The annual 2025 CrowdStrike Global Threat Report reveals that voice phishing (vishing) attacks have risen by 442% from H1 2024 to H2 2024. The report found that malicious actors leveraged vishing, callback phishing and help desk social engineering against target networks. By compromising credentials, malicious actors could move laterally through an organization, evading detection by operating as a legitimate user. 

Security leaders weigh in

Boris Cipot, Senior Security Engineer at Black Duck:

Vishing is a dangerous attack, especially if an organization is not prepared to counter it. It’s less about having technical gizmos and gadgets to help combat the attack, but more about preparing employees how to act when encountering a voice phishing attack.

Firstly, it’s essential for employees to be skeptical. This is not something new and can also be said when it comes to typical phishing attacks. If something seems off, it’s best to trust your instincts and not move forward. Passing on information, should only be done in official ways that comply with the processes in place within an organization.

It’s important for organizations to ensure their employees cannot be pressured into a corner. Organizations must have clear instructions on how information can be passed on and what information can and cannot be given over phone or in other forms of communication. Once this is established an understood within an organization, attackers are much less likely to pressure their target into giving them sensitive information based on a sense of urgency or the threat of being penalized.  

Lastly, always report suspicious activity! This applies to all sorts of malicious activity. Be it via an email, an app, or a phone call — you have to report it. Reporting suspicious activities to the appropriate teams within an organization allows them to warn others that such attacks are targeting employees. Organization must have someone appointed to respond and act on these reports in order to further protect their privacy.

J Stephen Kowski, Field CTO at SlashNext Email Security+:

To protect against vishing attacks, individuals should never share personal information during unexpected calls, even if the caller seems legitimate. Always verify the caller’s identity by hanging up and calling back through official numbers found on websites or statements. Use call blocking tools provided by your phone carrier to filter potential scam calls and consider letting unknown numbers go to voicemail. Remember that legitimate organizations won’t pressure you for immediate responses, so take your time to think critically about any urgent requests for information.