How AI Is Changing the Attack: Vishing vs. Phishing

Key takeaways

  • Phishing attacks use email and other communication channels to build trust with victims.

  • Vishing uses phone conversations to create urgency, making people more likely to act without double-checking legitimacy.

  • AI is making phishing and vishing harder to spot, increasing the risk of account takeover and unauthorized access. 

  • Verifying identity matters more than the communication channel. This is especially true when someone asks for logins, payments, or one-time codes.

Social engineering attacks target people, not computers. Instead of exploiting software, attackers use trust and urgency to trick victims into sharing personal details, money, or sensitive data. 

Phishing via email is a common attack method because it’s easy and effective—all it takes is one employee to click a bad link. As generative AI improves, threat actors aren’t limited to just emails. With vishing, attackers lure victims into a false sense of safety by impersonating trusted individuals or companies over the phone.

In this guide, we’ll explain vishing versus phishing, how AI is making these attacks harder to spot, and why you should always verify who you’re speaking to.

What’s phishing in cyber security? Phishing vs. smishing vs. vishing

A phishing attack happens when an attacker impersonates a trusted person or company to trick you into sharing private information. Traditionally, phishing attacks relied on written messages. Nowadays, scammers blend email, text, and phone-based tactics to steal information any way they can, as we break down in our “Phishing in the Fast Lane” Tradecraft Tuesday recap. Aside from emails, two common phishing variants are voice-based attacks (vishing) and SMS-based attacks (smishing). 


Is vishing a form of phishing?

Vishing is a form of phishing carried out through voice-based communication.

In the early days of vishing attacks, scammers would read a templated script over the phone. Now, attackers use AI-powered voice cloning to impersonate familiar voices, pushing past a victim’s natural distrust of strangers. Recent research shows vishing attacks have surged by more than 400% in the last few years as deepfake tools have become easier to use.


Example of a phishing scam

This is what a phishing scam could look like: 

  • You get an email about a “suspicious login” on your bank account. 

  • The email contains a link asking you to reset your password.

  • You click it. To reset the password, you must first enter your old password. 

  • You receive an email confirming the change. But when you go to log back into your bank app, the new password isn’t working. 

  • What actually happened is scammers stole your login credentials and have access to your bank accounts.

Watch the video below to see one of our EMEA cybersecurity advisors, Muhammad Yahya Patel, rolling with a vishing call.




Vishing vs. phishing: Key differences

Here's a quick overview of the main differences between the two attacks:


| Area of differentiation | Phishing | Vishing |
|---|---|---|
| Delivery channel | Email, web portals | Phone calls, voicemails |
| Typical interaction | Asynchronous (you read it later) | Synchronous (real-time conversation) |
| Common request | Click a link, download a file | Provide an MFA code, transfer funds |
| Emotional trigger | Fear of account loss or deadline misses | Respect for authority, real-time pressure to act quickly |
| Detection difficulty | Moderate | High |


How communication channels change phishing risk

Here are a few ways phishing emails and vishing calls differ:

  • Verification ability: In an email, you can hover over a link, check the sender’s address, and reread the message. But on a phone call, you’re relying on the caller ID and conversation context. Scammers take advantage of the limited verification options and use AI to mimic familiar voices or spoof caller IDs so phone numbers look legitimate.

  • Urgency: Email is async and gives you time to reply. A phone call is live, pushing you to act faster.

  • Believability: Phone calls feel like more secure, private channels than generic email inboxes. For attackers, it’s not uncommon to exploit this misplaced trust.


When phishing moves from the inbox to a conversation

Here’s how attackers use vishing to pressure their victims into giving out sensitive information.

Why live calls change how victims respond

During a phone call, scammers adjust their approach based on your reactions. They might sound friendly or rushed, or they may try to create a sense of urgency and authority. In a real-time conversation, this leaves less room to pause or verify who you’re speaking with before responding.

Caller ID spoofing and trust exploitation

With identity masking software, an attacker can make their phone number look like someone you trust. For example, it may look like “Mike from IT” is calling and asking about your account information. When a call looks and sounds real, it’s hard to say no. The caller may talk fast or sound prepared, making it harder to question their motives.

AI voice cloning and real-time impersonation

Generative AI makes phishing faster and more believable. The core tactic—lying for information—hasn’t changed in years. What has changed is how well the attacker hides that lie. Here are a few red flags to watch out for.

Attackers mimicking executives or coworkers

Attackers often target roles that carry authority or trust since employees are less likely to question someone they know. As we showed in our AI Tradecraft Tuesday recap, attackers can feed roughly a minute of recorded audio into off-the-shelf tools and get a voice clone that sounds uncomfortably close to your manager, finance lead, or coworker. Even if the voice isn’t a perfect match, scammers may reference real projects or tasks that make the conversation just convincing enough.

MFA interception through voice phishing

One of the most common uses for vishing is stealing One-Time Passcodes (OTPs). 


Imagine an attacker already got your password, but they’re stuck at the Multi-Factor Authentication (MFA) screen. There’s a chance you’ll get a call from “IT” or “support” asking for the code sent to your phone. Since it’s presented as a routine ask, why wouldn’t you say yes? And just like that: account compromised.




Trust less, check more

Phishing attacks still happen through email, but now they also include real-time conversations. Attackers are finding creative ways, like AI-generated voices and spoofed caller IDs, to manipulate victims through phone calls.

Understanding how these attacks shift between channels makes it easier to recognize them. If a request feels urgent or strange, it doesn’t matter if it’s in an email or a phone call: Stop, hang up, and verify.

With Huntress Security Awareness Training, your team gets ongoing training and phishing simulations that help them spot and respond to social engineering attempts, including phone-based impersonation and other vishing-adjacent scams.


Frequently Asked Questions

When you get a suspicious call, the safest approach is to pause and verify the request. This might look like calling the person (or the department) directly using a number you know instead of redialing the number that popped up on caller ID.



If you share an OTP, immediately change your password for that account, and contact your company’s security team. If it’s a personal account, check for unauthorized logins, and log out of all sessions in your security settings. 



Yes, attackers use web-based tools to choose what name and number appear on your phone screen. You should never rely on caller ID alone as proof of identity.



Businesses should run vishing simulations and create strict verification standards to help employees recognize voice-based phishing attempts. That way, everyone on your team questions urgent requests, verifies identity, and avoids sharing sensitive information during calls.



