While phishing remains a common tactic, malicious actors have evolved beyond traditional methods. They now employ voice phishing (vishing) to impersonate IT support and help-desk personnel, exploiting the inherent trust in communication channels to gain unauthorised access to sensitive systems and data.
The Verizon Threat Research Advisory Center (VTRAC) has observed advanced criminal groups targeting companies across various sectors through productivity and communication platforms. Particularly if these platforms allow contact from non-federated accounts, unsuspecting users may be tricked via a voice call into installing Remote Monitoring and Management (RMM) tools like Quick Assist, giving attackers access to their devices. The goal is often to steal data for financial gain, identity theft, espionage, or cyberterrorism.
Across the APAC region, South Korea faces a significant vishing problem, with the National Police Agency reporting 1,000 daily cases last year. This particular threat vector is not just a fleeting trend. During Singapore's election earlier this year, the Cyber Security Agency of Singapore (CSA) highlighted vishing as a threat in its Advisory on Cybersecurity for General Election 2025 for Political Parties and Candidates.
Voice is all the more convincing
What makes vishing particularly dangerous is its exploitation of human psychology. Unlike traditional phishing emails that can be filtered by sophisticated software, vishing attacks prey on people’s instinctive trust in voice communication.

It frequently begins with a barrage of messages, referred to as an "email bomb", which urges the recipient to act swiftly to avert financial loss, reputational damage, or even legal repercussions. These messages are meticulously crafted to imitate legitimate communications from within the organisation or from a trusted third-party vendor, such as an IT service provider or financial institution.
- Vincent Goh, Distinguished Security Architect, Verizon Business Group
Subsequently, the targeted individual receives a phone call in which the attacker impersonates a trusted entity (like IT support) to trick the victim into providing a multi-factor authentication code, approving a login, or installing malware on their own devices.
Verizon Business' 2025 Data Breach Investigations Report (DBIR) revealed that approximately 60 percent of all confirmed breaches involved a human element, whether it was a malicious click, a socially engineered phone call, or the misdelivery of sensitive data.
This increase in incidents is a major cybersecurity issue for many organisations, especially in Singapore. According to the Cyber Security Agency of Singapore, 52 percent of reported ransomware cases have impacted SMEs. These companies often lack the necessary resources or expertise and, therefore, have weaker cybersecurity measures, making them more vulnerable to attacks.
Vishing is among the tactics employed by the Black Basta ransomware group, whose campaigns not only encrypted critical files but also exfiltrated sensitive data, thereby subjecting victims to the dual threat of data loss and extortion. In a sophisticated evolution of the classic tech-support scam, Black Basta ransomware affiliates have employed a novel vishing strategy, impersonating a target's IT staff to offer assistance with fabricated issues. This tactic was utilised in a widespread campaign that has impacted over 500 organisations globally since its emergence in 2022.
Human element is cybersecurity’s weakest link
There is undeniable value in cybersecurity training, and organisations should prioritise comprehensive security awareness programs that address phishing threats and their evolving counterpart, vishing. The benefits far outweigh the costs, and the ability to mitigate these risks is crucial in today’s digital landscape.
The 2025 DBIR report found that phishing email reporting rates increased from 5 to 21 percent, a fourfold increase, after users received cybersecurity training. However, the impact of recent training on click rates was considerably less pronounced, showing only a 5 percent relative improvement.
This suggests that while users are becoming better at recognising phishing attempts, their tendency to click on potentially malicious links remains stubbornly high, possibly due to increasingly sophisticated phishing campaigns.
Strategies to mitigate against vishing attacks
To effectively mitigate and reduce risks associated with phishing and vishing attacks, organisations should adopt the following comprehensive measures:
- Restrict External Access: Limit external access to communication platforms by implementing robust technical controls. This includes enforcing strict access policies to prevent unauthorised use and securing external collaboration tools.
- Conduct Regular Security Awareness Training: Educate employees to identify and respond to vishing attempts on all communication platforms. Establish clear protocols for handling sensitive information, including verifying caller identities through official channels and avoiding the disclosure of passwords, financial data, or MFA codes during unsolicited calls.
- Strengthen Multi-Factor Authentication (MFA): Mandate MFA across all user accounts. Deploy advanced call monitoring systems to identify and block suspicious calls, incorporating encryption for communication channels and caller authentication mechanisms to enhance security against vishing attempts.
- Monitor Anomalous Activity: Implement real-time monitoring systems to detect unusual login attempts, privilege escalations, and suspicious external communications. Automated alerts enable IT teams to respond swiftly to potential threats before they escalate.
- Secure Critical Data with Backups: Regularly create encrypted backups of critical data and store them offline or in isolated, secure environments. Test backup procedures frequently to ensure reliable data recovery in case of ransomware or other cyberattacks.
- Enhance Email Security: Vishing often begins with a phishing email that tricks employees into downloading an application. Utilise sophisticated anti-spam and email filtering solutions to combat email bombing campaigns. These measures help prevent inbox congestion and ensure critical security alerts are not overlooked due to distraction.
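As an added illustration of the monitoring measure (not part of the original article and not Verizon tooling), the sequence described earlier, an email bomb, then contact from a non-federated account, then a Quick Assist launch, can be correlated per user. The event field names, thresholds and sample data are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own baseline.
BURST_COUNT = 20                      # inbound mails that count as an "email bomb"
BURST_WINDOW = timedelta(minutes=10)
FOLLOW_UP = timedelta(hours=2)        # how long after the burst to keep watching the user
RMM_PROCESSES = {"quickassist.exe"}   # extend with RMM tools your organisation does not sanction

def find_burst_end(mail_times):
    """Return the time the BURST_COUNT-th mail landed within BURST_WINDOW, else None."""
    mail_times = sorted(mail_times)
    for i in range(len(mail_times) - BURST_COUNT + 1):
        if mail_times[i + BURST_COUNT - 1] - mail_times[i] <= BURST_WINDOW:
            return mail_times[i + BURST_COUNT - 1]
    return None

def score_user(events):
    """Score one user: 1 = mail burst, 2 = + external contact, 3 = + RMM launch."""
    burst_end = find_burst_end([e["time"] for e in events if e["type"] == "mail_in"])
    if burst_end is None:
        return 0
    deadline = burst_end + FOLLOW_UP
    contact = min((e["time"] for e in events
                   if e["type"] == "chat_or_call" and not e["federated"]
                   and burst_end <= e["time"] <= deadline), default=None)
    if contact is None:
        return 1
    rmm = any(e["type"] == "process_start" and e["image"].lower() in RMM_PROCESSES
              and contact <= e["time"] <= deadline for e in events)
    return 3 if rmm else 2

def triage(events):
    """Group events by user (hypothetical schema) and return non-zero scores."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    scores = {u: score_user(evs) for u, evs in by_user.items()}
    return {u: s for u, s in scores.items() if s}

def sample_events():
    """Constructed sample: alice sees the full sequence, bob only routine activity."""
    t0, m = datetime(2025, 1, 1, 9, 0), timedelta(minutes=1)
    ev = [{"user": "alice", "type": "mail_in", "time": t0 + i * m / 3} for i in range(25)]
    ev += [{"user": "bob", "type": "mail_in", "time": t0 + 15 * i * m} for i in range(5)]
    ev += [{"user": "alice", "type": "chat_or_call", "federated": False, "time": t0 + 30 * m},
           {"user": "alice", "type": "process_start", "image": "QuickAssist.exe", "time": t0 + 38 * m},
           {"user": "bob", "type": "process_start", "image": "QuickAssist.exe", "time": t0 + 40 * m}]
    return ev
```

Calling `triage(sample_events())` flags only alice, at the highest score; bob's Quick Assist launch alone does not alert because no mail burst or external contact preceded it.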
By fostering a cybersecurity-focused culture, deploying layered technical defences, and maintaining vigilance against emerging threats, organisations of any size can significantly strengthen their resilience and reduce vulnerability to vishing, phishing, and other related cyber-attacks.
Vincent Goh is Distinguished Security Architect, Verizon Business Group