Vishing attacks surged 442% last year – how to protect yourself

ZDNET

Cybercriminals and hackers employ a variety of methods to access and steal sensitive information from individuals and organizations. One increasingly popular approach is vishing, or voice phishing. Here, the attacker tricks someone into sharing account credentials or other information through a simple phone call. According to the latest data from security firm CrowdStrike, these types of attacks have been skyrocketing.


In its 11th annual 2025 CrowdStrike Global Threat Report, the security provider revealed that vishing attacks jumped 442% in the second half of 2024 compared with the first half. Throughout the year, CrowdStrike Intelligence tracked at least six similar but distinct campaigns in which attackers pretending to be IT staffers called employees at different organizations.

Help desk social engineering

In these particular campaigns, the scammers tried to convince their intended victims to set up remote support sessions, typically using the Microsoft Quick Assist tool built into Windows. In many of these, the attackers used Microsoft Teams to make the phone calls. At least four of the campaigns seen by CrowdStrike used spam bombing to send thousands of junk emails to the targeted users as a pretext for the alleged support call.


The type of vishing used in these attacks is often known as help desk social engineering. Here, the cybercriminal posing as a help desk or IT professional stresses the urgency of the call as a response to some made-up threat. In some cases, the attacker requests the person’s password or other credentials. In other cases, such as the ones documented in the report, the scammer tries to gain remote access to the victim’s computer.

Callback phishing

Another tactic seen by CrowdStrike is callback phishing. Here, the criminal sends an email to an individual over some type of urgent but phony matter. This could be a claim for an overdue invoice, a notice that they’ve subscribed to some service, or an alert that their account has been compromised. The email contains a phone number for the recipient to call. But naturally, that number leads them directly to the scammer, who tries to con them into sharing their credit card details, account credentials, or other information.

Because these attacks are usually aimed at organizations, ransomware is often the next stage. Once the attackers have gained access to network resources, user or customer accounts, and other sensitive data, they can hold the stolen information for ransom.


In its report, CrowdStrike identified a few different cybercrime groups that use vishing and callback phishing in their attacks. One group known as Chatty Spider focuses mostly on the legal and insurance industries and has demanded ransoms as high as $8 million. Another group called Plump Spider targeted Brazil-based businesses throughout 2024 and used vishing calls to direct employees to remote support sites and tools.

“Similar to other social engineering techniques, vishing is effective because it targets human weakness or error rather than a flaw in software or an operating system (OS),” CrowdStrike said in its report. “Malicious activity may not be detected until later in an intrusion, such as during malicious binary execution or hands-on-keyboard activity, which can delay an effective response. This gives the threat actor an advantage and puts the onus on users to recognize potentially malicious behavior.”

Tips to protect yourself against vishing attacks

To protect yourself, your employees, and your organization from vishing attacks and similar threats, CrowdStrike offers the following tips:

  • Require video authentication and government ID for employees who call the help desk to request password resets.
  • Train help desk employees to be cautious when answering phone calls requesting password or MFA (multi-factor authentication) resets. They should be especially wary if those calls come outside regular business hours or if a high number of such requests occur in a short period of time.
  • Use more advanced authentication methods such as FIDO2 to guard against account compromise.
  • Monitor for attempts in which more than one person tries to register the same device or phone number for MFA.
  • Offer regular security training for employees. Teach them how to recognize phishing attempts and social engineering attacks.
  • Regularly apply security patches and other fixes to resolve critical vulnerabilities.
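Two of these tips, the burst of reset requests in a short period or outside business hours, and the same device or phone number being registered for MFA by more than one person, can be checked mechanically against help desk and identity logs. The following is an added example, not code from CrowdStrike or ZDNET; it runs over a constructed sample log whose record layout, business hours and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help desk / identity log (not from the article).
# Record layout is assumed: (timestamp, user, action, detail); for an
# mfa_enroll record the detail is the enrolled device or phone number.
SAMPLE_LOG = [
    ("2024-11-04 09:12:00", "alice", "password_reset", "phone"),
    ("2024-11-04 09:14:00", "bob",   "mfa_reset",      "phone"),
    ("2024-11-04 09:16:00", "carol", "mfa_reset",      "phone"),
    ("2024-11-04 09:19:00", "dave",  "password_reset", "phone"),
    ("2024-11-04 22:40:00", "erin",  "password_reset", "phone"),
    ("2024-11-04 09:20:00", "alice", "mfa_enroll",     "+1-555-0100"),
    ("2024-11-04 09:21:00", "bob",   "mfa_enroll",     "+1-555-0100"),
    ("2024-11-05 10:00:00", "frank", "mfa_enroll",     "+1-555-0199"),
]
RESET_ACTIONS = {"password_reset", "mfa_reset"}

def parse(log):
    """Convert timestamps to datetime so records sort and subtract cleanly."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, a, d)
            for ts, u, a, d in log]

def burst_resets(log, threshold=3, window=timedelta(minutes=15)):
    """Reset requests inside any sliding window holding >= threshold of them."""
    resets = sorted(r for r in parse(log) if r[2] in RESET_ACTIONS)
    flagged = set()
    for i, rec in enumerate(resets):
        j = i
        while j < len(resets) and resets[j][0] - rec[0] <= window:
            j += 1
        if j - i >= threshold:
            flagged.update(resets[i:j])
    return sorted(flagged)

def after_hours_resets(log, start_hour=8, end_hour=18):
    """Reset requests placed outside the assumed business hours."""
    return [r for r in parse(log)
            if r[2] in RESET_ACTIONS and not start_hour <= r[0].hour < end_hour]

def shared_mfa_factors(log):
    """Devices or phone numbers enrolled for MFA by more than one user."""
    users = defaultdict(set)
    for _, user, action, detail in parse(log):
        if action == "mfa_enroll":
            users[detail].add(user)
    return {d: sorted(u) for d, u in users.items() if len(u) > 1}
```

On the sample log the four morning resets are flagged as a burst, erin's late-evening request is flagged as after hours, and the phone number shared by alice and bob is reported as a shared MFA factor.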
