The IT Support Call: Voice Phishing (Vishing)
You get a phone call from someone claiming to be IT support. They sound professional and know your name. But something feels off. Learn to spot voice-based social engineering.
The scenario
At 2:15 PM on a Wednesday, your desk phone rings:
📞 "Hello, this is Kevin from the IT Security Department. We've detected unusual login activity on your account from a foreign IP address. I need to verify your identity to prevent unauthorized access."
He knows your full name, your department, and even your manager's name. He sounds calm and professional.
📞 "I'm going to send you a verification code via text message. Can you read it back to me so I can confirm your identity?"
🚨 This is a Vishing Attack!
"Kevin" is not from IT. He's a social engineer who scraped your details from LinkedIn and your company website. The "verification code" is actually the MFA code for your account — by reading it back, you hand him the one-time second factor he needs to complete a login as you.
Why Vishing Works So Well
Vishing attacks have surged 442% in recent years. Unlike email phishing, a phone call creates:
- Real-time pressure — you can't step away to think the way you can with an email
- False authority — a confident voice feels trustworthy
- Personal connection — hearing a human voice lowers your guard
- AI voice cloning — attackers can now clone anyone's voice from just 3 seconds of audio
What to learn
🛡️ How to Handle Suspicious Calls
✅ The Golden Rule: Hang Up and Call Back
Never verify your identity to someone who called you. Instead:
1. Say: "I'll call the IT help desk directly to verify this."
2. Hang up.
3. Call your IT department using the official number from your company directory — never use a number the caller gives you.
Red Flags in Phone Calls
| Red Flag | Example |
|---|---|
| Asking for passwords or codes | "Read me your verification code" |
| Creating urgency | "We need to act now before the hacker gets in" |
| Requesting remote access | "Install this tool so I can fix your computer" |
| Pressuring you not to verify | "Don't call IT — I'm handling it directly" |
🧠 Remember
Legitimate IT staff will never ask for your password or MFA code over the phone. If it feels wrong, trust your instinct and verify independently.