Phishing is an established and frequent scam in the digital world. However, vishing, which applies some of the same tactics of phishing to voice calls, is increasingly taking up space in both targeted attacks and mass fraud occurring worldwide.

These attacks represent a considerable risk for various businesses, whether due to risks to corporate networks or financial data and credit cards used in online purchases. In parallel, vishing is also used as a tool in medium and long-term frauds to manipulate investors.

Let's take a closer look at how each of these attacks has been occurring.

Targeted Attacks

The potential of vishing became very evident throughout 2025 in attacks carried out by Scattered Spider and related threat actors (such as "Scattered Lapsus$ Hunters").

In several incidents, such as those that hit retailers in the United Kingdom, reports indicate that hackers maintained voice call contact with support analysts to request credential changes on behalf of employees of the attacked companies.

This contact with support analysts can serve various purposes. In some situations, hackers may have already obtained the account password, but were blocked by multi-factor authentication (MFA), and in that case, they only need to convince the analyst to remove the MFA from the account or add some factor that is under the hacker's control.

However, depending on the company's policies, it is also possible for attackers to convince the help desk team to reset the password, completely undermining identity management in the company.

In another campaign targeting data stored in companies' Salesforce instances, hackers contacted employees impersonating the IT department. With this pretext, they were able to convince victims to make changes in Salesforce instances to grant the attackers access.

Looking at these scenarios, we can see that the IT department can be the target of vishing attacks or be used in attacks against employees.

Plump Spider also used this same narrative, as documented by the Axur Research Team. The attackers contact company employees claiming that it is necessary to perform an update or adjustment to software installed on the computer.

After an initial phone contact, the attackers may continue communication through text messages, making it easier to send more complex instructions. If the contact is successful, the attackers can execute malicious code that collects data about the corporate network, including information about Wi-Fi network passwords and IP addresses of domain controllers.

This set of examples highlights the versatility of vishing in targeted attacks. That is:

• Reset credentials through the IT help desk
• Weaken account security through changes in MFA usage
• Modify settings in corporate platforms to grant access to integrations controlled by attackers
• Guide employees to install software on workstations
• Initiate contact that can be continued through other communication channels more appropriate to the type of fraud the attackers seek to carry out

It is important that companies are aware of the scope of fraud and its implications. Cyber Threat Intelligence is one of the main allies for this purpose, and can be used to direct changes in corporate policies and internal training.

Mass Attacks

In addition to being used in targeted attacks, vishing is a relevant component of several frauds carried out en masse against the general population.

Let's look at some examples:

Technical Support Fraud: This fraud is more common in English-speaking countries. Scammers contact the victim offering some type of technical assistance with the computer, but the contact normally ends up requiring that the victim pay for the "repair" that will be performed or even sign up for some type of service. For the victim to fall for the scam, it is quite common for the scammer to suggest a false diagnosis.

Pig Butchering: In Pig Butchering, the scammer gains the victim's trust gradually, requesting money or favors that are of interest to the criminal. Voice call contact can contribute to this process, making the victim believe the scammer. Pig Butchering mixes elements from various other frauds to achieve its objective.

Romance Scam: Very similar to Pig Butchering, the romance scam can last for weeks or months. The criminal assumes a false romantic interest in the victim to convince them to send money. Voice calls help increase the level of involvement, but some scammers also meet their victims in person.

Investment and Cryptocurrency Scams: There are various scams that use investments as bait. The investment opportunity offered by criminals typically forms part of some other type of scheme, such as "pump-and-dump" (in which stocks are inflated through false information and subsequently sold), "ramp-and-dump" (a variation in which the scammers themselves conduct the transactions that inflate the asset price), and "rug pull" (a common fraud method in crypto in which scammers promote a project or cryptoasset and abandon it after obtaining investors' money).

There are reports that some people working in "contact centers" conducting these frauds are victims of human trafficking. They follow the guidelines and a script developed by the scheme's mentors.

In July 2025, more than one hundred people were arrested in Pakistan and two others in India following police actions at these criminal facilities. In August, nine more were arrested in the Dominican Republic. Similar actions have occurred in various countries over the past decade.

In Brazil, the scenario is somewhat different. Previously, some rudimentary voice call frauds were recurring. One of the main examples is the false kidnapping, in which the scammer calls the victim claiming that a family member has been kidnapped to try to collect a ransom.

However, a series of automated frauds completely changed this scenario. These scams use an IVR (Interactive Voice Response), imitating a legitimate customer service process.

Generally, the scam is initiated by the criminal himself, with mass calls to victims. However, cases have also been observed where the criminal distributes a phone number via SMS.

One of the most common narratives in this type of scam is that the victim needs to confirm or deny a suspicious purchase on their credit card. The purchase in question never happened, but if the victim is frightened by the relatively high amount reported at the beginning of the call, they may end up falling for the scam and providing their card details to criminals.

The fraud has a high degree of automation. The scam script is programmed as a call flow, and everything can be monitored and configured in a system dashboard.

Dashboard for monitoring a fraudulent IVR.

Programmed IVR call flow designed to carry out fraud autonomously.

To make calls or send SMS messages, criminals can use equipment such as chip writers, in which dozens of SIM cards can be installed to improvise a telecommunications infrastructure.

Fraud in the Russia-Ukraine War

According to Russian authorities, there is a considerable volume of fraud originating from call centers located in Ukraine.

These frauds were already happening before the conflict escalated in 2022. However, Russia now claims that these phone calls have also been used to convince a more vulnerable segment of the population (mainly the elderly) to commit arson crimes in the country, especially at military recruitment centers.

Following these incidents in 2023, Russia began to consider these call centers as military targets.

The Vishing Threat to Businesses

Being a broad category of fraud, vishing is associated with various risks. While targeted attacks represent a direct threat to corporate networks, mass frauds are a challenge for financial institutions and retailers, since data stolen through these frauds is almost always used in e-commerce purchases.

Axur's Threat Hunting allows companies to identify stolen cards and data, enabling fraud prevention before an order is even completed with merchandise shipment.

Since vishing attacks can weaken the protection offered by multi-factor authentication (MFA), monitoring leaked credentials helps prevent the escalation of incidents that begin with leaked usernames and passwords or authentication tokens stolen by stealers.

For financial institutions, monitoring mentions of brands associated with the business in forums where criminals communicate is one of the ways to stay ahead of this fraud, especially for financial institutions.

Contact one of our specialists to learn about all the features of the Axur Platform and how they can mitigate various threats.