What Is Vishing? Voice Phishing Meaning, Stats & Protection (2026)
Vishing (voice phishing) uses phone calls to steal credentials and authorize fraud. DBIR 2026: pretexting 6% of initial access; phone sim median ~2% vs email ~1.4%. Detection and exec verification playbook.
Ozan Ucar, Founder and CEO of Keepnet
Vishing (voice phishing) is social engineering by phone: spoofed caller ID, cloned voices, or callback lures that push people to share credentials, approve wires, or reset accounts without a second-channel check.
The Verizon 2026 DBIR attributes pretexting (live voice, chat, or callback manipulation) to 6% of initial access in the breach sample. Median simulation failure rates run ~1.4% on email and ~2% on phone-centric scenarios (~40% higher, DBIR 2026, p. 50). If you only train email, you grade the easier test.
Gartner's 2025 Secure Behavior Strategies Survey (n=65) found 73% of leaders prioritize phishing reporting metrics, but only 10% prioritize deepfake recognition training (G00840741). The 2025 AI Risk Management Survey (n=302) reports 35% of organizations affected by deepfake incidents.
Source: Gartner, "6 Ways to Transform Your Cybersecurity Awareness Program" (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65).
Keepnet's Extended Human Risk Management Platform (xHRM) pairs multi-channel simulations with Secure Behavior Management (SBM) outcomes. Identity is what you verify on a separate channel, not what caller ID displays.
For channel-wide numbers, see our 2026 phishing statistics hub and dedicated vishing statistics guide.
The honest read
Vishing wins when verification is vague. Help desks and executives are the highest-risk roles because attackers target workflow shortcuts, not ignorance of definitions.
What I'd do this quarter
Publish one rule: no payment, credential reset, or wire transfer on voice alone. Model callback verification in town halls. Run voice phishing simulations mapped to real approval workflows.
According to the Federal Trade Commission (FTC), vishing is defined as "a type of phishing that uses the telephone to steal personal information or money from unsuspecting victims by pretending to be a trusted entity."
Similarly, the Cybersecurity and Infrastructure Security Agency (CISA)'s vishing definition is "a social engineering attack where cybercriminals trick individuals into providing sensitive information over the phone, often by impersonating legitimate organizations."
For audio context on phone scams and verification habits, see the Keepnet podcast episode embedded below.
Vishing definition and purpose
Regulators align on the same idea: vishing uses the telephone to impersonate a trusted party. FTC and CISA both define it as phone-based social engineering to steal information or money.
| Objective | What attackers want |
|---|---|
| Credential harvest | Passwords, MFA codes, account recovery details |
| Payment fraud | Wire transfers, gift cards, invoice changes |
| Account takeover | Help-desk resets, vendor portal access |
| Urgency leverage | Fake fraud alerts, executive requests, IT lockouts |
Purpose of vishing attempts
Phishing vs vishing vs smishing
DBIR 2026 treats asynchronous messaging phishing (16% initial access) separately from pretexting (6%). Same human target, different channel mechanics.
| Channel | Delivery | Typical ask |
|---|---|---|
| Phishing (email) | Async message + link | Click, login, download |
| Vishing (voice) | Live or callback call | Verify identity, approve payment, reset MFA |
| Smishing (SMS) | Text + link or reply | Track package, bank alert, MFA code |
Simulation programs should exercise all three channels (phishing, vishing, and smishing), not email alone.
Why attackers use voice over email
Attackers optimize for speed and authority. A live voice creates social pressure that email cannot. Finance, IT help desk, and executive assistants see the highest-volume targeted scenarios.
“Most days, I pick up the phone and ask myself, who’s really on the other end? Today’s vishing attacks, which involve fake voice calls that sound like those from a trusted colleague, aim to steal passwords, trigger wire transfers, or obtain a quick ‘yes’ to reset an account. We’ve seen callers impersonate IT staff, vendors, and even CEOs to gain unauthorized access to our customers’ systems. Their purpose is simple: jump the digital fence by fooling a human. The fix is still in practice. Put your people through real-world vishing drills so they hear the tricks, challenge the caller, and hang up or verify every time. That everyday skepticism protects more data than any firewall.”
How to detect vishing calls
- Caller refuses a callback to a published number on the company website
- Urgent payment or credential request with no ticket reference
- Caller ID looks internal but the script asks for secrets (passwords, MFA codes)
- Background noise or hold music designed to sound like a call center
- Executive or vendor voice that will not verify on a second channel
Where teams get this wrong
Detection is no longer about spotting robots. Lisbon University research (2024) found that more than half of test subjects believed they were speaking with a human during AI voice interactions. Treat that as academic research, not a global rate.
Practical next step
Train a pause-and-verify reflex: get a name, ticket ID, and call back on a known number. Measure time-to-report, not quiz scores.
Vishing trends in 2026
Three shifts matter for program design:
- AI voice cloning: Deepfake and voice-synthesis tools lower the cost of credible executive impersonation (see deepfake statistics).
- Callback chains: Email lures that push victims to call an attacker-controlled number (callback phishing).
- Help-desk targeting: MFA reset and password recovery workflows remain the fastest path to enterprise access.
Keepnet's 2024 Vishing Response Report (vendor simulation data, labeled as such) found that 70% of organizations were exposed to simulated vishing and 6.5% of employees disclosed sensitive information in voice drills. Use it alongside DBIR medians, not as a breach-rate substitute (full report).
Real-world vishing cases
MGM Resorts (September 2023): Industry reporting describes vishing to the IT help desk to reset MFA; SEC filings cite ~$100M impact. Control gap: help-desk verification before privilege changes.
Arup deepfake CFO (January 2024): Multi-person video call with synthetic executives; ~$25.6M loss (HK Police briefing). Control gap: out-of-band executive approval for wires.
Sony partner lure (Keepnet customer drill): see Ibrahim Ucar's field note below. A help-desk agent who had just completed a vishing drill demanded a ticket number, and the call ended.
“That last lure almost worked on one of our fastest-growing tech customers. A caller claiming to be a Sony partner offered free game keys and asked employees to ‘verify’ their corporate email and ID, really a ploy to harvest credentials and pivot into the dev cloud. A help-desk agent who had just completed our vishing drill paused, demanded a ticket number, and the line went dead. The lesson is clear: vishing succeeds when curiosity or urgency overrides routine verification, so train people to slow the call, challenge, and confirm on a separate channel.”
Common vishing methods
| Method | How it works | Who is targeted |
|---|---|---|
| CEO / executive fraud | Urgent wire or purchase approval | Finance, assistants |
| IT help-desk impersonation | Fake lockout, MFA reset | All staff; help desk |
| Bank / fraud alert | Account compromise verification | General workforce |
| Vendor / supplier | Invoice or banking detail change | AP, procurement |
| Callback phishing | Email sends victim to attacker phone line | Mixed; often finance |
| Deepfake voice / video | Cloned executive on call or meeting | Finance, legal, C-suite |
How to prevent vishing attacks
- No secrets on inbound calls: passwords, MFA codes, and recovery links go through approved portals only
- Callback rule: hang up and dial the published number for IT, bank, or vendor
- Executive wire policy: second approver plus out-of-band confirmation for any voice-initiated payment
- Help-desk playbook: ticket required before MFA reset; vishing drills for privileged roles
- Report rate KPI: track suspicious call reports and time-to-report, not training completion alone
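The five rules above can be written down as a policy check a help desk or finance team can run before acting on a voice request. The following is an added example, not Keepnet platform code; the published-number directory, the request records, and the field names are constructed for illustration. It encodes the rules directly: secrets are refused on inbound calls, identity is established by a callback to the published number rather than by caller ID, an MFA reset needs a ticket reference, and a voice-initiated payment change needs a second approver plus out-of-band confirmation.

```python
"""Policy check for voice-initiated requests (added example, not Keepnet code).

Encodes the prevention rules from the text: no secrets on inbound calls,
callback to a published directory number, ticket before MFA reset, second
approver plus out-of-band confirmation for voice-initiated payments.
All directory entries and request records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample directory: the only numbers staff may dial back.
# A real deployment would read these from the corporate directory / vendor master.
PUBLISHED_NUMBERS = {
    "it-helpdesk": "+1-555-0100",
    "acme-bank": "+1-555-0200",
    "vendor-northwind": "+1-555-0300",
}

# Items that must never be handled on an inbound call.
SECRET_ITEMS = {"password", "mfa_code", "recovery_link"}

PAYMENT_TYPES = {"wire_transfer", "bank_change"}


@dataclass
class VoiceRequest:
    request_type: str                      # "mfa_reset", "wire_transfer", "bank_change", "info"
    claimed_party: str                     # who the caller says they are (directory key)
    callback_number: Optional[str]         # number the agent actually dialed back, if any
    ticket_id: Optional[str] = None
    second_approver: Optional[str] = None
    oob_confirmed: bool = False            # confirmed on a separate, known channel
    items_requested: Set[str] = field(default_factory=set)


def evaluate(req: VoiceRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Any failed rule blocks the request."""
    reasons: List[str] = []

    # Rule 1: secrets go through approved portals only, never over an inbound call.
    leaked = req.items_requested & SECRET_ITEMS
    if leaked:
        reasons.append(f"refuse on voice: {sorted(leaked)} go through approved portals only")

    # Rule 2: identity is the callback to the published number, not caller ID.
    expected = PUBLISHED_NUMBERS.get(req.claimed_party)
    if expected is None:
        reasons.append(f"unknown party '{req.claimed_party}': not in directory")
    elif req.callback_number != expected:
        reasons.append(f"no callback to published number {expected}")

    # Rule 3: privilege changes need a ticket reference before the reset happens.
    if req.request_type == "mfa_reset" and not req.ticket_id:
        reasons.append("mfa_reset requires a ticket reference")

    # Rule 4: voice-initiated payments need a second approver and out-of-band confirmation.
    if req.request_type in PAYMENT_TYPES:
        if not req.second_approver:
            reasons.append("payment change requires a second approver")
        if not req.oob_confirmed:
            reasons.append("payment change requires out-of-band confirmation")

    return (not reasons, reasons)


# Constructed sample requests.
GOOD_RESET = VoiceRequest("mfa_reset", "it-helpdesk", "+1-555-0100", ticket_id="INC-1042")
BAD_RESET = VoiceRequest("mfa_reset", "it-helpdesk", None, items_requested={"mfa_code"})
UNCONFIRMED_WIRE = VoiceRequest("wire_transfer", "vendor-northwind", "+1-555-0300",
                                second_approver="controller", oob_confirmed=False)


if __name__ == "__main__":
    for name, req in [("good reset", GOOD_RESET), ("bad reset", BAD_RESET),
                      ("unconfirmed wire", UNCONFIRMED_WIRE)]:
        approved, reasons = evaluate(req)
        print(name, "->", "APPROVE" if approved else "BLOCK", reasons)
```

The output is a list of reasons rather than a single yes/no, because the reasons are what the agent reads back to the caller ("I need a ticket number and I will call the help desk line back") and what a suspicious-call report should contain.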
Run vishing simulations tied to the workflows above. Pair with 2026 phishing statistics for board-ready channel comparison (email ~1.4% vs phone ~2% DBIR medians).
Why vishing still works in 2026
Vishing succeeds because it shortcuts verification. A live voice adds urgency and false legitimacy faster than most email lures. The gap is usually operational: no calm path for help-desk staff under pressure.
We see failure rates drop when simulations mirror real workflows (payment approval, login recovery, vendor changes), not generic bank-fraud scripts. Completion rate is a comforting metric; reporting speed and repeat-failure cohorts are security outcomes.
Keepnet recommendation
- Require callback verification for payment, credential, and account recovery requests
- Train front-line teams on the vishing scenarios that match your business model
- Measure reporting speed and repeat failures, not LMS exports alone
- Pair awareness content with incident-response steps people can follow on a live call
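The paragraph on failure rates above and the recommendation to measure reporting speed and repeat failures both describe outcome metrics rather than completion counts. The following added example (not Keepnet platform code) computes those outcomes from a drill log: disclosure rate and report rate per drill, median time-to-report, and the repeat-failure cohort (employees who disclosed in two or more drills). The drill log, user names, and field names are constructed sample data.

```python
"""Vishing drill outcome metrics (added example, not Keepnet code).

Computes the outcomes the text prefers over completion rate: per-drill
disclosure rate, report rate, median minutes-to-report, and the
repeat-failure cohort. DRILL_LOG is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed sample log. "disclosed" = the employee gave the caller what was asked;
# "reported_at" = when the employee reported the call, or None if never reported.
DRILL_LOG = [
    {"drill": "Q1-helpdesk", "user": "alice", "called_at": "2026-01-14T09:02:00", "disclosed": False, "reported_at": "2026-01-14T09:06:00"},
    {"drill": "Q1-helpdesk", "user": "bob",   "called_at": "2026-01-14T09:05:00", "disclosed": True,  "reported_at": None},
    {"drill": "Q1-helpdesk", "user": "carol", "called_at": "2026-01-14T09:08:00", "disclosed": False, "reported_at": None},
    {"drill": "Q1-helpdesk", "user": "dave",  "called_at": "2026-01-14T09:10:00", "disclosed": True,  "reported_at": "2026-01-14T09:40:00"},
    {"drill": "Q2-vendor",   "user": "alice", "called_at": "2026-04-02T11:00:00", "disclosed": False, "reported_at": "2026-04-02T11:03:00"},
    {"drill": "Q2-vendor",   "user": "bob",   "called_at": "2026-04-02T11:02:00", "disclosed": True,  "reported_at": None},
    {"drill": "Q2-vendor",   "user": "carol", "called_at": "2026-04-02T11:05:00", "disclosed": False, "reported_at": "2026-04-02T11:15:00"},
    {"drill": "Q2-vendor",   "user": "dave",  "called_at": "2026-04-02T11:10:00", "disclosed": False, "reported_at": "2026-04-02T11:20:00"},
]


def _minutes_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def drill_metrics(log: List[dict]) -> Dict[str, dict]:
    """Per-drill outcome metrics: disclosure rate, report rate, median minutes-to-report."""
    per_drill: Dict[str, List[dict]] = defaultdict(list)
    for row in log:
        per_drill[row["drill"]].append(row)

    result: Dict[str, dict] = {}
    for name, rows in per_drill.items():
        n = len(rows)
        reported = [r for r in rows if r["reported_at"]]
        minutes = [_minutes_between(r["called_at"], r["reported_at"]) for r in reported]
        result[name] = {
            "targets": n,
            "disclosure_rate": round(sum(1 for r in rows if r["disclosed"]) / n, 3),
            "report_rate": round(len(reported) / n, 3),
            # Reporting after disclosing still counts: a late report shortens the
            # window between compromise and containment.
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return result


def repeat_failure_cohort(log: List[dict], min_failures: int = 2) -> List[str]:
    """Users who disclosed in at least `min_failures` drills; the group to retrain first."""
    failures: Dict[str, int] = defaultdict(int)
    for row in log:
        if row["disclosed"]:
            failures[row["user"]] += 1
    return sorted(user for user, count in failures.items() if count >= min_failures)


if __name__ == "__main__":
    for drill, m in drill_metrics(DRILL_LOG).items():
        print(drill, m)
    print("repeat-failure cohort:", repeat_failure_cohort(DRILL_LOG))
```

Between the two constructed drills the disclosure rate falls and the report rate rises, which is the trend a program owner wants to show; the cohort list is what the next round of targeted training is built from, independent of how many people completed a module.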
Sources
- Verizon 2026 DBIR (Keepnet summary)
- Keepnet 2024 Voice Phishing Response Report
- Lisbon University AI voice study (arXiv, 2024)
- Gartner G00840741, G00840678, G00846628 (labeled in body)
- FTC consumer guidance
- CISA