voice phishing · help desk social engineering · MFA reset fraud

    July 3, 2026 · 5 min read · By Fensivo Team

    Vishing: the phone fraud that targets your help desk

    The conclusion: the phone bypasses every email control and attacks the person's trust

    The hardest channel to defend today does not arrive by email, it arrives as a phone call. Vishing, meaning voice phishing or fraud by telephone, sidesteps email filters, security gateways and link analysis entirely, because there is no message to inspect. On the other end there is a voice that rushes you, that sounds convincing, and that leans on anyone's natural willingness to help. That is the uncomfortable point: your email defenses, however good, never get a turn when the attack comes in over the phone.

    For years the conversation centered on email, and for good reason. According to CISA, more than 90 percent of successful cyberattacks begin with a phishing email. But that very concentration of defenses on the inbox opened a flank. When email is well protected, the attacker does not give up: they switch channels and dial a number.

    How a vishing attack aimed at the help desk works

    The favorite target of these calls is not just any employee, it is the help desk. The caller impersonates a real person from the company and exploits, with precision, the very purpose of support: to resolve things quickly so people can keep working.


    The script is more handcrafted than it looks. Before dialing, the attacker gathers public details about the person they will impersonate: their role, their department, their manager's name, sometimes information that appears in professional profiles or in earlier leaks. With that they build a believable, urgent story: they lost their phone, they got locked out right before a meeting, they need access restored now. The help desk exists to handle exactly that kind of request, and that is precisely the vulnerability being exploited. No system is broken, a person is convinced. Vishing is a form of social engineering, and it shares the same root as the rest of that family: manipulating trust rather than breaching the machine, the same shift we traced in how AI is reshaping phishing and deepfakes.

    Why resetting MFA and passwords is the goal

    The specific ask on the call is almost always the same: get the agent to reset a password or change the multi-factor authentication (MFA) method, the second factor requested on top of the password. That is the prize, because it hands over full access in two moves.

    Resetting the password opens the first half of the door. Changing the MFA method opens the second. If the attacker gets support to enroll a new device, their own, as the second factor, the protection meant to stop them starts working in their favor. From there they escalate toward email, toward identity systems, and in the fastest cases toward broad privileges within minutes. Once the inbox is theirs, the next step is usually business email compromise (BEC): transfer orders or changes to banking details that go out from a legitimate account and therefore slip by unnoticed. Since much of this begins with data already in circulation, a leaked credential or an exposed email, detecting those exposures early closes part of the flank before the phone ever rings.

    The human factor under the pressure of a live call

    A live call pressures a person in a way that email cannot, and that is the key to why it works. It helps to remember where the risk comes from. Cisco's 90-5-5 framework estimates that around 90 percent of breaches involve a human factor. This is not about careless people or a lapse that a scolding would fix: it is about people doing their jobs, helping someone who sounds legitimate and in a hurry.

    The voice adds something text does not have: it leaves no room to think. It insists, silence feels awkward, and courtesy works against whoever picks up. An email can be reread, forwarded to a colleague, left to sit for five minutes. A call demands an answer now, and that immediacy is precisely the attacker's instrument. That is why the problem is not solved by asking people to be smarter or more suspicious. Under that pressure, almost anyone can give in.

    Defenses: callback verification, an identity protocol, and validation through retest

    An effective defense is not about asking people to distrust every call, it is about taking the decision out of the hands of a person under pressure and putting it into a protocol. When the process decides, the nerves of the moment stop mattering.

    The most concrete measure is callback verification: for any sensitive request (resetting a password, changing an MFA method, enrolling a device) the agent does not resolve it on that same call; they hang up and call back through a channel already on record for that person. CISA recommends this kind of out-of-band verification for any action that touches an account with access to sensitive data, alongside phishing-resistant MFA for privileged accounts. The protocol turns a judgment call into a required step, and that is what an attacker cannot improvise.
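    The callback protocol above, as an added example (not Fensivo's product or code): a small help desk ticket gate that classifies sensitive requests, refuses to finish them on the inbound call, and accepts only a callback to the contact already on record. The directory, phone numbers and action names are constructed for the example.

```python
"""Added example (not Fensivo's code): a help desk ticket gate that requires a
callback to a contact on record before any sensitive identity change is applied."""
from dataclasses import dataclass, field
from enum import Enum

# Requests that must never be resolved on the call that asked for them.
SENSITIVE_ACTIONS = {"password_reset", "mfa_method_change", "device_enrollment"}
# Constructed directory: the only numbers the help desk may call back.
DIRECTORY = {"alice": "+15550100", "cfo": "+15550101"}

class Status(Enum):
    CALLBACK_REQUIRED = "callback_required"
    COMPLETED = "completed"
    DENIED = "denied"

@dataclass
class Ticket:
    user: str
    action: str
    inbound_number: str  # whatever caller ID showed; never used for verification
    status: Status = Status.CALLBACK_REQUIRED
    log: list = field(default_factory=list)

def open_request(user: str, action: str, inbound_number: str) -> Ticket:
    """Classify the request; only non-sensitive work is finished on the inbound call."""
    t = Ticket(user, action, inbound_number)
    if action not in SENSITIVE_ACTIONS:
        t.status = Status.COMPLETED
        t.log.append("non-sensitive: resolved on inbound call")
    elif user not in DIRECTORY:
        t.status = Status.DENIED
        t.log.append("claimed identity has no contact on record")
    else:
        t.log.append(f"{action}: hang up and call back the number on record")
    return t

def complete_after_callback(t: Ticket, dialed: str, identity_confirmed: bool) -> Ticket:
    """Only a callback to the directory number (not one the caller supplied) counts."""
    if t.status is not Status.CALLBACK_REQUIRED:
        return t
    if dialed != DIRECTORY[t.user]:
        t.status, note = Status.DENIED, f"callback to {dialed}, not the number on record"
    elif not identity_confirmed:
        t.status, note = Status.DENIED, "reached number on record but identity not confirmed"
    else:
        t.status, note = Status.COMPLETED, "verified out of band; change applied"
    t.log.append(note)
    return t
```

    The case worth noticing is the caller who asks to be called back "on this number": because the gate dials only the directory entry, that request is denied even when the callback is made.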

    There is a third layer that is almost always missing: confirming that people actually resist the pretext, not just that they attended a talk. This is where the concept of retest earns its place. Training an employee on vishing and calling it done is a comfortable illusion: peer-reviewed evidence shows that completing training does not, on its own, predict a reduction in real failures. What proves someone learned is not finishing the module, it is facing the same type of scenario again weeks later, in a different form, and seeing whether they fall this time. Validating behavior change rather than assuming it is the core idea of human risk management (HRM), and it is what separates a real defense from a checked box.

    At Fensivo we address this use case by combining a realistic simulation of the pretext with later validation: a person who faces an impersonation scenario and then faces it again, weeks later and in a different variant, proves by their actions that they learned the lesson, not that they remembered an email. You can see how we approach it in our use cases.

    If someone called your help desk tomorrow posing as your CFO, how much of the answer would depend on the judgment of the person who picks up, and how much on a protocol that no longer lets them decide alone?

    Human risk is managed automatically.

    Turn human risk into your first line of defense.

    Book a demo

    Free demo · 30 minutes · No commitment