Voice phishing, or vishing, is social engineering delivered by phone, voicemail, or voice chat. Instead of sending a malicious link, the attacker uses urgency, authority, or trust to persuade a target to reveal credentials, one-time passcodes, account recovery details, or internal information. Call spoofing and impersonation make these scams look legitimate, so the victim may believe they are speaking to a help desk, bank, vendor, or executive.
Vishing matters because it targets people and business processes, not just software. In real attacks, it is often used to reset passwords, enroll new MFA devices, bypass support workflows, or gain a foothold before broader intrusion and extortion. Defenders reduce risk by training staff to verify callers through known numbers, requiring out-of-band approval for sensitive requests, limiting what support teams can change, and logging account recovery and privilege changes for review.