TL;DR: Vishing uses voice, caller ID spoofing, and urgency to extract passwords, PINs, and financial or personal data, making it harder to spot than email phishing, according to 1Kosmos. The real failure is not awareness alone but identity verification that can withstand a persuasive live call.
NHIMG editorial — based on content published by 1Kosmos: an analysis of vishing, voice-based phishing, and protection steps
Questions worth separating out
Q: How should organisations reduce the risk of vishing in identity workflows?
A: Use voice only as a contact channel, not as a trust channel.
Q: Why do vishing attacks still work against trained employees?
A: Training helps, but vishing succeeds because it exploits real-time pressure, authority cues, and the human tendency to help.
Q: What do security teams get wrong about phone-based phishing?
A: They often treat phone calls as a low-tech nuisance instead of an identity risk.
Practitioner guidance
- Harden phone-based identity verification Require out-of-band confirmation for any sensitive request made by phone, especially password resets, banking changes, account recovery, and payment instructions.
- Treat account recovery as privileged access Apply stronger identity proofing to recovery flows than to routine support interactions.
- Train staff on live-call manipulation patterns Teach teams to recognise urgency cues, authority impersonation, and scripted prompts for passwords or PINs.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Practical vishing red flags and call-script patterns that help frontline staff recognise manipulation in real time.
- Identity verification guidance for phone-based interactions, including the safeguards that reduce account takeover risk.
- Examples of how companies are targeted through employee, vendor, and stakeholder impersonation.
- A closer look at AI-assisted voice deception and the next wave of social engineering tactics.
👉 Read 1Kosmos's analysis of vishing, identity theft, and voice-based phishing →
Vishing and the human identity gap teams are missing?
Explore further
Vishing is a human identity failure disguised as a communications scam. The attacker is not trying to break encryption or exploit a software flaw. They are trying to persuade a person to bypass the controls that were supposed to separate identity proof from conversational confidence. That makes the weak point a human IAM control path, especially account recovery and verification. The practitioner conclusion is simple: if voice can override your trust model, the trust model is already broken.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves many identity controls incomplete even before social engineering begins.
A question worth separating out:
Q: How can help desks stop becoming the weak link in vishing attacks?
A: Make the help desk verify the request through a separate, pre-bound identity method before changing access or disclosing information. Limit what staff can reveal over voice, log every sensitive request, and require escalation for high-risk actions. That makes the support process harder to manipulate and reduces the payoff from a successful social engineering call.
👉 Read our full editorial: Vishing is still a human identity problem, not just a scam