Vishing attacks have surged by 442% over the past year. Attackers are moving fast to exploit the one channel that still feels trustworthy - voice communication.
While phishing emails get filtered and SMS scams are increasingly flagged, phone calls still carry a halo of legitimacy. That’s exactly what threat actors are leaning into. Using AI-generated voice clones, spoofed caller IDs, and scraped intel from social networks, they’re building pretexts that feel real enough to disarm even the most seasoned professionals.
The caller sounds like a real person. The tone carries a sense of urgency. The request (often tied to sensitive info like login credentials, bank account details, or confirmation of recent financial transactions) arrives just convincingly enough to override doubt.
This isn’t some fringe form of cyber attack anymore. These vishing calls are coming from what appear to be legitimate institutions - like financial institutions, government agencies, even internal IT teams. They reference plausible scenarios: suspicious activity on your account, a need for remote access to troubleshoot an issue, an "urgent" need for verification during a security incident. It’s a polished form of social engineering, with a psychological edge that your typical email phishing doesn’t always carry.
Most organizations still treat vishing as a novelty threat. Cybersecurity awareness training typically focuses on more traditional phishing methods: email messages, suspicious links, fake invoices. But this new wave of vishing attempts isn’t just a new type of scam under the phishing umbrella. It’s the evolution of social engineering itself - leveraging voice, urgency, and our instinct to comply with what sounds like a legitimate caller.
Which is why simulation - not explanation - is quickly becoming the only defense with real traction. Because you can’t teach people to defend against a fake phone call by showing them a PowerPoint. You have to make the phone ring.
Want to go deeper on how behavior change really happens - and how to measure it? Check out this episode of the All Things Human Risk Management Podcast.
Why are attackers using phone calls again?
The rise in vishing isn’t random... it’s the predictable outcome of three intersecting shifts: how we work, how attackers operate, and how defensible our channels really are.
We’re getting better at traditional attack vectors, and so attackers are adapting - voice is simply the next evolution.
First, the obvious one: remote and hybrid work isn’t going away. That means more people relying on mobile phones and ad-hoc voice communication for everything from IT troubleshooting to approvals for financial transactions.
Second, we’ve hardened some vectors while leaving others wide open. Email phishing is still rampant, but filters are better, and most people are at least moderately skeptical of sketchy links. That’s forced threat actors to evolve. The result? Voice phishing. AI-enhanced, socially engineered, and built for speed.
Today’s vishing attacks rarely come in isolation. They’re part of a multi-channel play: an urgent-sounding email about suspicious activity followed by a voice call to “verify” login credentials. These aren’t robocalls or spammy scripts. They’re psychologically tuned social engineering tactics - mixing urgency, authority, and just enough personal detail to bypass rational doubt.
And because caller IDs can be spoofed and names dropped from LinkedIn or breach data, even seasoned professionals can be caught out.
The deeper issue? Many orgs still don’t treat voice phishing as a real form of phishing attack. The mental model is stuck on inboxes. So while people are trained to be suspicious of email messages, they're still wired to trust a human voice - especially one that sounds helpful, professional, and just hurried enough to feel real.
And now we’re entering a phase where even the creation of these scams is being automated. As part of an ongoing experiment here at Hoxhunt, we tested AI-generated spear phishing against human-crafted lures. We found that in many cases, the AI performed better. From 2023 to 2025, AI’s performance vs. humans improved by 55%. That doesn’t just raise the ceiling on attack quality. It lowers the barrier to entry for bad actors.
It’s not just a security gap. It’s a muscle we haven’t trained.

What does a real vishing attack look like in 2025?
The modern vishing playbook isn’t built around a single tactic. It’s a layered web of communication channels, psychological pressure, and personalization designed to slip past your filters. These aren’t cold calls asking for credit card details. They’re full-spectrum social engineering attacks, designed to feel like legitimate internal processes.
Here’s how it often unfolds:
- Reconnaissance: It starts with the data. Attackers scrape social networks like LinkedIn, mine past breach dumps for email patterns, or analyze press releases to spot real company initiatives. Sometimes they’ll even track conference attendance or vendor partnerships to build credibility. Attackers will use LinkedIn profiles to identify roles, team structure, even possible initiatives that a company might undertake.
