Vishing (Voice Phishing): How Attackers Use Phone Calls to Bypass Email Filters
Email filtering has improved substantially over the past several years. Organisations that have invested in layered email security controls see significantly lower volumes of malicious email reaching staff inboxes. Attackers notice when a channel becomes less reliable, and a portion of social engineering activity has shifted to the phone as a result. Vishing, or voice phishing, bypasses email controls entirely. There is no filter to block a phone call, and the human decision-making that happens in a real-time phone conversation is meaningfully different from the decision-making that happens when reading an email.
Vishing attacks follow a range of patterns. The most common involve an attacker impersonating a legitimate authority figure: a bank fraud team, a government agency, the organisation's IT help desk, or a senior internal leader. The caller creates urgency and credibility, asks for sensitive information or action, and exploits the social pressure of a real-time conversation to prevent the target from pausing to verify. People who would not act on a suspicious email often respond differently to a caller who sounds confident and authoritative and who is actively waiting for a response.
Why Phone Conversations Create Different Vulnerabilities
Email allows time for reflection. The email sits in the inbox. The recipient can re-read it, look up the sender, check with a colleague, or simply delay. Phone conversations do not offer the same natural pause. The caller is present. The social dynamics of conversation create pressure to respond in real time. Saying "let me check and call you back" requires assertiveness that many people find difficult when speaking with someone who sounds authoritative and legitimate. This is particularly pronounced when the caller claims to represent a powerful institution (a regulator, a bank, law enforcement) and frames any delay as a risk or problem for the target.
Cognitive load during a real-time conversation is also higher than when processing a written communication. A caller who provides a lot of information quickly, creates urgency about a problem that requires immediate action, and keeps the conversation moving does not give the target time to apply the analytical processes that might otherwise identify the approach as suspicious. This is not a failure of intelligence. It is the predictable result of how human decision-making works under the conditions a skilled social engineer deliberately creates. Training that explains these dynamics, rather than simply telling people to be sceptical of phone calls, produces better results.
Common Vishing Attack Patterns
IT help desk impersonation is one of the most consistently used vishing patterns. A caller claims to be from the IT team and needs the target's credentials or remote access to resolve an urgent security issue. The urgency framing, the apparent authority of an IT contact, and the plausibility of receiving an IT call combine to make this scenario effective. Finance and payment fraud is another major pattern: a caller impersonating a bank fraud team informs the target that their account has been compromised and guides them through "protective" steps that actually transfer money or provide account access to the attacker.
Internal impersonation is particularly effective when supported by prior research. A caller who identifies themselves as a specific named executive, references a genuine internal project or meeting, and asks for action that fits the target's normal workflow can be very convincing. With AI voice synthesis tools, the voice itself can approximate someone the target recognises, removing one of the more reliable signals that previously identified a vishing call. The intersection of open-source research and voice synthesis represents a meaningfully elevated threat compared to what was possible even a few years ago.
How to Train Against Vishing
Vishing training needs to do two things. First, it needs to create awareness of the specific patterns and techniques used in vishing attacks, so staff can recognise the shapes of these conversations even when they are well-crafted. Second, and more importantly, it needs to build and reinforce the habit of interrupting the conversation to verify through an independent channel, regardless of how authoritative or urgent the call seems.
The verification habit is the key defensive behaviour. Any call requesting credentials, payment action, or sensitive information should be treated as requiring verification before action is taken. The verification step is simple: end the conversation, look up the legitimate contact number for the organisation the caller claims to represent, and call that number to confirm the original call was genuine. This works because it removes the call from the social dynamics that the attacker has constructed. The target is no longer in a real-time conversation with an authority figure. They are independently checking a claim, with time to think.
Practising Saying No in the Moment
One of the most practically useful elements of vishing training is giving staff permission and practice saying words that feel difficult in a real-time call with an apparent authority figure. "I need to verify this before I can proceed" and "I will call you back on your official number" are simple phrases that interrupt a vishing attack effectively. Staff who have practised saying these phrases in a training context, and who have organisational permission to apply this habit without fear of seeming rude or unhelpful to a genuine caller, are significantly more likely to use them under pressure.
- Vishing bypasses email security controls entirely by using the phone as an attack channel.
- Real-time phone conversations create different and more exploitable decision-making dynamics than email.
- Common patterns include IT help desk impersonation, bank fraud team impersonation, and executive impersonation.
- AI voice synthesis is increasing the quality and believability of impersonation attacks.
- The core defensive habit is interrupting and verifying through an independent channel before acting.
- Staff need permission and practice using the phrases that interrupt vishing calls effectively.
Cyberlinx includes vishing scenarios in its role-based awareness training programmes. If you want to help your staff recognise and respond to phone-based social engineering, contact us at info@cyberlinx.com.au.
Related Articles







