Vishing: When a Phone Call Becomes a Cyber Attack

12th February, 2026

Email isn’t the only way criminals target businesses.

Sometimes, it’s just a phone call.

That’s vishing — short for voice phishing. It’s when a fraudster phones you pretending to be someone you trust: IT support, your bank, HMRC, a supplier… even your own colleague.

And it works.


What Vishing Looks Like in Real Life

It often sounds urgent and professional:

  • “We’ve detected suspicious activity on your Microsoft account.”

  • “Your CEO has authorised an urgent payment.”

  • “We need your MFA code to stop a breach.”

  • “Your bank transfer needs verification right now.”

Modern criminal groups operate like organised call centres. Some even use AI voice cloning to impersonate senior staff.

They rely on one thing: pressure.

Urgency overrides caution.


Why It’s So Dangerous for SMEs

Unlike phishing emails, there’s no suspicious link to inspect.

It’s a conversation.

A confident voice.
A sense of authority.
A request that feels plausible.

One call can lead to:

  • Stolen login credentials

  • MFA codes being handed over

  • Remote access granted

  • Fraudulent payments approved

  • Data breaches

Once attackers gain access to Microsoft 365 or your email system, they can quietly monitor conversations and escalate their attack.


How to Spot a Vishing Attempt

Watch for:

  • Urgency or pressure to act immediately

  • Requests for passwords or MFA codes (legitimate IT will never ask)

  • Requests to bypass normal payment processes

  • A caller ID that looks genuine (caller ID can be spoofed, so a familiar number proves nothing)

  • Slight inconsistencies in tone or information

If something feels rushed or unusual, pause.


What To Do If You Think You’ve Been Caught Out

  1. Report it immediately to your IT provider or internal IT lead.

  2. Do not feel embarrassed: speed matters more than pride.

  3. Change passwords from a secure device.

  4. Review recent account activity.

  5. Contact your bank immediately if money was involved.

Early reporting can stop escalation.

Silence gives attackers time.


Simple Business Controls That Reduce Risk

  • Clear policy: never share passwords or MFA codes

  • Two-person approval for payment changes

  • Staff awareness training (short, regular refreshers work best)

  • 24/7 monitoring for suspicious login activity

  • A tested incident response plan

Vishing works because it targets people, not systems.

The strongest defence isn’t just technology. It’s awareness, verification, and the confidence to say:

“I’m going to call you back on the official number.”

That one sentence can stop a breach in its tracks.
