Vishing

Handle a realistic voice phishing call.

What Is Vishing?

Vishing, or voice phishing, uses phone calls to manipulate employees into revealing sensitive information, transferring funds, or granting system access. The FBI's Internet Crime Complaint Center reported over $10 billion in losses from social engineering schemes in 2022, with phone-based attacks accounting for a growing share. Unlike email phishing, vishing exploits real-time conversation dynamics where targets have less time to think critically and feel social pressure to be helpful.

In this simulation, your phone rings. The caller ID shows a number that appears to belong to your company's IT department or a trusted vendor. The person on the other end is calm, professional, and uses industry-specific terminology that sounds legitimate. They explain a security incident or system update that requires your immediate cooperation, including confirming your login credentials, authorizing remote access, or reading back a multi-factor authentication code.

You will practice pausing the conversation, asking verification questions, and using callback procedures through official phone numbers rather than ones the caller provides. The exercise covers the specific vocal cues and conversational patterns that distinguish social engineers from legitimate callers: the subtle redirection when you ask probing questions, the escalating urgency when you suggest calling back, and the strategic use of technical jargon to create a false sense of shared expertise.

What You'll Learn in Vishing

Vishing — Training Steps

  1. Introduction

    This training simulates a real-world vishing attack where an attacker uses an AI-generated voice filter to impersonate a trusted colleague. It's a busy Tuesday afternoon when Alice's phone rings. The caller ID shows 'Mike Stevens - Ext. 4247'. Alice knows Mike; he's a really friendly guy from the Infrastructure team. She recognizes this as Mike's usual number and answers the call promptly.

  2. The Unexpected Call

    Unbeknownst to Alice, the caller is not Mike but Bob, an attacker who has been researching Nexlify Solutions and their client SecureTech for weeks. He gathered information about the company structure, employee names, and internal systems through social media profiles, LinkedIn, and the company website. Bob has also obtained recordings of Mike's voice from publicly available conference presentations and company webinars. Using advanced AI voice cloning software, he has created a convincing replica of Mike's voice and spoofed the caller ID to display Mike's internal extension.

  3. The Convincing Introduction

    The voice on the phone sounds exactly like Mike: same tone, speech patterns, and even his characteristic slight Boston accent. This is all thanks to GenAI technologies and a large dataset of recordings of Mike's public talks.

  4. Creating Urgency

    Bob establishes urgency and authority by mentioning a sick colleague and an important client meeting.

  5. The Information Request

    Alice begins to feel the pressure of the urgent situation and wants to help a colleague in need.

  6. Opening the Files

    Alice opens up the company portal and tries to access sensitive data.

  7. Sharing Sensitive Information

    Alice begins reading the sensitive information over the phone. This is strictly prohibited by company rules, but the request seems urgent and Mike does not have access to company resources due to a VPN issue.

  8. A Huge Mistake

    Alice has now shared highly confidential NDA-protected information including proprietary encryption details, disaster recovery locations, and internal security protocols.

  9. The Suspicious Email

    Bob sees that his attack is successful and tries to escalate by sending Alice a phishing email.

  10. Shady Email Arrives

    Alice receives an email that appears to be from Mike Stevens.