What's changed?
As organisations increasingly depend on digital channels for day-to-day operations, the way employees interact has shifted towards calls, chat platforms, and remote technologies, especially when it comes to IT support. While these tools boost efficiency and accessibility, they also widen the attack surface, making it easier for threat actors to exploit trust.
Voice phishing - also known as "Vishing" - is a form of social engineering where attackers use phone calls to manipulate targets into revealing sensitive information or performing actions that compromise security. The decline of face-to-face interactions combined with the rise of outsourced IT teams means that staff are more accustomed to dealing with unfamiliar voices, which facilitates social engineering over a wider attack surface.
Groups like UNC3944 (also known as "Scattered Spider") have hit the headlines recently for their use of vishing to impersonate employees of large retail chains, convincing service desk personnel to reset user credentials and multi-factor authentication (MFA) methods in a "living-off-the-land" approach. This access is then used for further attacks, such as SIM swapping, ransomware, or data theft.
Another group, UNC6040, approaches from the opposite angle, instead posing as service desk staff to trick users into accessing a malicious Salesforce Data Loader app, which facilitates large-scale data exfiltration and subsequent extortion.
These cases highlight how vishing can be tailored for both broad network compromise and targeted data theft.
How could I be targeted?
Successful social engineering attacks often begin with Open-Source Intelligence (OSINT) gathering.
Attackers will search through publicly available sources to build a detailed picture of an organisation before looking to engage it directly. Company websites, marketing materials, social media and professional networking platforms are rich sources of contact details and naming conventions, and threat actors will look to gather everything from network ranges, domains, and cloud providers, to employee names, job titles, and office locations, using a variety of tools.
Armed with a convincing narrative and the name of a specific, high-value administrator or target, threat actors can impersonate the privileged user and request a password reset, allowing them to seize control of a privileged account.
With sufficient reconnaissance data, an attacker can formulate targeted campaigns reflecting plausible employee scenarios - a common pretext for contacting a service desk is a simple forgotten password request.
Many organisations verify employees using multiple factors - while initial reconnaissance might provide an attacker with answers for knowledge-based authentication methods, challenges arise if device-based verification is required. In these situations, an attacker might pivot to impersonating an employee who claims their phone is unavailable (e.g., damaged or lost during travel) and who needs urgent account access.
Another common practice is for actors to impersonate employees identified as being "out of office", leveraging a sense of urgency when attempting to coerce IT support into taking action. If the legitimate employee is genuinely unavailable, unauthorised account access can persist for an extended period of time.
In the event of a successful MFA reset, the attacker can then call back and try to get a different agent on the phone to further reset the impersonated user's password for a full account compromise.
This two-step process bypasses the need to use techniques such as "Kerberoasting" to gain the initial foothold - the core vulnerability is a help desk process that lacks robust identity verification for password resets.
What can I do to protect myself?
With vishing attacks on the rise, organisations must take proactive steps to reduce their exposure. Much like malware and "Adversary-in-the-Middle" attacks, vishing tactics are constantly evolving, targeting weaknesses in internal processes and user awareness. You should consider implementing the measures below to mitigate these risks:
Strengthen identity verification checks
Insist on robust checks for all account changes, particularly for accounts with privileged access. This may include on-camera verification, where staff present a corporate badge or government-issued ID, and referencing an up-to-date internal photo database. For high-risk actions, consider using an "out-of-band" verification method, such as a call-back to a registered number, or confirmation via a known corporate email address.
Harden multi-factor authentication processes
Implement and enforce phishing-resistant MFA solutions, such as FIDO2-compliant security keys or authenticator apps, and remove weaker options, such as SMS or email. Restrict MFA registration and changes to trusted devices or locations, and segregate service desk duties to prevent customer-facing teams from modifying internal accounts.
Enhance monitoring and oversight
Notify managers of password resets and require their approval for MFA changes. Give staff access to call and ticket logs so they can spot abnormal patterns, such as the same phone number being registered against multiple accounts; use SIEM and SOAR tools to monitor for unusual activity, and investigate every flagged incident with both the employee and their manager.
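The two patterns called out above (one phone number tied to several accounts, and the "MFA reset, then call back for a password reset" sequence described under "How could I be targeted?") can be checked mechanically against service desk ticket data. The following is an added example written for this page, not tooling from any vendor or from the groups mentioned; it assumes a constructed CSV-style ticket export (timestamp, ticket id, agent, account, action, caller phone) rather than any real product's log format, and the sample lines are constructed for illustration.

```python
"""Detection checks over service desk ticket logs (added example, constructed data).

Assumed record layout (not a real product's export):
    timestamp,ticket_id,agent,account,action,caller_phone
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one line per service desk action.
SAMPLE_LOG = """\
2024-05-01T09:02:00,T1001,agent_a,j.smith,MFA_RESET,+44700000001
2024-05-01T09:40:00,T1002,agent_b,j.smith,PASSWORD_RESET,+44700000001
2024-05-01T10:15:00,T1003,agent_c,a.jones,MFA_RESET,+44700000001
2024-05-01T11:00:00,T1004,agent_a,b.lee,PASSWORD_RESET,+44700000099
2024-05-02T14:30:00,T1005,agent_b,b.lee,MFA_RESET,+44700000099
"""


def parse_log(text):
    """Parse the CSV-style lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ticket, agent, account, action, phone = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ticket": ticket,
            "agent": agent,
            "account": account,
            "action": action,
            "phone": phone,
        })
    return sorted(events, key=lambda e: e["ts"])


def shared_phone_numbers(events, min_accounts=2):
    """Return {phone: [accounts]} for caller numbers used against >= min_accounts accounts.

    A single number driving resets on several unrelated accounts is the
    abnormal pattern the text describes.
    """
    accounts_by_phone = defaultdict(set)
    for e in events:
        accounts_by_phone[e["phone"]].add(e["account"])
    return {p: sorted(a) for p, a in accounts_by_phone.items() if len(a) >= min_accounts}


def two_step_takeovers(events, window=timedelta(hours=24)):
    """Flag an MFA_RESET followed by a PASSWORD_RESET on the same account,
    handled by a different agent, within `window`.

    Events are processed in time order, so a password reset that precedes the
    MFA reset (the b.lee case in the sample) is deliberately not flagged.
    """
    hits = []
    mfa_resets = defaultdict(list)
    for e in events:
        if e["action"] == "MFA_RESET":
            mfa_resets[e["account"]].append(e)
        elif e["action"] == "PASSWORD_RESET":
            for m in mfa_resets[e["account"]]:
                gap = e["ts"] - m["ts"]
                if m["agent"] != e["agent"] and timedelta(0) <= gap <= window:
                    hits.append((m["ticket"], e["ticket"], e["account"]))
    return hits


def run_detections(text):
    """Run both checks and return the findings as a dict."""
    events = parse_log(text)
    return {
        "shared_phones": shared_phone_numbers(events),
        "two_step": two_step_takeovers(events),
    }


if __name__ == "__main__":
    for name, finding in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Both findings are candidates for the manager-confirmed investigation the text recommends rather than automatic blocks: the phone-sharing check will also catch a legitimate shared desk line, and the window and "different agent" condition should be tuned to how the service desk actually routes calls.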
Build a culture of awareness and resilience
Run regular phishing exercises, and train employees to verify unexpected requests using official channels - organisations seeking tailored support should consider engaging specialist security providers for in-depth advice and simulation exercises.