Voice Phishing
Voice phishing is fraud conducted over a voice channel (phone call, VoIP, voicemail). It is the phone-call counterpart to email phishing: an attacker impersonates a trusted party (bank, government agency, colleague, family member) and uses social engineering to get the target to transfer money, reveal credentials, or take an action they would not take if they knew who was actually calling.
The terms voice phishing and vishing refer to the same thing. Regulators, academic papers, and older security literature tend to use the full phrase; industry practitioners use the contraction.
Why it's different in 2026
Pre-AI voice phishing relied on (1) a spoofed caller ID, (2) urgency framing, and (3) a skilled human caller. The technology available to the attacker was ordinary telephony.
Since 2023, voice cloning has collapsed the "skilled human caller" constraint. A 30-second reference clip — scraped from LinkedIn video, a podcast, a public keynote — is enough to produce a convincing synthetic voice. The attacker becomes, for the purposes of the call, the person they're impersonating.
This is what the Arup $25.6M incident demonstrated publicly in early 2024, and what the Biden New Hampshire robocall showed at scale in the same weeks. Dozens of smaller banking, insurance, and executive-impersonation cases have repeated the pattern since, most of which are never named publicly.
Categories of voice phishing
- Consumer fraud. "This is your bank — your card is being compromised right now, we need to move your money to a safe account." Millions of calls per year, disproportionately targeting the elderly.
- CEO / wire fraud. "This is the CFO. Approve this transfer to the new supplier before close of business." See Arup, WPP attempt, Ferrari attempt.
- Credential harvest. "This is IT, we need your password to fix an issue right now." Common against help desks and junior employees.
- Family emergency scams. "Grandma, I'm in jail in Mexico, I need bail money." The voice-cloned version needs only about 20 seconds of the grandchild's social-media audio.
- Investment / romance scams. Longer-running relationships where the voice is part of the trust build.
The defender's playbook
Organizations with measurable risk should layer three defenses:
- Out-of-band verification policy. No financial authorization can be approved on the strength of a voice call alone. The control is a callback on a known-good number, looked up independently of the call. WPP's case shows it works.
- Real-time audio deepfake detection integrated into call routing for banks, telcos, and large contact centers. See the banking playbook.
- Consumer training. Voice-phishing success rates are highest among consumers who don't know voice cloning exists. Awareness campaigns and bank-side alerts on suspicious outbound transfers move the needle.
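The out-of-band rule can be expressed as a simple policy gate. This is a minimal sketch, not a real implementation; all names here (`PaymentRequest`, `KNOWN_GOOD_NUMBERS`, `approve`) are hypothetical, and a real deployment would hang this check off the payment-approval workflow:

```python
from dataclasses import dataclass

@dataclass
class PaymentRequest:
    requester: str            # who the caller claims to be
    amount: float
    callback_confirmed: bool  # was the request re-confirmed by callback?
    callback_number: str      # number the callback was actually placed to

# Directory of known-good numbers, populated from HR / vendor records,
# never from the inbound call itself.
KNOWN_GOOD_NUMBERS = {
    "cfo": "+1-555-0100",
    "supplier-acme": "+1-555-0142",
}

def approve(req: PaymentRequest) -> bool:
    """Approve only if the request was re-confirmed out of band,
    on the directory number rather than one the caller supplied."""
    known_good = KNOWN_GOOD_NUMBERS.get(req.requester)
    if known_good is None:
        return False  # unknown requester: escalate to a human
    return req.callback_confirmed and req.callback_number == known_good

# A voice-only request is rejected no matter who it claims to be:
assert not approve(PaymentRequest("cfo", 25_600_000, False, ""))
# The same request, re-confirmed via callback on the known-good number, passes:
assert approve(PaymentRequest("cfo", 25_600_000, True, "+1-555-0100"))
```

The key design choice is that the callback number comes from the organization's own directory, so a caller who dictates "call me back on this number to verify" gains nothing.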
Related reading
- Vishing — short-form synonym, same concept
- Smishing vs vishing
- Voice cloning — the underlying technology
- Banking deepfake detection
- How to survive a deepfake scam call
Check a suspicious call
If you have a recording of a suspicious call, run it through the free audio detector — upload the file, get a verdict and a per-timestamp explanation within a few seconds.