2 July 2026 • Cyber security
Most people have been trained, or at least warned, to be suspicious of emails asking for passwords, bank details or urgent action. Attackers know this. That is partly why vishing has grown in prevalence: it uses the phone rather than email to manipulate victims, exploiting the trust and real-time pressure that a live conversation creates. Understanding what vishing is, how it works and why it is effective is the first step to making your employees resistant to it.
Vishing meaning: what does the term mean?
Vishing is a portmanteau of “voice” and “phishing.” It refers to social engineering attacks carried out over the phone, either via a traditional call, a VoIP call or increasingly through AI-generated voice messages, with the goal of tricking the target into revealing sensitive information, transferring money or granting access to systems.
The vishing meaning is essentially the same as phishing: deceive someone into doing something they would not do if they understood what was really happening. The difference is the channel. Where phishing uses email and smishing uses SMS, vishing uses voice, and voice carries a layer of perceived legitimacy that text does not.
A caller who sounds confident, uses the right terminology and creates a plausible scenario (a bank security check, an IT helpdesk call, a supplier confirming payment details) can convince employees who would have spotted the same request in an email within seconds.
How a vishing attack works
Vishing attacks are rarely random. Attackers typically research their target before calling, using LinkedIn, company websites, data from previous breaches or information gathered through earlier phishing attempts. The more an attacker knows about the target and their organisation, the more convincing the call can be.
A typical vishing scenario follows a recognisable pattern:
- Impersonation. The caller pretends to be someone the target has reason to trust: a bank employee, an IT support technician, a tax authority, a senior colleague or a supplier.
- Urgency or authority. The caller creates pressure: there is a problem that needs to be solved right now, or they invoke authority (“your manager asked me to call”). This short-circuits the target’s instinct to pause and verify.
- Request. The caller asks for something: a password, a one-time code, confirmation of bank details, access to a system, or a payment transfer.
- Exit. Once the information or action is obtained, the call ends quickly. By the time the target realises something was wrong, the damage is done.
Vishing works because it is hard to apply the same critical filters in a live phone conversation that you would use when reading a suspicious email. The social pressure of a real-time interaction overrides caution, and attackers count on exactly that.
Vishing, phishing and smishing: what is the difference?
Vishing is one of several voice- and message-based social engineering techniques. Understanding how they differ helps organisations train employees to recognise each one.
| Technique | Channel | Common scenario | Why it works |
|---|---|---|---|
| Phishing | Email | Fake login page, urgent account warning | Volume and visual deception |
| Vishing | Phone / voice | Fake bank call, IT helpdesk impersonation | Real-time pressure, voice authority |
| Smishing | SMS / messaging app | Fake delivery notice, payment link | Mobile context, brief format, links feel natural |
| Spear phishing | Email (targeted) | Personalised email using known details | Specificity, feels legitimate because it knows you |
In practice, these techniques are often combined. An attacker may send a phishing email first, then follow up with a vishing call claiming to be from IT support about the email the target just received. Each channel reinforces the credibility of the other.
Vishing in practice: recognisable scenarios
Vishing attacks are not abstract threats. These are scenarios that organisations, including Dutch businesses, encounter regularly:
- The IT helpdesk call. A caller claims to be from internal IT support, says there is suspicious activity on the employee’s account and asks them to confirm their password or install a remote access tool “to fix the issue.”
- The bank security call. A caller impersonating a fraud department warns that the company’s bank account has been compromised and asks the target to confirm account details or authorise a “test transfer.”
- The CEO or CFO call. Known as CEO fraud or BEC (Business Email Compromise), this involves a caller impersonating a senior executive and pressuring a finance employee to make an urgent wire transfer, often on a Friday afternoon.
- The supplier confirmation call. A caller claims to be from a known supplier and asks to update bank account details for future payments, redirecting payments to an attacker-controlled account.
- The AI deepfake call. Using AI-cloned voice technology, attackers can now impersonate actual colleagues or executives with startling accuracy. Employees receive a call that sounds exactly like their manager, asking for login credentials or urgent payment approval.
How security awareness training protects against vishing
Technical controls do not stop vishing. Spam filters, firewalls and endpoint security tools are irrelevant when an attacker picks up the phone. The only effective defence is a workforce that recognises manipulation tactics and knows what to do when something feels off.
That is built through training: not a one-time presentation, but recurring practice that builds habits. Effective security awareness training for vishing covers several things:
- Recognising the triggers. Urgency, authority, unusual requests, requests to bypass normal procedures. Employees who can name these patterns are slower to comply with them.
- The right to verify. Employees need to know it is always acceptable to say “I’ll call you back on the number I have on file”, even if the caller is the CEO. Building that habit requires explicit permission from management and reinforcement through training.
- What to do after. If an employee suspects they have been targeted by a vishing call, or worse, complied with one, they need a clear escalation path. Reporting should be normalised, not stigmatised.
- Keeping up with evolving tactics. AI voice cloning, deepfakes and increasingly personalised attacks mean the threat landscape changes fast. Training needs to keep pace, which is why short, frequent sessions beat annual refreshers.