March 5, 2026

Vishing: How One Phone Call to the Help Desk Bypasses Your Security

Not every attack arrives in your inbox. A growing share now comes down the phone line. Vishing (voice phishing) swaps the malicious link for a persuasive human voice, and it has become one of the most effective ways into an organisation precisely because it targets trust rather than technology. Google’s Threat Intelligence Group has warned that attackers impersonating IT staff over the phone are now behind some of the most damaging intrusions of the year.

The short version: a vishing attacker phones an employee, poses as IT support or a senior colleague, manufactures a moment of urgency, and talks them into handing over a password, an MFA code or an account reset. There is no malware and no link for a filter to catch, just a plausible story. The defences are procedural as much as technical: verify who is calling, and make a shared code worthless with phishing-resistant MFA.

Why voice is suddenly the attacker’s channel of choice

As email filtering has improved, criminals have looked for a route with fewer technical guardrails, and the telephone offers exactly that. A call carries no attachment to sandbox and no link to reputation-check; it lands directly on a human being. Incident responders tracked a steep rise in voice-based social engineering through 2025 and into 2026, with some teams reporting that vishing featured in a large share of the intrusions they handled. Verizon’s 2025 Data Breach Investigations Report is the backdrop to all of it: roughly 60% of breaches still involve a person being manipulated or making a mistake.

Artificial intelligence has poured fuel on the fire. Voice-cloning tools can reproduce a recognisable voice from only a few seconds of audio, such as a snippet from an earnings call, a conference talk or even a voicemail greeting, so the “senior executive” on the line can sound convincingly real.

How a vishing attack unfolds

The mechanics are simple, which is part of what makes them so effective.

  1. Impersonate. The caller poses as IT support, a service desk or a senior manager, often using a name and a few real details gathered beforehand.
  2. Add urgency. A locked account, a failed payment or a security “incident” pushes the victim to act before they think.
  3. Extract a secret. The caller talks them into reading out a one-time code, resetting a password, or approving a login.
  4. Take over. Those live details unlock the account in seconds, with no malware required.
Diagram: a vishing attack, step by step. No exploit and no malware, just trust and a good story.

The help desk is the front line

Some of the most serious cases target the IT help desk itself. An attacker phones pretending to be a locked-out employee, sometimes a real one whose details have been harvested from social media, and asks for a password or multi-factor reset. If the agent obliges without robust identity checks, the attacker inherits a genuine, fully verified account. Several major 2026 breaches began with exactly this move, and it is why help-desk verification procedures deserve as much attention as any technical control.

The warning signs worth training staff to notice

  • Unsolicited “IT support” calls that ask you to confirm a code, install software or reset credentials.
  • Manufactured urgency: a threat that your account will be suspended, or a payment reversed, unless you act now.
  • Requests to read out a one-time code. No legitimate IT team will ever ask for it.
  • A number or caller you cannot verify. Caller ID is trivially spoofed and proves nothing.

How to shut vishing down

Verify the caller, every time

Introduce call-back verification: hang up and dial the person or team back on a known internal number before acting on any sensitive request. Agreed code-words for inbound IT or executive calls give staff a simple, low-friction way to test authenticity.

Make shared codes worthless

Phishing-resistant MFA, in the form of FIDO2 security keys and passkeys, removes the very thing a vishing caller is trying to extract, because there is no code to read out. Prioritise administrators, finance and other high-value accounts.

Harden the help desk

Require strong identity proofing before any password or MFA reset, and add a call-back or manager approval step for high-risk changes. Treat the reset process as a security control, not a convenience.
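As an added illustration of the call-back and help-desk controls above (example code written for this post, not a Phishing Tackle product or any real service desk's workflow), the gate below encodes the reset decision: the displayed caller ID counts for nothing, the agent must have dialled back a directory number, identity proofing must be complete, and high-risk accounts or MFA resets need a second approver. The directory entries and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample directory: the known desk number for each account and
# whether the account is high-value (admins, finance). Not a real organisation.
DIRECTORY = {
    "a.lee": {"phone": "+44 20 7946 0111", "high_risk": False},
    "j.patel": {"phone": "+44 20 7946 0222", "high_risk": True},    # finance
    "ops-admin": {"phone": "+44 20 7946 0333", "high_risk": True},  # administrator
}


@dataclass
class ResetRequest:
    username: str
    inbound_caller_id: str                 # what the phone system displayed; spoofable
    callback_number_used: Optional[str]    # number the agent actually dialled back, if any
    identity_proofed: bool                 # agreed identity-proofing check passed
    manager_approved: bool = False
    action: str = "password_reset"         # or "mfa_reset"


def evaluate_reset(req: ResetRequest) -> Tuple[bool, List[str]]:
    """Decide whether a help-desk reset may proceed.

    Returns (approved, reasons). Every failing control is listed so the agent
    sees the whole picture rather than fixing one step and trying again.
    """
    reasons: List[str] = []
    entry = DIRECTORY.get(req.username)
    if entry is None:
        return False, ["unknown user"]

    # Caller ID is trivially spoofed, so a match against the directory proves
    # nothing. The only telephone check that counts is the agent's own call-back
    # to the number on record. req.inbound_caller_id is deliberately never consulted.
    if req.callback_number_used != entry["phone"]:
        reasons.append("no call-back to directory number")

    if not req.identity_proofed:
        reasons.append("identity proofing not completed")

    # MFA resets and high-value accounts always need a second person.
    if (entry["high_risk"] or req.action == "mfa_reset") and not req.manager_approved:
        reasons.append("manager approval required for high-risk change")

    return (not reasons), reasons
```

A request whose caller ID happens to match the directory still fails unless the agent made the call-back, which is the point of treating the reset path as a security control.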

Train with the phone in mind

Awareness programmes often stop at email. Extend them: run realistic simulations that include voice scenarios, and give staff a simple, blame-free way to report a suspicious contact so your security team sees the pattern early.

The bottom line

Vishing works because it bypasses the technology entirely and goes straight for human trust. That also points to the fix: pair clear verification habits, such as calling back, using code-words and proving identity before any reset, with phishing-resistant authentication so a shared code no longer opens the door. A confident “let me call you back” is one of the most powerful security controls your people own.

Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.

Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