- Pretexting: Then comes the setup. Posing as internal IT, a finance director, a government department, or even law enforcement - anything that evokes authority and urgency. The script is tight, the details plausible: "We need to verify a suspicious login," "The CFO asked me to route this payment," or "We're investigating fraudulent activity tied to your organization." Impersonating internal IT or security is still highly relevant... the helpdesk overload, password resets - that kind of stuff still really lands.
- Multi-channel sequencing: Rarely is it just a voice message. Vishing attempts now arrive in tandem with phishing emails or SMS text messages. A follow-up phone call may confirm an "invoice" just sent. Or the call precedes an email link, framed as a verification step from a reputable organization. The goal is to blur lines and make it feel like a cohesive experience, not a scam.
- The call itself: On the call, the audio is clean and the tone professional. The caller references real names and uses persuasive language calibrated to the target’s context. If it’s IT, maybe they’ll ask for remote access to resolve an “urgent ticket.” If it’s finance, they’ll nudge for confirmation of bank details or credentials - "just to resolve a block on your account."
- The breach: The goal isn’t always a click. It might be extracting sensitive info, getting access to a shared system, or initiating a wire transfer based on a falsified approval. Some attackers rely on business email compromise follow-throughs - using what they learn during the call to escalate in other systems or impersonate the victim. With vishing, a fraudulent transfer can pass through entirely legitimate processes - the only part that isn’t legitimate is the bank account.
These types of attacks work because they short-circuit our usual defenses. A phone call - especially one that sounds human, helpful, and urgent - creates a false sense of familiarity. People want to comply. They don’t want to escalate unnecessarily or appear unhelpful. That’s the psychology attackers exploit.
Caller ID is still easily spoofed - and it’s still extremely effective in 2025... it already primes us to think we know who we’re talking to.
Why are so few security teams preparing for vishing attacks?
Most awareness programs treat vishing the same way they treat tailgating: a footnote in a long list of possible threats. Something to mention, not something to train for.
That’s a problem. Because you can’t build reflexes by reading slides.
A lot of security awareness training is still stuck in "sceptical of links, not voices" mode. Voice still feels human. Phone calls still carry perceived legitimacy. And most employees aren’t trained to push back when that voice belongs to their supposed CEO.
Even when programs do mention vishing, it’s often framed as “this could happen, but probably won’t.” That leaves people exposed... and worse, it gives them no pattern recognition for what a real vishing call sounds like. If your users haven't practiced resisting a convincing call, your program might look good on paper but still be vulnerable in practice.
This is where phishing simulations come in. At Hoxhunt, the mantra is simple: it has to be real, but responsible. The point isn't to scare people, it's to surface the moment where they realize they could’ve been fooled. You don't train soldiers in real firefights. You do drills and war games. That’s the same philosophy we apply to simulation.
The goal isn’t just awareness - it’s reflex-building. When someone gets a deepfaked voice message from their own CISO, the takeaway isn’t just “Wow, that was clever.” It’s “That could actually happen. I need a plan.”
Simulation also sidesteps the fatigue problem. Traditional training too often treats users like checkboxes. A few PowerPoint slides about not clicking links. And then we wonder why nobody remembers anything when the real person (or AI clone) calls their mobile.
Vishing simulation flips that. It catches people in the moment and shows them what these forms of phishing attacks actually feel like - voice, tone, urgency, pretext, pressure. It forces a reaction. And that reaction is what builds real security resilience.
How to prevent vishing in your organization
There’s no silver bullet for stopping vishing attacks... but there is a repeatable pattern that resilient orgs follow. It’s less about blocking the call, and more about making sure your people know what to do when the phone rings.
1. Build verification into your culture
If your users haven't practised resisting a convincing call... your program is probably secure on paper, but vulnerable in practice.
The simplest prevention measure? Normalize verification. Even if you did send that payment to a criminal - as long as you report it quickly and don’t try to cover your tracks, it can usually be fixed.
