The mechanisms and dangers of email phishing are well known, as are the best practices for hardening organizations against it. Its spin-off, called vishing, is nothing new, but it is both rapidly evolving and, unlike its more mainstream counterpart, too often overlooked by security professionals. According to the CrowdStrike 2025 Global Threat Report, these offbeat attacks saw a 442% increase in the second half of 2024 compared to the first half of the year. This dramatic spike should be interpreted as a call to action in terms of countermeasures, especially in enterprise environments.

Vishing is a portmanteau of “voice phishing” and refers to social engineering campaigns that rely on audio (typically voice calls and prerecorded messages) to either extract information from a target or get them to perform certain actions. From an organizational perspective, this foul play can be aimed at stealing proprietary business data, granting the attacker access to internal systems, or initiating fraudulent fund transfers.

An effective tactic when aimed at individuals (especially those most vulnerable, like the elderly), it can be all the more devastating when targeted against an organization. Arguably, the most prominent vector of vishing evolution so far has been voice-cloning technology, from deepfakes to the broad spectrum of AI models. As the tools for performing such attacks have improved, so have the strategies employed by the bad actors who wield them...