Vishing attacks impersonating IT helpdesk, banks, and government agencies are rising rapidly in India. Here's how vishing works and how to build employee defenses against it.
Voice phishing — vishing — is the oldest social engineering attack in the book. And in 2025, it's making a comeback with AI-generated deepfake voices that can impersonate your CEO with near-perfect accuracy.
How Vishing Attacks Work
1. Attacker calls the target, spoofing a legitimate number
2. Establishes urgency and authority: "This is the fraud department — your account shows suspicious activity"
3. Uses fear to bypass critical thinking: "You have 10 minutes before your account is frozen"
4. Requests sensitive information: OTP, password, or remote access via AnyDesk/TeamViewer
The AI voice threat
In 2024, a Hong Kong company lost HK$200 million after an employee was convinced by a deepfake video call impersonating the CFO. AI voice cloning requires as little as 3 seconds of audio.
Common Vishing Scripts in India
- "I'm calling from TRAI — your number will be disconnected in 2 hours"
- "This is the SBI fraud team — please share your OTP to reverse suspicious transactions"
- "I'm calling from your IT department — we need your VPN credentials for a security patch"
What Employees Should Always Do
- Never share OTPs, passwords, or sensitive information over any incoming call
- Hang up and call back using the official number from the organization's website
- Report all suspicious calls to IT security immediately
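The three rules above can be encoded in a call-report triage helper. This is an added example, not PhishShield's own code. It shows that a caller ID matching the official number changes nothing, because that number can be spoofed. The directory entries, phone numbers, field names and keyword lists are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory: numbers copied from each organization's official
# website in advance, never taken from the call itself. Placeholder values.
OFFICIAL_DIRECTORY = {
    "it helpdesk": "+91-00-0000-0001",
    "bank fraud team": "+91-00-0000-0002",
}
# What the caller asks for (step 4) and how pressure is applied (steps 2-3).
SENSITIVE = re.compile(r"\b(otp|passwords?|credentials?|anydesk|teamviewer|remote access)\b", re.I)
URGENCY = re.compile(r"\b(\d+\s*(minutes?|hours?)|immediately|frozen|disconnected)\b", re.I)

@dataclass
class InboundCall:
    claimed_org: str                 # who the caller says they are
    caller_id: str                   # number shown on the phone (spoofable)
    callback_offered: Optional[str]  # number the caller asks you to ring back
    summary: str                     # employee's notes on what was said

def triage(call: InboundCall) -> dict:
    official = OFFICIAL_DIRECTORY.get(call.claimed_org.lower())
    reasons = []
    if SENSITIVE.search(call.summary):
        reasons.append("sensitive-request")
    if URGENCY.search(call.summary):
        reasons.append("urgency-pressure")
    if call.callback_offered and call.callback_offered != official:
        reasons.append("caller-supplied-callback")
    if official is None:
        reasons.append("org-not-in-directory")
    return {
        "share_on_this_call": False,       # never, whatever the caller ID shows
        "call_back_on": official,          # directory number only; None = look it up first
        "report_to_it_security": bool(reasons),
        "reasons": reasons,
    }

if __name__ == "__main__":
    # Constructed report: caller ID equals the directory number, request is still refused.
    spoofed = InboundCall("IT helpdesk", "+91-00-0000-0001", None,
                          "We need your VPN credentials for a security patch")
    print(triage(spoofed))
```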
Written by
Priya Sharma
Threat Intelligence Analyst at PhishShield