
What Is Vishing? Voice Phishing Meaning, Stats & Protection (2026)

Vishing (voice phishing) uses phone calls to steal credentials and authorize fraud. The Verizon 2026 DBIR attributes 6% of initial access to pretexting, and phone-centric simulation scenarios show a median failure rate of ~2% against ~1.4% for email. This page covers detection signals and an executive-verification playbook.

Ozan Ucar, Founder and CEO of Keepnet

What is Vishing: Definition, Detection and Protection

Vishing (voice phishing) is social engineering by phone: spoofed caller ID, cloned voices, or callback lures that push people to share credentials, approve wires, or reset accounts without a second-channel check.

The Verizon 2026 DBIR attributes pretexting (live voice, chat, or callback manipulation) to 6% of initial access in the breach sample. Median simulation failure rates run ~1.4% on email and ~2% on phone-centric scenarios (~40% higher, DBIR 2026, p. 50). If you only train email, you grade the easier test.

Gartner's 2025 Secure Behavior Strategies Survey (n=65) found 73% of leaders prioritize phishing reporting metrics, but only 10% prioritize deepfake recognition training (G00840741). The 2025 AI Risk Management Survey (n=302) reports 35% of organizations affected by deepfake incidents.

Source: Gartner, "6 Ways to Transform Your Cybersecurity Awareness Program" (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65).

Keepnet's Extended Human Risk Management Platform (xHRM) pairs multi-channel simulations with Secure Behavior Management (SBM) outcomes. Identity is what you verify on a separate channel, not what caller ID displays.

For channel-wide numbers, see our 2026 phishing statistics hub and dedicated vishing statistics guide.

The honest read

Vishing wins when verification is vague. Help desks and executives are the highest-risk roles because attackers target workflow shortcuts, not ignorance of definitions.

What I'd do this quarter

Publish one rule: no payment, credential reset, or wire transfer on voice alone. Model callback verification in town halls. Run voice phishing simulations mapped to real approval workflows.

Voice phishing speed in the wild (CrowdStrike 2026)

CHATTY SPIDER targeted law firms with vishing and remote tooling in 2025. In one U.S. law firm intrusion, the adversary moved from Quick Assist access to an attempted WinSCP exfiltration within four minutes; when blocked, they pivoted to Google Drive (CrowdStrike 2026 Global Threat Report, p. 11). Average eCrime breakout time across CrowdStrike telemetry was 29 minutes in 2025.

Practical next step

Callback and live-voice playbooks need sub-hour escalation, not next-day ticket queues. DBIR pretexting at 6% of initial access is the breach benchmark; CrowdStrike timelines show why phone failures compress response windows.

Deepfake voice and vishing in 2026 (Gartner G00847786)

Vishing is no longer only a robocall problem. Gartner reports 41% of organizations faced deepfake plus social engineering on an audio call in its 2026 CISO survey (n=297, Gartner G00847786).

Employee playbook: before you act on a live call

  • Pause if the caller pushes urgency for a wire transfer, MFA approval, or password reset.
  • Verify identity on a second channel you initiate (known number, ticket system, in-person).
  • Never share one-time codes or approve MFA prompts the caller triggered.
  • Report suspicious voice calls through your phishing reporter workflow, not only email abuse.
  • Run vishing and deepfake simulations so teams rehearse verification under pressure.

Operational stats: vishing statistics 2026.

Sources

  • CrowdStrike, 2026 Global Threat Report (Year of the Evasive Adversary); page references as cited in the body.
  • Gartner G00847786: Cybersecurity Threat: Deepfake Identity Impersonation (Akif Khan, 28 May 2026).


Vishing definition and purpose

FTC and CISA frame vishing the same way: phone-based impersonation to steal information or money. The attacker sounds legitimate; the pressure is live. Full regulator wording is in Sources below. This page focuses on what security teams should measure and drill.

Objective | What attackers want
Credential harvest | Passwords, MFA codes, account recovery details
Payment fraud | Wire transfers, gift cards, invoice changes
Account takeover | Help-desk resets, vendor portal access
Urgency leverage | Fake fraud alerts, executive requests, IT lockouts

Purpose of vishing attempts

Phishing vs vishing vs smishing

DBIR 2026 treats asynchronous messaging phishing (16% initial access) separately from pretexting (6%). Same human target, different channel mechanics.

Channel | Delivery | Typical ask
Phishing (email) | Async message + link | Click, login, download
Vishing (voice) | Live or callback call | Verify identity, approve payment, reset MFA
Smishing (SMS) | Text + link or reply | Track package, bank alert, MFA code


Simulation programs should cover all three channels (email phishing, vishing, and smishing), not email alone.

Why attackers use voice over email

Attackers optimize for speed and authority. A live voice creates social pressure that email cannot. Finance, IT help desk, and executive assistants see the highest-volume targeted scenarios.

"I ask who's on the other end of every unexpected call. Vishing wins when urgency beats verification. Train people to challenge the caller and confirm on a separate channel before they act."

Ozan Ucar
Founder and CEO of Keepnet

How to detect vishing calls

  • Caller refuses a callback to a published number on the company website
  • Urgent payment or credential request with no ticket reference
  • Caller ID looks internal but the script asks for secrets (passwords, MFA codes)
  • Background noise or hold music designed to sound like a call center
  • Executive or vendor voice that will not verify on a second channel

Where teams get this wrong

Detection is not about spotting robots anymore. Lisbon University research (2024) found more than half of test subjects believed they were speaking with a human during AI voice interactions. Label that as academic research, not a global rate.

Practical next step

Train a pause-and-verify reflex: get a name, ticket ID, and call back on a known number. Measure time-to-report, not quiz scores.

Three shifts matter for program design:

  • AI voice cloning: Deepfake and voice-synthesis tools lower the cost of credible executive impersonation (see deepfake statistics).
  • Callback chains: Email lures that push victims to call an attacker-controlled number (callback phishing).
  • Help-desk targeting: MFA reset and password recovery workflows remain the fastest path to enterprise access.

Keepnet's 2024 Vishing Response Report (labeled as simulation data, not breach data) found that 70% of organizations were exposed in simulated vishing and that 6.5% of employees disclosed sensitive information in voice drills. Use it alongside the DBIR medians, not as a breach-rate substitute (full report).

Real-world vishing cases

MGM Resorts (September 2023): Industry reporting describes vishing to the IT help desk to reset MFA; SEC filings cite ~$100M impact. Control gap: help-desk verification before privilege changes.

Arup deepfake CFO (January 2024): Multi-person video call with synthetic executives; ~$25.6M loss (HK Police briefing). Control gap: out-of-band executive approval for wires.

Sony partner lure (Keepnet customer drill): see Ibrahim Ucar's field note below. A help-desk agent who had just completed a vishing drill demanded a ticket number, and the call ended.

“That last lure almost worked on one of our fastest-growing tech customers. A caller claiming to be a Sony partner offered free game keys and asked employees to ‘verify’ their corporate email and ID, really a ploy to harvest credentials and pivot into the dev cloud. A help-desk agent who had just completed our vishing drill paused, demanded a ticket number, and the line went dead. The lesson is clear: vishing succeeds when curiosity or urgency overrides routine verification, so train people to slow the call, challenge, and confirm on a separate channel.”

Ibrahim Ucar
Product Manager, Keepnet

Common vishing methods

Method | How it works | Who is targeted
CEO / executive fraud | Urgent wire or purchase approval | Finance, assistants
IT help-desk impersonation | Fake lockout, MFA reset | All staff; help desk
Bank / fraud alert | Account compromise verification | General workforce
Vendor / supplier | Invoice or banking detail change | AP, procurement
Callback phishing | Email sends victim to attacker phone line | Mixed; often finance
Deepfake voice / video | Cloned executive on call or meeting | Finance, legal, C-suite


How to prevent vishing attacks

  • No secrets on inbound calls: passwords, MFA codes, and recovery links go through approved portals only
  • Callback rule: hang up and dial the published number for IT, bank, or vendor
  • Executive wire policy: second approver plus out-of-band confirmation for any voice-initiated payment
  • Help-desk playbook: ticket required before MFA reset; vishing drills for privileged roles
  • Report rate KPI: track suspicious call reports and time-to-report, not training completion alone
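The detection red flags and the prevention rules above can be turned into one decision a help-desk or finance agent runs before acting on any voice request. The following is an added example, not Keepnet's code: the directory, the ticket store, the request fields and the example.com identities are constructed assumptions, and the point it makes is that caller ID is recorded but never counts as verification; only a completed callback to the published number, a matching ticket, and (for payments) an independent approver plus out-of-band confirmation do.

```python
"""Verification gate for voice-initiated help-desk and finance requests.

Added example, not Keepnet's code. It encodes the controls above as one
decision: no secrets on inbound calls, a matching ticket before any reset,
callback to the published directory number, and a second approver plus
out-of-band confirmation for voice-initiated payments. The directory,
ticket store and request fields are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    MFA_RESET = "mfa_reset"
    PASSWORD_RESET = "password_reset"
    WIRE_TRANSFER = "wire_transfer"
    VENDOR_BANK_CHANGE = "vendor_bank_change"
    DISCLOSE_SECRET = "disclose_secret"  # password, one-time code, recovery link


@dataclass
class VoiceRequest:
    action: Action
    claimed_identity: str               # who the caller says they are
    caller_id: str                      # displayed number; recorded, never trusted
    ticket_id: str | None = None
    callback_number: str | None = None  # number the agent dialed back, if any
    urgent: bool = False
    second_approver: str | None = None
    oob_confirmed: bool = False         # confirmed on a channel the company initiated


# Constructed directory: identity -> published number (assumption).
DIRECTORY = {
    "cfo@example.com": "+1-555-0100",
    "jdoe@example.com": "+1-555-0123",
}
# Constructed open tickets: ticket_id -> (requester, action) (assumption).
TICKETS = {
    "INC-1042": ("jdoe@example.com", Action.MFA_RESET),
}
PRIVILEGED = {Action.MFA_RESET, Action.PASSWORD_RESET}
PAYMENTS = {Action.WIRE_TRANSFER, Action.VENDOR_BANK_CHANGE}


def evaluate(req: VoiceRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Each reason is a red flag worth a report."""
    flags: list[str] = []

    # Rule 1: secrets never travel over an inbound call, whoever is calling.
    if req.action is Action.DISCLOSE_SECRET:
        return False, ["secrets go through the approved portal, never over a call"]

    # Caller ID is not identity. The directory tells the agent what to dial back;
    # only a completed callback to that number counts as verification.
    published = DIRECTORY.get(req.claimed_identity)
    if published is None:
        flags.append("claimed identity not in directory")
    elif req.callback_number != published:
        flags.append("not verified by callback to published number")

    # Rule 2: resets need an open ticket raised by the same requester for the same action.
    if req.action in PRIVILEGED:
        if TICKETS.get(req.ticket_id or "") != (req.claimed_identity, req.action):
            flags.append("no matching ticket for this requester and action")

    # Rule 3: voice-initiated payments need an independent second approver
    # and an out-of-band confirmation, on top of the callback.
    if req.action in PAYMENTS:
        if not req.second_approver or req.second_approver == req.claimed_identity:
            flags.append("no independent second approver")
        if not req.oob_confirmed:
            flags.append("no out-of-band confirmation")

    # Urgency never waives a check; it is recorded so the report carries it.
    if req.urgent and flags:
        flags.append("urgency pressure on an unverified request")

    return (not flags), flags


if __name__ == "__main__":
    lockout = VoiceRequest(Action.MFA_RESET, "jdoe@example.com", "+1-555-0123", urgent=True)
    print(evaluate(lockout))
```

The refusal reasons double as the report payload: an "IT lockout" call that arrives with an internal-looking caller ID, no ticket, no callback and urgency pressure fails on three counts, and those three counts are exactly what the phishing-reporter workflow should capture.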

Run vishing simulations tied to the workflows above. Pair with 2026 phishing statistics for board-ready channel comparison (email ~1.4% vs phone ~2% DBIR medians).

Why vishing still works in 2026

Vishing succeeds because it shortcuts verification. A live voice adds urgency and false legitimacy faster than most email lures. The gap is usually operational: no calm path for help-desk staff under pressure.

We see failure rates drop when simulations mirror real workflows (payment approval, login recovery, vendor changes), not generic bank-fraud scripts. Completion rate is a comforting metric; reporting speed and repeat-failure cohorts are security outcomes.
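The outcome metrics named above (report rate, time-to-report, repeat-failure cohorts, per channel) are simple to compute once simulation results are stored as events rather than as LMS completion flags. The following is an added example, not Keepnet's code: the event schema and the sample events are constructed, the sample rates are illustrative rather than the DBIR medians, and the 29-minute window is an assumption taken from the CrowdStrike 2025 average eCrime breakout time quoted earlier on this page.

```python
"""Channel outcome metrics from simulation events.

Added example, not Keepnet's code. From constructed simulation events it
computes the outcomes the text names: failure rate, report rate, median
time-to-report, share of reports inside a breakout window, and the
repeat-failure cohort, per channel. The event schema, the sample data and
the 29-minute window (the CrowdStrike 2025 average eCrime breakout time
quoted above) are assumptions; the sample rates are illustrative, not the
DBIR medians.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class SimEvent:
    campaign: str
    channel: str                  # "email" or "phone"
    user: str
    sent_at: datetime             # lure delivered or call placed
    failed: bool                  # clicked/submitted (email), disclosed/approved (phone)
    reported_at: datetime | None  # when the user reported the lure, if ever


T0 = datetime(2026, 3, 2, 9, 0)


def _ev(campaign: str, channel: str, user: str, failed: bool, report_min: int | None = None) -> SimEvent:
    reported = T0 + timedelta(minutes=report_min) if report_min is not None else None
    return SimEvent(campaign, channel, user, T0, failed, reported)


# Constructed sample: two email and two phone campaigns across five users.
EVENTS = [
    _ev("E1", "email", "ana", False, 4),  _ev("E1", "email", "bo", True),
    _ev("E1", "email", "cy", False, 12),  _ev("E1", "email", "di", False),  _ev("E1", "email", "ed", False, 30),
    _ev("E2", "email", "ana", False, 6),  _ev("E2", "email", "bo", True),
    _ev("E2", "email", "cy", False),      _ev("E2", "email", "di", False, 9), _ev("E2", "email", "ed", False),
    _ev("P1", "phone", "ana", False, 2),  _ev("P1", "phone", "bo", True),
    _ev("P1", "phone", "cy", True, 45),   _ev("P1", "phone", "di", False),  _ev("P1", "phone", "ed", False, 15),
    _ev("P2", "phone", "ana", False, 3),  _ev("P2", "phone", "bo", True),
    _ev("P2", "phone", "cy", False, 20),  _ev("P2", "phone", "di", False),  _ev("P2", "phone", "ed", True),
]


def channel_metrics(events: list[SimEvent], breakout_min: int = 29) -> dict[str, dict]:
    """Per-channel outcomes. A user who fails and then reports (cy in P1) still
    counts as a report: the late report is what starts response, so its
    time-to-report is measured rather than discarded."""
    by_channel: dict[str, list[SimEvent]] = defaultdict(list)
    for ev in events:
        by_channel[ev.channel].append(ev)

    out: dict[str, dict] = {}
    for channel, evs in by_channel.items():
        n = len(evs)
        reports = [ev for ev in evs if ev.reported_at is not None]
        ttr = [(ev.reported_at - ev.sent_at).total_seconds() / 60 for ev in reports]
        fails_per_user: dict[str, int] = defaultdict(int)
        for ev in evs:
            if ev.failed:
                fails_per_user[ev.user] += 1
        out[channel] = {
            "failure_rate": sum(ev.failed for ev in evs) / n,
            "report_rate": len(reports) / n,
            "median_ttr_min": median(ttr) if ttr else None,
            # share of reports that arrived before an attacker's typical breakout
            "reports_within_breakout": (sum(t <= breakout_min for t in ttr) / len(ttr)) if ttr else None,
            # users who failed in two or more campaigns on this channel
            "repeat_failure_cohort": sorted(u for u, k in fails_per_user.items() if k >= 2),
        }
    return out


if __name__ == "__main__":
    for channel, m in channel_metrics(EVENTS).items():
        print(channel, m)
```

Two design choices matter. First, reporting is measured independently of failure, so a user who disclosed and then reported 45 minutes later shows up in both the failure rate and the time-to-report distribution instead of being silently counted as a pure loss. Second, the repeat-failure cohort is keyed by channel, which is what lets a program notice that the same person passes every email lure and fails every phone one.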

Keepnet recommendation

  • Require callback verification for payment, credential, and account recovery requests
  • Train front-line teams on the vishing scenarios that match your business model
  • Measure reporting speed and repeat failures, not LMS exports alone
  • Pair awareness content with incident-response steps people can follow on a live call




Frequently Asked Questions

How is AI deepfake voice different from traditional vishing?


Traditional vishing often uses generic scripts or spoofed caller ID. Deepfake voice can mimic a known executive or vendor in real time, which raises success rates on finance and help-desk workflows. G00847786 treats audio deepfake plus social engineering as a distinct incident class (41% of orgs in the 2026 CISO survey, n=297).

What is vishing in cybersecurity?


Vishing (voice phishing) is a social engineering attack that uses phone calls to impersonate trusted parties and steal credentials, authorize fraud, or reset accounts. DBIR 2026 tracks pretexting (voice/chat/callback) as 6% of initial access in the breach sample.

What is the difference between phishing and vishing?


Phishing usually uses asynchronous messages (email, links). Vishing uses live or callback voice calls. DBIR 2026 reports phishing at 16% and pretexting at 6% of initial access; phone-centric simulations show a ~2% median failure rate vs ~1.4% for email.

What are common vishing attack examples?


Fake bank fraud departments, IT help-desk lockout calls, executive wire requests, vendor invoice changes, and callback scams that start with email. Help-desk MFA reset attacks (MGM-class incidents) remain a top enterprise pattern.

How do you detect a vishing call?


Red flags: refusal to use a published callback number, urgency for payment or secrets, spoofed caller ID with a script that asks for passwords or MFA codes, and executives who will not verify on a second channel. Train pause-and-verify, not keyword spotting alone.

How can organizations prevent vishing?


Publish callback rules, run voice phishing simulations on real workflows, require ticket IDs before help-desk resets, enforce out-of-band approval for wires, and measure reporting rate and time-to-report.

What vishing statistics matter in 2026?


Lead with DBIR 2026: pretexting 6% initial access, phone sim median ~2% vs email ~1.4%. Add Gartner deepfake gap (35% affected vs 10% training priority) and labeled Keepnet voice simulation data where applicable.