Voice phishing – or vishing – overtook email-based phishing as a top initial intrusion vector in 2025, according to a new report from cybersecurity consulting firm Mandiant.
Vishing is live and interactive, giving the attacker more control over the social engineering tactics.
“While email phishing often relies on volume and opportunistic delivery, interactive methods involve a live person steering the conversation in real-time,” Mandiant says.
“This distinction is critical for defenders: interactive attacks are significantly more resilient against automated technical controls and require different detection strategies.”
Vishing was responsible for a high-profile extortion campaign that compromised dozens of organizations throughout 2025. Attackers called employees and tricked them into granting access.
“One of the more pervasive examples of this activity was a campaign that spanned the first half of 2025, in which the attackers used voice phishing to convince targets to provide credentials and authorize an attacker-controlled version of a legitimate software-as-a-service (SaaS) application to access organizations’ data,” the researchers write. “These organizations later received extortion notes demanding payment for the non-release of stolen data.
“Another example of a long-term vishing campaign came from a financially motivated threat cluster active since at least early 2022. These attackers targeted help desk staff by impersonating employees requesting password resets and changes to multi-factor authentication (MFA) settings.”
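The help-desk pattern quoted above (a password reset followed by a change to the same account's MFA settings) is one a defender can correlate in identity audit logs. The following is an added example, not code from the article, KnowBe4 or Mandiant: it runs a simple reset-then-MFA-change check over a handful of constructed JSON audit events. The event names, field names, one-hour window and sample log lines are all assumptions made for illustration and do not match any particular product's schema.

```python
"""
Added example (not part of the original article or Mandiant's report): a simple
correlation check for the help-desk vishing pattern described above, where a
password reset is followed shortly afterwards by a change to the same account's
MFA settings. Event names, field names and the sample log lines are constructed
for illustration and do not correspond to any particular product's schema.
"""
from datetime import datetime, timedelta
import json

# Constructed sample audit events (JSON lines). j.doe shows the
# reset-then-MFA-change sequence inside the window; a.smith re-enrols MFA
# a day later; k.lee has an MFA change with no preceding reset.
SAMPLE_LOG = """\
{"ts": "2025-03-04T09:12:05Z", "actor": "helpdesk.agent1", "event": "password_reset", "target": "j.doe"}
{"ts": "2025-03-04T09:19:40Z", "actor": "helpdesk.agent1", "event": "mfa_method_added", "target": "j.doe", "detail": "authenticator app"}
{"ts": "2025-03-04T10:02:11Z", "actor": "helpdesk.agent2", "event": "password_reset", "target": "a.smith"}
{"ts": "2025-03-05T08:30:00Z", "actor": "a.smith", "event": "mfa_method_added", "target": "a.smith", "detail": "phone"}
{"ts": "2025-03-04T11:45:00Z", "actor": "helpdesk.agent3", "event": "mfa_method_removed", "target": "k.lee"}
"""

# Assumption: a reset and an MFA change this close together deserve a second look.
WINDOW = timedelta(hours=1)
MFA_EVENTS = {"mfa_method_added", "mfa_method_removed", "mfa_reset"}


def parse_events(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_reset_then_mfa_change(events, window=WINDOW):
    """Return (target, reset_event, mfa_event) triples where an MFA change
    follows a password reset on the same account within `window`."""
    last_reset = {}   # target account -> most recent password_reset event
    hits = []
    for e in events:
        if e["event"] == "password_reset":
            last_reset[e["target"]] = e
        elif e["event"] in MFA_EVENTS:
            reset = last_reset.get(e["target"])
            if reset and timedelta(0) <= e["ts"] - reset["ts"] <= window:
                hits.append((e["target"], reset, e))
    return hits


def alert_lines(text, window=WINDOW):
    """Render each correlated sequence as a one-line review prompt for an analyst."""
    lines = []
    for target, reset, mfa in find_reset_then_mfa_change(parse_events(text), window):
        gap = int((mfa["ts"] - reset["ts"]).total_seconds() // 60)
        lines.append(
            f"REVIEW {target}: {mfa['event']} by {mfa['actor']} "
            f"{gap} min after password_reset by {reset['actor']}"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG):
        print(line)
```

On the sample data this flags only j.doe, whose MFA method was added seven minutes after a help-desk reset. The same sequence is also what legitimate onboarding or a lost-phone ticket looks like, so the output is a review trigger rather than a block: the useful response is the independent callback the tips below describe, made to a number on record for the employee rather than the one on the ticket.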
Protect Yourself from Vishing Attacks
Follow these tips from Stay Safe Online to protect yourself from vishing attacks.
- When in doubt, hang up. You're never obligated to stay on the line. If something feels off, end the call.
- Don't engage with robocalls. Pressing buttons or speaking confirms your number is active and invites more scams.
- Never share personal information by phone – no account numbers, passwords, or Social Security numbers.
- Verify independently. If a call seems legitimate, hang up, and call back using an official number from the company's website or your account statement. Don't redial the same number – scammers can spoof it.
- Let unknown numbers go to voicemail. Anyone with a genuine reason to reach you will leave a message.
- Don't trust caller ID. Scammers can fake real numbers, including local area codes and your bank's line.
- Set up account PINs or passphrases with your bank, phone carrier, and other services to block unauthorized access.
- Establish a family safe word to verify identity in urgent situations – especially important for guarding against AI voice scams, grandparent scams, and fake job offer calls.
This article is reproduced with permission from KnowBe4.