When the Voice Sounds Real: Defending Against AI-Driven Vishing


The call comes near the end of the workday.

It’s a normal Tuesday. An employee is finishing up a few loose ends when the phone rings. The caller says he is from IT. There is a problem with the employee’s account. Nothing dramatic, he explains, but it needs to be resolved before the system locks the account overnight.

The caller is calm. Professional. His name and voice are familiar, and he knows the employee’s name, department, and manager. He references a recent software update. Then he says the employee should see a verification prompt in a few seconds.

“Just approve that, and we’ll get this cleaned up.”

This is the moment that matters.

Not the malware. Not the spoofed caller ID. Not even the artificial intelligence that may have helped create the voice or script. The decisive moment is when a real employee, under mild pressure, must decide whether to comply or verify.

That is what makes modern vishing so dangerous. It doesn’t feel like an obvious scam. In many cases, it feels like a normal business interruption.


What Is Vishing, and Why Is It Becoming More Dangerous?

Vishing, or voice phishing, is a form of social engineering conducted through phone calls, voice messages, or other voice-based communication channels. The objective is usually familiar: steal credentials, obtain sensitive information, initiate a payment, bypass security controls, or persuade the target to take an action that benefits the attacker.

The method, however, is different from email phishing.

A suspicious email gives the recipient something to inspect. There may be a strange link, a mismatched domain, an unexpected attachment, or awkward phrasing. A phone call gives the target far less time. The employee hears a voice, processes a request, and responds in real time.

That is why vishing attacks are so effective. They collapse the distance between suspicion and action. The attacker does not need the victim to study a message. The attacker needs the victim to stay on the line, accept the premise, and act before the instinct to verify takes over.

Artificial intelligence is making this type of threat more effective. The FBI has warned that criminals are using generative AI to increase the believability and scale of fraud schemes, including by creating more convincing messages, images, and voices. Attackers can use AI-generated scripts, synthetic voices, automated calling workflows, and publicly available information to make voice-based attacks more scalable and convincing. The result is not just more calls. It is better-prepared calls.

AI Voice Cloning Changes the Psychology of the Attack

The danger of AI voice cloning is not simply that a fake voice can sound real. The greater danger is that a convincing voice can short-circuit caution.

People are conditioned to treat voice as a trust signal. A familiar voice carries authority. A confident voice creates momentum. A calm voice can lower suspicion. A hurried voice can create pressure.

That matters because vishing is rarely just about information. It is about emotion and timing.

The caller may claim to be from IT, HR, finance, legal, a vendor, a bank, or an executive office. The request may be framed as routine, urgent, confidential, or helpful. The employee may not feel frightened. In fact, the call may feel ordinary — and that can be exactly what makes it dangerous.

AI-generated voice technology also weakens one of the assumptions people have long relied on: “I would know if it didn’t sound right.”

That assumption is no longer safe. The better standard is not whether the voice sounds authentic. The better standard is whether the request requires verification.

In a 2025 public service announcement, the FBI warned that malicious actors were using text messages and AI-generated voice messages to impersonate senior U.S. officials. While that campaign targeted government officials, the same principle applies more broadly: when attackers can imitate authority and familiarity through voice, the burden shifts from recognition to verification.

Why Vishing Is Especially Dangerous for MFA

Multi-factor authentication remains one of the most important security controls an organization can deploy. CISA notes that MFA helps prevent unauthorized access by requiring an additional method of identity verification beyond a password. But vishing attacks often target the human workflow around MFA rather than the authentication technology itself.

The attacker does not need to break MFA cryptographically if they can persuade the employee to participate.

A caller posing as IT may ask the employee to approve a push notification. Another may claim that a one-time code is needed to complete a system migration. In other cases, the attacker may create repeated prompts and then call the employee to “help fix” the problem.

The employee may believe they are cooperating with the security team. In reality, they may be helping an attacker complete the login process.

This is why the vishing threat deserves attention from executives, security leaders, help desks, and ordinary employees. The attack sits at the intersection of identity, access, training, and trust. It exploits the fact that most employees want to be helpful, especially when the person on the phone appears to be solving a problem.

The Old Security Awareness Model Is Not Enough

Traditional security awareness training often tells employees what to watch for. That is useful, but it may not be enough for voice-based attacks.

A vishing call does not unfold like a training slide. It has pacing. Tone. Interruption. Social pressure. The employee may be multitasking. The caller may sound familiar and be polite. The request may sound routine. The decision may need to be made in seconds.

That means vishing defense is not only about knowledge. It is about practiced behavior.

Employees need to know how to pause without coming across as rude. They need permission to challenge a request, even when the caller sounds authoritative. They need a clear process for verifying sensitive requests through a separate trusted channel. They need to understand that refusing to share a code or approve a prompt is not being difficult — it is doing their job.

The goal is not to turn every employee into a fraud investigator. The goal is to make verification normal.

Simulated Voice Attacks: Practicing Before the Real Call

This is where simulation becomes valuable.

Organizations have used simulated phishing emails for years to help employees recognize suspicious messages. Vishing requires a similar shift, but the training has to match the medium. Employees need to experience the pressure and pacing of a voice-based attack before they encounter the real thing.

To better understand how organizations can prepare employees for this threat, Brilliance Security Magazine’s Steven Bowcut spoke with Galina Kho, Chief Strategy Officer at Cyberbay, about SimuCall, a vishing threat-training solution designed to simulate realistic voice-based social-engineering scenarios.

The purpose of the conversation was not simply to review a product. It was to examine a larger question: how can organizations help employees respond correctly when a fraudulent call feels credible?

In this demonstration, Galina Kho of Cyberbay shows Steven Bowcut how SimuCall can simulate vishing scenarios and help organizations train employees to recognize and respond to voice-based social engineering threats.

What a Good Vishing Simulation Should Teach

A good vishing simulation should not be designed merely to trick people. It should teach them how to behave under pressure.

The most important question is not, “Did the employee fall for it?” The more useful question is, “What decision did the employee make at the moment of risk?”

Did they share information? Did they approve a prompt? Did they ask clarifying questions? Did they end the call and verify through a known channel? Did they report the interaction? Did they recognize the request as sensitive?

Those answers give security teams a clearer view of organizational readiness.

Effective simulations can also reveal process gaps. If employees do not know how to verify a call from IT, that is not only a training problem. It may be a policy problem. If finance staff are unsure how to validate payment-change requests, that is a workflow problem. If employees are afraid of getting in trouble for challenging a caller, that is a culture problem.

The best vishing training should make employees more confident, not more anxious.

Practical Defenses Against AI-Driven Vishing

The strongest defense against vishing is not suspicion alone. It is a repeatable verification process.

Organizations should start by identifying the types of requests that require extra scrutiny. These include requests involving passwords, MFA prompts, one-time codes, account recovery, payroll changes, wire transfers, vendor banking information, remote access, and privileged system access.

Employees should be trained to treat those requests differently, regardless of who appears to be calling.

A simple rule can help: if the request is sensitive, verify it through a separate trusted channel. Do not rely on the number that called you. Do not rely on caller ID. Do not rely on the voice alone. End the call and contact the person or department using a known number, the internal directory, the ticketing system, or an approved communication channel.

Organizations should also make their MFA policy unmistakable. Employees should know that they must never approve an MFA prompt they did not initiate and must never share a one-time code over the phone.
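The "repeated prompts, then a helpful call" pattern described under the MFA section and the rule above (never approve a prompt you did not initiate) can be backed by a detection check on the identity provider's push logs. The following is an added example, not code from the article or from Cyberbay; the log format, user names and timestamps are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
# Added example: flag the MFA push-fatigue pattern (several denied or timed-out
# prompts followed by an approval in a short window) over constructed log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log, one event per line: "timestamp user result".
SAMPLE_LOG = """\
2025-03-04T16:41:02 jdoe denied
2025-03-04T16:41:35 jdoe timeout
2025-03-04T16:42:10 jdoe denied
2025-03-04T16:43:55 jdoe timeout
2025-03-04T16:47:20 jdoe approved
2025-03-04T09:12:00 asmith approved
2025-03-04T11:03:14 asmith denied
2025-03-04T11:04:40 asmith approved
"""


def parse_log(text):
    """Group events per user as (timestamp, result), sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, result = line.split()
        events[user].append((datetime.fromisoformat(ts), result))
    for user in events:
        events[user].sort()
    return events


def find_push_fatigue(text, min_failures=3, window=timedelta(minutes=15)):
    """Return {user: failure_count} for users whose approval comes after at
    least `min_failures` non-approved prompts within `window` (assumed thresholds).
    An approval preceded by a burst of rejections is the signal that someone
    may have talked the user into pressing 'approve'."""
    flagged = {}
    for user, evs in parse_log(text).items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            # Count earlier non-approved prompts that fall inside the window.
            recent = [r for t, r in evs[:i] if ts - t <= window and r != "approved"]
            if len(recent) >= min_failures:
                flagged[user] = len(recent)
                break
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))  # {'jdoe': 4}
```

A hit should go to the help desk as a reason to call the user back on a known number, which is exactly the separate-channel verification the article recommends.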

High-risk teams may need additional training. Help desk personnel, finance teams, HR staff, executives, executive assistants, and managed service provider employees are all attractive targets because they often have access to, authority over, or the ability to influence sensitive workflows.

Finally, reporting needs to be easy and encouraged. An employee who reports a suspicious call has helped the organization, even if they were unsure what happened. The security culture should reward that instinct.

The Future of Vishing: From Human Callers to AI Agents

Vishing is likely to become more personalized, more automated, and more difficult to detect.

Attackers can already combine public information, breached data, synthetic voices, and convincing scripts. The next step is more interactive. AI systems may help attackers adapt in real time, respond to employee objections, and maintain a believable conversation longer than a simple robocall ever could.

The threat may also become more multi-channel. As Galina points out during the product demo, a target might receive an email, then a text, then a phone call. Each step reinforces the last. By the time the call arrives, the employee may already believe the issue is legitimate.

This does not mean organizations are helpless. It means they need to prepare for attacks that feel less like scams and more like business processes.

The defensive priority should be clear: make verification easier than compliance.

Conclusion: The Defense Is Not Distrust — It Is Verification

The lesson of AI-driven vishing is not that every phone call should be treated as fake. Organizations cannot operate that way. Employees still need to collaborate, solve problems, and respond to legitimate requests.

The lesson is that voice is no longer enough.

A familiar voice is not proof of identity. A professional tone is not proof of authority. Caller ID is not proof of origin. Urgency is not proof of legitimacy.

When a request involves access, money, credentials, account recovery, or MFA, the employee’s job is not to decide whether the caller sounds trustworthy. The employee’s job is to verify.

That is the moment modern security training has to prepare them for.

Because in the AI era, the most important vishing defense may be a workforce that has already practiced the call before the attacker makes it.


Steven Bowcut is the Editor-in-Chief of Brilliance Security Magazine and host of the BSM Podcast. He has spent years covering cybersecurity and physical security, focusing on the technologies, strategies, and leadership insights that matter most to security practitioners and decision-makers. Through the magazine and podcast, Steven brings readers and listeners practical content with industry leaders, innovators, and experts shaping the future of security. Follow and connect with Steve on Instagram and LinkedIn.