Give people permission to pause and double check. Encourage them to say: “Hey, let me call you back on your internal number.” Or to shoot a message on Slack: “Were you just on a call with me?” The point isn’t to catch every fake in the moment, it’s to slow the flow, disrupt the narrative, and give space for reflection.
2. Use pre-agreed signals or codewords
For teams that work across locations or shifts, try using simple shared passphrases. It’s not about creating an unbreakable defense. It’s about giving people an anchor - something real they can use to spot a deepfake or spoofed number.
And if codewords feel unnatural in your context, lean into rituals. In more social cultures (like the US, UK, Australia) small talk matters. If a caller skips your dog’s name or your weekend plans, that’s a subtle flag. In tighter corporate hierarchies, build verification into your workflows instead.
3. Tighten digital footprints
Attackers don’t need spyware to build a believable pretext. They need LinkedIn, press releases, and the occasional conference post. It is absolutely worth controlling our digital footprints as much as we can... even delaying posts about events until after they’ve happened can trip up unsophisticated attackers.
For high-profile or high-access roles, you could even seed misinformation your team knows about, but an attacker wouldn’t. A kind of defensive breadcrumbing - small details you can trace if they show up in an attacker’s story.
4. Train for what can’t be blocked
We don’t expect users to tell a real call from a fake one... what we want is for people to verify through trusted channels.
Technical defenses like spam filters and call blockers aren’t useless. But they’re also not going to stop a convincing social engineering attack using a cloned voice and spoofed number. That’s where simulation comes in.
Real prevention comes from behavior - people pausing, questioning, verifying. And that only happens when they’ve seen the tactics firsthand. Just because you're not seeing it now doesn’t mean it’s not around the corner. Real resilience comes from experience.
How do we simulate vishing attacks inside Hoxhunt?
You can't learn to spot threats by just reading about them… simulations give people real practice in a safe environment. It’s like book learning versus real world experience. If you only do one, you miss something fundamental. At Hoxhunt we don’t measure if someone finished the training. We measure what actually changed in the organization.
When people don’t just know what to do, but actually start behaving that way - that’s when you know the training is working.
Most training programs tell people what to look out for. At Hoxhunt, we show them - by making the phone ring and the voice sound real.
It starts with the basics: our standard vishing modules simulate common pretexts like internal IT, finance, or helpdesk requests. These aren’t generic call scripts. They’re role-aware, contextually timed, and designed to feel embedded in the day-to-day of the recipient. We test what matters: Do they verify? Do they escalate? Do they comply?
But where it gets interesting - and where Hoxhunt leads - is in deepfake simulation.
Our deepfake training modules
For every Hoxhunt customer, we now offer three modules designed to walk people through the deepfake threat landscape:
- A practical guide to voice-based impersonation and how to respond
- A real-world case study showing how attackers executed a successful deepfake scam
- A simulated deepfake call that clones a real voice and asks the user to take action
We make it real but responsible. The goal isn’t to trick people unfairly. It’s to help them recognize the pressure points before a real attacker finds them. We don’t mimic the worst attacks we see out there. We want to be respectful of people’s time and their psychological safety.
It’s about challenging users but not overwhelming them… personalization keeps training relevant, and adaptive difficulty evolves with the user. Even resistant users - like repeat clickers - start changing behavior when the training meets them where they are.
Fully custom deepfake campaigns
Want to go further? We’ll build it with you.
We can produce custom deepfakes using cloned audio from executives, managers, or other recognizable internal voices. These voices are then used in high-fidelity training scenarios - not just to “educate,” but to pressure-test real response behavior in a safe, ethical environment.
One example we run: a simulated Microsoft Teams phishing scenario. The target receives a phishing email asking them to join a call via link. On the other end? A deepfaked voice, cloned from a real person at the company, asking them to open a document or click a link. It’s safe. It’s controlled. And it replicates the exact kind of multi-step deepfake attack that’s increasingly common across hybrid and remote organizations.
It’s the same tech attackers use - deployed by defenders, with empathy and ethics built in. We tune for psychological safety: ending simulations quickly, tailoring difficulty by role, and avoiding real names where it could create distress. This isn’t a trap. It’s a fire drill.
And it scales. Multilingual, multi-region, across any structure - because social engineering doesn’t stop at the language barrier.
