Vishing
Vishing uses voice calls and social engineering to impersonate trusted entities, manipulating victims into revealing credentials or performing unauthorized actions, increasingly enhanced by AI voice cloning.
Vishing (voice phishing) is a social engineering attack conducted over phone calls where the attacker impersonates a trusted entity to extract sensitive information from the victim. Attackers pose as bank representatives, IT support, government agencies, or executives to manipulate victims into revealing credentials or financial details, or into performing unauthorized actions. Modern vishing attacks increasingly use AI-generated voice cloning to impersonate known individuals.
The attacker researches the target and crafts a convincing pretext for the phone call. They may spoof caller ID to display a legitimate phone number from a bank, government agency, or the victim's own organization. During the call, the attacker creates urgency, claiming the victim's account has been compromised, a payment is overdue, or IT requires immediate credential verification. They use authority, fear, and time pressure to override the victim's critical thinking. Advanced vishing campaigns use AI voice synthesis to clone the voice of a CEO or manager, instructing employees to transfer funds or share access credentials. Some attacks combine vishing with SMS messages or emails to appear more legitimate in multi-channel social engineering campaigns.
Vishing attacks have resulted in some of the largest financial fraud losses in corporate history. AI voice cloning has made these attacks dramatically more convincing, with attackers needing only seconds of audio to generate a realistic voice clone. Organizations must implement verbal authentication procedures, establish out-of-band verification for sensitive requests, train employees to recognize vishing tactics, and create clear escalation paths for suspicious calls. No sensitive action should be taken based solely on a phone call.
Written by CDA Editorial