By Ryan Windt | Head of Growth Marketing | Updated June 2026
Most security programs are built to stop attacks that arrive by email or through software. Vishing works because it arrives by phone, where there is no spam filter, no link to scan, and no attachment to detonate in a sandbox. Just a human voice, a plausible story, and a target who wants to be helpful.
Voice-based social engineering has become one of the most effective ways attackers get past defenses that took years and real money to build. It was central to some of the largest enterprise breaches of the last few years, and it is now a routine tactic against businesses of every size. This post explains how vishing and callback phishing actually work, why they walk right past multi-factor authentication, and where your cyber insurance policy does and does not respond.
A note on scope: this post covers human-operated voice phishing. For attacks using AI-generated or cloned voices, see Deepfake Fraud and Cyber Insurance and AI-Assisted Social Engineering.
What Vishing and Callback Phishing Actually Are
The two terms describe related but distinct techniques.
Vishing (voice phishing) is social engineering conducted over a phone call. An attacker calls an employee, impersonates someone with authority or a reason for urgency (an executive, an IT technician, a vendor, a bank) and manipulates the target into revealing credentials, approving access, or moving money.
Callback phishing is a hybrid that starts with a benign-looking email and pivots to the phone. The email contains no malicious link or attachment, which is exactly why it slips past email security. Instead it includes a phone number and a reason to call: a fake invoice, a subscription about to renew, a security alert. When the victim calls, a live attacker on the other end walks them through “resolving” the issue, which usually means installing remote-access software or handing over credentials.
The shared insight behind both techniques is simple: it is far easier to manipulate a person in real time than to defeat a well-configured technical control.
Why It Bypasses MFA: The Help-Desk Attack
The most damaging version of vishing does not target rank-and-file employees. It targets the IT help desk.
Here is the pattern that has driven some of the most significant intrusions in recent years. An attacker calls the help desk impersonating a legitimate employee, often one whose details they have researched in advance. They claim to be locked out, to have a new phone, or to be traveling. They ask the help desk to reset the account password or, critically, to re-enroll multi-factor authentication on a device the attacker controls.
If the help desk verifies identity weakly, by asking for information an attacker can easily find or guess, the reset goes through. At that point the attacker has a valid credential and a valid MFA token. Every dollar spent on MFA is now working for the attacker, because the authentication is legitimate. This is the technique behind the MGM and Caesars attacks, and it is why underwriters have started asking specifically about help-desk identity-verification procedures.
The lesson underwriters took from these incidents is that MFA is necessary but not sufficient. The reset and recovery process is now part of your attack surface, and it is a human process, not a technical one.
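The reset-and-recovery sequence described above does leave a trail in identity-provider audit logs: a help-desk-initiated MFA reset, then a factor enrollment and a sign-in from a device the account has never used. The following Python detector is an added example, not code from the original post or any vendor; it runs over a handful of constructed audit events, and the pipe-separated log format, the action names, the field names and the 30-minute window are all assumptions chosen for illustration.

```python
"""Flag help-desk MFA resets that are quickly followed by a factor enrollment
and sign-in from a device the account has never used before.

Assumptions (constructed for this example, not a real vendor schema):
  log line format: ts|action|actor|target|src_ip|device_id
  actions used:    login.success, helpdesk.mfa_reset, mfa.enroll
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str      # what happened
    actor: str       # who did it (help-desk agent or the user)
    target: str      # account affected
    src_ip: str
    device_id: str


# Constructed sample audit log. jdoe's reset is followed by enrollment and
# login from an unseen device; mlee's reset is followed by activity from a
# device mlee already used, which is the benign "new phone" case.
SAMPLE_LOG = [
    "2026-06-02T09:01:00Z|login.success|jdoe|jdoe|203.0.113.10|dev-laptop-17",
    "2026-06-02T09:05:00Z|login.success|mlee|mlee|203.0.113.11|dev-laptop-22",
    "2026-06-03T14:02:00Z|helpdesk.mfa_reset|helpdesk_agent3|jdoe|10.0.5.4|svc-helpdesk",
    "2026-06-03T14:04:00Z|mfa.enroll|jdoe|jdoe|198.51.100.77|dev-unknown-9f",
    "2026-06-03T14:06:00Z|login.success|jdoe|jdoe|198.51.100.77|dev-unknown-9f",
    "2026-06-03T15:00:00Z|helpdesk.mfa_reset|helpdesk_agent1|mlee|10.0.5.4|svc-helpdesk",
    "2026-06-03T15:10:00Z|mfa.enroll|mlee|mlee|203.0.113.11|dev-laptop-22",
    "2026-06-03T15:12:00Z|login.success|mlee|mlee|203.0.113.11|dev-laptop-22",
]


def parse_line(line: str) -> Event:
    """Parse one pipe-separated audit line into an Event."""
    ts, action, actor, target, src_ip, device = line.strip().split("|")
    # Normalise the trailing Z so older Python versions parse it as UTC too.
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 action, actor, target, src_ip, device)


def baseline_devices(events, user, before):
    """Devices the account signed in from successfully before `before`."""
    return {e.device_id for e in events
            if e.action == "login.success" and e.target == user and e.ts < before}


def detect_helpdesk_takeover(events, window=timedelta(minutes=30)):
    """Return one alert per help-desk MFA reset that is followed, within
    `window`, by both an MFA enrollment and a successful login from a device
    absent from the account's pre-reset baseline."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for reset in (e for e in events if e.action == "helpdesk.mfa_reset"):
        user = reset.target
        known = baseline_devices(events, user, reset.ts)
        followups = [e for e in events
                     if e.target == user and reset.ts < e.ts <= reset.ts + window]
        new_enroll = [e for e in followups
                      if e.action == "mfa.enroll" and e.device_id not in known]
        new_login = [e for e in followups
                     if e.action == "login.success" and e.device_id not in known]
        if new_enroll and new_login:
            alerts.append({
                "user": user,
                "agent": reset.actor,          # which agent approved the reset
                "reset_at": reset.ts.isoformat(),
                "new_device": new_enroll[0].device_id,
                "new_ip": new_enroll[0].src_ip,
                "minutes_to_login": (new_login[0].ts - reset.ts).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover([parse_line(l) for l in SAMPLE_LOG]):
        print(alert)
```

The alert carries the agent who approved the reset, so the follow-up is a review of how that agent verified the caller, which is exactly the procedure underwriters are asking about. In a real deployment the baseline would come from weeks of sign-in history rather than two lines, and a device that is genuinely new but verified out of band should be recorded as such so the rule can treat it as benign.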
Why These Attacks Are So Effective
- No technical indicator to catch. A phone call generates no email header to analyze, no URL to block, no file to scan. Most security stacks are blind to it.
- They exploit helpfulness. Help desks and customer-facing staff are trained and incentivized to resolve problems quickly. Attackers weaponize that.
- Urgency and authority short-circuit judgment. “This is the CFO, I need this wire released before the bank closes” pressures people into skipping verification.
- Research makes them convincing. Attackers harvest names, titles, and reporting structures from social media and breach data before they ever call.
- They scale. Callback phishing campaigns blast thousands of emails; the phone stage only engages the people who take the bait, concentrating attacker effort on the most vulnerable.
Where Cyber Insurance Responds
This is where businesses get surprised. A vishing attack can lead to several very different kinds of loss, and each may fall under a different coverage part, often with a different sublimit.
| What the attack leads to | Coverage that typically responds |
|---|---|
| Employee tricked into wiring funds | Social engineering / funds transfer fraud coverage |
| Attacker gains network access, deploys ransomware | Cyber extortion and business interruption |
| Credentials stolen, data exfiltrated | Privacy / breach response and third-party liability |
| Fraudulent vendor payment via spoofed call | Social engineering fraud, often a separate sublimit |
| Account takeover leading to further BEC | Funds transfer fraud and/or BEC coverage |
The most important thing to understand is that social engineering and funds transfer fraud are frequently sublimited, meaning they are capped well below your full policy limit. A policy with a $2 million limit might cap social engineering losses at $250,000. If a vishing attack convinces an employee to wire $500,000, the sublimit, not the headline limit, is what matters. See Cyber Insurance Sublimits Explained and Social Engineering and Funds Transfer Fraud Coverage for how these caps work.
There is also a recurring coverage dispute worth knowing about. Some carriers argue that a voluntary transfer induced by social engineering is not “computer fraud” in the traditional sense, which is exactly why dedicated social engineering coverage exists and why its presence and limit matter so much. For how this plays out in email-based fraud, the closely related Business Email Compromise post covers the same coverage tension.
Where the Gaps Are
- Inadequate sublimits. The single most common gap. Full limit looks reassuring; the social engineering sublimit is what actually applies.
- Verification requirements as conditions. Some policies require documented call-back verification before a wire to pay a social engineering claim. Fail to follow your own procedure and the claim can be contested.
- The “voluntary transfer” argument. Without explicit social engineering wording, a carrier may deny a fraud that the employee technically authorized.
- Help-desk-driven access events. When vishing leads to network access rather than a direct wire, the loss can shift into extortion or breach coverage, which behave very differently. Knowing which part responds before an incident matters.
What Underwriters Now Ask About
Voice and help-desk social engineering has changed what the insurance application asks for. Increasingly underwriters want to see:
- Strong help-desk identity verification, ideally something an attacker cannot easily obtain, before any password or MFA reset.
- Out-of-band verification (call-back) procedures for any change to payment instructions or any funds transfer above a threshold.
- MFA re-enrollment controls that prevent a single help-desk call from handing over an account.
- Employee training that specifically covers voice and callback pretexts, not just email phishing.
- Defined escalation paths for urgent or executive requests that ask to bypass the normal process.
Documenting these controls strengthens your submission. For the broader control picture, see the security controls hub, and for the MFA side specifically, MFA and Cyber Insurance.
Frequently Asked Questions
Is vishing covered by cyber insurance? Often yes, but the relevant coverage depends on the outcome. A fraudulent wire falls under social engineering or funds transfer fraud coverage, frequently sublimited. Network access leading to ransomware falls under extortion and business interruption. Confirm both the coverage and the sublimit.
How is callback phishing different from regular phishing? Regular phishing tries to get you to click or open something. Callback phishing contains no malicious link or attachment, just a phone number and a pretext, so it bypasses email security and moves the attack to a live phone call.
Why doesn’t MFA stop these attacks? Because the attacker doesn’t defeat MFA technically. They convince a help desk to reset or re-enroll it on a device they control, producing a fully legitimate login. The weakness is the human recovery process, not the MFA itself.
What is the single best defense? Strong, documented identity verification at the help desk, combined with out-of-band call-back verification for any funds transfer or payment-instruction change. These controls also align with what underwriters now expect.
Related Resources
- Quishing and Cyber Insurance: How QR Code Phishing Works
- AiTM Phishing Is Breaking MFA: What Underwriters Now Want to Know
- AI-Assisted Social Engineering and Cyber Insurance
- Social Engineering and Funds Transfer Fraud Coverage
- Business Email Compromise and Cyber Insurance
- Cyber Insurance Sublimits Explained
Vishing succeeds precisely because it sidesteps the technical defenses most businesses rely on, and it lands in the corner of your policy most likely to be sublimited or contested. The fix is two-sided: tighten the human procedures attackers exploit, and confirm your social engineering coverage and sublimit are sized to your real exposure. If you want a review of how your current policy would respond to a voice-based fraud, get in touch with our team.