Last Updated: May 2026 | Reading time: ~10 minutes

In January 2026, a coordinated group of attackers worked through a list of companies and started calling employees. No malware. No exploit code. They called the help desk, said they were from IT, and asked the employee on the other end to confirm their login credentials so a ticket could be resolved. At hundreds of organizations, it worked. The attackers walked away with single sign-on credentials, enrolled their own devices into the victim’s multi-factor authentication system, and helped themselves to whatever cloud data they wanted.

That campaign, tracked by Mandiant and documented in detail by Google’s Threat Intelligence Group, is one of the clearest illustrations of where the threat is moving. Vishing attacks, voice-based phishing delivered by phone call, surged 442% between the first and second half of 2024, according to CrowdStrike’s 2025 Global Threat Report. They now account for more than 60% of phishing-related incident response engagements, and 19% of all data breaches trace back to vishing or smishing as the initial point of entry, according to the 2025 Verizon Data Breach Investigations Report.

The phone was supposed to be safer than email. For small businesses and their employees, it no longer is.

What Is a Vishing Attack?

Vishing is short for voice phishing. It follows the same logic as email phishing: an attacker impersonates a trusted person or organization to extract sensitive information. The delivery method is a phone call rather than a message.

A vishing attacker might pose as your IT department, a bank fraud investigator, an IRS agent, a benefits administrator, or a vendor your company actually uses. The goal is to get the person on the other end to hand over credentials, confirm account details, approve a transaction, or take an action they otherwise would not. The calls are frequently scripted, often professionally delivered, and increasingly backed by research pulled from LinkedIn, company websites, and data exposed in previous breaches.

Vishing sits alongside smishing (SMS phishing) and social engineering as part of the same family of human-targeted attacks. Unlike technical exploits that require finding a software vulnerability, these attacks target the person, not the system. Training and awareness are the primary defenses, which also makes them the defense most organizations underinvest in.

Why Vishing Works: The Psychology Behind the Call

Phone calls carry a level of trust that email has largely lost. Most employees have been warned about suspicious links in email. Far fewer have been trained to question a caller who sounds authoritative, knows their name, and references a plausible situation.

Vishing works because attackers exploit predictable human reactions. Urgency is the most reliable tool. A call that opens with “your account shows unauthorized access and we need to verify your identity right now” pushes the target toward action before they have time to think. Fear and authority follow closely. A caller who sounds like they belong to IT, security, or a regulatory body triggers a compliance instinct in most employees, especially newer ones.

The Keepnet 2024 Voice Phishing Response Report found that 6.5% of employees handed over sensitive information during simulated vishing calls. That number climbs significantly in high-pressure sectors: manufacturing and engineering showed a susceptibility rate of 19.2%, and customer support teams clocked in at 11.5%. For small businesses where one person handles multiple roles, a single successful call can expose far more than one account.

Small business employees face 350% more social engineering attempts than employees at large enterprises, according to industry research. Larger companies have IT security teams, call verification procedures, and dedicated training programs. Most small businesses have none of these. Attackers know which end of that equation is easier to work.

How AI Has Transformed the Threat

Vishing was already effective before generative AI made it significantly worse. Current voice cloning tools can produce a convincing replica of someone’s voice from as little as three seconds of audio, according to research cited by McAfee. Earnings call recordings, podcast appearances, LinkedIn videos, and company overview content on YouTube all provide more than enough raw material.

Deepfake-enabled vishing attacks surged more than 1,600% in the first quarter of 2025 compared to the final quarter of 2024. The FBI issued a formal public warning in December 2025 documenting cases where attackers used AI-generated voice messages to impersonate senior government officials, establishing trust before asking targets to hand over account access. The same technique that worked on government contacts works on employees who receive a call from someone who sounds exactly like their CEO or IT director.

AI has also scaled the operation. Voice bots can now handle thousands of simultaneous calls, conducting initial outreach and screening for targets before a human attacker takes over for the sensitive part of the conversation. What once required one attacker per call now allows a small group to run campaigns against hundreds of organizations at once, which is precisely what the January 2026 campaign demonstrated.

The FBI’s 2025 Internet Crime Report logged more than 22,000 AI-related fraud complaints with losses exceeding $893 million. Researchers at Deloitte project that AI-enabled fraud losses in the U.S. could reach $40 billion annually by 2027. Neither figure accounts for unreported incidents, which the FBI estimates represent the large majority of what actually occurs.

How a Vishing Attack Actually Unfolds

Understanding the sequence of a vishing attack helps employees recognize it before they get to the part where they hand over credentials. The pattern is more predictable than it feels in the moment.

Reconnaissance comes first. Before the call, the attacker builds a target profile. Your employee’s name, role, and manager are on LinkedIn. Your company’s phone system, vendors, and software tools are often findable through job postings, review sites, or prior breach data. The attacker uses this to make the call feel internal rather than external.

The call opens with context, not a request. A caller who immediately asks for your password triggers suspicion. A caller who opens by referencing your ticketing system, your IT vendor by name, or a recent company event first sounds like they belong. The request comes after trust is established, often framed as a routine verification step.

Urgency closes the gap. Once the target is engaged, the attacker introduces a problem that requires immediate action: an account showing suspicious login attempts, a system update that must be completed before end of day, a fraud alert that will lock the account in minutes. The urgency is designed to short-circuit the instinct to pause and verify.

The follow-through varies by goal. Some attackers want credentials directly. Others direct the target to a convincing fake login page. In the 2026 ShinyHunters campaign, the goal was often to get employees to approve a new MFA device enrollment, which handed the attacker persistent access to the account even after the call ended. Recovery from that kind of compromise is significantly more complicated than a simple password reset.

Recognizing a Vishing Call: What Employees Need to Know

No technical tool stops a vishing call before it reaches an employee. The recognition has to happen during the conversation. These are the signals employees should learn to identify.

Pressure to act immediately. Legitimate IT teams, banks, and government agencies do not require instant action over the phone to prevent account suspension. If a caller insists that you must do something right now and cannot call back to verify, that urgency is the attack. Slow down.

Requests for credentials, MFA codes, or remote access. No internal IT person needs your password to fix a problem on your account. No bank needs your full card number to investigate fraud. No government agency resolves a matter by requesting payment over the phone. Any caller asking for these things, regardless of how plausible the context sounds, is asking for something a legitimate caller never would.

Caller ID that matches a known organization. Caller ID is trivially spoofed. A call appearing to come from your bank’s main number, your company’s IT line, or a government agency phone number proves nothing about who is actually calling. The display is not authentication.

Escalating pressure after initial resistance. When an employee says “let me call you back on the number I have on file,” a legitimate caller agrees. An attacker objects, explains why that will not work, and escalates the urgency. That objection is itself a red flag.

Requests to install software or approve a notification. Being directed to install a remote access tool or approve an authentication push mid-call is a reliable indicator of a compromised interaction. Stop the call and report it to IT or a manager before taking any action.

What Small Businesses Should Put in Place

Technical controls help but are not sufficient on their own. The goal is to reduce the window where a successful vishing call can cause damage before anyone notices.

Establish a verbal verification procedure. Employees should know exactly what to say when they receive an unsolicited call requesting sensitive action: “I need to verify this request by calling you back on our internal directory.” Write the procedure down. Include it in onboarding.

Adopt phishing-resistant MFA for critical systems. Push-notification MFA is better than nothing but can be manipulated in a live call. Hardware security keys and passkeys are significantly harder to compromise through social engineering because they do not produce a code an employee can read aloud or approve remotely.

Limit what employees can do in a single call. High-risk actions such as resetting account credentials, approving new device enrollments, or authorizing wire transfers should require a second channel of verification. A call-back to a known number, a manager confirmation, or a written ticket submission each add a step an attacker cannot easily replicate.

Train employees on the specific scripts attackers use. General security awareness training is less effective than training that shows employees what an actual vishing call sounds like. KnowBe4 and other providers offer vishing simulation programs that test employees with realistic calls and follow up with targeted coaching for those who engage.

Create a no-consequence reporting culture. An employee who almost fell for a vishing call and then caught themselves needs to feel safe reporting it. If the culture punishes near-misses, the near-misses stop getting reported and the organization loses the early warning signals it needs to respond before a breach occurs.

If an Employee Does Fall for a Vishing Call

Speed matters more than perfect procedure in the first hour. Assume the account is compromised and act accordingly.

  • Have the employee report it immediately, without shame or delay. The faster the response, the narrower the attacker’s window.
  • Reset the affected account credentials and revoke any active sessions from the administrative side, not just by changing the password from the user side.
  • Audit recent MFA device enrollments on the account. If a new device was added during or after the call, remove it immediately and investigate what was accessed during that enrollment window.
  • Check connected SaaS applications. In the 2026 campaign pattern, once attackers had SSO access they moved laterally across every connected platform. The breach is rarely limited to the one account the employee handed over.
  • Notify affected employees whose personal data may have been accessed. If employee records, HR data, or benefits information was in scope, those individuals may face downstream identity theft risk and should be informed promptly.
  • File an IC3 complaint with the FBI. Vishing incidents are underreported, which limits law enforcement’s ability to track and disrupt the groups running these campaigns.

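The first-hour checklist above boils down to one question an administrator has to answer quickly: what changed on this account from the time of the call onward? The following script is an added example, not part of the original article or any product it mentions. It assumes an audit log exported as JSON lines with hypothetical field names (`ts`, `user`, `event`, `ip`, `device`, `app`); real identity-provider exports use different schemas, so the parser would need adapting. The sample log is constructed for illustration.

```python
"""Triage helper for the first hour after a reported vishing call.

Added example (not from the original article). Given a user and the
time the call started, it lists MFA devices enrolled in the window,
logins from IP addresses not seen on the account before the call, and
connected applications accessed afterwards, so an admin can remove the
devices, revoke sessions, and review app access in the right order.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (hypothetical schema). Timestamps are UTC.
# 203.0.113.7 is the user's usual address; 198.51.100.9 appears only
# after the call, together with a new MFA enrollment.
SAMPLE_LOG = """\
{"ts": "2026-01-13T09:00:00Z", "user": "jdoe", "event": "mfa_enroll", "ip": "203.0.113.7", "device": "Laptop"}
{"ts": "2026-01-14T14:02:10Z", "user": "jdoe", "event": "login", "ip": "203.0.113.7", "app": "sso"}
{"ts": "2026-01-14T14:31:44Z", "user": "jdoe", "event": "login", "ip": "198.51.100.9", "app": "sso"}
{"ts": "2026-01-14T14:33:02Z", "user": "jdoe", "event": "mfa_enroll", "ip": "198.51.100.9", "device": "iPhone (new)"}
{"ts": "2026-01-14T14:35:19Z", "user": "jdoe", "event": "app_access", "ip": "198.51.100.9", "app": "crm"}
{"ts": "2026-01-14T14:36:40Z", "user": "jdoe", "event": "app_access", "ip": "198.51.100.9", "app": "hr-portal"}
{"ts": "2026-01-14T14:40:00Z", "user": "asmith", "event": "login", "ip": "203.0.113.7", "app": "sso"}
"""


def _parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_log(text):
    """Parse JSON-lines audit records into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = _parse_ts(rec["ts"])
        events.append(rec)
    return events


def triage(events, user, call_started, lookback=timedelta(minutes=15)):
    """Summarise what to act on for one user after a reported call.

    call_started is an ISO 8601 string. The window opens a little before
    the reported time because employees rarely remember it exactly.
    """
    window_start = _parse_ts(call_started) - lookback
    mine = [e for e in events if e["user"] == user]
    before = [e for e in mine if e["ts"] < window_start]
    hits = [e for e in mine if e["ts"] >= window_start]

    known_ips = {e["ip"] for e in before}
    new_mfa_devices = [e["device"] for e in hits if e["event"] == "mfa_enroll"]
    logins = [e for e in hits if e["event"] == "login"]
    unknown_ips = sorted({e["ip"] for e in hits} - known_ips)
    apps = sorted({e["app"] for e in hits if e["event"] == "app_access"})

    return {
        # Checklist step: remove devices enrolled during or after the call.
        "remove_mfa_devices": new_mfa_devices,
        # Checklist step: revoke every session issued from this point on.
        "revoke_sessions_since": window_start.isoformat(),
        "logins_in_window": len(logins),
        "unknown_ips": unknown_ips,
        # Checklist step: review each connected SaaS app that was touched.
        "apps_to_review": apps,
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), "jdoe", "2026-01-14T14:30:00Z")
    print(json.dumps(report, indent=2))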
The recovery burden falls on the individual employee as much as it falls on the company. A vishing call that results in credential theft can be the starting point for identity fraud that follows that employee for years: fraudulent accounts opened in their name, tax fraud filed under their Social Security number, or unauthorized benefit claims that create complications across multiple agencies. That recovery process is slow, stressful, and time-consuming without help.

Identity theft protection services with live recovery advocates can handle much of that process on behalf of the affected employee, including contacting credit bureaus, disputing fraudulent accounts, working with government agencies, and monitoring for new fraud as it surfaces. Offering that coverage as an employee benefit means your team has somewhere to turn the moment a call goes wrong, rather than spending weeks figuring it out alone.

Frequently Asked Questions About Vishing Attacks

What is the difference between vishing, phishing, and smishing?

Phishing is the broad category of attacks that use deception to steal information or credentials. Phishing delivered by email is simply called phishing. Smishing is phishing delivered by text message. Vishing is phishing delivered by voice call. All three use the same psychological mechanics but reach the target through a different channel.

Can caller ID be trusted to verify who is calling?

No. Caller ID spoofing is cheap, widely available, and requires no technical expertise. Attackers routinely display the phone numbers of banks, government agencies, or internal company lines to make their calls appear legitimate. A phone number on your screen is not evidence that the caller is who they claim to be.

Are small businesses really targeted by vishing attackers?

Yes, and disproportionately so. Smaller organizations typically lack the call verification procedures, dedicated security staff, and employee training programs that make vishing harder to execute against larger enterprises. Research shows small business employees face significantly higher rates of social engineering attempts per person than their counterparts at large companies. The lower defenses make the effort-to-reward ratio attractive for attackers running volume campaigns.

What should an employee do when they receive a suspicious call?

Tell the caller you need to verify the request and that you will call back on a number from your company’s internal directory or the organization’s official website. Do not use a number the caller provides. If the caller objects or escalates pressure, end the call and report it to IT or a manager immediately. The willingness to wait for a call-back is one of the clearest separators between a legitimate caller and an attacker.

How does AI voice cloning make vishing more dangerous?

AI voice cloning tools can replicate a person’s voice convincingly from a small sample of recorded audio. That means attackers can impersonate a CEO, a manager, an IT director, or anyone else whose voice appears in a recording online. Earnings calls, podcast appearances, company videos, and even voicemail greetings can all serve as source material. The result is a call that sounds exactly like a trusted person, which significantly raises the likelihood that an employee will comply with the request.

Does MFA protect against vishing attacks?

Standard push-notification MFA provides some protection but can be defeated in a live call. An attacker who has already obtained a username and password can trigger an MFA push and then ask the employee to approve the notification during the call. Phishing-resistant MFA methods, specifically hardware security keys and passkeys, are substantially harder to compromise through a phone call because they do not produce an approvable code the employee can act on mid-conversation.

What information do attackers typically try to steal through vishing attacks?

The targets vary by campaign. Corporate vishing attacks most often go after login credentials, MFA codes, or approval of remote access. Consumer-targeted calls tend to focus on Social Security numbers, bank account numbers, credit card details, or Medicare and benefits information. Employment-related vishing, where attackers obtain enough information to file fraudulent tax returns or claim benefits under a victim’s name, is one of the fastest-growing subcategories and the one most directly connected to long-term identity theft.

Give Employees Somewhere to Turn

Vishing attacks succeed by exploiting individuals, not systems. The employee who approves an unauthorized MFA device or reads a one-time code to the wrong person is not the weak link you fix with a firewall. They are the person your organization needs to support before and after an attack lands.

Defend-ID provides identity theft protection as an employee benefit. U.S.-based Recovery Advocates handle the restoration process, start to finish, when an employee’s identity is compromised. When the next vishing call succeeds, your team has somewhere to call. Learn more at defend-id.com.
