
Illustration by iStock; Security Management

Vishing is Calling. Don't Answer.

Who’s on the phone? It might be cybercriminals.

Cybersecurity firm CrowdStrike recently reported a 442 percent increase in vishing intrusions between the first and second halves of 2024. Vishing—also known as voice phishing—is a type of social engineering attack where scammers use phone calls to trick victims into revealing information.

As technical cybersecurity defenses get stronger, experts predict a rise in social engineering attacks that target the weakest link: people. Vishing is particularly effective because it exploits human weakness rather than technology flaws, and a phone call leaves little for technical controls to catch, which delays detection and response.

In the campaigns CrowdStrike tracked and reported in its 2025 Global Threat Report, threat actors largely impersonated IT support staff trying to resolve connectivity or security issues to gain access to or otherwise compromise users’ devices. Some attackers leveraged spam bombing—sending thousands of spam emails to the targeted person—as pretext for the vishing call.

Chatty Spider—a Russia-based eCrime group—used callback phishing as a tactic to launch data theft and extortion campaigns.

“In callback phishing, threat actors typically begin by sending a lure email to targeted users, often regarding an imminent charge or overdue payment,” the report said. “This prompts users to initiate a phone interaction.”

The victim is instructed to download a remote monitoring and management (RMM) tool, providing adversaries with an entry into their systems.

Online crime groups are also leveraging helpdesk social engineering tactics. Adversaries will mimic a legitimate employee—often using personal information gleaned from open-source data, social media, or underground data markets to overcome security questions—and try to persuade an IT helpdesk agent to reset passwords or multifactor authentication (MFA) for an account, enabling them to access it.

CrowdStrike warned that these attempts are likely to grow in 2025, noting that chatter about the methods on criminal forums is getting louder.

“Over the past year, several eCrime actors have openly recruited callers on popular eCrime forums. The advertisements are usually for English-speaking callers with knowledge of RMM tooling and experience conducting remote sessions,” the report said. “Some eCrime actors have also sought effective methods for spoofing phone numbers or encrypting calls to ensure caller IDs can be edited and appear more legitimate. This activity suggests phone-oriented social engineering will be a credible threat in 2025 as demand for these capabilities increases.”

The report recommends that organizations require video authentication with a government ID for employees requesting self-service password resets, to help mitigate vishing attempts.

Organizations can also “train help desk employees to exercise caution when taking password and MFA reset request phone calls made outside of business hours, particularly if an unusually high number of requests is made in a short time frame or if the caller purports to be calling on behalf of a colleague,” the report said.
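The report's help desk guidance amounts to three risk signals on a reset call: it arrived outside business hours, it is one of an unusual cluster of requests, or the caller is asking on behalf of a colleague. The script below, an added example rather than anything from CrowdStrike or the report, triages a constructed log of reset requests against those signals and routes any flagged ticket to step-up verification (such as the video-plus-ID check above). The business hours, burst window, threshold and sample records are all assumptions chosen for illustration.

```python
"""Triage help desk password/MFA reset calls against the risk signals the
report names: out-of-hours calls, bursts of requests, and callers acting
'on behalf of' a colleague.  Added example; the policy values, record
format and sample log below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, not taken from the report.
BUSINESS_START, BUSINESS_END = 8, 18   # 08:00-18:00 local time
BUSINESS_DAYS = range(0, 5)            # Monday-Friday
BURST_WINDOW = timedelta(minutes=30)   # look this far either side of a call
BURST_THRESHOLD = 3                    # this many calls in the window is a burst

FLAG_OUT_OF_HOURS = "out_of_hours"
FLAG_BURST = "burst"
FLAG_ON_BEHALF = "on_behalf_of_colleague"


@dataclass(frozen=True)
class ResetRequest:
    ticket: str
    received: datetime      # local time the call came in
    target_user: str        # account the caller wants reset
    on_behalf: bool         # caller says they are calling for someone else
    kind: str               # "password" or "mfa"


def out_of_hours(ts: datetime) -> bool:
    """True when the call arrived outside the assumed business window."""
    weekday_ok = ts.weekday() in BUSINESS_DAYS
    hour_ok = BUSINESS_START <= ts.hour < BUSINESS_END
    return not (weekday_ok and hour_ok)


def burst_size(req: ResetRequest, log: list[ResetRequest]) -> int:
    """Number of reset calls (including this one) within BURST_WINDOW of req."""
    return sum(1 for r in log if abs(r.received - req.received) <= BURST_WINDOW)


def triage(log: list[ResetRequest]) -> dict[str, list[str]]:
    """Map each ticket to the risk flags it raises (empty list = routine)."""
    result: dict[str, list[str]] = {}
    for req in log:
        flags = []
        if out_of_hours(req.received):
            flags.append(FLAG_OUT_OF_HOURS)
        if burst_size(req, log) >= BURST_THRESHOLD:
            flags.append(FLAG_BURST)
        if req.on_behalf:
            flags.append(FLAG_ON_BEHALF)
        result[req.ticket] = flags
    return result


def needs_step_up(flags: list[str]) -> bool:
    """Any flag means the reset must not complete on the phone alone; route it
    to stronger verification (e.g. video call plus government ID)."""
    return bool(flags)


# Constructed sample log: one routine call, one after-hours call, and a
# cluster of three calls in 20 minutes, one of them "on behalf of" a colleague.
SAMPLE_LOG = [
    ResetRequest("T-1001", datetime(2025, 3, 3, 10, 15), "alice", False, "password"),
    ResetRequest("T-1002", datetime(2025, 3, 3, 22, 40), "bob",   False, "mfa"),
    ResetRequest("T-1003", datetime(2025, 3, 4, 14, 0),  "carol", True,  "mfa"),
    ResetRequest("T-1004", datetime(2025, 3, 4, 14, 5),  "dave",  False, "password"),
    ResetRequest("T-1005", datetime(2025, 3, 4, 14, 20), "erin",  False, "mfa"),
]

if __name__ == "__main__":
    for ticket, flags in triage(SAMPLE_LOG).items():
        action = "STEP-UP VERIFICATION" if needs_step_up(flags) else "routine"
        print(f"{ticket}: {action} {flags}")
```

The burst check looks both backwards and forwards in time, so every call in a cluster is flagged on retrospective review; a live ticketing hook would only see earlier calls and would flag the third one in the window. Any one flag is enough to deny a phone-only reset, since a single well-prepared caller with stolen personal details can answer security questions correctly.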

What other social engineering trends are emerging? CrowdStrike found that new technology is making social engineering scams even more difficult to detect.

Cyber adversaries are leveraging generative artificial intelligence (AI) to create fictitious LinkedIn profiles, deepfake videos, and voice clones that make social engineering attempts more convincing, the report said. Today's AI tools are simple enough to use that no notable expertise is needed to turn them to malicious purposes. Cybercriminals and nation-states are also using generative AI tools to spread disinformation and coordinate inauthentic behavior on social media to confuse narratives.

Large language models (LLMs) have also proven useful to cybercriminals. A 2024 study found that phishing messages generated using LLMs had a clickthrough rate of 54 percent, compared to just 12 percent for those likely written by humans.
