Social engineering is one of the most effective ways cybercriminals gain unauthorized access, because it targets people rather than technical vulnerabilities. Researchers estimate that more than 300,000 people in the US alone fall victim to these attacks each year, according to the ScienceDirect vishing survey. One growing tactic is vishing, or voice phishing, in which attackers use phone calls instead of emails or malicious software to manipulate victims in real time. Unlike phishing emails, which can be filtered or reviewed before any action is taken, a live phone conversation lets the attacker adjust the story instantly based on the victim's reactions, making it harder for the target to pause and recognize the fraud. As organizations improve defenses such as email filtering, endpoint security, and multifactor authentication, attackers are shifting to exploiting trust and human behavior, turning voice phishing into a common entry point for credential theft, financial scams, and broader cyber incidents.
How vishing attacks work
Vishing is a social engineering attack in which cybercriminals use phone calls or voice messages to persuade victims to reveal confidential information or perform actions that compromise security. The U.S. Department of Health and Human Services defines vishing as “the practice of eliciting information or attempting to influence action via the telephone.” Unlike technical cyberattacks that exploit system vulnerabilities, vishing targets human psychology, with attackers impersonating trusted organizations such as banks, healthcare providers, government agencies, or internal IT departments to create believable scenarios that encourage immediate cooperation during live conversations.
Why voice phishing is becoming more dangerous
Voice communication gives attackers advantages that traditional phishing does not. Research cited in the ScienceDirect vishing survey shows that vishing allows criminals to adjust their tactics in real time during a phone call, reacting immediately to hesitation or skepticism. Phone conversations also create psychological pressure, limiting the victim’s time to assess risk while attackers use urgency, authority, or fear to push fast decisions. The same study found that the immediacy of live voice interaction can make requests feel more urgent than email scams. At the same time, many organizations have strong technical defenses for email and network traffic but far fewer protections for voice communication, leaving phone channels a comparatively exposed target for social engineering attacks.
How modern vishing attacks work
Modern vishing campaigns typically begin with attackers collecting background information from public sources, social media, or past data breaches so that the call sounds convincing. Posing as IT support, banks, healthcare billing teams, or software vendors, callers manufacture urgency around an account or security problem and walk the victim through login or "verification" steps rather than asking for sensitive data outright. These scams combine psychological pressure such as authority and urgency with phishing infrastructure that lets the attacker watch the authentication attempt in real time and capture single sign-on (SSO) credentials or an already-approved multifactor authentication session, all without installing malware on the victim's device. Recent incidents show attackers pairing live phone calls with fake login websites that imitate legitimate portals, which lets them control what the victim sees during the call and sharply increases success rates. Confirmed cases include breaches affecting SoundCloud and Betterment, with activity resembling tactics linked to ShinyHunters, a group known for exploiting trusted vendor access and SSO environments across hundreds of organizations.
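The pattern described above (a live call steering the victim through a look-alike login page so the attacker's infrastructure, not the victim's device, is what the identity provider sees) leaves a trace in sign-in logs. The following is an added example written for this article, not code from any vendor, the page's author, or the organizations named above. It runs two heuristics over constructed identity-provider events: a login from an IP address the user has never used in a recent baseline window, and a session that is used from a different IP than the one that created it shortly after login. The JSON field names (`user`, `ip`, `event`, `mfa`, `session`, `ts`) and the sample addresses are assumptions made up for the example, not a real log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample identity-provider events (hypothetical schema, not any
# vendor's real log format). nurse.a normally signs in from 203.0.113.10;
# the 03-11 login comes from an unrelated address and its session is then
# used from a third address a few minutes later, as in an attacker-proxied
# login. dr.b is a user with no prior history, which must not be flagged.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:02:11Z", "user": "nurse.a@hospital.example", "ip": "203.0.113.10", "event": "login_success", "mfa": "push_approved", "session": "s-100"}
{"ts": "2024-03-01T08:05:40Z", "user": "nurse.a@hospital.example", "ip": "203.0.113.10", "event": "app_access", "session": "s-100"}
{"ts": "2024-03-04T07:58:03Z", "user": "nurse.a@hospital.example", "ip": "203.0.113.10", "event": "login_success", "mfa": "push_approved", "session": "s-101"}
{"ts": "2024-03-11T14:20:09Z", "user": "nurse.a@hospital.example", "ip": "198.51.100.77", "event": "login_success", "mfa": "push_approved", "session": "s-102"}
{"ts": "2024-03-11T14:27:51Z", "user": "nurse.a@hospital.example", "ip": "192.0.2.5", "event": "app_access", "session": "s-102"}
{"ts": "2024-03-11T09:00:00Z", "user": "dr.b@hospital.example", "ip": "203.0.113.22", "event": "login_success", "mfa": "push_approved", "session": "s-200"}
{"ts": "2024-03-11T09:10:00Z", "user": "dr.b@hospital.example", "ip": "203.0.113.22", "event": "app_access", "session": "s-200"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious(events, baseline_days=30, replay_window_minutes=60):
    """Return findings for logins that look like proxied credential or
    session capture. Two heuristics:
      new_ip_login        - a successful login from an IP the user has not
                            used within the last `baseline_days`; users with
                            no history at all are not flagged (cold start).
      session_ip_mismatch - a session used from a different IP than the one
                            that created it within `replay_window_minutes`.
    """
    findings = []
    seen_ips = {}        # user -> {ip: last time seen}
    session_origin = {}  # session id -> (user, ip, login time)

    for ev in events:
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        history = seen_ips.setdefault(user, {})

        if ev["event"] == "login_success":
            recent = {a for a, t in history.items()
                      if ts - t <= timedelta(days=baseline_days)}
            if recent and ip not in recent:
                findings.append({"rule": "new_ip_login", "user": user,
                                 "ip": ip, "session": ev.get("session"),
                                 "mfa": ev.get("mfa"), "ts": ts.isoformat()})
            session_origin[ev.get("session")] = (user, ip, ts)
        else:
            origin = session_origin.get(ev.get("session"))
            if (origin and origin[1] != ip
                    and ts - origin[2] <= timedelta(minutes=replay_window_minutes)):
                findings.append({"rule": "session_ip_mismatch", "user": user,
                                 "login_ip": origin[1], "use_ip": ip,
                                 "session": ev.get("session"),
                                 "ts": ts.isoformat()})
        history[ip] = ts
    return findings


def run_sample():
    """Run both heuristics over the constructed log."""
    return find_suspicious(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(json.dumps(f))
```

Both rules are heuristics, not proof: a clinician travelling or a new VPN egress will also trigger the first one, so the useful correlation is with a help-desk ticket or a reported call at the same time. The cold-start rule matters in practice; without it every onboarded user would be flagged on day one and the alert would be ignored.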
Hybrid and cross-channel vishing campaigns
Vishing is increasingly used as one stage of a coordinated multi-channel phishing campaign rather than as a standalone attack. Analysts at the HHS Health Sector Cybersecurity Coordination Center report a rise in attacks that combine email, SMS messages, and phone calls to appear more legitimate and to bypass traditional security controls. A common tactic is an email that asks the victim to call a support number; because the victim believes they initiated the contact, the call starts with a level of trust a cold call would never get.
Research titled Digital deception: generative artificial intelligence in social engineering and phishing shows attackers are also using automation and AI generated voice cloning, sometimes called deepfake voice phishing, to scale these scams across large groups of targets, demonstrating how social engineering tactics continue adapting alongside new technology.
Why healthcare organizations are prime targets
Healthcare organizations face more exposure to vishing attacks because phone communication remains central to daily clinical and operational coordination. According to the Health Sector Cybersecurity Coordination Center (HC3), healthcare staff frequently communicate by phone with providers, insurers, pharmacies, and vendors, creating opportunities for social engineering through trusted channels. HC3 analysts note that “vishing attacks leverage the trust placed in voice communications” and continue to succeed because social engineering remains “one of the most effective initial access techniques” targeting the Healthcare and Public Health sector. Attackers often impersonate hospital staff, IT help desks, or insurance representatives while using caller ID spoofing to display legitimate healthcare numbers, which HC3 warns can “increase the perceived legitimacy of the caller.” Because healthcare environments operate with urgency and rapid decision making, personnel may bypass normal verification procedures, allowing attackers to exploit human trust rather than technical vulnerabilities to obtain credentials or sensitive operational information.
Recognizing a vishing attempt
Modern cybersecurity strategies focus more on protecting user identities than on traditional network perimeter defenses, but the Health Sector Cybersecurity Coordination Center (HC3) notes that security tools alone are not enough and must be backed by strong verification procedures and user awareness. Common warning signs include an unexpected call requesting sensitive information, pressure to act quickly, requests for passwords or authentication codes, instructions to install software or grant remote access, and a caller who discourages independent verification. Because vishing relies on psychological manipulation, organizations are advised to combine clear verification policies (such as hanging up and calling back on a number from an internal directory rather than one the caller supplies), employee training, and reporting processes so that suspicious calls are identified and stopped early.
Artificial intelligence and the future of vishing
Generative AI is accelerating the growth of vishing by letting attackers automate realistic scam calls instead of relying on human callers. Advances in voice cloning, text-to-speech technology, and large language models enable threat actors to convincingly imitate executives, coworkers, or service providers and hold natural conversations that adapt in real time, removing many of the traditional social engineering warning signs. Security researchers say AI-driven conversational systems can persuade victims to share sensitive information even after they have been warned about scams. Industry data supports the shift: the ThreatLabz 2024 Phishing Report recorded a 58.2% increase in phishing attacks during 2023, partly attributed to generative AI enabled impersonation. Real-world incidents already include attackers using cloned voices and deepfake video to authorize fraudulent payments, and the UK Government 2024 Cyber Security Breaches Survey found that phishing affected 84% of businesses and 83% of charities, reinforcing analyst warnings that AI-powered vishing is becoming a scalable threat.
FAQs
What is vishing in the context of healthcare?
Vishing in healthcare refers to fraudulent attempts to obtain sensitive information or access to healthcare systems through phone calls or voice messages. Attackers manipulate victims into revealing personal data or credentials.
How does vishing impact healthcare organizations?
Vishing can lead to unauthorized access to patient records, financial fraud, or disruption of healthcare services. Successful attacks compromise patient confidentiality and may result in legal and financial repercussions for organizations.
How can healthcare professionals identify and prevent vishing attacks?
Professionals should verify caller identities through known contact information, refrain from sharing sensitive information over the phone unless certain of the recipient's identity, and report suspicious calls to security personnel.
What should healthcare organizations do to enhance defenses against vishing?
Organizations should educate staff about vishing threats, implement procedures for verifying caller identities and handling requests for sensitive information, and regularly update security protocols to include voice-based phishing prevention measures.