
Executive summary
- Voice phishing, also known as “vishing”, has hit the headlines recently, with big companies like Google and Cisco the target of this newer type of cyberattack.
- Vishing happens when a scammer rings an employee, pretends to be IT support, and gets them to approve a malicious connection. Once inside your systems, the attackers begin to siphon off your precious data.
- With technology like AI voices evolving every day, it’s essential for UK businesses to train staff to verify any unexpected calls, use code words, or employ second channels to confirm identity.
Introduction
“Hey, did you authorise a Microsoft login from the other side of the world?”
If this is something you (or your IT support team) have heard recently, you might have had a brush with vishing.
A not-so-distant cousin of phishing, voice phishing is a growing issue in the UK – with malicious actors swapping emails for phone calls as a means to gain entry to your systems.
It’s not only a risk to small organisations, either – both Google and Cisco have reported breaches via voice phishing attacks in 2025.
What is vishing?
Vishing, or “voice phishing”, is a sophisticated (and relatively new) version of the type of phishing scammers have been doing via email for decades now.
Basically, a cybercriminal will pick up the phone (or leave a voicemail) and pretend to be someone trustworthy – maybe your organisation’s tech support team, a vendor, or even a bank employee.
They might say something like, “We noticed unusual activity on your account and we’d like to help you fix it over the phone. It won’t take long.” This is pure social engineering – the goal is always to get you or your employees to reveal passwords, install a remote desktop application, or otherwise give them access to your internal systems.
Why is vishing suddenly becoming a bigger problem?
One of the most disconcerting things about vishing is just how realistic it’s becoming.
Thanks to the rise in AI technologies, concepts like voice cloning are no longer the reserve of science fiction. That means attackers can now convincingly replicate the voice of almost anyone they have a sample for. Just imagine getting a phone call, ostensibly from your boss, asking you to change your password.
Without measures in place to spot these traps, it’s easy to see why vishing is becoming a larger problem.
Big names and bigger lessons
As we mentioned earlier, it’s not just small companies feeling the sting of vishing campaigns.
Google announced in June that an attacker called a Google employee, posed as tech support, and managed to extract CRM data from Google’s Salesforce instance. The stolen info was mostly business contact details (basic stuff, not passwords), but it showed how even titans of industry can slip up.
A few days earlier, Cisco revealed a similar story: malicious actors got into its cloud-based CRM via a vishing call, exporting user account info (names, emails, phone numbers) in the process. Cisco was quick to flick the switch on the hacker’s access, but the damage showed up on customers’ credit profiles.
Importantly, neither of these breaches hit core products – it was the auxiliary CRM system that was targeted. Still, the message is clear: if Google and Cisco can be victimised by a voice phishing phone scam, any UK business can.
The anatomy of a vishing attack
To combat attacks like this, it helps to understand exactly how they usually play out.
Here’s a clear, step-by-step breakdown of how modern vishing campaigns usually work:
- Reconnaissance. Attackers gather names, job titles, helpdesk contacts and public-facing details (LinkedIn, company sites) to pick targets and build a credible pretext.
- Prepare the script and tools. They craft believable dialogue, spoof caller IDs or register plausible phone numbers, and sometimes prepare voice clones or audio snippets to sound convincing.
- Initial contact. An attacker calls the target, often posing as IT, a vendor or a partner. The opener is usually urgent-sounding: “We’ve detected suspicious activity, can you help confirm?”
- Build rapport and urgency. Using the gathered details and a calm, knowledgeable tone, the caller creates pressure so the victim wants to “fix this now” rather than pause to verify.
- Elicit a specific action. The attacker asks the victim to click a link, approve a login prompt, install remote desktop software, or read out a one-time code – the exact type of move that hands the attacker access or a way in.
- Exploit the access. Once inside, attackers search for valuable data (customer lists, contacts, exports) and may move laterally to other services using any credentials or session tokens they obtain.
- Lay low, cover tracks, and time the payout. At this point, they may wait, delete obvious traces, or trigger further distractions so detection is delayed. Some groups later publish or extort stolen data once they’ve maximised leverage.
- Monetise the breach. The final step is selling, publishing, or extorting the stolen information – or using it to scale further attacks against clients and partners.
How UK businesses can fight back
So, with the threat of vishing on the rise, how can your business take steps to mitigate the damage from these attacks or avoid them altogether?
A healthy dose of scepticism is your first line of defence. Couple that with clear, simple verification steps and the caller has a much harder job persuading someone to hand over access. Here are some additional measures you can put into place to keep yourself safe:
- Verify on a second channel. If someone calls asking for access or codes, hang up and call them back on the official number or message them on Teams/Slack to confirm the request. If they’re reluctant to let you hang up – that’s a big red flag.
- Use codewords or callback procedures. Agree a simple verification phrase or a callback workflow with your team for any urgent IT request, so staff can authenticate callers without the awkwardness.
- Never share passwords or Multi-Factor Authentication (MFA) codes over the phone. It might sound extreme, but it’s safer to treat any request for credentials or one-time codes as suspicious and report it immediately.
- Require MFA for sensitive systems. This type of authentication stops many attacks in their tracks, even if a password has somehow become compromised.
- Run realistic vishing exercises. Test your team with simulated calls, review the outcomes, then turn lessons learned into practical guidance. Proper training reduces mistakes.
- Monitor, alert, and respond fast. Enable organisation-wide alerts for unusual logins, large data exports, or new external connections and have a clear incident process so your team can act quickly.
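The monitoring step above becomes concrete when the three signals it names (unusual logins, large exports, new external connections) are correlated rather than checked in isolation. The Python below is an added illustration, not Get Support’s tooling; the audit events, the per-user sign-in baseline and the 1,000-record export threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). 'alice' has a normal day;
# 'bob' signs in from an unexpected country, then approves a remote-access
# connection and runs a bulk CRM export within half an hour.
EVENTS = [
    {"ts": "2025-06-10T09:02:00", "user": "alice", "type": "login", "country": "GB"},
    {"ts": "2025-06-10T09:15:00", "user": "alice", "type": "export", "country": "GB", "records": 40},
    {"ts": "2025-06-10T14:30:00", "user": "bob", "type": "login", "country": "BR"},
    {"ts": "2025-06-10T14:36:00", "user": "bob", "type": "remote_tool_connect", "country": "BR"},
    {"ts": "2025-06-10T14:41:00", "user": "bob", "type": "export", "country": "BR", "records": 12000},
]

# Assumed per-user sign-in baseline; in practice derived from login history.
USUAL_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}}
EXPORT_THRESHOLD = 1000                 # records in one export that warrants review
CORRELATION_WINDOW = timedelta(minutes=30)


def detect(events, usual=USUAL_COUNTRIES, threshold=EXPORT_THRESHOLD):
    """Return (severity, user, message) tuples for the three alert types."""
    alerts = []
    odd_login_at = {}  # user -> time of most recent login from an unusual country
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        # Rule 1: sign-in from a country this account does not normally use.
        if e["type"] == "login" and e["country"] not in usual.get(user, set()):
            odd_login_at[user] = ts
            alerts.append(("medium", user, f"login from unusual country {e['country']}"))
            continue
        # Escalate rules 2 and 3 when they follow an unusual login closely.
        recent = user in odd_login_at and ts - odd_login_at[user] <= CORRELATION_WINDOW
        # Rule 2: bulk export, the pattern seen in the CRM breaches described above.
        if e["type"] == "export" and e.get("records", 0) >= threshold:
            alerts.append(("high" if recent else "medium", user, f"bulk export of {e['records']} records"))
        # Rule 3: a new remote-access session, the action callers talk victims into.
        elif e["type"] == "remote_tool_connect":
            alerts.append(("high" if recent else "low", user, "new remote-access connection"))
    return alerts


def highest_severity(alerts):
    """Summarise a batch of alerts for an on-call queue: worst severity wins."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((a[0] for a in alerts), key=order.get, default=None)


if __name__ == "__main__":
    for sev, user, msg in detect(EVENTS):
        print(f"[{sev:6}] {user}: {msg}")
```

On the sample data alice generates nothing, while bob’s unusual login lifts both his remote-access connection and his export to high severity, which is the sequence an incident process should be ready to act on quickly.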
Get Support is here when you need us
To learn more about defending your business against vishing and other cybersecurity scams, just ask your Get Support Customer Success Manager or call us on 01865 594 000.
We’ll help you hang up on the cybercriminals and keep your business safe.