The Phone Call That Cost One Company $25 Million

In early 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million after receiving a video call that appeared to include the company's CFO and other colleagues — all deepfake recreations. The attack started with a simple voice phishing call. That's vishing, and it's the fastest-growing social engineering vector I've tracked in the last three years.

Vishing scam awareness isn't a nice-to-have anymore. It's a survival skill for every employee who picks up a phone. If your organization hasn't specifically addressed voice-based attacks in your security awareness program, you're leaving a massive gap that threat actors are actively exploiting right now.

This post breaks down exactly how vishing attacks work in 2024, why they're surging, what real incidents look like, and the specific steps you can take to protect your people and your bottom line.

What Is a Vishing Attack?

Vishing — short for "voice phishing" — is a social engineering attack conducted over the phone. The attacker impersonates a trusted entity: your bank, the IRS, your IT help desk, a vendor, or even a colleague. The goal is the same as any phishing attack: steal credentials, extract sensitive data, or trick someone into transferring money.

But vishing has a critical advantage over email phishing. A live human voice creates urgency and emotional pressure that a written message simply can't match. When someone calls you claiming to be from your bank's fraud department and says your account has been compromised, your heart rate spikes. Critical thinking drops. That's by design.

How Vishing Differs From Smishing and Email Phishing

Email phishing uses malicious links and attachments. Smishing uses SMS text messages. Vishing uses voice calls — sometimes preceded by a text or email to establish a pretext. The convergence of all three is what makes modern social engineering so dangerous. An attacker might send a text saying "suspicious activity on your account" with a phone number to call. That number routes to the attacker.

Why Vishing Attacks Are Surging in 2024

The FBI's Internet Crime Complaint Center (IC3) has reported phishing and its variants — including vishing — as the most reported cybercrime type for years running. The 2023 IC3 Annual Report documented over 298,000 phishing complaints, with call-based scams representing a growing share.

Three factors are driving the vishing surge right now.

AI-Powered Voice Cloning Is Cheap and Accessible

Voice cloning tools can now replicate a person's voice from just a few seconds of audio. Threat actors pull clips from earnings calls, conference presentations, YouTube videos, and social media. The Arup deepfake incident I mentioned wasn't science fiction — it was a $25 million payday using commercially available technology.

Caller ID Spoofing Is Trivially Easy

Attackers spoof caller ID to display your bank's real number, your company's main line, or a government agency. The FTC has been fighting caller ID spoofing for years, but the technology to fake it remains widely available. When your phone shows "Internal IT Department," most employees answer without suspicion.

Remote Work Expanded the Attack Surface

When everyone worked in the same building, you could walk over and verify a suspicious request. Now, with distributed teams across time zones, a phone call from "the CFO" asking for an urgent wire transfer doesn't trigger the same alarm bells. Vishing thrives in environments where out-of-band verification is inconvenient.

Real-World Vishing Attacks You Should Know

Understanding actual incidents is the fastest path to vishing scam awareness. These aren't hypothetical scenarios.

The 2020 Twitter Hack Started With Vishing

In July 2020, attackers called Twitter employees posing as IT support. They convinced staff to hand over credentials to internal tools. The result: compromised accounts belonging to Barack Obama, Elon Musk, Bill Gates, and Apple, used to push a Bitcoin scam that netted over $100,000. The breach began with a phone call.

MGM Resorts: A 10-Minute Phone Call, $100M in Damages

In September 2023, the Scattered Spider group called MGM's IT help desk, impersonated an employee found on LinkedIn, and convinced the help desk to reset credentials. The resulting ransomware attack cost MGM an estimated $100 million. This is the textbook case I reference in every security awareness training I deliver. A single vishing call bypassed every technical control MGM had in place.

IRS Impersonation Scams: The Longest-Running Vishing Campaign

The IRS impersonation scam has been active for over a decade. Callers claim you owe back taxes and threaten arrest unless you pay immediately via gift cards or wire transfer. The Treasury Inspector General reported over $70 million in losses from these calls. It sounds obvious — until you're the one getting the call at 7 AM claiming a warrant has been issued.

How Vishing Attacks Actually Work: The Kill Chain

Every vishing attack follows a predictable pattern. Understanding this pattern is the foundation of vishing scam awareness.

Step 1: Reconnaissance

The attacker researches the target. LinkedIn profiles, company websites, press releases, and social media give them names, titles, reporting structures, and personal details. They build a believable pretext.

Step 2: Pretext Development

They craft a story. "This is James from IT. We've detected unusual login activity on your account and need to verify your identity." Or: "This is Sarah from the CFO's office. We need an emergency wire transfer to close an acquisition before market open."

Step 3: The Call

Using spoofed caller ID and sometimes AI-cloned voices, they make the call. They create urgency. They use authority. They exploit the target's desire to be helpful or fear of consequences.

Step 4: Exploitation

The target provides credentials, transfers funds, installs remote access software, or discloses sensitive information. The damage is done, often in minutes.

Step 5: Monetization

Stolen credentials are reused to log in to other systems, sold on dark web markets, or leveraged for ransomware deployment. Wire transfers are laundered through mule accounts. Data is exfiltrated and sold.

Who Gets Targeted? Everyone — But Some More Than Others

I've seen vishing campaigns target C-suite executives, finance teams, HR departments, IT help desks, and front-desk staff. The MGM attack targeted the help desk. The Twitter attack targeted general employees. Nobody is too junior or too senior to be a target.

Help desks are particularly vulnerable because their entire job is to be helpful over the phone. Threat actors exploit this instinct ruthlessly. If your help desk doesn't have strict identity verification procedures — procedures they follow every time, without exception — you have a critical vulnerability.

7 Concrete Steps to Build Vishing Scam Awareness

Awareness without action is useless. Here's what actually works.

1. Train Specifically on Voice-Based Attacks

Most security awareness programs focus heavily on email phishing. That's necessary but insufficient. Your training must include realistic vishing scenarios. Enroll your team in cybersecurity awareness training that covers social engineering tactics beyond just email.

2. Run Vishing Simulations

Just like phishing simulations test email awareness, vishing simulations test phone awareness. Call employees posing as IT support, a vendor, or a bank. Measure who complies with suspicious requests. Use results to guide targeted training — not punishment.

3. Implement Strict Callback Verification Procedures

Any request for credentials, wire transfers, password resets, or sensitive data received by phone must be verified through an independent callback to a known number. Not the number the caller provides. The number in your internal directory. This one control would have stopped the MGM breach.

4. Deploy Multi-Factor Authentication Everywhere

Even if an attacker obtains a password through vishing, multi-factor authentication adds a critical barrier. MFA won't stop every attack — SIM-swapping and MFA fatigue attacks exist — but it stops the majority. Pair MFA with a zero trust architecture that verifies every access request regardless of source.

5. Create a "No Penalty" Reporting Culture

Employees who fall for vishing calls often don't report them out of embarrassment. That silence gives attackers time to exploit stolen credentials. Make reporting fast, easy, and consequence-neutral. The faster you learn about an incident, the faster you contain it.

6. Limit Public Exposure of Employee Information

Every detail on LinkedIn, your company website, or social media is reconnaissance material. I'm not saying remove all public profiles. But consider what an attacker could do with the org chart you published, the employee directory on your intranet, or the conference speaker bio that includes your CFO's direct line.

7. Conduct Targeted Phishing Awareness Training

Your finance team, help desk, and executive assistants need specialized training that addresses the specific vishing scenarios they'll encounter. A one-size-fits-all annual video isn't enough. Consider phishing awareness training designed for organizations that includes voice-based social engineering modules.

What Should You Do If You Receive a Suspicious Call?

This is the question I get asked most, and it deserves a direct answer.

  • Hang up. It's not rude. It's security. A legitimate caller will understand.
  • Don't provide any information. No passwords, no employee IDs, no account numbers, no verification codes. Ever.
  • Verify independently. Look up the organization's real number yourself. Call them back directly.
  • Report it immediately. Tell your IT security team or manager. Forward the details — caller ID, what was said, what was requested.
  • Document everything. Write down the time, phone number displayed, what the caller said, and any details about their voice or background noise.

If you provided information before realizing it was a scam, change compromised credentials immediately and notify your security team. Speed matters.

The Technology Layer: What Your Security Team Should Deploy

Training is essential, but layering in technical controls creates defense in depth.

Call Filtering and Spoofing Detection

STIR/SHAKEN protocols, mandated by the FCC, attach a cryptographic attestation to the calling number so the receiving carrier can check whether the displayed caller ID was actually authorized by the originating carrier. Ensure your telephony provider supports these standards. Enterprise call filtering solutions can flag or block known scam numbers.
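As an added example (not from the original post), here is how an inbound call-screening policy could consume what STIR/SHAKEN actually delivers: the attestation level (A/B/C) in the SHAKEN PASSporT carried in the SIP Identity header, and the terminating carrier's verstat result on the asserted identity. The protected-number list, carrier domain and the unsigned sample token are constructed; verifying the PASSporT signature is assumed to be done by the carrier before the INVITE reaches us.

```python
import base64
import json
import re

# Constructed: numbers a caller *into* this organisation would plausibly spoof.
PROTECTED_TNS = {"14155550100", "14155550101", "18005550199"}  # switchboard, help desk, bank fraud line

def _b64url_json(seg):
    """Decode one unpadded base64url JWT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def parse_invite(headers):
    """Extract the calling number, the carrier's verstat result (TN-Validation-Passed /
    TN-Validation-Failed / No-TN-Validation) and the SHAKEN PASSporT's attest / orig.tn claims."""
    info = {"from_tn": None, "verstat": None, "attest": None, "passport_tn": None}
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("p-asserted-identity", "from"):
            m = re.search(r"(?:sip:|tel:)\+?(\d+)", value)
            info["from_tn"] = info["from_tn"] or (m.group(1) if m else None)
            v = re.search(r"verstat=([A-Za-z-]+)", value)
            info["verstat"] = v.group(1) if v else info["verstat"]
        elif name == "identity":
            parts = value.strip().split(";")[0].split(".")
            if len(parts) == 3:  # full-form PASSporT: header.payload.signature
                payload = _b64url_json(parts[1])
                info["attest"] = payload.get("attest")
                info["passport_tn"] = payload.get("orig", {}).get("tn")
    return info

def screen_call(headers):
    """Block/flag/allow an inbound INVITE; the carrier is assumed to have verified the signature (verstat)."""
    c = parse_invite(headers)
    tn = c["from_tn"]
    attested = c["verstat"] == "TN-Validation-Passed" and c["attest"] == "A" and c["passport_tn"] == tn
    if c["verstat"] == "TN-Validation-Failed":
        return "block", "carrier could not verify the caller ID signature"
    if tn in PROTECTED_TNS and not attested:
        return "block", f"{tn} is a protected number but is not fully attested"
    if not attested:
        return "flag", "caller ID unverified; treat the caller's identity as unproven"
    return "allow", "caller ID attested by the originating carrier"

def make_invite(display_tn, attest, orig_tn, verstat=None):
    """Build a constructed INVITE header block carrying an unsigned SHAKEN PASSporT (test input only)."""
    def enc(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    token = enc({"alg": "ES256", "ppt": "shaken", "typ": "passport"}) + "." + enc({"attest": attest, "orig": {"tn": orig_tn}}) + ".sig"
    pai = f"<sip:+{display_tn}@carrier.example" + (f";verstat={verstat}" if verstat else "") + ">"
    return f"P-Asserted-Identity: {pai}\r\nIdentity: {token};alg=ES256;ppt=shaken"
```

A call that displays the help desk's own number but arrives with only gateway (C) attestation and no verstat is exactly what a spoofed internal call looks like, and the policy blocks it rather than letting the display name do the attacker's work.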

Zero Trust for Voice Channels

Apply zero trust principles to phone-based requests the same way you would for network access. Never trust a caller's identity based solely on their claim or caller ID. Verify through a separate channel every time. The NIST Zero Trust Architecture framework (SP 800-207) provides a solid foundation for extending this mindset across all communication channels.

Endpoint Detection and Response (EDR)

If a vishing attack convinces an employee to install remote access software, your EDR solution is the last line of defense. Make sure it's deployed on every endpoint and monitored 24/7.
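An added example, not from the original post, of the correlation a SOC can run so that EDR is not left as the only line: it joins help-desk credential resets with MFA re-enrolment and remote access tool launches for the same user inside a time window, which is the sequence the kill chain above describes. The event names, field layout and sample log lines are constructed, and the tool list is illustrative.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) from an identity provider and an EDR,
# normalised to {ts, event, user, ...}. jdoe shows the vishing sequence from the
# post: help-desk reset, new MFA device, remote access tool launched.
SAMPLE_LOG = """
{"ts":"2024-03-01T09:02:10Z","event":"helpdesk_password_reset","user":"jdoe","agent":"hd-agent-7"}
{"ts":"2024-03-01T09:05:40Z","event":"mfa_device_enrolled","user":"jdoe","device":"android-new"}
{"ts":"2024-03-01T09:11:03Z","event":"process_start","user":"jdoe","host":"WS-1234","image":"anydesk.exe"}
{"ts":"2024-03-01T09:20:00Z","event":"helpdesk_password_reset","user":"asmith","agent":"hd-agent-2"}
{"ts":"2024-03-01T10:30:00Z","event":"process_start","user":"asmith","host":"WS-2201","image":"outlook.exe"}
{"ts":"2024-03-01T13:45:00Z","event":"process_start","user":"bnguyen","host":"WS-0042","image":"teamviewer.exe"}
"""

# Remote access tools commonly seen after help-desk-initiated resets. A tool
# launch on its own (bnguyen) is noisy; it is the reset that makes it an alert.
REMOTE_ACCESS_IMAGES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate(log_text, window_minutes=120):
    """Flag users whose help-desk password reset is followed, within the window,
    by MFA re-enrolment and/or a remote access tool starting under their account."""
    window = timedelta(minutes=window_minutes)
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "helpdesk_password_reset":
            continue
        start, seen = _parse(e["ts"]), {"helpdesk_password_reset"}
        for f in events[i + 1:]:
            if f["user"] != e["user"] or _parse(f["ts"]) - start > window:
                continue
            if f["event"] == "mfa_device_enrolled":
                seen.add("mfa_device_enrolled")
            elif f["event"] == "process_start" and f.get("image", "").lower() in REMOTE_ACCESS_IMAGES:
                seen.add("remote_access_tool")
        if len(seen) > 1:  # reset alone is routine; reset plus a follow-on stage is not
            sev = {3: "high", 2: "medium" if "remote_access_tool" in seen else "low"}[len(seen)]
            alerts.append({"user": e["user"], "severity": sev, "stages": sorted(seen), "reset_by": e.get("agent")})
    return alerts
```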

The $4.88M Lesson Most Organizations Learn Too Late

There is a reason initiatives like CISA's Stop Ransomware exist: the average cost of a data breach hit $4.88 million in 2024, according to IBM's Cost of a Data Breach Report. Many of those breaches started with social engineering, including vishing calls that gave attackers their initial foothold.

Vishing scam awareness isn't just an IT initiative. It's a business continuity imperative. When a 10-minute phone call can lead to $100 million in damages — as it did at MGM — every executive should be asking: "How prepared are our people for this specific attack?"

Start Building Your Defenses Today

Vishing attacks will keep growing in sophistication. AI voice cloning is getting better. Deepfakes are getting cheaper. The social engineering playbook is getting more refined. But the fundamentals of defense remain the same: train your people, verify every request, layer your technical controls, and build a culture where reporting suspicious calls is expected and rewarded.

Your employees are your first line of defense — and your most targeted attack surface. Give them the specific skills they need to recognize and shut down vishing attempts before damage is done. That starts with training that goes beyond generic advice and addresses the real-world tactics threat actors are using right now.