
Protect Your Business From VoIP Phishing and Vishing in 2026

Voice phishing is up 442% and costs US businesses billions. It's a people problem now. Here's how vishing works in 2026, and the callback rules that stop it.


It’s 4:47 on a Friday. An AP clerk at a Florida accounting firm gets a call. The caller ID shows the CFO’s direct line. The voice on the line is the CFO’s voice. It’s asking her to push a wire to a new vendor account before the 5 PM cutoff. She pushes the wire. The CFO is in a board meeting two states away with his phone off. The voice was a thirty-second clone built from a recorded conference panel on YouTube.

Vishing is a process problem

Voice phishing (or “vishing”) got worse for a few reasons at once. AI voice cloning went from research lab to a $5-a-month subscription. Remote work normalized “I’ve never actually met this person but the voicemail says they’re our CFO.” Caller ID spoofing is still trivial. Large language models write convincing scripts in any dialect, on demand. Better email and endpoint defenses push attackers toward the phone, but that is a tailwind, not the cause: attackers picked up the new voice tooling because it was cheap and it worked.

Calling a finance employee and sounding urgent costs almost nothing. The FBI tracked $3 billion in business email compromise losses in 2025, with 86% of that money moving by wire or ACH: the exact transaction vishing is designed to push.[1] CrowdStrike measured a 442% jump in vishing activity between the first and second halves of 2024 alone.[2]

None of this means traditional attacks have gone away. 2024 and 2025 were brutal for anyone running Fortinet, Ivanti, or Palo Alto edge devices, and ransomware groups had a record year. But when the target is your accounting team, the cheaper play is to call them, voice-message them, or proxy their login through an adversary-in-the-middle phishing page and steal the session cookie after MFA completes. Most of the fraud aimed at a mid-sized business will come through the people on your payroll, because that’s the surface area that scales.

Three plays you should recognize

Voice-cloned executive wire fraud

Thirty seconds of audio is enough to clone a voice. A LinkedIn video, an earnings call, a panel at an industry event. Plenty of material. The attacker calls or voice-messages a finance employee, poses as the CEO or CFO, and pushes for a wire to a new account. The engineering firm Arup lost $25 million to a deepfake video call in Hong Kong in early 2024. The attackers combined cloned voices of multiple executives on the call and walked a finance employee through fifteen transactions.[3]

Help-desk MFA reset

The attacker calls your IT help desk, or your provider’s, claiming to be an employee locked out of their account. They know the employee’s name, their title, their manager, and enough personal details to sound convincing. They ask for a password reset and an MFA re-enrollment. If the help desk doesn’t have a hard process for verifying the caller, the attacker walks out with the account. This is the playbook behind several high-profile 2025 retail breaches.

Callback phishing

An email arrives: an invoice, a subscription renewal, a suspicious charge notification. No link to click, so the filter passes it clean. The instructions say to call a number to dispute the charge. The number connects to an attacker who talks the employee through installing remote access software or reading off credentials. Law firms and accounting firms are prime targets. The workflow looks like normal vendor communication until it isn’t.

What actually works is process, not product

The highest-leverage controls for a mid-market business are procedural. Real technical controls exist (STIR/SHAKEN caller ID authentication, FIDO2 security keys, enterprise deepfake detection platforms like Pindrop), but most of them either live upstream at the carrier, require enterprise-scale budgets, or are still rolling out unevenly. STIR/SHAKEN in particular only tells you how confidently the originating carrier vouched for the calling number, and only if your provider passes that verdict through to your phones; it says nothing about who is speaking. The rules below are the ones you can write down and deploy this week.
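What a STIR/SHAKEN verdict actually looks like when it reaches a PBX, as an added example that is not part of this article and not any carrier's or vendor's code: a small Python parser that reads the verstat parameter the terminating carrier adds to P-Asserted-Identity and the attestation level inside the PASSporT carried in the SIP Identity header. The INVITE, phone numbers, carrier domain and certificate URL are constructed for the example. The PASSporT signature is not verified here (that happens upstream at the carrier), so the carrier-added verstat is the only field that says the token was checked, and attest says how far the originating carrier was willing to vouch for the number.

```python
import base64
import json
import re
from typing import Optional

# Added illustration. The INVITE, numbers, carrier domain and cert URL below
# are constructed, not captured from a real call.


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as PASSporT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# A SHAKEN PASSporT for a call that presents the CFO's line but carries only
# gateway (C) attestation: the originating carrier could not vouch for the
# number. The third segment is a placeholder, not a real ES256 signature.
_PASSPORT_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                    "x5u": "https://cert.carrier.example/shaken.pem"}
_PASSPORT_PAYLOAD = {"attest": "C", "dest": {"tn": ["12025550100"]},
                     "iat": 1736527620, "orig": {"tn": "12025550199"},
                     "origid": "c0ffee00-0000-4000-8000-000000000001"}

SAMPLE_INVITE = (
    "INVITE sip:+12025550100@pbx.example SIP/2.0\r\n"
    'From: "CFO Direct" <sip:+12025550199@carrier.example>;tag=1a2b\r\n'
    "To: <sip:+12025550100@pbx.example>\r\n"
    "P-Asserted-Identity: <sip:+12025550199;verstat=TN-Validation-Passed"
    "@carrier.example>\r\n"
    f"Identity: {_b64url(_PASSPORT_HEADER)}.{_b64url(_PASSPORT_PAYLOAD)}."
    "c2lnbmF0dXJl;info=<https://cert.carrier.example/shaken.pem>"
    ";alg=ES256;ppt=shaken\r\n"
    "\r\n"
)

# The same call with no Identity header and no verstat: nothing was attested.
UNSIGNED_INVITE = (
    "INVITE sip:+12025550100@pbx.example SIP/2.0\r\n"
    'From: "CFO Direct" <sip:+12025550199@carrier.example>;tag=9z8y\r\n'
    "To: <sip:+12025550100@pbx.example>\r\n"
    "\r\n"
)


def sip_headers(msg: str) -> dict:
    """Parse the header block of a SIP request into {lowercase name: value}."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def verstat(headers: dict) -> Optional[str]:
    """Return the terminating carrier's verification result (verstat), if any."""
    identity = headers.get("p-asserted-identity") or headers.get("from", "")
    m = re.search(r";verstat=([A-Za-z-]+)", identity)
    return m.group(1) if m else None


def passport_claims(headers: dict) -> Optional[dict]:
    """Decode the PASSporT payload from the Identity header. No signature check."""
    identity = headers.get("identity")
    if not identity:
        return None
    token = identity.split(";", 1)[0]          # drop info=/alg=/ppt= parameters
    segments = token.split(".")
    if len(segments) != 3:
        return None
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                          # bad base64 or bad JSON
        return None


def classify_call(invite: str) -> dict:
    """Summarise what the network actually vouched for on an inbound call."""
    h = sip_headers(invite)
    vs = verstat(h)
    claims = passport_claims(h) or {}
    attest = claims.get("attest")
    if vs != "TN-Validation-Passed":
        label = "unverified"            # carrier did not, or could not, validate
    elif attest == "A":
        label = "full-attestation"      # carrier knows the customer and the number
    elif attest == "B":
        label = "partial-attestation"   # knows the customer, not this number
    else:
        label = "gateway-attestation"   # C: only knows where the call entered
    return {"verstat": vs, "attest": attest,
            "orig_tn": (claims.get("orig") or {}).get("tn"), "label": label}


def caller_id_trustworthy(result: dict) -> bool:
    """Only full attestation means the displayed number was vouched for."""
    return result["label"] == "full-attestation"


if __name__ == "__main__":
    for name, msg in (("signed", SAMPLE_INVITE), ("unsigned", UNSIGNED_INVITE)):
        r = classify_call(msg)
        print(name, r, "trust caller ID:", caller_id_trustworthy(r))
```

A call that displays “CFO Direct” with C attestation is a red flag worth surfacing to the AP desk. A call with A attestation still has a human, or a clone, on the line; the attestation covers the number, not the voice, which is why the callback rules that follow do not depend on it.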

Never call the number on the invoice or in the email. Open your accounting system. Pull the vendor contact from the record you already have. If you know the person on the other end, call that person, not the generic AP line. The same rule applies to any request to change payment details or bank account information. Always verify on a channel you initiated.

No password or MFA resets over the phone without real identity proof. If your help desk can reset an account based on a confident-sounding caller naming the right manager, you don’t have a help desk: you have an account-takeover vending machine. Knowing the manager’s name, the employee ID, or the last four digits of anything is not proof; that data is routinely available from breach dumps and LinkedIn. The strongest control is a phishing-resistant check: the real user taps a FIDO2 security key or approves a passkey challenge, both of which require the physical device and can’t be defeated by urgency on a call. If you’re still on push notifications, turn on number-matching so the user has to type, on the enrolled device, a code the help desk reads to the caller; only the person holding that device can complete it. It is weaker than FIDO2, because an attacker who also gets the real employee on the phone can relay the code, so treat it as the floor, not the ceiling. Plain “tap to approve” push is what attackers defeat with fatigue bombing. A video call with a known coworker plus a photo ID works as a fallback when neither is available.

Require a second signer on any wire over a threshold, and for every new payee. The callback rule above stops most voice-clone attacks; dual-signer on wires stops the ones that get past it. Pick the threshold your CFO is comfortable with. New vendor accounts always get a callback and a second signer, no exceptions.
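The callback rule and the dual-signer rule written as one decision function, as an added example and not code from this article or from Think Technologies Group. Vendor records, contact names, amounts and the 10,000 threshold are constructed assumptions. The point the code makes explicit: the callback number always comes from the vendor record, a number supplied in the request is logged and ignored, and a new payee or changed bank details cannot be released without a callback and a second signer regardless of amount.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added illustration: every vendor, name, amount and the threshold below is
# constructed, not taken from any real ledger or from the article.


def normalize_tn(number: str) -> str:
    """Reduce a phone number to digits so '+1 (727) 555-0142' == '727-555-0142'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):  # NANP country code, assumed
        digits = digits[1:]
    return digits


@dataclass(frozen=True)
class VendorRecord:
    """What the accounting system already holds: the only source for callbacks."""
    name: str
    contact_name: str
    phone_on_record: str
    bank_account: str


@dataclass(frozen=True)
class PaymentRequest:
    """An inbound request, however it arrived (email, call, voicemail)."""
    vendor_name: str
    amount: float
    bank_account: str
    contact_number_supplied: Optional[str]  # number the message or caller offered


@dataclass(frozen=True)
class Policy:
    dual_signer_threshold: float  # the CFO picks this; the value below is assumed


@dataclass
class Decision:
    hold: bool = False
    callback_number: Optional[str] = None
    required_checks: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate(req: PaymentRequest, vendors: dict, policy: Policy) -> Decision:
    """Apply the callback and dual-signer rules to one payment request."""
    d = Decision()
    vendor = vendors.get(req.vendor_name)

    if vendor is None:
        # New payee: there is no record to call back against, so one must be
        # built from independently sourced details first; always a second signer.
        d.hold = True
        d.reasons.append("new payee: no vendor record on file")
        d.required_checks += ["build vendor record from independently sourced contact details",
                              "callback on the number in that record",
                              "second signer"]
        return d

    # Callbacks go to the record, never to a number the request supplied.
    d.callback_number = vendor.phone_on_record
    supplied = req.contact_number_supplied
    if supplied and normalize_tn(supplied) != normalize_tn(vendor.phone_on_record):
        d.reasons.append(f"request supplied {supplied}, which differs from the number on record; ignored")

    if req.bank_account != vendor.bank_account:
        d.hold = True
        d.reasons.append("bank details differ from vendor record")
        d.required_checks += [f"callback to {vendor.contact_name} at {vendor.phone_on_record}",
                              "second signer"]

    if req.amount >= policy.dual_signer_threshold:
        d.hold = True
        d.reasons.append(f"amount {req.amount:,.2f} meets dual-signer threshold")
        if "second signer" not in d.required_checks:
            d.required_checks.append("second signer")
    return d


VENDORS = {
    "Gulf Coast Office Supply": VendorRecord(
        name="Gulf Coast Office Supply", contact_name="Dana Ortiz",
        phone_on_record="+1 (727) 555-0142", bank_account="ACCT-77120"),
}
POLICY = Policy(dual_signer_threshold=10_000.00)

# The opening scenario: a voice asks for a wire to a vendor nobody has on file.
FRIDAY_WIRE = PaymentRequest("Seabreeze Consulting LLC", 48_500.00, "ACCT-90311", "+1 (813) 555-0188")
# A known vendor "updating" its bank details by email, with a new callback number.
BANK_CHANGE = PaymentRequest("Gulf Coast Office Supply", 2_400.00, "ACCT-90311", "+1 (813) 555-0188")
# A routine invoice: known vendor, account on record, under threshold.
ROUTINE = PaymentRequest("Gulf Coast Office Supply", 2_400.00, "ACCT-77120", "727-555-0142")

if __name__ == "__main__":
    for label, req in (("friday wire", FRIDAY_WIRE), ("bank change", BANK_CHANGE), ("routine", ROUTINE)):
        print(label, evaluate(req, VENDORS, POLICY))
```

The function never reads a phone number out of the request to decide where to call; it only compares the supplied number against the record so the mismatch is visible in the audit trail. That is the whole callback rule in one line of control flow.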

Lock down phone system basics. If your business doesn’t make international calls, disable international dialing by default on your VoIP platform. Audit who has admin rights to reassign numbers. Your IT provider can do this in an afternoon if it isn’t already done.

A challenge phrase can help, but don’t count on it alone. Some teams keep a rotating phrase that execs and finance ask for on urgent voice requests. It’s cheap and occasionally saves someone. But urgency is exactly what vishing exploits, and under pressure people forget the phrase or say it anyway. Treat it as a backstop to the callback rule, not a replacement.

Depending on people to be your defense can suck. Humans get tired, get distracted, pick up the phone at 4:47 on a Friday and want to be helpful. That’s why attackers are calling instead of coding. The rules above don’t turn people into firewalls. They give the person on the call something to fall back on when the voice sounds familiar and the request sounds urgent.

Wrap

Think Technologies Group runs managed IT and cybersecurity for businesses across Florida. If the scenario above sounds like a call your finance team could get, and your current callback policy is “it depends,” that’s the conversation to start.


Sources

  1. FBI Internet Crime Complaint Center. 2025 Internet Crime Report. 2026. ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
  2. CrowdStrike. 2025 Global Threat Report. February 2025. crowdstrike.com/press-releases/crowdstrike-releases-2025-global-threat-report
  3. Magramo, Kathleen. “British engineering giant Arup revealed as $25 million deepfake scam victim.” CNN, May 16, 2024. cnn.com/2024/05/16/tech/arup-deepfake-scam-loss-hong-kong-intl-hnk
