Voice Phishing

Voice phishing is social engineering conducted by phone, usually by impersonating support, IT, or another trusted function to extract credentials or approvals. In identity governance, it is dangerous because it targets the human decision step that can create valid access without technical exploitation.

Expanded Definition

Voice phishing, often shortened to vishing, is social engineering delivered by telephone or voice channels to manipulate a person into revealing credentials, approving an action, or bypassing normal verification. In NHI and identity governance, the key risk is not the call itself, but the resulting human authorization that can create legitimate access for an attacker.

Definitions vary across vendors when voice phishing is grouped with broader social engineering, but the practical boundary is clear: vishing uses real-time conversation to pressure a target into trusting an impersonated support desk, executive, bank, or security function. That makes it different from email phishing, because the attacker can respond instantly to objections and steer the target toward an approval path that looks procedurally valid. NIST Cybersecurity Framework 2.0 treats this kind of event as a governance and awareness problem as much as a technical one.

For NHI security teams, the concern is that a single phone call can lead to password resets, MFA enrollment changes, token issuance, or help desk overrides that later appear legitimate in audit logs. The most common mistake is treating vishing purely as a user-awareness issue while ignoring the approval workflows and identity-recovery steps the attacker is actually trying to exploit.

Examples and Use Cases

Rigorous anti-vishing controls add friction to support and recovery flows, so organisations must balance fast user service against stronger caller verification and approval discipline. Typical scenarios include:

  • A caller impersonates IT support and convinces an employee to approve an MFA reset, creating a fresh path into a privileged account.
  • An attacker poses as a cloud administrator and asks a help desk agent to issue a new API key, turning a verbal request into valid access.
  • A finance or procurement employee receives a call claiming to be from a trusted vendor and is guided into approving a payment or portal login.
  • An executive impersonation call triggers an urgent exception, so a secret rotation or service account validation step is skipped without proper review.
  • Security teams review a suspected incident against the patterns documented in the Ultimate Guide to NHIs and compare them with the identity assurance expectations in NIST Cybersecurity Framework 2.0.

In practice, vishing often succeeds when the victim is pressured to act quickly, especially if the caller references a believable ticket number, executive name, or outage that feels operationally urgent.

Why It Matters in NHI Security

Voice phishing matters in NHI security because it can be the first step in compromising the identities that actually run infrastructure, automation, and third-party integrations. In its Ultimate Guide to NHIs, NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which shows how often a human deception event becomes a machine-access event.

Once a caller convinces someone to approve a reset, reveal a code, or bypass a check, the attacker may gain durable access through secrets, tokens, or delegated permissions. That is why vishing must be governed alongside help desk procedure, privileged access controls, and secret lifecycle management, not only phishing training. Organisations should align response playbooks with NIST Cybersecurity Framework 2.0 so verification steps are consistent and auditable across recovery paths.

Organisations typically discover the true cost only after a fraudulent reset or approval has been used to reach a service account, by which point the weakness in the recovery flow can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control expectations practitioners need to meet.

Framework                        | Control / Reference                                              | Relevance
OWASP Non-Human Identity Top 10  | NHI7 Long-Lived Secrets; NHI10 Human Use of NHI                  | A credential issued or reset on a verbal request becomes durable access when the secret is long-lived, and a human holding an NHI credential obscures who actually acted.
NIST CSF 2.0                     | PR.AT (Awareness and Training)                                   | Awareness and training address the impersonation and verification failures that vishing relies on.
NIST CSF 2.0                     | PR.AA (Identity Management, Authentication, and Access Control)  | Caller verification, credential lifecycle management, and approval permissions limit who can authorise changes under social-engineering pressure.

Harden recovery flows so phone-based requests cannot bypass verification for NHI credentials or approvals.
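The following is an added example, not code from the page or from NHI Mgmt Group, that illustrates both points made above: the detective side (a help-desk reset or key issuance looks legitimate in audit logs until it is correlated with the ticket channel and with how quickly the new credential was exercised from an unfamiliar source) and the preventive side (a phone request that skipped out-of-band callback verification, or that touches an NHI credential, must not be fulfilled by a single agent). The ticket records, IAM events and baseline addresses are constructed for the example, and the `svc-`/`app-`/`bot-` prefixes used to recognise non-human identities are an assumed naming convention, not a standard.

```python
"""Added example: correlate help-desk approvals with identity events to catch vishing-style resets.

The records below are constructed for this example, not taken from any real system.
The 'svc-'/'app-'/'bot-' naming convention for non-human identities is an assumption.
"""
from datetime import datetime, timedelta

# Constructed help-desk ticket records: the human approval step the caller is trying to exploit.
HELPDESK_TICKETS = [
    {"ticket": "HD-1001", "subject": "j.doe", "action": "mfa_reset", "channel": "phone",
     "callback_verified": False, "agent": "agent7", "time": "2024-05-01T09:02:00Z"},
    {"ticket": "HD-1002", "subject": "svc-billing", "action": "api_key_issue", "channel": "phone",
     "callback_verified": False, "agent": "agent3", "time": "2024-05-01T09:10:00Z"},
    {"ticket": "HD-1003", "subject": "a.smith", "action": "password_reset", "channel": "portal",
     "callback_verified": True, "agent": "agent7", "time": "2024-05-01T11:00:00Z"},
]

# Constructed IAM audit events: each reset or key issuance looks legitimate on its own.
IAM_EVENTS = [
    {"event": "mfa_factor_enrolled", "subject": "j.doe", "ticket": "HD-1001",
     "time": "2024-05-01T09:05:00Z", "src_ip": "203.0.113.7"},
    {"event": "login_success", "subject": "j.doe", "time": "2024-05-01T09:07:00Z", "src_ip": "203.0.113.7"},
    {"event": "api_key_created", "subject": "svc-billing", "ticket": "HD-1002",
     "time": "2024-05-01T09:12:00Z", "src_ip": "198.51.100.4"},
    {"event": "api_key_used", "subject": "svc-billing", "time": "2024-05-01T09:20:00Z", "src_ip": "198.51.100.4"},
    {"event": "password_changed", "subject": "a.smith", "ticket": "HD-1003",
     "time": "2024-05-01T11:01:00Z", "src_ip": "10.0.0.12"},
]

# Source addresses each subject has been seen from before (constructed baseline).
KNOWN_SUBJECT_IPS = {"j.doe": {"10.0.0.5"}, "svc-billing": {"10.0.20.9"}, "a.smith": {"10.0.0.12"}}

NHI_PREFIXES = ("svc-", "app-", "bot-")  # assumption: how this environment names non-human identities
USE_EVENTS = {"login_success", "api_key_used", "token_issued"}  # events that exercise a credential


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def requires_second_approver(ticket: dict) -> bool:
    """Preventive gate for the recovery flow: a phone request that skipped the out-of-band
    callback, or that touches a non-human identity, must not be fulfilled by one agent alone."""
    if ticket["channel"] != "phone":
        return False
    return not ticket["callback_verified"] or ticket["subject"].startswith(NHI_PREFIXES)


def find_suspicious_approvals(tickets, events, known_ips, window=timedelta(minutes=30), threshold=4):
    """Detective control: score each ticket by how closely it matches the vishing pattern and
    return those at or above the threshold, highest score first."""
    findings = []
    for t in tickets:
        reasons, score = [], 0
        approved_at = _ts(t["time"])
        if t["channel"] == "phone" and not t["callback_verified"]:
            reasons.append("phone request fulfilled without out-of-band callback")
            score += 2
        if t["subject"].startswith(NHI_PREFIXES):
            reasons.append("credential action on a non-human identity via help desk")
            score += 2
        # The tell-tale: the new credential is exercised soon after the approval,
        # from a source the subject has never been seen from before.
        for e in events:
            if e["subject"] != t["subject"] or e["event"] not in USE_EVENTS:
                continue
            used_at = _ts(e["time"])
            unfamiliar = e["src_ip"] not in known_ips.get(t["subject"], set())
            if approved_at <= used_at <= approved_at + window and unfamiliar:
                minutes = int((used_at - approved_at).total_seconds() // 60)
                reasons.append(f"{e['event']} from unfamiliar source {e['src_ip']} {minutes} min after approval")
                score += 3
                break
        if score >= threshold:
            findings.append({"ticket": t["ticket"], "subject": t["subject"], "agent": t["agent"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_approvals(HELPDESK_TICKETS, IAM_EVENTS, KNOWN_SUBJECT_IPS):
        print(f"{f['ticket']} ({f['subject']}, fulfilled by {f['agent']}) score={f['score']}")
        for r in f["reasons"]:
            print("  -", r)
    for t in HELPDESK_TICKETS:
        print(t["ticket"], "needs second approver:", requires_second_approver(t))
```

On the constructed data the API key issued to `svc-billing` scores highest, because it combines all three signals (phone channel without callback, NHI subject, key used within minutes from a new address), while the portal-based password reset for `a.smith` produces no finding. The scoring weights and the 30-minute window are illustrative; in practice they are tuned against the organisation's own help-desk volume, and the `requires_second_approver` gate is what keeps the phone channel from being the single point at which a verbal request becomes valid access.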