
What is voice phishing? A complete explanation

18 Mar 2026 · 6 min read · Lara Hemstede

You receive a phone call. The caller introduces themselves as an employee of your bank, the tax authority, or the IT department of your own organisation. The voice sounds professional, the story is credible, and there is a sense of urgency. Within three minutes, you have shared information that you would normally never give to a stranger. Welcome to the world of voice phishing.

Definition: voice phishing (vishing)

Voice phishing, abbreviated as vishing, is a form of social engineering in which an attacker tries to extract sensitive information over the phone. Unlike email phishing, where a victim has to click a link themselves, vishing is a direct and personal interaction. The attacker adapts their story in real time based on the victim’s responses.

How does a vishing attack work?

A typical vishing attack unfolds in four stages: preparation, contact, manipulation, and exploitation. The attacker gathers information about the target in advance, makes contact while pretending to be a trusted party, applies psychological pressure, and exploits the information obtained.

Why is vishing so effective?

Its effectiveness rests on three pillars: human interaction, because a voice creates trust; the speed of the conversation, leaving little time to think; and the difficulty of technical detection, because there is no spam filter for phone calls.

What can you do?

Implement a verification protocol, train employees regularly with realistic scenarios, test resilience through mystery calls, and create a culture in which suspicious calls are reported.
