Scam (increasingly) likely: What’s behind the rise of vishing?

It’s not a cutting-edge piece of AI malware or an all-powerful remote code execution vulnerability.

It’s a simple phone call.

“We do social engineering campaigns for our clients where the objective is to call their help desk and see if we can impersonate an employee to reset their password,” Carruthers explains. “To date, we have been successful every single time we've done that.” 

As a member of IBM’s X-Force team, Carruthers uses her powers for good, launching mock attacks to help clients identify and address security flaws. 

But plenty of malicious hackers have also hopped on the vishing, or “voice phishing,” bandwagon in recent months. Vishing scams, which use fraudulent phone calls to trick people into sharing sensitive information, downloading malware or sending money to criminals, increased by 442% in 2024, according to a recent CrowdStrike report.

Carruthers and other cybersecurity experts expect vishing instances to continue soaring as threat actors look for ways to get around organizations’ tightening security controls.

As Carruthers puts it, “It’s a lot easier to filter out an email than it is to stop someone from answering the phone.” 

In the world of cybersecurity, attackers and defenders have long been locked in an arms race. Attackers identify a vulnerability and exploit it. Defenders patch the vulnerability and strengthen protections to prevent similar attacks in the future. Rinse and repeat.

But as security solutions become more advanced, and security practices grow more refined, hackers are having a harder time finding exploitable flaws in the first place. 

In response, many attackers have turned their attentions to less patchable targets: people.

According to the IBM X-Force Threat Intelligence Index, phishing and the abuse of valid user accounts are two of the three most common ways that cybercriminals break into company networks now. 

By hijacking legitimate accounts, attackers can pose as real users, bypassing many security measures as they move laterally and escalate privileges. 

And while emails and text messages were once the default modes of phishers everywhere, these methods bear much less fruit in the age of advanced spam filters. 

Phone calls are a different story. 

“If you look at a lot of major data breaches now, you'll see that it was actually a phone call that started the breach,” Carruthers says. “Someone impersonating an employee called the help desk to reset an account password. Now they have control of that account, and they can get into a lot of systems.” 

Service providers have rolled out spam call filters to help combat phone scams, but they’re not as reliable as email and text filters. 

Moreover, thanks to the popularity of bring your own device (BYOD) programs, employees often use personal smartphones for business tasks. Organizations often have much less control over the security of these devices than they do over corporate email accounts, for example.

But perhaps the most dangerous thing about vishing is that, when the victim answers a call, there’s little that anyone else can do to intervene. 

A phone conversation doesn’t offer the opportunities for unhurried scrutiny that an email might. Scammers use this fact to their advantage, ratcheting up the sense of urgency and bombarding the victim with asks and information. The victim has no room to stop and think about whether it all adds up.

All of these factors make vishing remarkably effective. Carruthers knows this fact firsthand, both from her time as a people hacker and as one of the facilitators of the Social Engineering Community Vishing Competition (SECVC) at DEF CON.

The competition pits 14 teams against one another to see who can complete the most objectives during a live vishing call placed from a soundproof booth in front of an audience. 

"The purpose is not to say, 'Look how great we are at this social engineering stuff,’” Carruthers explains. "It's to show how prevalent social engineering is, and how it really happens. A lot of people think it’s just email-based. They forget about the phone calls and how incredibly successful they are.”

At the most recent competition, Carruthers says, every team met at least some of its objectives, meaning it extracted some kind of information or got people to take risky actions.  

In other words: Vishing scams seem to always get something from their targets. No one’s countermeasures are perfect. 

As a member of X-Force, Carruthers has helped many organizations revamp their security awareness training. In her experience, most training programs don’t cover vishing scams at all. When they do, they stop at high-level advice such as “Don’t give out your password over the phone.”

“We have tricks to get around that,” Carruthers says. “I'm not going to ask for your password over the phone. I'm going to say, ‘Go to this website and enter your username and password. Don’t give it to me. That’s not secure.’”

Of course, it’s a website that Carruthers or worse, a real threat actor controls, and now they have your credentials.

