
Cybersecurity threat trends continue to evolve, but seemingly outmoded threat vectors don’t always go away; sometimes, as in the case of vishing, they keep coming back. In the end, threat actors take the easiest routes: quick, cheap and accessible threat avenues are always in style. Vishing, the use of phone calls to impersonate someone and social engineer the target, is on the rise again.
The CrowdStrike 2025 Global Threat Report identified a 442% increase in vishing attacks in the second half of 2024. What is going on? For about the same monthly subscription fee as a music streaming service, anyone can utilize deep fake voice generation software to create voice recordings that sound like someone else. First came the concept of using phone calls to scam people. Then came phone number and organizational spoofing using VoIP. Now, AI tools facilitate an interactive conversation that can be crafted to fake the voice of someone you know.
Threat actors continue to use social engineering to obtain credentials or financial payments, to convince a user to install malware, or to gain remote access to the user’s device. Pair the human desire to be helpful or to comply with the new voice technologies, and the resurgence of vishing as a social engineering tactic naturally results.
This sharp increase in vishing demands a response. Social engineering through various methods, including vishing, must be considered as a gateway into your organization’s systems and data. Here are a few strategies for mitigating the threat of vishing attacks:
User Training
- Coach users that phone calls could be an avenue for cyber threats.
- Introduce the concept of deep fake technologies that can be used for impersonation.
- Emphasize that credentials should never be shared over the phone.
- Encourage users to report suspicious phone calls.
- Develop checks and balances before users complete financial transactions and software installation.
- Patch systems and devices to remove risk of vulnerability exploitation.
Incident Response Planning
This might be the year to craft a tabletop exercise scenario that starts with vishing. Consider playing a deep fake voice simulation as part of the tabletop, to show rather than tell the response team the reality of this risk.
Patching and Hardening
Keep patching to prevent exploitation of software vulnerabilities, whether that exploitation starts the attack or happens during it. Removing local administrator rights and other system hardening add defense layers that mitigate the risk from vishing.
A significant increase in a cyber threat vector indicates that the threat yields the desired results for threat actors. It is time to take a serious second look at vishing as a tactic. Vishing will continue to be an attack vector as long as it succeeds.