Business Reporter

Securing IT helpdesks against voice phishing

Andy Swift at Six Degrees explains how organisations can protect their helpdesks against vishing

Among the various strategies employed by threat actors to gain access to networks, voice phishing (also known as ‘vishing’) is a form of social engineering that utilises voice communication to deceive individuals into disclosing sensitive information. Attackers will impersonate trusted individuals or legitimate services, often using tactics such as caller ID spoofing or machine-generated voices to make their calls sound convincing.

It’s a very serious problem, and according to CrowdStrike’s 2025 Global Threat Report, the number of vishing attacks jumped by nearly 450% between the first and second halves of 2024 alone. Of particular concern is the increasing emphasis that threat actors are placing on helpdesks, which often hold privileged access to account management systems, password repositories, and network administration tools.

When a vishing attack is successful, a single compromised user session can give attackers the internal access they need to gain a foothold. If subsequent privilege escalation or lateral movement attacks also prove successful, this can often end up providing a shortcut to critical internal infrastructure. Aside from the level of access they can potentially facilitate, helpdesks are appealing to attackers because it’s their job to respond efficiently to requests relating to passwords and authentication and to help enable workflows. In this context, the psychology of urgency plays a significant role, as people calling helpdesks are often under stress, creating an environment ripe for manipulation.

But how does this work in practice? While vishing tactics vary, an attacker typically begins by researching the target using publicly available sources. Using a spoofed, cloned or masked voice, a call is then made to the helpdesk with an urgent-sounding pretext, such as “I lost my MFA token and have a meeting in five minutes, please reset it,” or “there’s a service outage, I need temporary access to a specific service now.”

These are credible reasons for requesting assistance, and if proper security processes aren’t in place or aren’t followed correctly, the helpdesk may initiate that MFA reset, password change, or other activity, giving the attacker a springboard to further their access internally.

Empowered by AI

In pursuing these tactics, threat actors also have a powerful ally: AI. It’s now increasingly common for AI to be used to create cloned voices or to generate realistic audio on the fly by masking/voice filtering. This not only improves the chances that a vishing attack will be successful, but it also lowers the bar for creating a compelling impersonation.

For instance, AI can be used to capture samples of a user’s voice and create a clone of their voice profile. This can then be used to imitate the voice of someone the target knows and trusts with a high degree of realism. The clone is then combined with Text-to-Speech (TTS): written scripts are converted into pre-generated audio in the cloned voice and replayed on calls as if someone were speaking.

Even more effective is real-time voice transformation. Here, the voice is cloned using the same methods, but instead of using a basic TTS soundboard to generate replies, attackers use a technique called voice masking that simply disguises their real-time vocal responses as if in a genuine conversation.

For helpdesk professionals, this is a serious problem, and the situation could become even more challenging if real-time impersonation, where AI is doing all the work and responds live to the target using a cloned voice profile, is perfected.

Boosting protection

So, how can helpdesks be protected from these increasingly effective tactics and technologies? One of the first steps should be to review verification policies and remove any reliance on publicly available data, such as names, job titles, dates of birth, etc, to verify callers. Instead, helpdesks should use unique, employee-specific identifiers or passphrases that can’t be found online.

Another effective preventive measure is to introduce three-way verification for sensitive actions, such as requiring a quick video check with the caller’s line manager to confirm their identity. This alone can cause attackers to abandon their efforts and alert the organisation that their helpdesk is being targeted.

Ideally, helpdesk requests should be subject to the same robust verification and logging used in customer-facing environments, such as multi-factor caller checks, call recording, and automatic logging of all credential resets or MFA changes. Enhanced training also plays an important role, with scenario-based exercises or “pretend” social-engineering drills demonstrating what a modern vishing call sounds like. Organisations should also review and update their incident response processes, include vishing in playbooks, and ensure staff know how to report and escalate suspicious calls.
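
As an added illustration (not from the article or from Six Degrees), the sketch below turns the verification and logging recommendations above into a pre-action check on helpdesk requests. The field names, factor labels, action names and sample tickets are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumption: attributes treated as publicly discoverable (the article's examples).
PUBLIC_FACTORS = {"name", "job_title", "date_of_birth"}
# Assumption: actions treated as sensitive enough to need a third party.
SENSITIVE_ACTIONS = {"mfa_reset", "password_reset", "temporary_access"}

@dataclass
class HelpdeskRequest:
    ticket: str
    user: str
    action: str
    factors: frozenset               # what the agent used to verify the caller
    manager_confirmed: bool = False  # three-way check with the line manager done
    call_recorded: bool = False

def review(req):
    """Return policy findings; an empty list means the action may proceed."""
    findings = []
    if not (req.factors - PUBLIC_FACTORS):
        findings.append("no non-public verification factor")
    if req.action in SENSITIVE_ACTIONS and not req.manager_confirmed:
        findings.append("no three-way confirmation")
    if not req.call_recorded:
        findings.append("call not recorded")
    return findings

def audit(requests):
    """Log every request, allowed or denied, so resets are always traceable."""
    log = []
    for r in requests:
        findings = review(r)
        log.append({"ticket": r.ticket, "user": r.user, "action": r.action,
                    "decision": "deny" if findings else "allow",
                    "findings": findings})
    return log

# Constructed sample requests (not real tickets or users).
SAMPLE = [
    HelpdeskRequest("HD-1001", "a.example", "mfa_reset",
                    frozenset({"name", "date_of_birth"}), call_recorded=True),
    HelpdeskRequest("HD-1002", "b.example", "password_reset",
                    frozenset({"name", "passphrase"}), True, True),
    HelpdeskRequest("HD-1003", "c.example", "temporary_access",
                    frozenset({"employee_identifier"}), call_recorded=True),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

Denied entries are written to the same log as allowed ones, so repeated failed attempts against one account remain visible for escalation.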

Andy Swift is Cyber Security Assurance Technical Director at Six Degrees

Main image courtesy of iStockPhoto.com and Andrey Zhuravlev

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543