
Vishing Trends: How Voice Fraud Is Evolving and What Businesses Can Do

Rapid growth of vishing attacks

Vishing has increased by 550% over the past 3 years.

More sophisticated impersonation techniques

Artificial intelligence is being used to simulate human voices.

Vishing targeting internal staff

Primary targets include IT and finance employees across all industries.

Google case (August 2025) and the risk

Google’s breach revealed how vulnerable SMB data can be. If a tech giant like Google can be tricked, are small and medium-sized businesses truly ready?

Vishing (voice phishing) is gaining prominence in the cybersecurity world. Unlike traditional phishing via email, vishing is carried out through phone calls, typically using social engineering tactics that exploit human trust. In 2025, even Google was a victim of such an attack, directly impacting its SMB customers and showing that no organization is immune.

This blog explores the current trends in vishing, how cybercriminal techniques are evolving, and what your company can do to stay protected.

Rapid growth of vishing attacks:

Vishing attacks have grown dramatically. According to IBM Security, these threats increased by 550% from 2020 to 2023. This is driven by remote work and the ease of using VoIP and spoofed numbers.

 –  550% increase in vishing incidents (IBM X-Force).

 –  40% of social engineering attacks involve voice calls.

 –  Only 18% of companies have dedicated vishing protocols.


 –  Lack of voice identity verification.

 –  Employees untrained in phone-based threats.

 –  Overreliance on email for request validation.

 –  Ongoing vishing awareness training.

 –  Real-time VoIP monitoring.

 –  Multi-channel validation: phone, email, and internal tickets.


More sophisticated impersonation techniques

Scammers are using generative AI and voice deepfakes to make calls sound like real executives. Often, the synthetic voice can closely mimic managers, successfully deceiving even experienced employees.

  • Vishing: Voice phishing.
  • Spoofing: Identity forgery technique.
  • Deepvoice: AI-generated voice replication.

 – Fake urgent calls requesting money transfers.

 – Requests for internal system access.

 – Impersonated calls from finance or legal teams.

 – Enforce dual-validation for all phone-based requests.

 – Use vocal pattern recognition as an added security layer.

 – Record and audit all critical calls internally.

Vishing targeting internal staff

Not only top executives are at risk. Increasingly, cybercriminals target IT support, accounting, and HR staff, who handle critical data or privileged access.

A growing tactic is the impersonation of a WhatsApp group admin. The attacker calls members saying they’ll receive a code to “verify” something about the group. That code is actually the victim’s WhatsApp verification code. If shared, the attacker takes over the account and can use it to scam others within the company.

This attack blends vishing and account takeover, and it’s especially effective in companies where WhatsApp is used as an operational tool.

  1. Tech support.
  2. Finance and accounting.
  3. Human Resources.

 – Sharing credentials over the phone without validation.

 – Failing to confirm the caller’s identity.

 – Lack of awareness of internal incident protocols.

 – Deliver targeted training to critical departments.

 – Implement mandatory approval workflows for any unusual requests.

 – Use real-time alerts from the SOC or cybersecurity team.
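The multi-channel validation, dual-validation and mandatory-approval recommendations above can be enforced as a gate in a help-desk or finance workflow. The following is an added example, not part of the original article; the action names, channel names and sample requests are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy sets for illustration; adapt to your own request catalogue.
NEVER_BY_PHONE = {"share_verification_code"}   # e.g. a WhatsApp/SMS code read out to a caller
SENSITIVE = {"wire_transfer", "password_reset", "system_access", "software_install"}
# Channels the company initiates itself; the inbound call never counts as one.
INDEPENDENT = {"callback", "email", "internal_ticket"}

@dataclass
class Confirmation:
    channel: str          # "callback", "email" or "internal_ticket"
    contact_source: str   # "directory" (on file) or "caller_supplied"

@dataclass
class PhoneRequest:
    action: str
    handled_by: str                 # employee who took the call
    approver: str = ""              # second employee who signed off, if any
    confirmations: list = field(default_factory=list)

def evaluate(req: PhoneRequest):
    """Return (decision, reasons) for a request that arrived by phone."""
    if req.action in NEVER_BY_PHONE:
        return "deny", ["verification codes are never shared with a caller"]
    if req.action not in SENSITIVE:
        return "allow", []
    reasons = []
    if any(c.contact_source != "directory" for c in req.confirmations):
        reasons.append("confirmation used contact details supplied by the caller")
    channels = {c.channel for c in req.confirmations
                if c.channel in INDEPENDENT and c.contact_source == "directory"}
    if len(channels) < 2:
        reasons.append("fewer than two independent channels confirmed the request")
    if not req.approver or req.approver == req.handled_by:
        reasons.append("no second employee approved the request")
    return ("hold" if reasons else "allow"), reasons

# Constructed sample requests (not real incidents).
SAMPLES = {
    "urgent_transfer": PhoneRequest("wire_transfer", "emp-17",
        confirmations=[Confirmation("callback", "caller_supplied")]),
    "validated_transfer": PhoneRequest("wire_transfer", "emp-17", approver="emp-04",
        confirmations=[Confirmation("callback", "directory"),
                       Confirmation("internal_ticket", "directory")]),
    "group_admin_code": PhoneRequest("share_verification_code", "emp-22"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, *evaluate(req))
```

A callback only counts when the number comes from the company directory, which is what stops a caller from confirming their own request through a number they supplied.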

Google Case (August 2025) & SMB Risk

In August 2025, Google confirmed it had fallen victim to a vishing attack targeting its Salesforce CRM environment. The attack, linked to the ShinyHunters group, used voice-based social engineering to convince employees to install a malicious component. As a result, contact details and notes related to small and medium-sized business (SMB) clients were accessed.

Although the exposed data was publicly available (names, emails, phone numbers), the incident highlighted critical weaknesses in voice verification and access controls.

  • Weak validation relying solely on voice recognition.
  • Lack of multi-factor authentication in sensitive workflows.

 – Immediately removed compromised access.

 – Notified all affected customers on August 8.

 – Reviewed and reinforced internal cybersecurity protocols.

 – Review your internal voice authentication and validation processes.

 – Implement active monitoring of access to critical systems.

 – Secure business communications with reliable UCaaS solutions.

Frequently asked questions (FAQ)

Phishing uses email or text; vishing is done over phone calls.

Through call simulations and targeted social engineering training.

Yes. Many SMBs are targeted due to weaker cybersecurity frameworks.

  1. An unusual sense of urgency.

  2. Requests for access or transfers that bypass normal procedures.

  3. Calls impersonating internal staff but lacking accurate context.

  1. Tech, healthcare, and financial services are among the top targets.
  2. However, any company with digital infrastructure and multiple users is at risk.

  1. Act fast: disconnect any potentially compromised access points.

  2. Immediately alert your cybersecurity team or IT provider.

  3. Assess the scope of the breach and notify affected parties if needed.

  4. Retrain staff and implement additional safeguards to prevent recurrence.

“Security is not a product, it’s a process.” – Bruce Schneier

A single call can jeopardize your entire operation. Vishing evolves faster than many traditional defenses. Don’t wait to become a victim to take action.

At Conexpro, we help you build a comprehensive cybersecurity strategy, from risk assessments to defensive protocols against social engineering attacks.

Request your free business cybersecurity consultation today. We’ll show you how to reduce voice fraud exposure and protect your teams.
