Vishing: Why Is the Human Voice More Effective Than Malware?
Vishing, or phishing by phone, is becoming one of the most sophisticated forms of cyberattack. It doesn’t require any malicious files or complex hacking, just a convincing voice and a well-crafted script. In this article, we’ll explore why vishing is so effective, who its targets are, what techniques attackers use and, most importantly, how to protect yourself against it.
Let’s start with some statistics [1] to understand why vishing is so dangerous:
- In the second half of 2024, vishing incidents increased by 442% compared to the first half of the year.
- Around 20% of vishing victims are people over 60, but the problem affects all age groups.
- Up to 70% of organizations have been targeted by vishing, with an average annual loss of $14 million per company.
- Skilled criminal groups achieve a success rate of up to 77% with vishing attacks.
A convincing phone call!
Attackers are well aware that people have become somewhat used to fraudulent emails and text messages. These forms of communication are also easy to ignore. In contrast, a phone call feels much more personal and urgent—and that’s exactly what attackers take advantage of. What also helps them is a technique called spoofing. This is when an attacker deliberately alters the information shown on the recipient’s screen to impersonate someone else. So, if your phone displays a call from a saved contact or shows "Police" or "T-Mobile," it doesn’t necessarily mean the call is actually from those institutions. However, it instantly adds a layer of credibility.
Source of phone numbers?
You may have already asked yourself: how did the attackers even get my number? Unfortunately, there are several ways—and none of them are particularly complicated. The most common source is data breaches—phone numbers often end up in databases that have been compromised in the past (e.g., from online shops, services, or customer accounts). Attackers also frequently buy contact details on the black market, where entire bundles of user data are sold. Another source is publicly available information, such as websites of clubs or associations. Sometimes, a phone number can even be found through reverse lookup based on a name, especially when combined with other information like an email address or social media profile.
Sophistication and Use of AI
Various phishing tactics are often combined in these attacks. You might first receive a fake SMS or email meant to create a sense of risk. Shortly after, a phone call comes in from an alleged representative of a bank or another institution, who "warns" you about the threat and pretends to help. In reality, however, they push you to act quickly — for example, to log into your online banking, share your login details, or transfer money to a "safe account." The result is usually the loss of sensitive data and financial assets. You can see a step-by-step example of how such a hybrid scam works here. And as if the level of sophistication weren’t enough, AI is also entering the game in favor of the attackers. They can use it to imitate the voices of familiar people. And if the victim hears their boss’s or child’s voice on the other end of the line, it significantly increases the attacker’s chances of success.
However, AI can also be used for defense. The British telecommunications company Virgin Media O2 has introduced an innovative solution in the fight against phone scammers - an AI grandmother named Daisy. This artificial intelligence is designed to mimic an elderly lady who engages scammers in seemingly innocent but deliberately long-winded conversations. Her goal is to keep scammers on the line for as long as possible, preventing them from reaching real victims. You can see how this grandmother works here.
Fraudulent Call Centers!
Vishing can be highly profitable for criminals, which is why they quickly scale their "business." In many countries, entire call centers are established, sometimes with dozens of operators: scammers who make calls to potential victims. These call center workers are often well-trained and know how to psychologically manipulate their targets into fully trusting them. It’s true that banks usually block suspicious transactions and contact the account holder to verify whether fraud is taking place. However, attackers anticipate this and prepare their victims for these conversations with bank security staff. It often turns into a battle of persuasion over who earns the victim’s trust first. You can see how a bank handles a client being scammed in real time here. In this battle of manipulation, it is ultimately the awareness and preparedness of the victim that makes all the difference.
How to Protect Yourself?
Attackers know very well how to manipulate their victims. That’s why, in the case of a suspicious phone call (such as a request for a transfer, a threat, a demand to verify a code, pressure to install an app, or an investment offer), it’s crucial to stay calm and not let emotions take over. Don’t be misled by a familiar number or the name of an institution showing on your phone screen; that can also be spoofed. If someone calls you, you can never be 100% sure who is really on the other end. If you feel something is off, hang up immediately and verify the situation directly with your bank or the relevant institution, either by visiting in person or calling their official customer support line. This applies even if the call seems to come from a known or saved number: always verify the situation through a different communication channel or in person.
Final word
Vishing is no longer just about a random call from a strange number. It has become a sophisticated tool of modern scammers, who use psychology, technology, and artificial intelligence to gain the most valuable thing we have - our trust. And trust is the key in this game. Attackers exploit it to make us act quickly, under pressure, and against our own judgment. As statistics show, it’s not just the less tech-savvy senior citizen who’s at risk, but also experienced employees, entrepreneurs, and even IT professionals. Vishing is an attack on emotions, not on software. And that’s exactly why the best defense is education, awareness, and a healthy dose of caution. Answering the phone isn’t dangerous. But blindly trusting the caller is. And if you want to deepen your knowledge about phishing - including specific scenarios, modern trends, and practical defense tips - be sure to check out our PhisProof course, which will guide you through the topic from A to Z.