Vishing in 2026 — Voice Phishing Attacks and the Helpdesk Bypass

At 17:42 on a Friday the IT helpdesk at a 9,000-person Dutch retail group takes a call from a panicked-sounding employee named 'Jeroen van Dijk'. Jeroen says he's about to board a flight to Madrid for the regional ops meeting, his laptop just bricked at the gate, and he needs MFA reset on his account so he can sign in from a kiosk machine when he lands. He sounds genuinely stressed. He knows his employee number, his manager's name, the project name from his most recent SharePoint activity (scraped earlier in the week from a misconfigured public link), and the gate number at Schiphol he is supposedly at. The helpdesk agent resets MFA. Twenty-three minutes later the attacker — not Jeroen, who is at his desk in The Hague — registers a new authenticator app on Jeroen's account, exports five SharePoint sites and the entire finance shared mailbox, and pivots to the CFO's calendar before being caught. Total dwell time: 4 hours 18 minutes. Damage: regulatory disclosure under NIS2, six months of forensic work, customer notifications. The MGM Resorts incident in 2023 followed exactly this pattern and cost over $100M.

Vishing is the social-engineering equivalent of a remote shell — it gives the attacker live, interactive control over a human's decision-making while bypassing every email security control. In 2026 the three dominant patterns are: helpdesk-bypass (the attacker calls IT pretending to be an employee under pressure, requesting an MFA reset, password reset, or new-device enrolment), consumer-bank-fraud (the attacker calls an account holder pretending to be the bank's fraud team, walking them through 'confirming' transactions that are actually authorising wires out of their own account), and executive-voice-clone (the attacker calls a subordinate using AI-synthesised speech of the CEO or CFO, authorising an off-process payment). The voice cloning leverages three-to-thirty seconds of public audio scraped from podcast appearances, conference talks, or earnings calls — readily available for any executive. The attacker also spoofs caller ID through grey-market SIP gateways or SS7-routed calls so the inbound number matches the legitimate bank, telco, or internal extension. MITRE ATT&CK techniques: T1566.004 (Spearphishing Voice), T1078 (Valid Accounts), T1556.006 (Modify Authentication Process: Multi-Factor Authentication). The single most effective control against vishing is a non-bypassable callback protocol: every sensitive request from a phone call must be re-initiated from the verifier's side, on a number from records, regardless of how convincing the caller is.

• Caller ID matches a legitimate organisation but the caller asks you to perform an action you would normally initiate yourself (e.g. 'confirm this transaction', 'reset your MFA from your side')
• Pressure to act now — flight boarding, audit underway, fraud transaction pending, board meeting in 10 minutes
• Requests to read aloud one-time codes, authentication codes, or session URLs
• Caller demonstrating unusual knowledge of internal context — names, projects, schedules — that suggests prior reconnaissance
• Background noise that does not match the claimed situation, OR a perfectly studio-quiet background where realistic ambience would be expected
• Voice prosody that sounds 'slightly off' — flat affect, oddly timed pauses, mismatched breathing — possible AI synthesis indicators
• Caller refuses or deflects when you offer to call back on a known number ('I'll lose the queue', 'this number doesn't accept calls')
• Inbound call following an inbound SMS, email, or push notification on the same topic — a coordinated multi-channel pretext

1. Hang up and call back on a number from your own recordsUse the number on the back of your bank card, in your contracts file, in your CRM, or the company's published main switchboard. Never call back a number provided by the caller.
2. Never read aloud OTP codes, passwords, recovery codes, or session URLsNo legitimate organisation will ever ask. Treat any such request as proof of vishing.
3. Apply the callback protocol regardless of how convincing the caller isVoice cloning is good enough in 2026 that 'it sounded just like them' cannot be the signal. Process beats perception.
4. If you are an IT helpdesk agent, refuse to reset MFA or credentials on a phone request from outside the officeRequire an in-person presence, a verified video call with valid corporate ID visible, or a callback to a number registered in HR — not a number supplied during the call.
5. Report the incident to security even if you did not actA targeted vishing attempt confirms the attacker has reconnaissance on your organisation. Security needs the signal.
6. If you did act, escalate to security immediately and assume credentials are compromisedForce a password reset, revoke active sessions, re-enrol MFA from a known-clean device, and audit account activity for the past 72 hours.

• NCSC-NL — Telefonische fraude en vishing[primary]
• MITRE ATT&CK — T1566.004 Spearphishing Voice[primary]
• NIST SP 800-63B — Authenticator phishing resistance[primary]
• FBI IC3 — Annual Report (vishing trends)[primary]
• Krebs on Security — MGM and Caesars breach coverage[secondary]
• Mandiant — UNC3944 / Scattered Spider helpdesk-vishing playbook[secondary]

• Smishing in 2026 — SMS Phishing Attacks and How to Stop Them

  7 min read

• Deepfake Voice Phishing in 2026 — When the Voice on the Phone Is Synthetic

  8 min read