In February 2025, attackers used a cloned voice of a Canadian insurance company’s CFO to call the company’s finance department and authorize nearly $12 million in fraudulent transfers. The voice was synthetic, generated from publicly available recordings. The call was convincing enough to bypass every internal control designed to prevent unauthorized payments. The company did not discover the fraud until the money was gone.

Around the same time, a cybersecurity veteran named Richard Werner, a professional with 20 years of experience teaching companies to resist exactly this kind of attack, received a call from someone claiming to be European law enforcement. Over several hours, a team of callers working in rotation convinced him to transfer €5,000 in Bitcoin. He later described the experience as a masterclass in emotional manipulation, one that worked precisely because the callers sounded authoritative, knowledgeable, and official.

These are vishing attacks: fraud conducted through voice communication. The term combines “voice” and “phishing,” and what started as a marginal scam technique has become one of the fastest-growing threats in cybersecurity. If you have ever received a suspicious call claiming to be from your bank or your company’s IT department, you have encountered the entry-level version. The cases above show what the professional version looks like...