
4 ways to protect the company against vishing attacks


COMMENTARY: Enterprises have been improving their email defenses, but attackers have shifted to a more effective and less controllable channel: the phone. In fact, in 2025, 31% of adults reported they received at least one scam call a day.

Today’s scam calls are sharper, smarter, and harder to spot. Bad actors now pivot toward voice-based social engineering because phone calls offer direct access to employees without technical barriers. Voice conversations bypass many existing cybersecurity controls and monitoring systems. Phone calls also create a live, adaptive interaction that static phishing emails simply can’t match.


Attackers go where the defenses are weakest, and email is no longer as easy a target. Vast improvements in enterprise email security are creating more friction for bad actors. Improved filtering, detection and user awareness are reducing phishing success rates. For bad actors, traditional phishing campaigns can now require more effort for less reliable results.

This shift represents a broader evolution in social engineering, moving from exploiting technical weaknesses to exploiting human workflows. Identity and trust workflows, therefore, are becoming the primary attack surfaces. Voice attacks fit into a larger pattern of human-centric intrusion methods.

Why vishing appeals to bad actors

There are three strategic advantages of vishing for attackers. First, they can adapt their messaging dynamically during live interactions. Second, they can use conversational pressure to overcome hesitation or skepticism. Third, they can exploit trust in internal support processes and authority figures.

An understanding of psychology underpins successful voice-based attacks. Urgency, authority and fear influence decision-making under pressure. For the reasons noted above, employees are more likely to comply during live conversations.

Another reason vishing appeals to bad actors: the difficulty of identifying manipulation in real time. In a phone conversation, attackers can react immediately to skepticism or resistance. Real-time social cues help attackers refine their approach mid-call.

In vishing, certain roles are disproportionately targeted. Help desks and IT support teams are high-value entry points. Customer service teams are staffed by employees trained to prioritize responsiveness and problem-solving, and they work under operational pressure to resolve requests quickly.

Lessons from real-world incidents

The 2023 MGM Resorts cyberattack demonstrated the effectiveness of help-desk targeting. An outsized business impact can result from a single successful phone call. In the MGM breach, the personal information of 37 million people was compromised. It affected 30 properties and caused disruption that lasted over a week, including locking guests out of their rooms and preventing their use of slot machines, ATMs, and check-in systems.

The impact of AI

AI has given bad actors the upper hand when it comes to voice-based social engineering. Deepfake audio and synthetic impersonation have become easier, and more sophisticated, thanks to generative AI. Generative AI enables realistic executive voice cloning, and low-sophistication attackers now have access to deepfake tools. “Good enough” impersonation can succeed in many cases.

Deloitte’s Center for Financial Services forecasts that by 2027, GenAI could lead to fraud losses of $40 billion in the U.S. alone. That’s up from $12.3 billion in 2023 and constitutes a compound annual growth rate of 32%.

AI has improved an attacker's operational efficiency. It allows for automation of reconnaissance and target profiling, and it can generate tailored scripts based on organizational context. This empowers the scaling of personalized attacks across large employee populations.

Why do employees still comply even when something feels suspicious? There’s a tendency to rationalize inconsistencies during high-pressure interactions, and perceived hierarchy and authority add to that pressure. In these instances, uncertainty often results in compliance rather than escalation.

The implications for enterprise security teams

Faced with this modern threat, traditional indicators of awareness may no longer work for security teams. Most organizations still defend the wrong threat model. There’s an imbalance between phishing preparedness and vishing preparedness. Most awareness programs still focus heavily on email indicators. Voice-based attack training sessions are often superficial or outdated, and employees rarely experience realistic vishing simulations. In addition, weak identity verification practices remain widespread.

Unfortunately, operational culture can unintentionally assist attacks. Help desk workflows can unintentionally prioritize convenience over security. Speed and customer satisfaction metrics create pressure to comply quickly. Employees may fear appearing obstructive or unhelpful, and there is sometimes a lack of organizational support for slowing interactions down.

There’s also a visibility gap regarding voice-based threats. Unlike email, phone conversations leave limited forensic evidence. Security teams often lack visibility into monitoring or escalation for suspicious calls. That’s why many organizations underestimate the scale of attempted vishing activity.

Build a modern defense against vishing

There are four best practices that organizations can implement to protect against vishing:

Rethink identity verification processes.

  • Implement layered verification requirements for sensitive requests.
  • Eliminate reliance on publicly accessible personal information.
  • Create secure callback and secondary confirmation procedures.

Expand training beyond phishing awareness.

  • Teach employees what modern vishing attacks actually sound like.
  • Prepare frontline teams to recognize conversational manipulation tactics.
  • Use realistic simulations to reinforce behavioral responses under pressure.

Redesign workflows to support secure decision-making.

  • Empower employees to pause, verify, and escalate requests.
  • Remove cultural pressure to resolve every issue immediately.
  • Embed verification checkpoints into help desk and support operations.

Treat vishing as an inevitable threat to the enterprise.

  • Build response playbooks for suspected voice-based social engineering attempts.
  • Practice vishing scenarios through realistic simulations and tabletop exercises.
  • Review suspicious activity and incidents to identify workflow gaps, training needs, and verification failures.
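The first and third practices above (layered verification that ignores publicly available information, callback and secondary confirmation, and a verification checkpoint that escalates rather than quietly refuses) can be expressed as a small policy check a help desk tool would run before a sensitive request is fulfilled. This is an added illustration, not code from the author or from any product; the action names, check names and ticket values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Caller-supplied facts that are public or easily researched. They carry no
# verification weight even when the caller gets every one of them right.
PUBLIC_INFO = {"name", "title", "employee_id", "manager_name", "office_location"}
# Checks that run over a channel the caller does not control (assumed names).
CALLBACK = "callback_number_on_file"      # agent hangs up and calls the HR-record number
SECONDARY = {"push_approval", "manager_confirmation"}  # independent second confirmation
# Actions that hand over account control and therefore need layered verification.
SENSITIVE = {"mfa_reset", "password_reset", "device_enrollment", "mail_forwarding"}


@dataclass
class CallRequest:
    ticket: str
    action: str
    claimed_identity: str
    checks_passed: frozenset     # verification steps the agent actually completed
    pressure_cues: tuple = ()    # e.g. ("urgency", "executive_name_drop"), recorded for review


def evaluate(req):
    """Return (decision, audit_record); decision is 'allow' or 'escalate'.

    A call that does not fully verify is escalated to security rather than merely
    refused, so attempted vishing leaves a record instead of vanishing with the call.
    """
    counted = set(req.checks_passed) - PUBLIC_INFO   # knowledge of public facts is discarded
    ignored = set(req.checks_passed) & PUBLIC_INFO
    if req.action in SENSITIVE:
        # Layered: callback to the number on file AND one independent confirmation.
        have_callback = CALLBACK in counted
        have_secondary = bool(counted & SECONDARY)
        ok = have_callback and have_secondary
        missing = [name for name, held in ((CALLBACK, have_callback),
                                           ("secondary confirmation", have_secondary)) if not held]
    else:
        ok = bool(counted & ({CALLBACK} | SECONDARY))  # one out-of-band check suffices
        missing = [] if ok else ["any out-of-band check"]
    decision = "allow" if ok else "escalate"
    audit = {
        "ticket": req.ticket, "action": req.action, "identity": req.claimed_identity,
        "decision": decision, "missing": missing,
        "ignored_public_info": sorted(ignored), "pressure_cues": list(req.pressure_cues),
    }
    return decision, audit


if __name__ == "__main__":
    # Constructed sample: correct name, employee ID and manager's name, plus urgency.
    print(evaluate(CallRequest("T-1", "mfa_reset", "jdoe",
                               frozenset({"name", "employee_id", "manager_name"}), ("urgency",))))
```

The audit record is what closes the visibility gap described earlier: every escalated call is a data point on attempted vishing volume and on which step of the workflow the caller failed.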

Vishing has rapidly emerged as a preferred entry point, allowing attackers to bypass technical controls and exploit human trust directly. High-profile incidents, including the 2023 MGM Resorts cyberattack, demonstrate how a single, well-crafted call to a help desk can lead to enterprise-wide compromise. The risk has accelerated further with the rise of AI and deepfake audio, which enables highly convincing impersonation at scale. As attackers use publicly available data to increase credibility and success rates, many organizations remain underprepared for voice-based social engineering threats.

Organizations that act now can get ahead of the curve: strengthen identity checks, close help desk gaps, and prepare employees before voice-based attacks become business-as-usual.

Stephanie “Snow” Carruthers, managing principal, human threats, Coalfire

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
