Cybercriminals and hackers employ a variety of methods to access and steal sensitive information from individuals and organizations. One increasingly popular approach is vishing, or voice phishing. Here, the attacker tricks someone into sharing account credentials or other information through a simple phone call. According to the latest data from security firm CrowdStrike, these types of attacks have been skyrocketing.
In its 11th annual 2025 CrowdStrike Global Threat Report, the security provider revealed that vishing attacks jumped 442% in the second half of 2024 compared with the first half. Throughout the year, CrowdStrike Intelligence tracked at least six similar but distinct campaigns in which attackers pretending to be IT staffers called employees at different organizations.
Help desk social engineering
In these particular campaigns, the scammers tried to convince their intended victims to set up remote support sessions, typically using the Microsoft Quick Assist tool built into Windows. In many of these, the attackers used Microsoft Teams to make the phone calls. At least four of the campaigns seen by CrowdStrike used spam bombing to send thousands of junk emails to the targeted users as a pretext for the alleged support call.
The type of vishing used in these attacks is often known as help desk social engineering. Here, the cybercriminal posing as a help desk or IT professional stresses the urgency of the call as a response to some made-up threat. In some cases, the attacker requests the person’s password or other credentials. In other cases, such as the ones documented in the report, the scammer tries to gain remote access to the victim’s computer.
Callback phishing
Another tactic seen by CrowdStrike is callback phishing. Here, the criminal sends an email to an individual over some type of urgent but phony matter. This could be a claim for an overdue invoice, a notice that they’ve subscribed to some service, or an alert that their account has been compromised. The email contains a phone number for the recipient to call. But naturally, that number leads them directly to the scammer, who tries to con them into sharing their credit card details, account credentials, or other information.
Because these attacks are usually aimed at organizations, ransomware is another key component. By gaining access to network resources, user or customer accounts, and other sensitive data, the attackers can hold the stolen information for ransom.
In its report, CrowdStrike identified a few different cybercrime groups that use vishing and callback phishing in their attacks. One group known as Chatty Spider focuses mostly on the legal and insurance industries and has demanded ransoms as high as $8 million. Another group called Plump Spider targeted Brazil-based businesses throughout 2024 and uses vishing calls to direct employees to remote support sites and tools.
“Similar to other social engineering techniques, vishing is effective because it targets human weakness or error rather than a flaw in software or an operating system (OS),” CrowdStrike said in its report. “Malicious activity may not be detected until later in an intrusion, such as during malicious binary execution or hands-on-keyboard activity, which can delay an effective response. This gives the threat actor an advantage and puts the onus on users to recognize potentially malicious behavior.”
Other security firms have seen a dramatic rise in vishing attacks.
Last October, Zimperium’s zLabs research team uncovered a malware known as FakeCall, notable for its advanced use of vishing. Here, the scammers use phone calls to try to trick potential victims into sharing sensitive information such as credit card numbers and banking credentials. FakeCall itself works by hijacking the call functions on Android phones to install the malware.
Tips to protect against vishing attacks
To protect yourself, your employees, and your organization from vishing attacks and similar threats, CrowdStrike offers the following tips:
- Require video authentication and government ID for employees who call the help desk to request password resets.
- Train help desk employees to be cautious when answering phone calls requesting password or MFA (multi-factor authentication) resets. They should be especially wary if those calls come outside regular business hours or if a high number of such requests occur in a short period of time.
- Use more advanced authentication methods such as FIDO2 to guard against account compromise.
- Monitor for attempts in which more than one person tries to register the same device or phone number for MFA.
- Offer regular security training for employees. Teach them how to recognize phishing attempts and social engineering attacks.
- Regularly apply security patches and other fixes to resolve critical vulnerabilities.
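As an added illustration of two of the monitoring tips above (reset requests that arrive off-hours or in a burst, and one phone number enrolled for MFA by more than one user), here is example detection logic that is not from CrowdStrike or from this article; the event records, office hours and burst threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help-desk events (not real data): password/MFA reset
# requests taken by the help desk and MFA phone enrolments that followed.
EVENTS = [
    {"ts": "2025-03-03T10:05:00", "type": "reset_request", "user": "alice"},
    {"ts": "2025-03-03T22:40:00", "type": "reset_request", "user": "bob"},
    {"ts": "2025-03-03T22:42:00", "type": "reset_request", "user": "carol"},
    {"ts": "2025-03-03T22:44:00", "type": "reset_request", "user": "dave"},
    {"ts": "2025-03-03T22:45:00", "type": "reset_request", "user": "erin"},
    {"ts": "2025-03-03T22:50:00", "type": "mfa_enroll", "user": "bob", "phone": "+1-555-0100"},
    {"ts": "2025-03-03T22:55:00", "type": "mfa_enroll", "user": "carol", "phone": "+1-555-0100"},
    {"ts": "2025-03-04T09:15:00", "type": "mfa_enroll", "user": "alice", "phone": "+1-555-0199"},
]

BUSINESS_HOURS = (8, 18)      # assumed local office hours, 08:00 to 18:00
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3           # assumed: 3+ reset requests in one window is suspicious

def parse(events):
    """Return copies of the events with the ISO timestamp parsed to datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]

def off_hours_resets(events):
    """Users whose reset request arrived outside business hours."""
    return [e["user"] for e in parse(events)
            if e["type"] == "reset_request"
            and not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]]

def burst_reset_users(events):
    """Users caught in any sliding window holding BURST_THRESHOLD or more resets."""
    resets = sorted((e["ts"], e["user"]) for e in parse(events)
                    if e["type"] == "reset_request")
    flagged, j = set(), 0
    for i, (start, _) in enumerate(resets):
        # advance j to the first reset that falls outside the window from `start`
        while j < len(resets) and resets[j][0] - start <= BURST_WINDOW:
            j += 1
        if j - i >= BURST_THRESHOLD:
            flagged.update(user for _, user in resets[i:j])
    return sorted(flagged)

def shared_mfa_phones(events):
    """Phone numbers enrolled for MFA by more than one distinct user."""
    users = defaultdict(set)
    for e in parse(events):
        if e["type"] == "mfa_enroll":
            users[e["phone"]].add(e["user"])
    return {phone: sorted(u) for phone, u in users.items() if len(u) > 1}
```

Feeding the three functions a real help-desk and identity-provider export instead of the constructed list gives the help desk a daily review queue for the warning signs listed above.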
A couple of security experts also shared their recommendations with ZDNET.
“Taking systems offline as soon as a threat is detected is a vital first step in containment, but it is inadequate on its own,” said Patrick Tiquet, vice president of security and architecture at Keeper Security.
“To counteract secondary tactics, such as vishing, security teams should swiftly inform customers and partners about the breach through official channels, providing clear guidance on how to protect themselves against these threats,” Tiquet added. “Training sessions for employees and stakeholders on recognizing these attempts and verifying any unsolicited communications before sharing sensitive information are crucial.”
Individual users and consumers should also be cautious about unexpected phone calls that sound legitimate.
“When I talk to colleagues, friends, and family, I remind them that if a call is unexpected and asks for personal or financial information, it’s time to question everything,” said Akhil Mittal, senior manager at security provider Black Duck.
“I also stress the importance of slowing down, verifying who’s calling, and never hesitating to hang up. Use the official number from a bank’s website or statement to call back and confirm,” Mittal added. “Finally, just because a caller knows your address or part of your account number doesn’t make them legit; criminals often have that info beforehand. If the caller pressures you to act fast, it’s a sign you should stop and verify.”
Source: Robotics - zdnet.com