What is vishing? Voice phishing is on the rise – expert tips for recognizing and stopping it

ZDNET

Cybercriminals and hackers use a variety of methods to steal sensitive information from individuals and organizations. Vishing, or voice phishing, is an increasingly popular approach. Here the attacker tricks someone into sharing account credentials or other information over a simple phone call. According to the latest data from the security company CrowdStrike, these types of attacks have been on the rise.

In its 11th annual report, the 2025 CrowdStrike Global Threat Report, the security provider reported that vishing attacks increased by 442% in the second half of 2024 compared to the first half. CrowdStrike Intelligence tracked at least six similar but distinct campaigns throughout the year in which attackers posing as IT staff called employees at various organizations.

Help Desk Social Engineering

In these particular campaigns, the fraudsters tried to convince their intended victims to set up remote support sessions, usually with Microsoft Quick Assist on Windows. In many of them, the attackers used Microsoft Teams to make the phone calls. At least four of the campaigns seen by CrowdStrike used spam bombing, sending thousands of junk emails to the targeted users, as a pretext for the supposed support call.

The type of vishing used in these attacks is often referred to as help desk social engineering. Here the cybercriminal, pretending to be a help desk or IT professional, emphasizes the urgency of the call in response to an invented threat. In some cases, the attacker asks for the person's password or other login information. In other cases, such as those documented in the report, the fraudster tries to gain remote access to the victim's computer.

Callback Phishing

Another tactic that CrowdStrike has seen is callback phishing. Here the criminal sends an email to a person about some urgent but bogus matter. This could be a claim about an overdue bill, a message that you have subscribed to a service, or a warning that your account has been compromised. The email contains a phone number for the recipient to call. However, this number leads directly to the fraudster, who tries to persuade you to share your credit card data, account credentials or other information.

Since these attacks are usually aimed at organizations, ransomware is another key component. By gaining access to network resources, user or customer accounts and other sensitive data, attackers can hold the stolen information for ransom.

In its report, CrowdStrike identified several cybercriminal groups that use vishing and callback phishing in their attacks. A group known as Chatty Spider focuses mainly on the legal and insurance industries and has demanded ransoms of up to $8 million. Another group, called Plump Spider, targeted Brazil throughout 2024 and uses vishing calls to direct employees to remote sites and tools.

“Similar to other social engineering techniques, vishing is effective because it is more of human weakness or a mistake than an error in the software or in an operating system (OS),” CrowdStrike said in its report. “Malignant activities may only be determined later in a penetration, for example in the case of malicious binary execution or practical keyboard activity, which can delay an effective reaction. This gives the threat player an advantage and obliges users to identify potentially malicious behavior.”

Other security companies have also recorded a dramatic increase in vishing attacks.

Last October, the zLabs research team at Zimperium uncovered malware known as FakeCall, which is notable for its advanced use of vishing. Here the fraudsters use phone calls to get potential victims to share sensitive information such as credit card numbers and banking credentials. FakeCall itself works by hijacking the call functions on Android phones to install the malware.

Tips for protection against Vishing attacks

To protect yourself, your employees and your organization from vishing attacks and similar threats, CrowdStrike offers the following tips:

  • Require video authentication with a government ID for employees who call the help desk to request a password reset.
  • Train help desk employees to be careful when handling phone calls involving password or MFA (multi-factor authentication) requests. They should be particularly careful if these calls occur outside of regular business hours or if a high number of such requests arrives in a short time.
  • Use more advanced authentication methods such as FIDO2 to protect against account compromise.
  • Monitor for attempts in which more than one person tries to register the same device or phone number for MFA.
  • Offer regular security training for employees. Teach them how to recognize phishing attempts and social engineering attacks.
  • Apply regular security patches and other fixes to address critical vulnerabilities.
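The monitoring tips above (shared MFA registrations, off-hours or high-volume reset calls) can be turned into simple detections. The following is an added example, not code from CrowdStrike or the article; the event schema, business hours and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a vendor schema.
EVENTS = [
    {"ts": "2025-03-03T10:02:00", "type": "mfa_register", "user": "alice", "factor": "+1-555-0100"},
    {"ts": "2025-03-03T22:41:00", "type": "reset_request", "user": "bob"},
    {"ts": "2025-03-03T22:47:00", "type": "reset_request", "user": "carol"},
    {"ts": "2025-03-03T22:55:00", "type": "reset_request", "user": "dave"},
    {"ts": "2025-03-03T23:05:00", "type": "mfa_register", "user": "bob", "factor": "+1-555-0199"},
    {"ts": "2025-03-03T23:09:00", "type": "mfa_register", "user": "dave", "factor": "+1-555-0199"},
    {"ts": "2025-03-04T11:15:00", "type": "reset_request", "user": "erin"},
]

def shared_mfa_factors(events):
    """Return {factor: sorted users} for factors registered by more than one user."""
    owners = defaultdict(set)
    for e in events:
        if e["type"] == "mfa_register":
            owners[e["factor"]].add(e["user"])
    return {f: sorted(u) for f, u in owners.items() if len(u) > 1}

def off_hours_resets(events, start_hour=8, end_hour=18):
    """Return users whose reset requests arrived outside business hours or on weekends."""
    flagged = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "reset_request" and (t.weekday() >= 5 or not start_hour <= t.hour < end_hour):
            flagged.append(e["user"])
    return flagged

def reset_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Return (window_start, count) when resets inside one sliding window reach the threshold."""
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events if e["type"] == "reset_request")
    bursts, lo = [], 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:  # drop requests older than the window
            lo += 1
        if hi - lo + 1 == threshold:   # report at the moment the threshold is reached
            bursts.append((times[lo].isoformat(), hi - lo + 1))
    return bursts
```
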

Some security experts also shared their recommendations with ZDNET.

“If systems are offline as soon as a threat is recognized, it is an important first step in containment, but is insufficient by itself,” said Patrick Tiquet, Vice President of Security and Architecture at Keeper Security.

“In order to counter secondary tactics such as Vishing, security teams should quickly inform customers and partners about the violation of official channels and give clear instructions on how to protect themselves from these threats,” added Tiquet. “Training meetings for employees and stakeholders to recognize these attempts and to review unwanted communication before they share confidential information are crucial.”

Individual users and consumers should also be wary of unexpected phone calls that sound legitimate.

“When I speak to colleagues, friends and family, I remind them that it is time to question everything when a call is unexpected and asks for personal or financial information,” said Akhil Mittal, Senior Manager at security provider Black Duck.

“I also emphasize how important it is to slow down, check who calls and never hesitate. Just because a caller knows your address or part of your account number does not make them legitimate. Criminals often have this information beforehand. If the caller