Vishing: When a Phone Call Becomes a Cyber Attack

12th February, 2026

Email isn’t the only way criminals target businesses.

Sometimes, it’s just a phone call.

That’s vishing — short for voice phishing. It’s when a fraudster phones you pretending to be someone you trust: IT support, your bank, HMRC, a supplier… even your own colleague.

And it works.


What Vishing Looks Like in Real Life

It often sounds urgent and professional:

  • “We’ve detected suspicious activity on your Microsoft account.”

  • “Your CEO has authorised an urgent payment.”

  • “We need your MFA code to stop a breach.”

  • “Your bank transfer needs verification right now.”

Modern criminal groups operate like organised call centres. Some even use AI voice cloning to impersonate senior staff.

They rely on one thing: pressure.

Urgency overrides caution.


Why It’s So Dangerous for SMEs

Unlike phishing emails, there’s no suspicious link to inspect.

It’s a conversation.

A confident voice.
A sense of authority.
A request that feels plausible.

One call can lead to:

  • Stolen login credentials

  • MFA codes being handed over

  • Remote access granted

  • Fraudulent payments approved

  • Data breaches

Once attackers gain access to Microsoft 365 or your email system, they can quietly monitor conversations and escalate their attack.


How to Spot a Vishing Attempt

Watch for:

  • Urgency or pressure to act immediately

  • Requests for passwords or MFA codes (legitimate IT will never ask)

  • Requests to bypass normal payment processes

  • Caller ID spoofing (it may look genuine)

  • Slight inconsistencies in tone or information

If something feels rushed or unusual – pause.


What To Do If You Think You’ve Been Caught Out

  1. Report it immediately to your IT provider or internal IT lead.

  2. Do not feel embarrassed – speed matters more than pride.

  3. Change passwords from a secure device.

  4. Review recent account activity.

  5. Contact your bank immediately if money was involved.

Early reporting can stop escalation.

Silence gives attackers time.


Simple Business Controls That Reduce Risk

  • Clear policy: never share passwords or MFA codes

  • Two-person approval for payment changes

  • Staff awareness training (short, regular refreshers work best)

  • 24/7 monitoring for suspicious login activity

  • A tested incident response plan

Vishing works because it targets people, not systems.

The strongest defence isn’t just technology. It’s awareness, verification, and the confidence to say:

“I’m going to call you back on the official number.”

That one sentence can stop a breach in its tracks.

Vishing is only one part of today’s threat landscape. Visit our cyber security page to see how AMP InfoSys can safeguard your business with a complete, layered approach to security.