While phone calls might be a low-tech method for hackers, some of the ways they use phone calls are decidedly futuristic. 

With the birth of artificial intelligence (AI) tools that can generate videos and human voices, scammers can create convincing deepfakes of real people, leading to highly targeted attacks.

“Maybe you're used to seeing a weekly video message from your CEO,” Carruthers says. “Now, hackers can make their own version of that weekly message, asking you to do something specific. Would you recognize it?”

Last summer, fraudsters tried to fool a security researcher at Palo Alto Networks by using AI to mimic his daughter’s voice. 

As generative AI evolves, some worry it might, in the worst-case scenario, lead to autonomous, massively scalable vishing operations. 

It’s speculation, but it’s grounded in fact. Carruthers herself has squared off against an AI-powered scammer and won, but barely.

At last year’s DEF CON, Carruthers and her partner represented the humans in the inaugural John Henry Competition, named after the American folk hero who bested a steam-powered rock drill in a steel-driving contest. Their opponent: an AI chatbot with voice-synthesizing capabilities purpose-built for vishing schemes.

The goal of the competition was to see who could score the most points in a series of live vishing calls. 

“I went into it really cocky,” Carruthers recalls. “I thought, ‘We're going to win, hands down. The voice from the AI is probably going to start fumbling, or start asking weird questions. Something's going to go wrong.’”

And something did go wrong, for Carruthers, not the bot.

“When I heard it start making calls, I was like, ‘Oh no,’” she says. 

The chatbot, in her words, did “fantastic,” using different tactics and voices for different calls. It was able to gather information about people's systems and even convince them to take actions such as visiting certain websites.

“Think about it from a human operator standpoint,” Carruthers says. “If you're able to step back and let the computer do all this stuff for you, it's pretty terrifying,” 

As in the tale of John Henry, the humans did win, although not by much. (And where the mythical Henry died of exertion after besting the automatic drill, Carruthers and her partner are still very much alive.)

But they might not keep winning forever.

“I would guess if we were to continue this year after year, there's definitely going to be a point that the AI is going to outpace the humans,” Carruthers says.

With the number of vishing incidents projected to keep climbing, organizations need to shore up their defenses. Given the nature of vishing, the focus should be on equipping individual employees to better notice and respond to scam calls.

“Attackers rely on you acting fast,” Carruthers says. “So really slow down and evaluate as much as possible any type of communication that you get.”

Vishing calls often present as urgent matters that the victim must address quickly, or else. As Carruthers points out, legitimate business, even pressing legitimate business can usually wait to be verified. 

No vendor is going to terminate your account if you don’t pay in the next five minutes. The CEO will never need Amazon gift cards so badly that you can’t ask for more details. 

Speaking of verification: The advent of AI cloning has made voice-based verification practically useless. 

“Say that I get a phone call from someone who says it’s my grandma,” Carruthers explains. “The number is right. It even sounds like her. But something’s not adding up. She says she needs help and wants me to wire her money. What do I do?”

Carruthers recommends establishing code words with people, including friends or relatives. It doesn’t have to be a formal passcode. It can be some personal information that only the real person would know, such as a book they recently recommended to you. (An executive at Ferrari thwarted an AI vishing scam last year by using exactly this tactic .)

Enterprise security teams can’t rely on every single employee having a close enough personal relationship for verification-by-book-recommendation to work at scale. But organizations can build multilayered verification processes that use multiple points of proof to verify callers’ identities for any request, from resetting a password to paying an invoice.

“The more layers we can use to verify someone, the better,” Carruthers says. “And don’t use things that can be easily found or faked, such as a voice or birthdate or the street someone grew up on.”

Unique and hard to fabricate factors that Carruthers has seen include rotating company code words, having people’s managers vouch for them and sending one-time passwords to preregistered devices.

(Preregistration is important. Otherwise, scammers can just supply a number they control.)

Whatever factors an organization uses, it must use more than one.

“With one client that used a rotating company code word, we were able to social engineer the word out of someone, so it didn’t end up stopping us,” Carruthers says. “That's why I'm such a big fan of having multiple things in place.”