Threat Intelligence

Voice Phishing (Vishing) Simulation: Testing the Phone Attack Vector

PhishIQ Team | March 10, 2026 | 6 min read

Voice phishing, or vishing, has been transformed by AI voice cloning technology. In 2026, threat actors can clone a person's voice from as little as three seconds of audio, producing synthetic speech that is nearly indistinguishable from the real person. This capability has made vishing attacks dramatically more convincing: an employee who receives a phone call that sounds exactly like their CEO is far more likely to comply with an urgent request than one who receives a suspicious email. The FBI reported that voice-based social engineering attacks increased by over 200 percent in 2025, with losses from vishing-facilitated fraud exceeding $1.2 billion. Despite these statistics, fewer than 8 percent of organizations include voice phishing in their security awareness programs.

How Do Modern Vishing Attacks Work?

Modern vishing attacks combine AI voice cloning with social engineering techniques refined over decades of phone fraud. The attacker identifies a target and the person they will impersonate, typically a senior executive, IT administrator, or trusted vendor contact. They obtain samples of that person's voice from earnings calls, conference presentations, YouTube videos, or social media. The AI model generates a voice clone that matches the impersonated person's speech patterns, tone, and cadence. The attacker then calls the target using a spoofed caller ID and conducts a live conversation using the cloned voice, requesting wire transfers, credential resets, or sensitive information disclosure. The most sophisticated attacks use real-time voice conversion, allowing the attacker to speak naturally while the AI transforms their voice into the impersonated person's voice with minimal latency.

How Do You Build a Vishing Simulation Program?

Vishing simulations are more resource-intensive than email-based simulations because they require live phone interactions. Start by defining the scope: test a representative sample of employees each quarter rather than attempting to call every employee monthly. Use trained simulation operators who follow scripts designed to mimic real vishing techniques: urgency, authority, and requests for specific actions. Common scenarios include IT support requesting credentials for a system migration, a senior executive requesting an urgent wire transfer, a vendor requesting payment information updates, and HR requesting employee verification data. Track whether employees comply with the request, ask verification questions, transfer the call to security, or refuse and report. After each simulation call, provide immediate educational feedback and document the interaction for compliance and training purposes.
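The outcome tracking described above can be summarized per scenario as in the following added example, which is not PhishIQ's code. The call log, the scenario and outcome labels, and the use of a Wilson score interval (added here because a quarterly sample is small, so the compliance rate carries wide uncertainty) are assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# The four outcomes the article says to track for each simulation call.
OUTCOMES = ("complied", "asked_verification",
            "transferred_to_security", "refused_and_reported")

# Constructed sample log (not real data): (employee_id, scenario, outcome).
CALLS = [
    ("e01", "it_support_credentials", "complied"),
    ("e02", "it_support_credentials", "asked_verification"),
    ("e03", "it_support_credentials", "complied"),
    ("e04", "it_support_credentials", "refused_and_reported"),
    ("e05", "it_support_credentials", "transferred_to_security"),
    ("e06", "executive_wire_transfer", "asked_verification"),
    ("e07", "executive_wire_transfer", "refused_and_reported"),
    ("e08", "executive_wire_transfer", "refused_and_reported"),
    ("e09", "executive_wire_transfer", "transferred_to_security"),
]

def wilson_interval(k, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for k hits in n calls."""
    if n == 0:
        return (0.0, 1.0)  # no calls made: the rate is unknown
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def summarize(calls):
    """Per-scenario outcome counts and compliance rate with its interval."""
    by_scenario = defaultdict(Counter)
    for _employee, scenario, outcome in calls:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {outcome!r}")
        by_scenario[scenario][outcome] += 1
    report = {}
    for scenario, counts in by_scenario.items():
        n = sum(counts.values())
        report[scenario] = {
            "calls": n,
            "counts": {o: counts[o] for o in OUTCOMES},
            "compliance_rate": counts["complied"] / n,
            "compliance_ci95": wilson_interval(counts["complied"], n),
        }
    return report
```

With only four calls and no one complying, the upper bound on the true compliance rate is still close to 49 percent, so a single clean quarter for a scenario is weak evidence that the scenario is handled well.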

What Training Should Accompany Vishing Simulations?

Vishing training should focus on verification procedures rather than voice recognition, since AI voice cloning makes it unrealistic to expect employees to detect fake voices by ear. Train employees to always verify urgent requests through a separate, trusted channel: hang up and call the person back at a known number, not the number that appeared on caller ID. Establish a clear policy that no one, including the CEO, will request wire transfers, credential changes, or sensitive data disclosures over the phone without following the established verification protocol. Make clear that questioning a caller's identity is expected and encouraged, regardless of who they claim to be. Role-playing exercises that let employees practice refusing and redirecting suspicious calls build the confidence needed to apply these skills under pressure.

How Do Vishing Simulations Complement Your Overall Program?

Vishing simulations complete the multi-vector testing picture alongside email, SMS, and QR code phishing. Organizations running multi-channel simulation programs see the most comprehensive view of their human risk exposure because different employees are vulnerable to different channels. An employee who consistently identifies email phishing may be completely unprepared for a convincing phone call from a cloned voice. By testing across all vectors, you identify and address vulnerabilities that single-channel programs miss entirely. For guidance on building a comprehensive multi-channel simulation strategy, see our guides on SMS phishing simulation and QR code phishing simulation.