If you have the power to ask someone to do something in your organization, there’s a chance you could be deepfaked. Our job is to make sure people are ready for that.
Hoxhunt isn’t just phishing simulation - it’s a full-stack behavior change engine
- Realistic, role-based vishing and phishing simulations that adapt to each user’s behavior over time.
- Deepfake voice cloning modules that safely replicate emerging attack vectors - available both off-the-shelf and custom-built using your own execs’ voices.
- Adaptive difficulty tuned to keep training useful without being overwhelming.
- Localized, context-aware content, from currency formats to cultural tone, because nuance drives relevance.
- Feedback loops and data visibility for admins - not just “who passed” but “what changed.”
- Psychological safety by design, with short simulations, non-exploitative pressure points, and clear paths to remediation.
- Scalable for global orgs - multilingual, multi-region, and deployable across function and hierarchy.
Vishing attack FAQ
Can AI really fake a voice well enough to trick someone?
This is absolutely one of the best things you can do for training right now because it really does work. Attackers are already using AI to clone voices that sound shockingly real. These aren’t robotic imitations - they’re smooth, context-aware, and emotionally believable.
The CEO of a major energy company was called by what sounded like the CEO of the parent company. He trusted it because he heard the subtle German accent of his boss. The energy firm was scammed out of $243,000.
In Hoxhunt’s own demos, we've even deepfaked someone switching languages mid-sentence - with the cloned voice maintaining a Finnish accent in Swedish. It wasn’t just switching to Swedish... it was switching to Swedish with a Finnish accent still.
How are attackers combining phone calls with other channels like email or SMS?
Rather than just cold calling, attackers will follow up an urgent-sounding e-mail with a spoofed voice call, or vice versa... just to add that authenticity.
Multi-channel attacks are now the norm. A common flow involves an email warning about suspicious activity, followed by a vishing call to “confirm your details.” Or it starts with a convincing voice message and is backed up by a phishing link or SMS.
They’re leveraging deepfake audio and even detailed reconnaissance via LinkedIn, social media, or breach data to make impersonations terrifyingly believable.
How do we train employees to recognize vishing if it’s just a phone call?
First, don’t rely on awareness slides. You need muscle memory. Just because you're not seeing it now doesn’t mean that it's not around the corner. Hoxhunt’s approach uses simulated voice calls to help people recognize the pressure cues in a vishing attempt: urgency, authority, tone, and narrative fluency. That means giving people live experience with realistic (but safe) threats - so they’re ready when it’s not a drill.
What’s the right way to verify a suspicious call without slowing the business down?
The best thing you can do is give people a clear idea of what they should do when they suspect a vishing call.
Verification doesn’t have to be awkward - it just has to be normal. Let people hang up, call back on an internal number, or check in via Slack. Give them language to use. Create psychological permission to pause.
Particularly if you're working from home, it's really easy to fabricate a reason to step away - you just say, "Hey, something’s come up, I’ll call you back in a few minutes." It’s not about perfect verification. It’s about disruption and breaking the momentum of the attack.
How do you simulate vishing attacks whilst maintaining psychological safety?
This was one of the biggest design considerations for Hoxhunt’s simulation program.
It needs to be real, but responsible. We don’t want something to be so real that it creates problems or potentially even trauma.
Simulations are short, tailored to roles, and often use familiar voices - but not direct managers. That distance creates safety while keeping it realistic. We don’t want someone to feel like they’ve been unfairly tricked. It needs to be believable but followed up with reflection and reinforcement.
For high-pressure roles like sales, simulations are cut off early to avoid wasted time. We don’t want that to continue for so long that they’ve actually wasted some of their really, really precious time. That balance - real but respectful - is what makes the learning stick.
Sources
Deepfake Scams and AI Fraud – IBM Security, 2023
The Rise of Deepfake Technology – CSO Online, February 2024
Preventing AI-Driven Fraud in Businesses – Cybersecurity Today, December 2023
Impact of Deepfakes on Corporate Security – Trend Micro, 2023
2025 Global Threat Report – CrowdStrike, February 2025
2024 Voice Phishing Response Report – Keepnet Labs, October 2024