A CISO’s Guide to Robocall Mitigation: Applying MITRE ATT&CK to Voice-Based Threats

Robocalls have evolved far beyond consumer annoyance. Today, they serve as a scalable social engineering channel for fraud, credential theft, account takeover, and operational disruption.
Voice-based attacks are increasingly targeting the operational workflows that organizations trust most: help desks, identity recovery workflows, payment approvals, and customer support escalation paths. For many organizations, these threats remain in a gray area among telecom operations, fraud prevention, and cybersecurity. That separation no longer reflects how attackers operate.
Most enterprises already treat email as a managed attack surface that requires layered controls, authentication, monitoring, and policy enforcement. Voice communication increasingly requires the same layered approach.
MITRE ATT&CK recognizes voice phishing through Spearphishing Voice (T1566.004), yet many organizations still rely primarily on awareness training to address the problem. Training remains important, but attackers routinely exploit urgency, authority, and procedural weaknesses to pressure employees into taking legitimate actions on behalf of an adversary.
The challenge for security leaders is no longer simply blocking unwanted calls. The larger issue is reducing successful attack conversion across the business processes that voice attacks are designed to exploit.
Why Voice Attacks Continue to Succeed
Robocalls remain effective because they combine scale, low cost, and credibility.
One FCC estimate found that the average U.S. consumer receives approximately 13 spam or fraud calls each month. FTC data cited by the FCC reports median losses of roughly $1,480 per victim through phone-based fraud.
The scale remains significant. YouMail reported 52.5 billion robocalls in 2025, including more than four billion in December alone. U.S. PIRG also reported that spam robocalls reached a six-year high in 2025, while many voice providers still had not fully implemented required caller authentication and mitigation measures.
Attackers continue to succeed because voice communications bypass many of the protections businesses have built around email, browsers, and endpoints. In most cases, the attack relies less on technical compromise and more on manipulation. Calls are designed to create urgency, establish authority, or trigger fear of account compromise to influence behavior.
The underlying weakness is often procedural. Help desk resets, payroll changes, MFA recovery workflows, and customer support escalations can all become entry points when identity verification relies too heavily on caller credibility rather than validated controls.
Emerging voice cloning and deepfake capabilities may further increase the effectiveness of impersonation-based attacks. PIRG has identified AI-generated voice impersonation as a growing concern.
Treating Voice as a Security Control Problem
Many organizations still approach robocalls primarily as an awareness issue. That approach leaves important gaps.
Awareness training is important, but it should not serve as the primary line of defense. Attackers consistently refine scripts, timing, and impersonation techniques specifically to overcome skepticism.
Voice threats should instead be treated as a systems and control problem.
Most successful attacks exploit operational weaknesses rather than telecom infrastructure itself. If a sensitive action can be completed because a caller sounds convincing, attackers will eventually target that process.
The same layered security principles used to protect email environments apply equally to voice communications. Organizations should apply authentication signals, strong identity proofing, workflow validation, escalation controls, and anomaly detection to voice-driven interactions just as they do in other parts of the enterprise.
Organizations that treat voice solely as a telecom issue often overlook the business processes targeted by voice attacks.
Applying MITRE ATT&CK to Voice-Based Threats
MITRE ATT&CK provides a useful framework for understanding how robocall and vishing campaigns align with broader adversary behavior.
Voice attacks commonly map to several ATT&CK tactics, including Initial Access, Credential Access, Defense Evasion, and Impact.
MITRE specifically identifies Spearphishing Voice (T1566.004) as a recognized phishing technique. ATT&CK also documents callback-driven phishing scenarios in which victims are persuaded to contact attacker-controlled phone numbers and are then instructed to disclose credentials, install remote access tools, or visit malicious websites.
Using ATT&CK helps security teams map where voice attacks establish trust, bypass verification, and create operational or financial impact.
That perspective shifts robocalls from a nuisance issue to a measurable enterprise risk.
Building a Layered Mitigation Strategy
Effective robocall mitigation requires multiple layers of defense. No individual control fully addresses the problem.
Caller authentication frameworks such as STIR/SHAKEN provide useful trust signals, but they should not be treated as definitive proof that a call is legitimate. The FCC has acknowledged that non-IP network segments continue to create authentication gaps that can be exploited.
Organizations should combine authentication signals with analytics, blocking controls, and Do-Not-Originate protections to improve visibility into suspicious activity.
Emerging spoof-protection technologies are also beginning to address one of the most persistent challenges in voice fraud: unauthorized use of legitimate enterprise phone numbers.
At the operational level, organizations should focus heavily on the workflows most frequently targeted by attackers. Password resets, MFA enrollment, vendor payment changes, payroll modifications, and account recovery procedures should require stronger verification controls, including step-up authentication and out-of-band confirmation where appropriate.
High-risk actions should not rely solely on voice or SMS-based verification.
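The layering described above can be expressed as a single policy decision per call. This is an added illustration, not code from the article: it assumes a simplified attestation value ("A", "B", "C" or "none") derived from the carrier's STIR/SHAKEN verification, a constructed Do-Not-Originate list, and illustrative action risk tiers.

```python
"""Voice-workflow verification policy (added example, not from the article).

Combines three signals into one decision: a STIR/SHAKEN attestation level,
Do-Not-Originate (DNO) list membership, and the risk tier of the action the
caller requests. Attestation is treated as a trust signal only; high-risk
actions are never completed on voice credibility alone.
"""
from dataclasses import dataclass

# Constructed sample: enterprise numbers that must never originate an inbound
# call. A call presenting one of them is spoofed and is blocked outright.
DNO_NUMBERS = {"+15550100", "+15550101"}

# Illustrative action tiers (assumed; tune to the organization's workflows).
HIGH_RISK_ACTIONS = {"password_reset", "mfa_enrollment", "vendor_bank_change",
                     "payroll_change", "account_recovery"}
LOW_RISK_ACTIONS = {"balance_inquiry", "hours_of_operation"}


@dataclass
class CallContext:
    caller_id: str
    attestation: str        # simplified STIR/SHAKEN level: "A", "B", "C" or "none"
    action: str
    verified_oob: bool = False  # out-of-band confirmation already completed?


def required_verification(ctx: CallContext) -> str:
    """Return the control outcome for this call and requested action."""
    if ctx.caller_id in DNO_NUMBERS:
        return "block"
    if ctx.action in HIGH_RISK_ACTIONS:
        # Even full attestation ("A") is not proof of legitimacy: a reset or a
        # payment change still needs step-up proofing plus out-of-band confirmation.
        return "complete" if ctx.verified_oob else "step_up_and_out_of_band"
    if ctx.action in LOW_RISK_ACTIONS:
        return "allow"
    # Medium-risk actions: a weak or missing attestation signal triggers step-up.
    return "allow" if ctx.attestation == "A" else "step_up"


if __name__ == "__main__":
    for call in (CallContext("+15550100", "A", "balance_inquiry"),
                 CallContext("+15550199", "A", "password_reset"),
                 CallContext("+15550199", "C", "address_change")):
        print(call.action, call.attestation, "->", required_verification(call))
```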
Customer support and help desk teams also require specialized training around common vishing tactics, including authority impersonation, OTP harvesting, callback fraud, and escalation pressure. Incident response plans should explicitly account for voice-driven fraud scenarios, including financial containment and validation procedures.
Measuring Meaningful Outcomes
Many robocall mitigation programs still focus primarily on blocked call volume. That metric alone provides limited insight into actual risk reduction.
More meaningful measures include prevented account takeovers, blocked reset attempts, prevented payment reroutes, time to detection, and visibility into authentication quality across call paths.
The goal is not to eliminate every unwanted call. The objective is to reduce successful attacker conversion while preserving legitimate business communications.
CISO Voice Security Readiness Checklist
- Governance: Voice is treated as an attack surface with shared ownership (Security + Telecom/Unified Communications + Fraud/Finance + Contact Center).
- Identity/Access: High-risk actions avoid voice/SMS OTP when possible; step-up verification protects resets and enrollment.
- Help Desk: Account recovery requires strong identity proofing (not just caller credibility).
- Finance: Vendor bank and payroll changes require dual approval and out-of-band verification.
- Telecom Controls: Caller authentication signal gaps (including non-IP segments) are understood; call spoof protection, branding, analytics, and DNO lists are in place.
- Training: High-risk roles get vishing-specific training and simulations (urgency, authority, OTP harvesting, call transfers).
- Metrics: Program tracks prevented conversions (stopped fraud attempts), not only blocked call volume.
The Takeaway
Organizations that continue treating robocalls as someone else’s problem because they originate outside the traditional network perimeter will remain vulnerable to voice-driven fraud and social engineering.
Voice communications are now part of the enterprise attack surface.
Security leaders should model robocall and vishing activity using frameworks such as MITRE ATT&CK, strengthen the workflows attackers routinely target, and apply layered verification controls that reduce successful impersonation without disrupting legitimate communications.
Appendix: Robocall/Vishing ATT&CK Mapping
| ATT&CK Tactic | Technique(s) | Robocall/Vishing Behaviors | Defensive Focus |
|---|---|---|---|
| Reconnaissance (TA0043) | Victim Identity Information (e.g., T1592) | Harvest phone numbers, roles, vendors; time attacks to payroll/IR cycles. | Reduce exposed contact info; monitor leakage; limit public role details; train high-risk roles. |
| Resource Development (TA0042) | Acquire Infrastructure (e.g., T1583) | Stand up VoIP/SIP trunks, lease numbers, rotate identities. | Telecom account vetting; anomaly and velocity analytics; enforce supplier controls. |
| Initial Access (TA0001) | Phishing (T1566) / Spearphishing Voice (T1566.004) | Impersonation, urgency; 'press 1'; callback numbers; transfer to live agent. | Vishing training; verified callback paths; contact-center scripts; label/block using authentication + analytics. |
| Defense Evasion (TA0005) | Masquerading (e.g., T1036) | Caller ID spoofing/laundering; exploit non-IP authentication gaps. | Preserve and inspect authentication signals; address non-IP segments; apply DNO lists; gateway controls. |
| Credential Access (TA0006) | Credential/OTP harvesting (voice-driven) | Collect OTPs/PINs; 'fraud alert' social engineering; push MFA approvals. | Step-up auth; avoid voice OTP for high-risk actions; strong proofing for resets; fraud playbooks. |
| Command and Control (TA0011) | Interactive control (conceptual mapping) | Bot-to-human handoff; repeated callbacks; persuasion loop. | Detect repeated targeting; throttle suspicious patterns; rapid escalation and reporting paths. |
| Impact (TA0040) | Financial Fraud (e.g., T1657) | Wire/payroll diversion, account takeover, call-center flooding, reputational harm. | Dual approval; out-of-band verification; incident response for voice fraud; track prevented conversions. |
Note: Mapping is an applied security interpretation to guide enterprise controls; telecom implementations vary by provider and call path.