Fighting voice-based phishing needs to be a big part of your human risk management (HRM) plan.
KnowBe4 and the HRM industry have been warning about voice-based social engineering and phishing for decades. Some of the biggest and most notable hacks have long been based on it. Stories have often been told of brazen calls that resulted in big hacks. KnowBe4’s one and only Chief Hacking Officer, Kevin Mitnick (RIP), was known as a legend for the stuff he pulled off with phone calls when he was a teenager.
About a decade ago, the name vishing was assigned to it. For most of that decade, vishing wasn’t a huge thing. It occurred, but in far smaller numbers than email phishing.
That has changed.
A combination of improved email and online phishing countermeasures, along with a continued weakness in voice call anti-phishing protections, has led more and more hackers to call you to scam you out of money and confidential information. Today, it’s big business. Tens of billions of dollars, if not more, are being stolen using voice calls, voicemails and prompts to potential victims to call a phone number.
If there is one fact I want you to take away from this post, it is this: Voice-based social engineering is a huge threat to your work and personal environments. It’s everywhere all the time!
This was most recently re-driven home by the latest FBI hacker warning, officially known as the FBI FLASH-20250912-001 report, covering a large swath of nation-state hacking that has been breaking into Salesforce customers around the world. It includes the following relevant quotes about the hackers’ initial access methods:
- “…threat actors have obtained initial access by leveraging social engineering attacks, in particular voice phishing (vishing), to gain access to organizations’…”
- “…directing victims to visit from their mobile phones or work computers during the social engineering calls.”
It is the rare warning from the FBI or CISA (Cybersecurity and Infrastructure Security Agency) these days that doesn’t mention voice-based social engineering as a primary way hackers are obtaining access to targeted victims.
Here’s another recent CISA warning about the prolific Scattered Spider hacking group, where it says the hackers, “posed as company IT and/or help desk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network.”
Nearly every social engineering warning issued these days, from anyone, covers voice-based (and/or video- or audio-based) scams. It would be negligent not to. They are everywhere.
Vishing Scams
I’m pretty sure I get more fake calls from scammers on my phone than real calls. I never pick up a number I don’t recognize. Most vishing scams are from call center-based scammers pretending to be from well-known brands like AT&T, Verizon, T-Mobile, Amazon, Microsoft, etc. I also receive numerous inquiries from people supposedly interested in buying my house for a substantial amount of money.
If you pick up the active incoming call, the scam starts right away. If you don’t pick up, they leave you a voicemail and/or maybe a text. Some of them can be quite tricky.
I covered vishing scams where they either call you or leave an SMS message saying your phone or cable service is offering you a major discount (30% to 50%) on your monthly bills if you respond quickly. They claim they will pay off your current bills and give you a substantial discount going forward if you pay a “small fee.” They often have information about you, including your name, address, and relevant account information, which they have usually obtained legally or illegally beforehand.
I wrote about a similar T-Mobile scam and an Xfinity scam.
The vishing scams that really make me mad are the ones targeted at older and elderly adults, often living off retirement income. The scammers call pretending to be Amazon, the FBI, or the Secret Service. They are somehow able to convince otherwise great people to go to their bank, withdraw all their money, and hand all their cash off to a complete stranger (or mail it). People in my extended family have been impacted.
I wrote about these “cash bag” scams.
Callback Scams
Some of the vishing scams start with email or SMS messages. The scammer sends a phishing lure that seems legitimate in most respects, often some sort of unexpected bill that the recipient is told they need to pay. The message includes a phone number for the victim to call, which takes them to a professional-sounding call center that then talks them into giving the scammer remote access to their computer, installing malware, or reading their credit card information to someone over the phone. Because the initial contact messages don’t contain a phishing link, they are harder for content filtering systems to block.
Here’s an example of a callback scam I covered.
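As an added illustration (example code written for this page, not KnowBe4’s or any vendor’s filter), the heuristic below flags messages that carry the callback pattern described above: a bill or charge, pressure to act, a phone number to call, and no link for a URL filter to catch. The sample messages are constructed for the example.

```python
import re

# Constructed sample messages (written for this example, not taken from the post).
SAMPLES = {
    "callback": ("Your antivirus renewal of $399.99 was processed today. To cancel "
                 "or dispute this charge, call 1-800-555-0142 within 24 hours."),
    "link_phish": "Your mailbox is full. Verify your account at http://example.invalid/login",
    "benign": "Lunch tomorrow at noon? Let me know if that works.",
}

# North American phone number in its common written forms.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|\bwww\.", re.I)
PAYMENT_RE = re.compile(r"\$\s?\d|\b(?:invoice|bill|charged?|renewal|subscription|payment|refund)\b", re.I)
URGENCY_RE = re.compile(r"\b(?:within \d+ hours?|immediately|urgent(?:ly)?|today)\b", re.I)
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)


def callback_signals(text: str) -> dict:
    """Return the individual indicators of a callback-style lure."""
    return {
        "phone_number": PHONE_RE.search(text) is not None,
        "no_link": URL_RE.search(text) is None,          # nothing for a URL filter to catch
        "payment_language": PAYMENT_RE.search(text) is not None,
        "urgency": URGENCY_RE.search(text) is not None,
        "call_instruction": CALL_RE.search(text) is not None,
    }


def classify(text: str) -> dict:
    """Score a message: a phone number, no link, and pressure to call is the callback pattern."""
    s = callback_signals(text)
    suspect = (s["phone_number"] and s["no_link"] and s["call_instruction"]
               and (s["payment_language"] or s["urgency"]))
    return {
        "score": sum(s.values()),
        "verdict": "callback-phish suspect" if suspect else "no callback pattern",
        "signals": s,
    }


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = classify(msg)
        print(f"{name:11} score={r['score']} {r['verdict']}")
```

The link-bearing sample scores zero here on purpose: it is the case an ordinary URL filter already handles, while the callback lure is the one that slips past link-only filtering.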
Artificial intelligence (AI) is just going to make vishing far worse. We’ve already had huge hacks accomplished through AI-enabled deepfake calls, such as this $25M scheme or this scam where a developer was convinced he was talking to or messaging his CEO and it led to a compromise of the company’s customer password databases (and compromises of customers).
The only difference is that what used to be here and there…almost a trickle of background noise…is becoming a river of cacophony. Now, looking at the current trend, it is very likely that by the end of 2026, AI-enabled deepfakes and vishing will be a significant portion of social engineering and hacking. Email isn’t your only problem now. SMS messages aren’t the only worries involving your telephone number.
Voice-based social engineering scams are coming into their own and are going to proliferate like never before. You must train yourself, your family and your co-workers about the rising threat and how to mitigate it.
Defenses
Educate yourself and everyone about these threats. Share the examples from above. Share training about vishing.
Of course, I’m a big believer in my simple two-point check analysis to determine if an incoming message is at higher risk of being a social engineering attack (shown graphically below). If an incoming unexpected message is asking you to do something you’ve never been asked to do before, treat the incoming request as a high-risk message and research using an independent method before performing the requested action.
This doesn’t stop all scams, but it stops most of them. There are a lot of things other people like to add to my two-point check, but that makes it harder to teach and possibly incorrectly filters out some of the scams. Simpler is better.
Warn People About Vishing Scams
We used to warn people about fake emails. Then we had to warn them about fake SMS messages. Then fake WhatsApp messages. Now we need to tell them they cannot immediately trust any digitized audio or video, including calls to them. Phone numbers and voices turn out to be poor authenticators.
When possible, do simulated vishing, smishing and callback phishing exercises. And if someone fails one of them, give them more education.
Times have changed, and so have the primary mediums for social engineering and phishing. It used to be mostly an email problem. It’s not anymore.
Ask yourself if you’ve updated your HRM program to take into account this new reality. Not just a little bit, but as a main part of your HRM program.
If you haven’t, someone might give you a call.