Voice Phishing - A New Threat Surfaces in Cybersecurity
Basically, attackers are now calling people to trick them into giving away sensitive information.
Voice phishing is on the rise, accounting for 11% of the incidents Mandiant investigated last year. Mandiant's report reveals a shift from email scams to voice-based tactics. This change poses significant risks, especially for tech companies. Organizations must adapt their defenses to combat this evolving threat.
What Happened
In a significant shift in tactics, voice-based phishing has surged, becoming a prominent method of attack in 2025. According to Mandiant's annual M-Trends report, this form of social engineering involves attackers calling employees or IT help desks, posing as legitimate personnel to gain unauthorized access to networks. This tactic accounted for 11% of all incidents Mandiant investigated last year, highlighting a concerning trend in cybercrime.
Mandiant's report indicates that while exploited vulnerabilities have remained the top initial access vector, the rise of voice phishing marks a notable change. This shift is particularly alarming, as it reflects a move away from the traditional email phishing methods that have dominated for years. Jurgen Kutscher, a vice president at Mandiant, emphasized the effectiveness of voice phishing, stating that it requires a unique set of skills and impersonation abilities, making it a powerful attack vector.
Who's Being Targeted
Voice phishing is not just a random attack; it has targeted specific industries and organizations. Mandiant noted that technology companies were the most frequently attacked sector in 2025, accounting for 17% of incidents. Other targeted industries included finance (14.6%), business and professional services (13.3%), and health care (11.9%). This indicates that attackers are focusing on sectors that handle sensitive data, making them lucrative targets.
The report also highlights campaigns aimed at Salesforce customers, attributed to threat groups tracked by Google Threat Intelligence Group, such as UNC6040 and UNC6240. The tactical shift towards voice phishing suggests that attackers are adapting their strategies to exploit vulnerabilities in human behavior, making it crucial for organizations to enhance their defenses against such tactics.
Signs of an Attack
Detecting voice phishing attacks can be challenging, as they often exploit human instincts and bypass traditional security measures. Employees may receive phone calls from individuals posing as IT support or company executives, urging them to provide sensitive information or access to systems. Unlike email phishing, which often includes telltale signs of fraud, voice phishing relies on the trust that individuals place in verbal communication.
Organizations should be aware of the signs of potential voice phishing attempts, such as unsolicited calls requesting sensitive information or unusual requests from known contacts. Training employees to recognize these tactics and encouraging them to verify requests through established channels can significantly reduce the risk of falling victim to such attacks.
How to Protect Yourself
To safeguard against voice phishing, organizations must adopt a proactive approach. Here are some recommended actions:
- Employee Training: Regularly educate employees about the risks of voice phishing and how to recognize suspicious calls.
- Verification Protocols: Implement strict protocols for verifying requests for sensitive information, especially if they come via phone.
- Incident Reporting: Encourage employees to report any suspicious calls or attempts to gain access to sensitive data.
- Security Policies: Review and update security policies to include measures specifically addressing voice phishing.
By enhancing awareness and establishing robust verification processes, organizations can better defend against this evolving threat and protect their sensitive information from potential breaches.
CyberScoop