
Vishing

By NHI Mgmt Group Updated June 23, 2026 Domain: Threats, Abuse & Incident Response

Voice phishing is a social engineering technique that uses phone calls or voice channels to persuade a target to reveal information or approve access. It succeeds by exploiting trust, urgency, and procedural shortcuts, often bypassing technical controls that would have stopped a direct login attack.

Expanded Definition

Vishing is voice-based phishing, but in NHI security it matters because the target is often not just a human employee. Attackers use calls, voicemails, callback scams, and help-desk impersonation to persuade someone to reveal a secret, approve an MFA prompt, reset access, or disclose workflow details that protect service accounts and API keys.

Unlike email phishing, vishing removes many visual cues and can create stronger social pressure in real time. Definitions vary across vendors on whether voicemail drop, callback fraud, and live social engineering are all treated as vishing, but the core pattern is the same: voice is used to bypass normal verification steps. The operational control question is not whether the caller sounds credible, but whether the process requires independent verification before credentials or access are touched. NIST Cybersecurity Framework 2.0 frames this as a governance and protective function issue, especially where identity proofing and access approval are part of a business process. The most common misapplication is treating a phone call as a trusted exception, which occurs when staff approve resets or disclose secrets because the caller knows internal terminology.

For a broader NHI context, the Ultimate Guide to NHIs explains why voice scams become dangerous when service accounts, tokens, and credentials are managed through informal human approval paths.

Examples and Use Cases

Implementing vishing defenses rigorously often introduces friction in support and recovery workflows, requiring organisations to weigh faster user assistance against stronger identity verification.

  • A fake help-desk caller asks an employee to read back a one-time code, then uses it to approve access to an admin portal.
  • An attacker leaves a voicemail claiming a service account is locked and pressures a staff member to reset the account without ticket validation.
  • A finance employee receives a live callback impersonating a vendor and is pushed to approve a payment workflow that depends on a privileged bot account.
  • A security team reviews callback logs after a suspicious access event and finds the caller used internal jargon gathered from public sources and prior breaches.
  • An organisation ties callback verification to an out-of-band control in line with NIST Cybersecurity Framework 2.0, then limits any password or token reset until a second channel confirms the request.

The Ultimate Guide to NHIs is especially relevant where human approvals are used to unlock machine access, because voice scams often exploit exactly that handoff.

Why It Matters in NHI Security

Vishing is a governance problem as much as a user-awareness problem. When a phone-based impersonation campaign succeeds, it often exposes secrets, grants unauthorised access, or triggers the reset of credentials that protect NHIs. That creates an outsized blast radius because service accounts, API keys, and automation tokens are frequently reused across systems. NHIMG data shows that 79% of organisations have experienced secrets leaks, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes social engineering against the approval process especially dangerous. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, so a single successful call can unlock far more than the victim expects. The same guide also shows why this matters operationally: weak visibility and delayed rotation make the effects of a voice scam persist long after the call ends.

Organisations typically see the real impact only after a fraudulent reset, unauthorised token use, or lateral movement event, at which point addressing vishing becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Voice scams often lead to exposed secrets and unsafe reset handling.
NIST CSF 2.0 | PR.AT | Awareness and training reduce success rates for voice-based social engineering.
NIST CSF 2.0 | PR.AC | Access approval by voice bypasses least-privilege and verification controls.

Require verified, logged processes before any secret, token, or credential reset is approved.
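The out-of-band callback control in the examples above and the "verified, logged processes" requirement just stated can be made concrete as a reset-approval gate. The following Python is an added illustration, not code from NHIMG or from any product the page mentions; the identity names, the owner channel registry, the ticket numbers and the HMAC key are all constructed. The gate refuses any request without a ticket, sends a single-use, time-limited challenge to the registered owner's registered channel (never to whoever is on the phone), and writes every decision to an audit log that a security team can later cross-check against reset events in the secrets store.

```python
"""Added example: a credential-reset gate that never treats a phone call as a
trusted exception. Identifiers, channels and the scenario are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed registry: the human owner of each NHI and that owner's registered
# out-of-band channel. A caller's claims never change which channel is used.
OWNER_CHANNELS = {
    "svc-payments-bot": {"owner": "alice", "channel": "push:alice-device-01"},
    "api-key-billing": {"owner": "bob", "channel": "push:bob-device-07"},
}
DEMO_NOW = datetime(2026, 6, 23, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class ResetRequest:
    identity: str             # NHI whose secret the caller wants reset
    caller_claim: str         # who the caller says they are (unverified)
    ticket_id: Optional[str]  # help-desk ticket; None for an ad-hoc call
    source: str               # "phone", "portal", ...


class ResetGate:
    """Approves a reset only when a ticket exists, the registered owner confirms
    on the registered channel within the window, and every decision is logged."""

    def __init__(self, hmac_key: bytes, window: timedelta = timedelta(minutes=10)):
        self._key, self._window = hmac_key, window
        self._pending = {}  # challenge -> (request, expiry, registered channel)
        self.audit = []     # append-only decision log

    def _log(self, action, req, reason):
        self.audit.append({"action": action, "identity": req.identity,
                           "ticket": req.ticket_id, "source": req.source,
                           "caller_claim": req.caller_claim, "reason": reason})

    def open_request(self, req: ResetRequest, now: datetime) -> Optional[str]:
        """Returns a challenge to deliver on the owner's registered channel, or None."""
        if not req.ticket_id:
            self._log("DENY", req, "no_ticket")
            return None
        entry = OWNER_CHANNELS.get(req.identity)
        if entry is None:
            self._log("DENY", req, "unknown_identity")
            return None
        nonce = secrets.token_hex(8)
        msg = f"{req.identity}|{req.ticket_id}|{nonce}".encode()
        challenge = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._pending[challenge] = (req, now + self._window, entry["channel"])
        self._log("PENDING", req, "challenge_sent_to=" + entry["channel"])
        return challenge

    def confirm(self, challenge: str, from_channel: str, now: datetime) -> bool:
        """Second-channel confirmation: single use, time-limited, channel-bound."""
        pending = self._pending.pop(challenge, None)
        if pending is None:
            self._log("DENY", ResetRequest("?", "?", None, "?"), "unknown_challenge")
            return False
        req, expires, channel = pending
        if now > expires:
            self._log("DENY", req, "expired")
            return False
        if not hmac.compare_digest(from_channel, channel):
            self._log("DENY", req, "wrong_channel")
            return False
        self._log("APPROVE", req, "out_of_band_confirmed")
        return True


def unverified_resets(audit: list, reset_events: list) -> list:
    """Post-incident check: resets seen in the secrets store that have no
    matching APPROVE record (identity and ticket must both match)."""
    approved = {(e["identity"], e["ticket"]) for e in audit if e["action"] == "APPROVE"}
    return [ev for ev in reset_events if (ev["identity"], ev["ticket"]) not in approved]


def run_demo() -> dict:
    """Constructed scenario: voice-only request, wrong-channel attempt,
    expired challenge, valid confirmation, then a log review."""
    gate = ResetGate(b"constructed-demo-key")
    ticketed = ResetRequest("svc-payments-bot", "alice", "INC-1001", "phone")
    r = {}
    r["no_ticket"] = gate.open_request(
        ResetRequest("svc-payments-bot", "alice", None, "phone"), DEMO_NOW)
    ch = gate.open_request(ticketed, DEMO_NOW)
    r["wrong_channel"] = gate.confirm(ch, "push:unregistered-device", DEMO_NOW)
    ch = gate.open_request(ticketed, DEMO_NOW)
    r["expired"] = gate.confirm(ch, "push:alice-device-01", DEMO_NOW + timedelta(minutes=11))
    ch = gate.open_request(ticketed, DEMO_NOW)
    r["approved"] = gate.confirm(ch, "push:alice-device-01", DEMO_NOW + timedelta(minutes=2))
    # Constructed reset events from the secrets store; the second has no approval.
    events = [{"identity": "svc-payments-bot", "ticket": "INC-1001"},
              {"identity": "api-key-billing", "ticket": "INC-1002"}]
    r["flagged"] = unverified_resets(gate.audit, events)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the design is that nothing the caller says or knows (internal jargon, the owner's name, a plausible ticket story) reaches the decision: the challenge is bound to the identity and ticket, delivered only on the pre-registered channel, consumed on first use, and expires. The `unverified_resets` check is the log review from the examples above: any reset in the secrets store without an APPROVE record from the gate is a candidate fraudulent reset to investigate.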

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org