Cyber Pulse Academy

T1598.004, Reconnaissance

Spearphishing Voice

Voice phishing (vishing) uses phone calls, AI-cloned voices, and spoofed caller IDs to manipulate victims into revealing sensitive information...
[Interactive call demo: a simulated incoming call whose caller ID is spoofed to show "IT Helpdesk, Internal Support, Ext. 4501"; the widget cycles through other spoofed identities (unknown caller, CEO office, a bank fraud department, an HR manager) and flags every one of them as fraudulent.]

Simulated exchange from the demo:

"Hi, this is Mike from IT. We detected suspicious activity on your account."
"Oh, really? What kind of activity?"
"Someone tried to reset your password. I need to verify, what's your employee ID?"
"It's EMP-4827..."
"Thank you. For security, please read me the 6-digit code I just sent to your phone."
"OK... 8-4-2-9-1-6"
"Perfect. You're all set. Have a great day!"
[ Session hijacked. Credentials stolen. ]
"Wait... I didn't request any reset..."

Attack chain shown in the demo: Target Select → OSINT Collect → Spoofed Call → Social Engineering → Data Harvest.

Why Vishing Matters Now

Vishing attacks surged 442% in 2024, making voice phishing the fastest-growing attack vector in cybersecurity. AI voice cloning technology can now replicate any person's voice from as little as 3 seconds of audio, enabling devastating impersonation attacks at unprecedented scale.

  • +442%: vishing attack surge in 2024
  • 3 sec: audio needed for an AI voice clone
  • $55B: BEC scam losses 2013-2023 (FBI)
  • 80%: share of BEC scams that impersonate executives

The Evolving Vishing Landscape

Voice phishing has evolved from crude boiler-room operations to sophisticated, AI-powered attacks that can fool even trained security professionals. Modern vishing campaigns combine multiple techniques: caller ID spoofing via VoIP services, AI deepfake voice cloning to impersonate known individuals, and real-time OSINT gathered from social media, LinkedIn profiles, and corporate websites to craft highly convincing pretexts.


The MGM Resorts attack (2023) demonstrated the devastating impact of voice-based social engineering. Attackers used vishing to gain initial access, ultimately causing over $100 million in damages and a 10-day system outage. The Twitter/X breach (2020) similarly began with a phone call to a single employee, granting attackers access to high-profile accounts including Barack Obama, Elon Musk, and Apple.


Federal agencies are sounding the alarm. CISA has issued multiple advisories on voice-based social engineering, while the NIST Cybersecurity Framework now explicitly addresses voice channel security. Organizations that fail to train employees on vishing face exponentially greater risk of business email compromise, credential theft, and financial fraud.

Key Terms & Concepts

Vishing (Voice Phishing)

A social engineering attack that uses phone calls or voice messages to deceive victims into revealing sensitive information such as passwords, bank details, or one-time authentication codes. Unlike email phishing, vishing exploits the inherent trust people place in voice communication and the urgency of a live conversation.

Everyday Analogy

Imagine someone calls your home claiming to be from your bank. They know your name, mention a "suspicious transaction," and sound professional and urgent. They ask you to "verify" your account number "for security purposes." Vishing is the digital version of a con artist knocking on your door wearing a fake uniform: the technology has changed, but the human tendency to trust authority figures remains the same vulnerability.

Essential Vishing Vocabulary

  • Caller ID Spoofing: Manipulating the phone network to display a fake number on the recipient's caller ID screen, making the call appear to come from a trusted source. Analogy: putting a fake return address on a letter.
  • AI Voice Cloning: Using deep learning to replicate a person's voice from a short audio sample, enabling realistic impersonation during phone calls. Analogy: a high-tech ventriloquist dummy.
  • Pretexting: Creating a fabricated scenario or identity to establish trust and manipulate the target into complying with requests. Analogy: an actor wearing a convincing costume.
  • BEC / VEC: Business Email Compromise / Vendor Email Compromise, fraud schemes that increasingly use vishing as the initial access vector. Analogy: a wolf in sheep's clothing at the corporate gate.
  • VoIP: Voice over Internet Protocol, the technology that carries voice calls over the internet; it is easily abused for caller ID spoofing and call anonymization. Analogy: sending a postcard instead of a sealed letter.
  • Callback Verification: A defensive technique where the recipient hangs up and calls the organization back using a known, trusted phone number. Analogy: checking someone's ID at the door.
  • Urgency Tactics: Psychological manipulation using time pressure, fear, or authority to prevent the victim from thinking critically. Analogy: a car salesman saying "this deal ends in 5 minutes".

Related MITRE ATT&CK Techniques

Vishing rarely operates in isolation. Attackers typically combine voice phishing with extensive reconnaissance of their target, so understanding the broader attack chain is essential. The related techniques referenced throughout this page are:

  • T1598 Phishing for Information (the parent technique of T1598.004)
  • T1589.001 Gather Victim Identity Information: Credentials
  • T1591.002 Gather Victim Org Information: Business Relationships
  • T1591.004 Gather Victim Org Information: Identify Roles

Real-World Scenario: Elena's Close Call

The Target: Elena Vasquez, Payroll Manager

Elena was a diligent payroll manager at a mid-size manufacturing firm with 340 employees. She had been with the company for 7 years and was known for her reliability. She managed bi-weekly payroll processing, maintained employee bank details, and had access to the corporate wire transfer system for vendor payments.

📅 Monday, 8:47 AM, The Call

Elena's desk phone rang. The caller ID displayed "Robert Chen, CEO Office", a number she recognized from previous legitimate calls. The voice on the other end sounded exactly like Mr. Chen: measured, authoritative, with the same slight Southern accent she'd heard in quarterly town halls. The caller said he was traveling overseas and needed an urgent wire transfer of $47,500 to a new vendor for a confidential acquisition. "Elena, I need this done before the board meeting at 10 AM. Don't mention this to anyone, it's M&A sensitive."

📅 Monday, 8:52 AM, The Manipulation

The caller referenced specific details: Elena's recent promotion, the upcoming Q3 audit, and the name of the CFO (David Park) who was "in on the deal." When Elena hesitated, the voice became slightly impatient, a tone she'd heard from Mr. Chen before. The caller provided wire transfer details for a bank account in Hong Kong and stressed that the vendor had been "vetted by legal." The AI-cloned voice had been trained on 47 seconds of audio from a public earnings call recording found on YouTube.

📅 Monday, 9:15 AM, Near Execution

Elena logged into the wire transfer portal and began entering the recipient details. The sense of urgency was overwhelming: she had 45 minutes. The caller stayed on the line, "helpfully" walking her through the process. She was about to click "Submit" when she noticed the receiving bank's SWIFT code pointed to a different country than Hong Kong. Something felt wrong.

📅 Monday, 9:18 AM, The Save

Elena remembered the security training she'd completed just two months prior. The instructor had specifically covered "CEO fraud via phone calls" and emphasized one rule: always verify through a separate channel. Elena told the caller she needed to step away briefly, hung up, and called Mr. Chen's personal cell, a number she had saved in her contacts, not the one displayed on caller ID. Mr. Chen was in his office; he had never called her and knew nothing of any wire transfer.

📅 Monday, 9:25 AM, Incident Response

Elena immediately contacted the IT security team, who confirmed it was a sophisticated vishing attack using AI voice cloning. The security team traced the VoIP call through multiple relay servers across four countries. The attacker had gathered extensive OSINT: Elena's name from LinkedIn, her role from the company website, Mr. Chen's voice from a YouTube earnings call, and the CFO's name from a press release. The attack was thwarted with 25 minutes to spare.

  • $47,500: saved by security awareness training
  • 47 sec: audio needed for the AI voice clone
  • 4: countries the VoIP relay crossed
  • 25 min: time between the call and the incident report

Step-by-Step Protection Guide

01

Verify Every Caller Identity Independently

Never trust caller ID alone. Phone numbers are trivially spoofed using VoIP services. Always verify the caller's identity through a separate, known communication channel.

  • Hang up and call back using a number from the company directory, not from the caller or your caller ID display.
  • Use a known email or messaging platform to confirm unusual requests, especially those involving money or credentials.
  • Establish a company-wide verification protocol with code words or callback procedures.

🛡 Protection Word: CALLBACK. When in doubt, call back. See T1591.002 Business Relationships for how attackers gather trusted numbers.

02

Recognize Urgency and Pressure Tactics

Vishing attacks almost always use manufactured urgency to prevent you from thinking critically. Legitimate organizations rarely demand immediate action over the phone.

  • Watch for phrases like "immediate action required," "your account will be locked," "this is time-sensitive," or "don't tell anyone."
  • Be especially suspicious of requests that bypass normal approval chains or ask you to skip standard procedures.
  • Slow down. A legitimate caller will respect your need to verify. A criminal will pressure you to act now.

🛡 Protection Word: PAUSE. Take 30 seconds to think before responding to any urgent request.

03

Never Share Credentials or Authentication Codes Over the Phone

No legitimate IT department, bank, or service provider will ever ask for your password, PIN, or authentication code over an inbound phone call.

  • One-time passwords (OTPs), MFA codes, and password reset links should never be read aloud to anyone who calls you.
  • If a caller asks you to install remote access software (AnyDesk, TeamViewer) during a "support" call, this is almost certainly a scam.
  • Report any such request immediately to your security team, even if you didn't comply.

🛡 Protection Word: REFUSE. Legitimate entities never need your password. See T1589.001 Credentials for how attackers use harvested credentials.

04

Limit Personal Information Available Online (OSINT Hardening)

Attackers gather intelligence from LinkedIn, company websites, social media, and public recordings to craft convincing vishing pretexts. Reducing your digital footprint makes you a harder target.

  • Remove or limit publicly available phone numbers, direct extensions, and organizational charts from company websites.
  • Avoid posting voice recordings, conference presentations, or webinars that could be used for AI voice cloning.
  • Review your LinkedIn profile settings; limit visibility of your direct contact information and specific job responsibilities.

🛡 Protection Word: MINIMIZE. Less public data means fewer attack vectors. See T1591.004 Identify Roles for how attackers profile targets.

05

Implement Technical Call Security Controls

Organizations can deploy technical safeguards to detect and block vishing attempts before they reach employees.

  • Deploy STIR/SHAKEN protocol on enterprise phone systems to verify caller ID authenticity and flag spoofed numbers.
  • Use AI-powered voice analysis tools that can detect synthetic or cloned voices in real-time.
  • Implement callback verification systems and out-of-band authentication for financial transactions or credential changes.

🛡 Protection Word: VERIFY. Technology plus policy creates defense in depth.

06

Conduct Regular Vishing Awareness Training and Simulations

Human awareness remains the most effective defense against vishing. Regular training transforms employees from potential victims into active defenders.

  • Schedule quarterly vishing awareness training that covers the latest AI-powered attack techniques and real-world case studies.
  • Run authorized vishing simulations (with employee consent) to test resilience in realistic scenarios and measure improvement.
  • Create a blameless reporting culture where employees feel safe reporting suspicious calls without fear of embarrassment.

🛡 Protection Word: TRAIN. Awareness training saved Elena's company $47,500. It can save yours too. See T1598 Phishing for Information for the broader threat landscape.

07

Establish and Enforce Financial Transaction Policies

Strong financial controls create multiple checkpoints that vishing attacks must bypass, dramatically reducing the chance of successful fraud.

  • Require dual authorization for all wire transfers above a defined threshold, with at least one approval through an in-person or video-verified channel.
  • Maintain a list of pre-approved vendors with verified banking details, and flag any changes that come through phone requests.
  • Implement a mandatory cooling-off period for all emergency financial requests: no transaction should be completed in under 1 hour.

🛡 Protection Word: APPROVE. Every dollar should require two pairs of eyes.
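The financial controls from steps 01 and 07, written as a policy check and run against the request from Elena's scenario. This is an added example, not the page's or any vendor's code; the approval threshold, the vendor record, the account strings, the SWIFT code's country and the calendar date are assumptions constructed for illustration.

```python
"""Wire-transfer policy checks modelled on the guide's steps 01 and 07 (out-of-band
confirmation, verified vendor record, dual authorization, cooling-off) plus the
SWIFT-country mismatch Elena noticed. Added example, not the page's own code; the
threshold, vendor record, account strings and date are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUAL_APPROVAL_THRESHOLD = 10_000           # assumed threshold in USD
COOLING_OFF = timedelta(hours=1)           # page: no emergency transfer in under 1 hour
STRONG_CHANNELS = {"in_person", "video"}   # at least one approval must arrive this way
SCENARIO_NOW = datetime(2024, 1, 8, 9, 15) # "Near Execution" moment; year is constructed

# Constructed pre-approved vendor database: name -> verified banking details.
APPROVED_VENDORS = {
    "Acme Metals Ltd": {"iban": "GB00EXAMPLE00000001", "swift": "EXAMGB2L"},
}

@dataclass
class Approval:
    approver: str
    channel: str            # "in_person", "video", "portal", "email" or "phone"

@dataclass
class WireRequest:
    amount: float
    vendor: str
    iban: str
    swift: str              # BIC: characters 5-6 are the bank's ISO country code
    stated_country: str     # where the requester says the account is (ISO alpha-2)
    request_channel: str    # how the instruction arrived: "phone", "email", "portal"
    requested_at: datetime
    emergency: bool
    approvals: list = field(default_factory=list)

def policy_violations(req: WireRequest, now: datetime) -> list[str]:
    """Return every control the request fails; an empty list means it may proceed."""
    problems = []
    known = APPROVED_VENDORS.get(req.vendor)
    if known is None:
        problems.append("vendor not in pre-approved list")
    elif (req.iban, req.swift) != (known["iban"], known["swift"]):
        problems.append("banking details differ from verified vendor record")
    if req.swift[4:6].upper() != req.stated_country.upper():
        problems.append("SWIFT code country does not match stated country")
    if req.request_channel == "phone":
        problems.append("instruction received by phone; requires out-of-band confirmation")
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        if len({a.approver for a in req.approvals}) < 2:
            problems.append("dual authorization required above threshold")
        if not any(a.channel in STRONG_CHANNELS for a in req.approvals):
            problems.append("no approval through an in-person or video channel")
    if req.emergency and now - req.requested_at < COOLING_OFF:
        problems.append("cooling-off period not elapsed for emergency request")
    return problems

def scenario_request() -> WireRequest:
    """Elena's request: new vendor, phoned in, urgent, SWIFT country differing from
    the claimed Hong Kong account. The other country and the strings are constructed."""
    return WireRequest(
        amount=47_500, vendor="Confidential acquisition vendor",
        iban="SG00CONSTRUCTED0000001", swift="CNSTSGSG", stated_country="HK",
        request_channel="phone", requested_at=datetime(2024, 1, 8, 8, 47),
        emergency=True, approvals=[Approval("Elena Vasquez", "portal")],
    )

def compliant_request() -> WireRequest:
    """A request that clears every control, for contrast."""
    return WireRequest(
        amount=47_500, vendor="Acme Metals Ltd",
        iban="GB00EXAMPLE00000001", swift="EXAMGB2L", stated_country="GB",
        request_channel="portal", requested_at=datetime(2024, 1, 8, 8, 47),
        emergency=False,
        approvals=[Approval("Elena Vasquez", "portal"), Approval("David Park", "video")],
    )

if __name__ == "__main__":
    print(policy_violations(scenario_request(), SCENARIO_NOW))   # six findings
    print(policy_violations(compliant_request(), SCENARIO_NOW))  # []
```

Any non-empty result should block the transfer and route it to the callback procedure from step 01 rather than merely warn the operator.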

Common Mistakes & Best Practices

❌ Common Mistakes

  • Trusting caller ID blindly: Assuming the number displayed on your phone screen proves who is calling. Caller ID spoofing is trivial and costs less than $10 using VoIP services.
  • Complying under pressure: Providing information or passwords, or making transfers, because the caller sounded authoritative and created artificial urgency.
  • Not reporting suspicious calls: Feeling embarrassed or thinking "it's probably nothing" and failing to alert the security team about a potential vishing attempt.
  • Sharing MFA codes over the phone: Reading out one-time passwords, PINs, or verification codes to callers, even those claiming to be from IT support or your bank.
  • Assuming AI voice cloning is rare: Believing deepfake voices are expensive or difficult to produce when in reality 3 seconds of audio is sufficient for convincing replication.

✔ Best Practices

  • Always verify through a separate channel: Hang up and call back using a known, trusted phone number from your company directory or the organization's official website.
  • Establish code word protocols: Create unique verification phrases or questions between executives, finance teams, and IT that only legitimate callers would know.
  • Implement dual-approval workflows: Require at least two authorized individuals to approve any financial transaction, credential reset, or sensitive data disclosure.
  • Reduce your public digital footprint: Limit publicly available phone numbers, voice recordings, and organizational details that attackers use to craft convincing pretexts.
  • Train, simulate, and measure: Conduct regular vishing awareness training, run controlled simulations, and track improvement metrics over time to build a resilient workforce.

The Cost of Complacency

Organizations that treat vishing as a low-priority threat pay a steep price. The average business email compromise (which increasingly begins with vishing) costs $4.67 million per incident (IBM, 2024). MGM Resorts lost over $100 million from an attack chain that started with a vishing call. These aren't theoretical risks; they are documented, measurable, and preventable.

Compare this to the cost of defense: a comprehensive vishing awareness program, including training materials and annual simulations, typically costs less than $15,000 per year for a mid-size organization. The ROI on awareness training is measured in the millions.

Red Team vs. Blue Team

Red Team (Attacker)

😈 How Attackers Execute Vishing

Objective: Manipulate a human target into revealing credentials, making unauthorized financial transfers, or installing remote access tools, all through a phone call.

Phase 1: Reconnaissance & Target Selection

Attackers profile targets using OSINT: LinkedIn profiles reveal job titles and responsibilities, company websites provide phone extensions, press releases mention executive names, and publicly available recordings (earnings calls, conference talks, podcasts) supply the raw audio for AI voice cloning. They identify high-value targets such as finance managers, HR staff, IT helpdesk workers, and executive assistants.

Phase 2: Pretext Development & Weaponization

Using the gathered intelligence, attackers craft a convincing scenario: "This is IT support, we detected a security issue," or "I'm the CEO, I need an urgent wire transfer." AI voice cloning tools generate synthetic speech that matches the impersonated individual's tone, cadence, and accent. Caller ID is spoofed to display the organization's internal extension or a known executive number.

Phase 3: Engagement & Exploitation

The attacker places the call, establishing rapport and credibility using known details. They create urgency and isolation: "Don't tell anyone about this," "This is time-sensitive," "I need your help with a confidential matter." The target, under psychological pressure and trusting the fabricated identity, complies with the request.

Phase 4: Collection & Exfiltration

The attacker captures the target's response: passwords, OTP codes, financial transfer confirmations, or remote access credentials. They then pivot to secondary systems using the stolen information, covering their tracks by terminating the VoIP session and destroying call records.

Blue Team (Defender)

🛡 How Defenders Counter Vishing

Objective: Detect, prevent, and respond to voice-based social engineering attacks through technology, policy, and human awareness.

Prevention: Technical Controls

Deploy STIR/SHAKEN protocols on enterprise phone systems to verify caller ID authenticity. Implement AI-powered voice analysis that can detect synthetic or cloned voices in real-time. Use call recording and monitoring on sensitive lines (finance, executive) with AI flagging of suspicious patterns. Establish multi-factor callback verification for all unusual requests.

Prevention: Policy & Process

Enforce dual-approval workflows for financial transactions above defined thresholds. Require out-of-band verification for any password reset, credential change, or access request. Create code word protocols between executives and finance teams. Implement a mandatory cooling-off period for emergency requests. Maintain a verified vendor database with pre-approved banking details.

Detection: Monitoring & Intelligence

Monitor for VoIP anomalies: high-volume calls to specific extensions, calls from unrecognized international prefixes, or patterns matching known vishing campaigns. Track employee reports of suspicious calls to identify targeted campaigns. Cross-reference phone activity with login events to detect credential harvesting in progress.
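The monitoring signals described above (caller ID treated as unverified unless STIR/SHAKEN attestation vouches for it, calls from unexpected international prefixes, one caller sweeping many extensions, and credential events shortly after an inbound call to the same user's extension) as detection logic over constructed records. This is an added example, not the page's own tooling; the CDR layout, the attestation field, the trusted prefixes, the thresholds and every sample value are assumptions.

```python
"""Detection heuristics from the monitoring section above, run over a handful of
constructed call-detail records (CDRs) and identity events. Added example, not the
page's own tooling; the CDR layout, attestation field, trusted prefixes, thresholds
and every sample value are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inbound CDRs. "attest" is the STIR/SHAKEN attestation the carrier passed
# along: "A" full, "B" partial, "C" gateway, "" none. Only "A" vouches for the number.
CDRS = [
    {"ts": "2024-01-08T08:47:00", "from": "+15550001234", "attest": "C", "ext": "4510"},
    {"ts": "2024-01-08T08:48:10", "from": "+15550001234", "attest": "C", "ext": "4511"},
    {"ts": "2024-01-08T08:53:30", "from": "+15550001234", "attest": "C", "ext": "4512"},
    {"ts": "2024-01-08T09:02:00", "from": "+15551119876", "attest": "A", "ext": "4520"},
    {"ts": "2024-01-08T09:10:00", "from": "+2349012345678", "attest": "", "ext": "4501"},
]
# Constructed identity events from the IdP/helpdesk, tagged with the user's desk extension.
IDENTITY_EVENTS = [
    {"ts": "2024-01-08T08:50:12", "user": "evasquez", "ext": "4510", "event": "mfa_code_sent"},
    {"ts": "2024-01-08T08:51:40", "user": "evasquez", "ext": "4510", "event": "password_reset"},
    {"ts": "2024-01-08T09:30:00", "user": "jdoe", "ext": "4520", "event": "password_reset"},
]

TRUSTED_PREFIXES = ("+1", "+44")           # assumed: country codes the business expects
SWEEP_MIN_EXTENSIONS = 3                   # one caller reaching this many extensions ...
SWEEP_WINDOW = timedelta(minutes=10)       # ... within this window looks like a campaign
CORRELATION_WINDOW = timedelta(minutes=5)  # credential event this soon after a call
SENSITIVE_EVENTS = {"password_reset", "mfa_code_sent", "mfa_enrolled"}

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def unverified_callers(cdrs=CDRS) -> list[dict]:
    """Caller ID is unverified information unless the carrier gave full ("A") attestation."""
    return [c for c in cdrs if c["attest"] != "A"]

def foreign_prefix_calls(cdrs=CDRS) -> list[dict]:
    """Calls whose E.164 number does not start with a prefix the business normally sees."""
    return [c for c in cdrs if not c["from"].startswith(TRUSTED_PREFIXES)]

def extension_sweeps(cdrs=CDRS) -> dict[str, set]:
    """Callers that reach SWEEP_MIN_EXTENSIONS distinct extensions inside SWEEP_WINDOW."""
    by_caller = defaultdict(list)
    for c in cdrs:
        by_caller[c["from"]].append((_ts(c["ts"]), c["ext"]))
    sweeps = {}
    for caller, calls in by_caller.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            exts = {ext for t, ext in calls[i:] if t - start <= SWEEP_WINDOW}
            if len(exts) >= SWEEP_MIN_EXTENSIONS:
                sweeps[caller] = exts
                break
    return sweeps

def correlated_credential_events(cdrs=CDRS, events=IDENTITY_EVENTS) -> list[tuple]:
    """Sensitive identity events shortly after an inbound call to the same extension:
    the 'credential harvesting in progress' pattern described above."""
    hits = []
    for e in events:
        if e["event"] not in SENSITIVE_EVENTS:
            continue
        for c in cdrs:
            delta = _ts(e["ts"]) - _ts(c["ts"])
            if c["ext"] == e["ext"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                hits.append((e["user"], e["event"], c["from"]))
    return hits

if __name__ == "__main__":
    for name, fn in [("unverified", unverified_callers), ("foreign", foreign_prefix_calls),
                     ("sweeps", extension_sweeps), ("correlated", correlated_credential_events)]:
        print(name, fn())
```

The correlation check is the one worth alerting on in near real time, since it fires while the call is still in progress and the account can still be locked before the stolen code is used.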

Response: Incident Handling

Establish a clear reporting channel for employees to report suspicious calls. Create an incident response playbook specific to vishing: lock affected accounts, revoke active sessions, reset credentials, notify affected parties, and preserve call metadata for forensic analysis. Conduct post-incident training to reinforce lessons learned.

Threat Hunter's Eye

🔎 How Attackers Exploit the Human Voice Channel

Understanding the mechanics of vishing attacks helps defenders recognize the signs and build effective countermeasures. Here is a safe, legal, and non-technical explanation of how attackers abuse the fundamental weaknesses in voice communication.

Vulnerability 1: Inherent Trust in Voice Communication

Human beings are evolutionarily wired to trust voice communication. When we hear a voice, especially one that sounds familiar, professional, or authoritative, our brains automatically assign credibility. This trust bypasses the skepticism we might apply to an email or text message. Attackers exploit this biological vulnerability by presenting themselves as figures of authority: IT support, bank officials, CEOs, HR managers, or law enforcement.

The defense isn't to stop trusting voices entirely (which is impractical), but to always verify through an independent channel. Think of it like a security checkpoint: the voice gets you to the gate, but verification gets you through.

Vulnerability 2: Caller ID Is a Display-Only Feature

The phone system's caller ID feature was designed for convenience, not security. It relies on the calling party to honestly identify themselves, a concept called "trust the sender." This is analogous to the envelope sender field in email, which anyone can forge. VoIP technology makes spoofing trivially easy: a $10 VoIP service can display any phone number, including internal company extensions.

Newer protocols like STIR/SHAKEN attempt to add cryptographic verification to caller ID, but adoption is incomplete, especially for international calls. Until universal verification is achieved, caller ID must always be treated as unverified information.

Vulnerability 3: AI Lowers the Cost of Impersonation to Near Zero

Historically, impersonating a specific person over the phone required a skilled social engineer who could mimic voices convincingly. Today, AI voice cloning services can replicate any voice from just 3 seconds of sample audio. Publicly available recordings (earnings calls, conference talks, YouTube interviews, podcast appearances) provide ample raw material for attackers to clone executive voices.

This democratization of impersonation means that every executive, manager, or employee who has ever recorded a video, given a presentation, or appeared in a podcast is a potential voice clone target. The defense is to minimize public audio exposure and implement code word verification protocols for sensitive requests.

Vulnerability 4: Urgency Creates Cognitive Overload

Vishing attacks succeed because they create a state of cognitive overload: the combination of an authoritative voice, a perceived crisis, and time pressure prevents the target from engaging their critical thinking. This is a well-documented psychological phenomenon called "urgency bias": under time pressure, humans default to heuristics (mental shortcuts) rather than careful analysis.

The most effective defense is to institutionalize a pause. When employees are trained to automatically slow down, verify, and report, regardless of who seems to be calling, the urgency weapon is neutralized. Organizations should make it culturally acceptable (even expected) to question unusual requests, no matter how senior the apparent caller.

Vulnerability 5: OSINT Provides the Blueprint for Convincing Pretexts

Before a vishing call is placed, attackers conduct extensive open-source intelligence gathering. LinkedIn reveals job titles, departments, and reporting structures. Company websites provide phone directories and organizational charts. Press releases name executives and announce new initiatives. Social media posts reveal personal details, travel schedules, and workplace frustrations. Every piece of publicly available information becomes ammunition for the attacker's pretext.

Defensive countermeasures include conducting regular OSINT audits of your organization, limiting public exposure of sensitive details, and understanding the reconnaissance techniques documented in related MITRE techniques like T1591.002 and T1591.004.

Share Your Experience

Have You Encountered a Vishing Attack?

Vishing is one of the most underreported attack vectors because victims often feel embarrassed or don't realize they've been targeted until it's too late. By sharing your experience, you help others recognize the warning signs and strengthen the collective defense.

Whether you've received a suspicious call, successfully identified a vishing attempt, or want to share insights from your organization's defense program, your perspective matters. Leave a comment below with your thoughts, questions, or lessons learned.

