up and call back on a known number before acting. This breaks the attack because it moves the conversation to a channel the attacker does not control.
Deploy phishing-resistant MFA
When the second factor is a FIDO2 hardware key or a platform passkey, the assertion is bound to the legitimate domain and origin, so there is no code to read aloud and nothing a caller can relay into another site's login page. Move employees, starting with help-desk, finance, and admin roles, off SMS codes, authenticator-app codes, and push approvals. This removes the single most common thing a vishing caller asks for.
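The two mechanisms above, and the relay described under "MFA and access manipulation", as an added example that is not code from the page or from any vendor. The TOTP half follows RFC 6238 and shows that a code the victim reads aloud is accepted when the caller types it in a few seconds later. The assertion half mirrors the fields WebAuthn actually signs (the rpId hash, a counter, and the hash of clientData carrying the origin and challenge) so a response produced for a look-alike site fails at the real relying party; it uses HMAC with a per-credential key as a stand-in for the authenticator's public-key signature, and `login.example.com`, the secrets and the challenge are constructed demo values.

```python
"""TOTP relay vs origin-bound assertion: why one survives a phone call and the other does not."""
import base64
import hashlib
import hmac
import json
import struct
import time

# --- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ------------------------
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed demo seed


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def server_accepts_totp(submitted: str, at: float, window: int = 1) -> bool:
    """The IdP accepts any code valid in the current step +/- `window` steps.
    Nothing ties the code to who typed it or which page it was typed into."""
    return any(hmac.compare_digest(submitted, totp(TOTP_SECRET, at + k * 30))
               for k in range(-window, window + 1))


def vishing_relay_totp(now: float) -> bool:
    spoken_code = totp(TOTP_SECRET, now)          # victim reads it to the caller
    return server_accepts_totp(spoken_code, now + 10)  # caller submits it 10 s later


# --- WebAuthn-style assertion, bound to rpId and origin ----------------------
RP_ID = "login.example.com"                                  # assumed relying party
CRED_KEY = hashlib.sha256(b"demo-credential").digest()       # stand-in for the private key


def authenticator_sign(rp_id: str, origin: str, challenge: str, counter: int) -> dict:
    """The browser fills in the page's real origin and only allows an rpId the
    page is entitled to; the user never sees or speaks any of these values."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != f"https://{RP_ID}":                 # origin binding
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                            # rpId binding
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(CRED_KEY, signed, hashlib.sha256).digest(),
                               assertion["sig"])


CHALLENGE = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed; a real RP uses fresh random bytes


def legitimate_login() -> bool:
    return rp_verify(authenticator_sign(RP_ID, f"https://{RP_ID}", CHALLENGE, 1), CHALLENGE)


def vishing_relay_webauthn() -> bool:
    """Caller proxies the real challenge to a look-alike site and says 'just tap
    your key'. A real authenticator would not even find a credential for that
    rpId; here we let it sign anyway to show the RP still rejects the result."""
    fake = "login-example.com"
    stolen = authenticator_sign(fake, f"https://{fake}", CHALLENGE, 1)
    return rp_verify(stolen, CHALLENGE)


if __name__ == "__main__":
    now = time.time()
    print("TOTP read aloud, typed by attacker 10 s later accepted:", vishing_relay_totp(now))
    print("FIDO assertion from the legitimate origin accepted:    ", legitimate_login())
    print("FIDO assertion relayed from look-alike origin accepted:", vishing_relay_webauthn())
```

The point to take from the run is the third line: the relayed assertion fails on the origin check before the signature is even examined, which is exactly the property a spoken code lacks. The real WebAuthn check additionally verifies the signature with the credential's registered public key and that the signature counter increased.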
Reduce what a phone call can change
Tighten account-recovery and self-service reset flows so that high-impact changes cannot be completed by phone alone. Limit which roles can approve device enrollment and payment changes, and log and alert on out-of-hours help-desk resets. The fewer levers a single call can pull, the less a convincing pretext is worth.
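A detection that implements the last sentence above, as an added example and not code from the page or any vendor's product. It runs two rules over identity-provider audit events: a help-desk-performed password or factor reset outside business hours, and a new MFA factor activated within 30 minutes of a reset on the same account (the Retool sequence). Event names follow Okta System Log conventions, but the log lines are constructed for the example and the hours, window and JSON layout are assumptions to adjust for your own IdP export.

```python
"""Alert on help-desk resets that look like a vishing takeover."""
import json
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)          # assumed local help-desk hours, 08:00-17:59
ENROLL_WINDOW = timedelta(minutes=30)  # reset followed by new factor inside this = suspicious
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
ENROLL_EVENTS = {"user.mfa.factor.activate"}

# Constructed sample: alice (in hours, fast enrol), bob (after hours, fast enrol from
# an external address), carol (routine enrolment with no preceding reset).
SAMPLE_LOG = """\
{"published":"2023-08-27T09:12:03Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"10.0.5.21"}}
{"published":"2023-08-27T09:40:10Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"10.0.5.77"}}
{"published":"2023-08-27T22:05:41Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"10.0.5.21"}}
{"published":"2023-08-27T22:11:09Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-08-28T13:02:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.com"},"target":[{"alternateId":"carol@example.com"}],"client":{"ipAddress":"10.0.5.90"}}
"""


def parse(lines: str):
    """Yield the handful of fields the rules need from each JSON event line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        yield {
            "ts": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
            "type": ev["eventType"],
            "actor": ev["actor"]["alternateId"],
            "user": ev["target"][0]["alternateId"],
            "ip": ev["client"]["ipAddress"],
        }


def detect(lines: str, tz_offset_hours: int = 0):
    """Return (rule, user, detail) alerts; tz_offset_hours converts UTC to help-desk local time."""
    alerts = []
    last_reset = {}  # user -> most recent reset event on that account
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        local_hour = (ev["ts"] + timedelta(hours=tz_offset_hours)).hour
        if ev["type"] in RESET_EVENTS:
            last_reset[ev["user"]] = ev
            # only resets performed by someone other than the account owner count as help-desk
            if ev["actor"] != ev["user"] and local_hour not in BUSINESS_HOURS:
                alerts.append(("out_of_hours_reset", ev["user"],
                               f"{ev['type']} by {ev['actor']} at {ev['ts'].isoformat()}"))
        elif ev["type"] in ENROLL_EVENTS:
            reset = last_reset.get(ev["user"])
            if reset and ev["ts"] - reset["ts"] <= ENROLL_WINDOW:
                minutes = int((ev["ts"] - reset["ts"]).total_seconds() // 60)
                alerts.append(("enroll_after_reset", ev["user"],
                               f"new factor {minutes} min after {reset['type']} from {ev['ip']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {user:20} {detail}")
```

Bob trips both rules and alice trips the second one; carol's routine enrolment produces nothing. In production, feed the detector from the IdP's log export, set `tz_offset_hours` to the help desk's zone, and route `enroll_after_reset` straight to the on-call queue, because that pair of events is the signature of a reset that has just been turned into an attacker-controlled device.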
Run recurring role-based vishing exercises
Voice pressure is a skill that fades without practice. Role-based exercises that mirror live tradecraft (help-desk reset requests for IT, vendor-payment calls for finance, executive-impersonation and deepfake-voice scenarios for leadership) keep the call-back reflex current. Measure how often staff verify and report, not just how often they fail, and refresh the scenarios as cloning tooling improves.
How RansomLeak trains employees to spot vishing
RansomLeak runs immersive, scenario-based exercises rather than recorded videos and static quizzes. The vishing exercise puts the learner on a live-feeling call with a help-desk or fraud-line pretext and forces a decision under the verbal pressure that makes voice attacks work. Each scenario ends with immediate feedback that names the cues the learner missed and the call-back step that would have stopped the real attack.
Coverage extends across the voice and deepfake surface. The callback phishing exercise drills the text-then-call pattern, the deepfake voice cloning and deepfake audio detection exercises build the muscle for synthetic-voice calls, the MFA fatigue exercise covers the push-approval ask, the whaling-with-a-deepfake exercise puts executives inside the Arup scenario with a spoofed email, a cloned-voice voicemail, and a deepfake video call, and the smishing exercise covers the text that often opens a vishing chain. Every exercise ships as SCORM 1.2 and SCORM 2004 for any standards-compliant LMS.
Programs are scoped by role. Help-desk and IT staff get reset-request and account-recovery pretexts, finance and AP get vendor-payment and wire-change calls, and executives and their assistants get impersonation and deepfake-video scenarios. The result is a verification reflex that holds across phone, text, and video, measured by how reliably staff verify and report rather than by failure rate alone.
Recommended exercises
Scenario-based simulations from the 100+ catalogue.
Vishing
Puts learners on a live-feeling help-desk or fraud-line call and forces a decision under the verbal pressure that makes voice attacks work.
Callback Phishing
Drills the text-then-call pattern where the message asks the target to dial a number, the most common opener for a vishing chain.
Deepfake Voice Cloning
Builds the reflex for synthetic-voice calls that impersonate a known colleague from a short audio sample.
Deepfake Audio Detection
Trains learners to question a familiar voice on the phone, the assumption the Retool and Arup attacks exploited.
MFA Fatigue Attack
Covers the push-approval ask, a frequent goal of a vishing call once the attacker has a password.
Whaling With a Deepfake
Puts executives inside the Arup scenario with a spoofed email, a cloned-voice voicemail, and a deepfake video call requesting a wire.
Social Engineering
Covers the authority, urgency, and rapport tactics that every vishing call relies on, independent of channel.
Smishing
Covers the text message that frequently opens a vishing chain before the call arrives.
Frequently Asked Questions
What security leaders ask about this threat.
What is the difference between vishing and phishing?
Phishing is the umbrella term for fraudulent-message attacks that impersonate a trusted source. Vishing is the branch of phishing carried out by voice call, rather than by email or text.
The levers are the same (authority, urgency, and trust), but a live call adds pressure that a written message cannot, and the phone is far less monitored than corporate email. That is why vishing has become the channel of choice for breaching help desks and finance teams.
What is the difference between vishing and smishing?
Vishing is phishing over a voice call. Smishing is phishing over a text message. Both move the attack onto the phone, where defenses are thinnest and people respond fastest.
The two are often chained: a smishing text sets up the pretext and a vishing call closes it. The 2023 Retool breach worked exactly this way, with a text lure followed by a call using a deepfaked voice. Training for the phone means covering both channels.
How does a vishing attack work?
The attacker researches a target, spoofs a caller ID so the call looks internal or official, and adopts a role the recipient is inclined to help (an IT technician, a manager, or a fraud investigator). Under that pretext they ask for a password, a one-time code, an MFA approval, or a help-desk reset.
Modern attacks add voice cloning built from a short audio sample, and chain channels so a text or email precedes the call. The 2023 MGM and Caesars breaches both started with a single help-desk call.
Does caller ID prove who is calling?
No. Caller ID is trivially spoofed over internet calling, so a number that appears to be your help desk, your bank, or a known vendor proves nothing about who is actually on the line.
The safe response to any unexpected call asking for credentials, codes, or payment changes is to hang up and call back on a number you already trust, taken from an official app or website rather than from the call itself.
Can I run a vishing simulation with RansomLeak?
Voice-call simulations are in development. Today the RansomLeak phishing simulation platform runs live email campaigns and SMS (smishing) simulations against your own workforce, with full tracking and automated remediation.
For voice specifically, the immersive vishing exercise builds the call-back-and-verify reflex now, and voice campaign delivery will join the simulation platform when the channel ships. Talk to us if vishing simulation is a priority for your program.
What should I do if I gave information to a vishing caller?
Act fast. If it was a work account, report it to your security team or help desk through the published channel right away, and tell them exactly what you shared. If you gave a password or code, the team can rotate the credential, revoke active sessions, and remove any device the attacker may have enrolled.
If you authorized a payment or banking change, contact your bank and finance team immediately, because a quick recall request is sometimes able to stop the transfer.
References
Primary sources cited above.
- 2024 Internet Crime Report — FBI Internet Crime Complaint Center (IC3)
- #StopRansomware: Scattered Spider (help-desk social engineering) — CISA
- How a Phishing Attack Led to a Breach (incident write-up) — Retool
See RansomLeak in Action
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.