The Phone Call That Cost One Company $23 Million
In early 2024, a finance worker at engineering firm Arup was tricked into wiring $25 million to threat actors after a deepfake video call that impersonated senior leadership. That incident made headlines worldwide. But for every deepfake video heist, there are thousands of lower-tech vishing and smishing attacks that quietly drain bank accounts, steal credentials, and compromise entire networks — and the FBI has been sounding the alarm louder than ever.
The latest FBI warning on vishing and smishing isn't theoretical. The Bureau's Internet Crime Complaint Center (IC3) reported over $12.5 billion in cybercrime losses in 2023 alone, with social engineering attacks — including voice phishing (vishing) and SMS phishing (smishing) — as primary vectors. In 2025, these attacks have only accelerated, fueled by AI-generated voice cloning and mass SMS spoofing platforms available for pennies on the dark web.
This post breaks down exactly what the FBI is warning about, how these attacks work in practice, and the specific steps your organization needs to take right now.
What Are Vishing and Smishing — And Why Is the FBI Flagging Them?
Vishing (voice phishing) is a social engineering attack conducted over phone calls. A threat actor impersonates a bank, government agency, IT department, or executive and pressures the target into revealing credentials, transferring funds, or installing remote access software.
Smishing (SMS phishing) uses text messages to accomplish the same goal — a malicious link, a fake urgency, a spoofed sender. The message might claim to be from the IRS, your bank, a delivery service, or your own CEO.
The FBI has issued multiple public service announcements and IC3 alerts specifically about these attack types. Their December 2024 joint advisory with CISA warned about threat actors using vishing to target employees with VPN credential theft — a direct callback to a 2020 campaign that compromised multiple large companies through voice calls to remote workers. You can review the FBI IC3's annual reporting at ic3.gov.
Why These Attacks Are Surging in 2025
Three factors have converged to make vishing and smishing explosively effective this year:
- AI voice cloning: Threat actors can now clone a voice from as little as three seconds of audio. That earnings call your CFO did? It's training data now.
- Mass SMS spoofing platforms: Services on underground forums let attackers send thousands of spoofed texts that appear to come from legitimate short codes — the same numbers your bank uses.
- Remote and hybrid work: Employees scattered across home networks are more likely to trust a phone call claiming to be from IT support. There's no colleague next to them to gut-check the request.
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse. Vishing and smishing are squarely in that majority. You can read the full DBIR at Verizon's DBIR page.
How a Typical FBI-Warned Vishing Attack Unfolds
I've investigated dozens of these incidents over the years. Here's what actually happens — step by step.
Step 1: Reconnaissance
The attacker scrapes LinkedIn, your company website, and data broker sites. They identify your IT helpdesk number, the names of key employees, and your VPN provider. This takes about 15 minutes for a skilled threat actor.
Step 2: The Call
Your employee gets a phone call. Caller ID shows your company's main number or a number one digit off. The caller says they're from IT, there's been a security incident, and the employee needs to verify their VPN credentials immediately. The caller knows the employee's full name, department, and manager.
Step 3: Credential Theft
The employee is directed to a fake login page — or simply asked to read out their credentials and the six-digit code from their authenticator app. If the attacker captures a live MFA token, they're into your network within seconds.
Step 4: Lateral Movement
Once inside, the attacker moves fast. They access email, internal file shares, and financial systems. They may deploy ransomware, exfiltrate data, or set up persistent backdoor access. The average dwell time before detection is still measured in days, not minutes.
This isn't hypothetical. The FBI specifically warned about this exact playbook in advisories related to the 2020 vishing campaign targeting remote workers at major corporations, and updated their guidance through 2024 as the tactics evolved with AI augmentation.
The Smishing Playbook: Texts That Steal Everything
Smishing is vishing's quieter, more scalable sibling. Here's what I'm seeing in 2025:
- Fake toll road notifications: The FBI issued a specific alert in early 2025 about smishing texts impersonating toll services like E-ZPass, directing victims to credential harvesting sites.
- Package delivery scams: Texts claiming a USPS or UPS package can't be delivered. The link leads to a page that harvests personal information or installs malware.
- Employee benefits and payroll: Texts spoofing HR platforms asking employees to "confirm" direct deposit details. The money goes to the attacker's account.
- MFA push bombing via text: Attackers trigger repeated authentication requests, then text the target pretending to be IT support, asking them to approve the login.
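The push-bombing pattern in the last item is detectable on the identity provider side, because a bombed user receives a burst of pushes that a normal login never produces. The following detector, an added example that is not from the original post, runs over constructed authentication log lines in an assumed `timestamp user=… event=… ip=…` format and raises a medium alert when a user gets several pushes inside a short window, then a high alert if that burst ends in an approval (the moment the "IT support" text has done its job).

```python
"""Detect MFA push-bombing in authentication logs (constructed example).

Assumed log format (not a real product's format):
    <ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                 # pushes within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

# Constructed sample: jdoe is bombed and eventually approves; asmith logs in normally.
SAMPLE_LOG = """\
2025-03-04T09:00:05Z user=jdoe event=push_sent ip=203.0.113.7
2025-03-04T09:00:09Z user=jdoe event=push_denied ip=203.0.113.7
2025-03-04T09:00:40Z user=jdoe event=push_sent ip=203.0.113.7
2025-03-04T09:01:10Z user=jdoe event=push_sent ip=203.0.113.7
2025-03-04T09:01:55Z user=jdoe event=push_sent ip=203.0.113.7
2025-03-04T09:02:30Z user=jdoe event=push_approved ip=203.0.113.7
2025-03-04T09:05:00Z user=asmith event=push_sent ip=198.51.100.2
2025-03-04T09:05:04Z user=asmith event=push_approved ip=198.51.100.2
"""

def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_bombing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (user, severity, detail) alerts: one 'medium' per burst,
    plus one 'high' if the burst ends in an approval."""
    recent = defaultdict(deque)   # user -> timestamps of pushes still in window
    bursting = set()              # users with an open, un-approved burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ev, ts = rec["user"], rec["event"], rec["ts"]
        q = recent[user]
        if ev == "push_sent":
            q.append(ts)
            while ts - q[0] > window:     # drop pushes older than the window
                q.popleft()
            if len(q) == 1:               # window fully expired: burst is over
                bursting.discard(user)
            if len(q) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append((user, "medium", f"{len(q)} pushes within {window}"))
        elif ev == "push_approved" and user in bursting:
            alerts.append((user, "high", f"approval after burst from {rec['ip']}"))
            bursting.discard(user)
    return alerts
```

A high alert is the one worth paging on: it means the user was likely talked into approving, so the session should be revoked and the user called back on a known number.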
The FTC has also tracked a massive increase in text-based scams, reporting that consumers lost over $390 million to text scams in 2024. You can check the FTC's data at ftc.gov.
What Does the FBI Actually Recommend?
Here's a direct summary of the FBI's guidance, drawn from their IC3 alerts and public advisories:
- Never provide credentials or MFA codes to an unsolicited caller or text. Your bank and your IT department will never ask for your password over the phone.
- Verify independently. If someone calls claiming to be from your company, hang up and call back using a known number — not the number they provide.
- Report smishing texts. Forward suspicious texts to 7726 (SPAM) and file a report with the FBI at ic3.gov.
- Enable multi-factor authentication — but prefer phishing-resistant methods like hardware security keys (FIDO2/WebAuthn) over SMS-based codes, which can be intercepted.
- Train your workforce. The FBI repeatedly emphasizes that security awareness training is a critical defense against social engineering.
The $4.88M Lesson: Why Training Is the Only Scalable Defense
IBM's Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million. Social engineering was among the most common initial attack vectors. And the single most effective cost reducer? Employee training and security awareness programs — organizations with mature training programs saved an average of $258,629 per breach.
You can deploy the best email filters in the world, but vishing bypasses your email stack entirely. Smishing bypasses your corporate network. These attacks target people, not systems. That means your defense has to target people too.
This is why I built the cybersecurity awareness training program at computersecurity.us — to give organizations practical, scenario-based training that covers exactly these threats. Your employees need to hear a simulated vishing call and practice hanging up. They need to see a realistic smishing text and practice not clicking.
Phishing Simulations: Testing Before Attackers Do
The FBI's recommendations align perfectly with what I've seen work in practice: regular phishing simulations combined with immediate feedback. When an employee clicks a simulated smishing link and immediately sees what they should have caught, the lesson sticks.
If your organization hasn't started running phishing simulations, the phishing awareness training platform at phishing.computersecurity.us is designed specifically for this. It covers email phishing, smishing, and vishing scenarios with actionable metrics so you can see where your team is vulnerable before a real threat actor finds out.
How to Spot a Vishing or Smishing Attack: A Quick Reference
This section answers the question people actually search for: how do I recognize a vishing or smishing scam?
Vishing red flags:
- Unsolicited call creating extreme urgency — "Your account will be locked in 10 minutes."
- Caller asks for passwords, PINs, MFA codes, or remote access.
- Caller ID shows a known number but the person sounds unfamiliar.
- They discourage you from verifying through another channel. "Don't call the main line — I'm the only one who can help."
- Background noise that sounds like a legitimate call center (attackers use audio loops).
Smishing red flags:
- Text from an unknown number with a shortened or unfamiliar URL.
- Unexpected messages about deliveries, tolls, or account issues you didn't initiate.
- Texts asking you to "confirm" personal or financial information via a link.
- Messages that threaten account suspension, legal action, or financial penalties.
- Any text that asks you to reply with a code you just received.
Building a Zero Trust Mindset Against Voice and Text Attacks
Zero trust isn't just a network architecture — it's a philosophy. And it applies directly to phone calls and text messages. Here's how I frame it for organizations:
Never trust a communication channel you didn't initiate. If you didn't start the call or the text thread, treat every request for credentials, money, or access as hostile until proven otherwise.
Practical Steps for Your Organization This Week
- Update your security awareness training to include vishing and smishing scenarios — not just email phishing. Most training programs still over-index on email.
- Implement a verbal verification protocol. Any request for credential resets, wire transfers, or access changes made via phone must be verified through a secondary channel (e.g., Slack message to a known account, in-person confirmation).
- Deploy phishing-resistant MFA. NIST's guidance at nist.gov specifically recommends FIDO2 hardware tokens over SMS-based MFA, which is vulnerable to SIM swapping and smishing interception.
- Create a reporting channel. Make it trivially easy for employees to report suspicious calls or texts. If reporting requires filling out a form with 15 fields, nobody will do it. A dedicated Slack channel or email alias works.
- Run tabletop exercises. Walk your finance and HR teams through a scenario where an attacker calls pretending to be the CEO and requests an urgent wire transfer. Practice the response before it happens for real.
The FBI Warning Is the Wake-Up Call. Your Response Is What Matters.
The FBI doesn't issue warnings to fill news cycles. When the Bureau flags vishing and smishing as escalating threats — as they've done repeatedly through 2024 and 2025 — it means they're seeing a surge in reported losses and compromised organizations.
I've seen companies that thought they were too small to be targeted get hit with a $200,000 wire fraud through a single vishing call. I've seen hospitals, school districts, and law firms compromised through smishing texts that took 30 seconds to craft.
The common thread in every case? No training. No simulation program. No verification protocol. Just an employee who trusted a phone call they shouldn't have.
Your technical controls matter. Your firewalls, your endpoint detection, your email gateways — they all play a role. But vishing and smishing deliberately route around all of them. They target the one system you can't patch with software: human judgment.
Start building that judgment today. Enroll your team in structured cybersecurity awareness training and run regular phishing simulations that include voice and text scenarios. The FBI has told you what's coming. The only question is whether you'll be ready.