Phishing moved to the phone. A calm, confident voice claiming to be your bank or your IT provider can get past defenses that an email never would. Here is how voice scams work and how to shut them down.
We've all learned to be a little wary of suspicious emails. A phone call is different. A real voice — calm, polite, confident — carries a kind of trust that text never does. Attackers know this, which is why so many scams have moved to the phone. Voice phishing, or vishing, is social engineering delivered by a human you can hear, and it can talk people past defenses an email would never beat.
Why the phone works so well
On a call, the attacker controls the pace. They can react to your hesitation, answer your questions, project authority, and apply gentle pressure in real time. They can also spoof the number on your caller ID so it shows your bank's real name or a local area code. To you, everything looks and sounds legitimate before the person even speaks.
The phone also removes your usual checkpoints. There's no link to hover over, no sender address to inspect, no spam filter standing between you and the message. It's just a conversation — and conversations make us want to be helpful and agreeable.
The calls that hit small businesses
A few scripts come up over and over:
- "This is your bank's fraud department." They've spotted suspicious activity and need to verify your account — or move your money to a "safe" account to protect it. The pressure is fear, and the goal is your credentials or a transfer.
- "This is Microsoft / your IT support." They've detected a problem on your computer and need remote access to fix it, or need you to read back a code. The goal is access to your systems.
- "This is a supplier / the tax office / a courier." A routine-sounding reason to confirm details, make a quick payment, or update an account.
- The callback trap. An email or voicemail tells you to call a number about a charge or a refund. You call, so it feels like your idea — but it's the attacker's number, and now you're in their script.
The most advanced versions use AI to clone a familiar voice, so the call can sound like a colleague or even the owner. The defense, fortunately, is the same regardless of how convincing the voice is.
The one rule that ends a vishing call
Hang up and call back on a number you already trust. Not the number that called you, not a number they give you, not a number from a search result they suggest. The number on your bank card, your saved contact for your IT provider, the official number on a statement you already have.
This works because the entire attack depends on the attacker controlling the channel. The moment you reach out through a contact you established yourself, their story has nowhere to go. A real bank, a real supplier, and a real IT provider will all be completely fine with you calling them back to confirm.
Make it a team-wide reflex
Vishing usually targets whoever answers the phone or handles money — reception, finance, the owner. So the habit has to live with them, not just in a policy document. A few things that help:
- Agree that no one is ever in trouble for hanging up to verify. Removing that social pressure is the whole game.
- Never read back a code, password, or full account number to an inbound caller. Legitimate organizations don't ask for these on a call they initiated.
- Treat "move your money to a safe account" as a guaranteed scam. No real bank ever asks this.
- Decide your verification numbers in advance — the saved, trusted contacts for your bank, your IT provider, and your key suppliers — so nobody has to find one mid-call.
Phones aren't going away, and neither is this attack. But a single calm reflex defeats it.
A vishing call often aims to get into your Microsoft 365 or your money, so the damage depends on what's waiting behind the door. Tenant Strike checks those settings in read-only mode — whether multi-factor authentication would stop a handed-over password, whether one approval could grant too much, whether forwarding rules could hide an intruder — and shows you, in plain terms, where a convincing phone call would hurt most.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.