What Is a Vishing Attack?

    Vishing is voice phishing: fraud conducted by phone. It is also the brand impersonation vector that bypasses every digital defense an organization has built.

    In February 2025, attackers used a cloned CFO’s voice to call a Canadian insurance company’s finance department and authorize nearly $12 million in fraudulent transfers. The voice was synthetic, generated from publicly available recordings. The call was convincing enough to bypass every internal control designed to prevent unauthorized payments. The company did not discover the fraud until the money was gone.

    Around the same time, a cybersecurity veteran named Richard Werner, a professional with 20 years of experience teaching companies to resist exactly this kind of attack, received a call from someone claiming to be European law enforcement. Over several hours, a team of callers working in rotation convinced him to transfer €5,000 in Bitcoin. He later described the experience as a masterclass in emotional manipulation, one that worked precisely because the callers sounded authoritative, knowledgeable, and official.

    These are vishing attacks: fraud conducted through voice communication. The term combines “voice” and “phishing,” and what started as a marginal scam technique has become one of the fastest-growing threats in cybersecurity. If you have ever received a suspicious call claiming to be from your bank or your company’s IT department, you have encountered the entry-level version. The cases above show what the professional version looks like.

    Why vishing attacks surged 442% in a single year

    CrowdStrike’s 2025 Global Threat Report documented a 442% increase in vishing attacks in the second half of 2024 compared to the first half. By Q1 2025, vishing accounted for over 60% of all phishing-related incident response engagements, making it the dominant social engineering vector facing enterprises.

    Three developments converged to produce the surge. The first is voice cloning. AI tools can now produce a convincing replica of a specific person’s voice from as little as three seconds of recorded audio, with 85% accuracy. Earnings calls, conference keynotes, podcast appearances, and social media videos all provide source material. The barrier to creating a convincing voice impersonation dropped from specialized expertise and significant cost to effectively zero.

    The second is caller ID spoofing, which has become trivially cheap. Attackers can make any number appear on the recipient’s screen, including the main line of the victim’s bank, the direct extension of a colleague, or a government agency switchboard. The visual signals that people use to evaluate whether a call is legitimate, the number displayed and the name attached to it, are fully controllable by the attacker.

    The third is reconnaissance at scale. Data from prior breaches gives attackers names, titles, reporting structures, and enough context to make a call sound internal. When the caller already knows your manager’s name, your department, and the project you are working on, the social engineering requires almost no invention. It just requires a confident delivery. Criminal networks have formalized this at scale, recruiting vishers through job postings on underground platforms the same way legitimate companies hire call center staff.

    How vishing works as a brand impersonation vector

    Every vishing attack involves someone pretending to be an entity you have reason to trust: your bank, your employer, a government agency, or a colleague. That makes vishing a brand impersonation problem, not just a phone fraud problem. The attacker is borrowing someone else’s authority and delivering it through a voice channel rather than a web page or email.

    The FBI warned in May 2025 that attackers were using AI-generated voice messages to impersonate senior U.S. government officials, targeting current and former federal and state officials for credential harvesting and account takeover. The bureau updated the advisory in January 2026 after discovering the campaign had been running since at least 2023. The attackers impersonated Cabinet-level officials, members of Congress, and state government leaders, using the authority of the institution to make the request feel routine.

    In the financial sector, Group-IB’s research found that over 10% of surveyed financial institutions had suffered deepfake vishing losses exceeding $1 million, with average losses around $600,000 per incident. The attacks impersonate executives, auditors, regulators, and IT support personnel.

    What ties these cases together is that the attacker borrows the authority of a trusted identity and uses the phone as the delivery mechanism. The social engineering is the same as what drives email phishing and fraudulent websites, but the channel is harder to defend because there is no URL to scan, no domain to block, and no page to take down.

    Why traditional defenses do not cover vishing

    Your organization probably invests heavily in email filtering, domain monitoring, web-based brand protection, and takedown services. These controls address the channels where brand impersonation has historically concentrated. Vishing bypasses all of them.

    There is no equivalent of a spam filter for phone calls that evaluates whether the caller is actually who they claim to be. Caller ID spoofing means the number on your screen cannot be trusted. Voice cloning means the voice itself cannot be trusted. Your only defense in the moment is your own judgment, exercised in real time, under conditions the attacker has designed to suppress analytical thinking.

    This is why a cloned CFO voice authorized $12 million in transfers. This is why a 20-year cybersecurity professional lost money to a vishing team. And this is why CrowdStrike reports that breakout time for attacks initiated through voice channels has dropped to 79 minutes, meaning the attacker can go from initial phone call to full network compromise in under an hour and a half. The detection window is shorter than most organizations’ incident response escalation timelines.

    The Bottom Line

    Vishing is voice phishing, and it has become the fastest-growing social engineering vector in cybersecurity. Attacks surged 442% in a single year, vishing now accounts for over 60% of phishing-related incident response engagements, and AI voice cloning has reduced the cost of a convincing impersonation to near zero. Every vishing attack is a brand impersonation attack conducted through a channel that domain monitoring, email filtering, and web-based takedowns cannot reach. The organizations whose brands are being impersonated over the phone face a detection gap that most have not yet closed.

    Key Takeaways

    What is a vishing attack?

    Vishing, or voice phishing, is fraud conducted through phone calls or voice messages. Attackers impersonate trusted entities such as banks, executives, government agencies, or IT support personnel to manipulate targets into revealing credentials, authorizing transfers, or granting system access.

    How fast are vishing attacks growing?

    Vishing attacks surged 442% in the second half of 2024 according to CrowdStrike, and by Q1 2025 vishing accounted for over 60% of all phishing-related incident response engagements. Deepfake-enabled vishing specifically increased over 1,600% in Q1 2025 compared to Q4 2024.

    How does AI voice cloning enable vishing?

    Modern AI tools can clone a specific person’s voice from as little as three seconds of audio with 85% accuracy. Source material is widely available through earnings calls, conference recordings, podcasts, and social media. The cost and expertise required to create a convincing voice impersonation have dropped to near zero.

    Why can't traditional security tools stop vishing?

    Email filters, domain monitoring, and web-based brand protection address digital channels. Vishing bypasses all of them. There is no URL to scan, no domain to block, and no page to take down. Caller ID spoofing means the displayed number cannot be trusted, and voice cloning means the voice itself cannot be trusted.

    How does vishing connect to brand impersonation?

    Every vishing attack involves impersonating a trusted identity: a bank, an executive, a government official, or an IT support team. The attacker borrows the authority of the brand to make the request feel legitimate. The social engineering is the same as email phishing and fraudulent websites, but delivered through a channel that is harder to monitor and faster to exploit.
