Voice Phishing (Vishing) Is Bypassing MFA
Voice phishing attacks now bypass multi-factor authentication, risking company, healthcare, and financial data in record-breaking cyber breaches.
Details
- Voice phishing (vishing) is one of the fastest-growing tactics in cybercrime: attackers phone employees and talk them into reading out passwords and one-time MFA codes while the call is still in progress.
- Attackers impersonate IT support or trusted contacts, using urgent scenarios and real-sounding scripts to build trust quickly.
- In August 2025, vishing campaigns were linked to breaches at major organisations, including companies' Salesforce CRM tenants, healthcare groups, and staffing agencies. The attackers got past MFA not by breaking it but by having the victim supply a valid code during the call.
- Because the code the victim hands over is genuine, the attacker completes the MFA check as if they were the legitimate user and gains access to cloud platforms, CRM systems, and sensitive internal data without exploiting a single software flaw.
- Security teams advise organisations to train staff to recognise voice-based threats, to verify every caller's identity through an independent channel, and never to share MFA codes, even with someone claiming to be IT support.
- Vishing shows that ongoing employee education and strict voice verification procedures are as necessary as technical controls, because a well-built defence can still be undone by a persuasive phone call.
How to Avoid Voice Phishing
To thwart voice phishing (vishing) and limit its impact, organisations need both technical controls and procedural safeguards. Some security platforms now offer voice analytics and anomaly detection that assess caller behaviour, flag unusual patterns, and alert teams to possible social engineering while a call is still in progress. Feeding call metadata and help-desk ticket activity into a SIEM (Security Information and Event Management) system lets suspicious call-then-change sequences be detected, for example a help-desk request followed minutes later by an MFA reset from an unfamiliar network, so the new access can be cut off before the attacker uses it.
Call authentication measures, such as unique caller verification codes, pre-shared security tokens, or a secure callback to the number on file, establish a caller's legitimacy before any account change is made; the help desk should never reset MFA on the strength of an inbound call alone. On the identity side, the most effective control is phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys): there is no code for the victim to read out and the credential is bound to the legitimate site, so it cannot be relayed by a caller the way SMS, voice, or app-generated one-time codes can. Conditional access policies add a further layer if a password is compromised, and adaptive multi-factor authentication can step up verification when high-risk activity is detected.
Technology alone is not enough, however. Ongoing employee training remains essential: run simulated vishing calls, teach staff that no legitimate IT contact will ever ask for an MFA code over the phone, and provide a clear, penalty-free way to report suspicious calls. Organisations should also keep contact directories current and encourage staff to hang up and call back on a number they look up themselves rather than one the caller supplies. In short, combine detection with verified procedures and alert people to stop vishing before it does damage.
LuwakTech provides end-to-end cybersecurity that hardens your apps, cloud, and network—covering risk assessments, penetration testing, and secure SDLC/DevSecOps.
Our Managed Detection & Response pairs SIEM/SOAR with 24/7 monitoring and rapid incident response.
AppSec services include SAST/DAST, API security, code reviews, and threat modeling to stop vulnerabilities early.
We tackle the human layer with email authentication (SPF/DKIM/DMARC), simulated phishing and vishing campaigns, and role-based cyber awareness training.
Compliance & governance support spans ISO 27001, SOC 2, and PCI-DSS, plus zero-trust designs and ransomware readiness.
👉 Contact us at connect@luwaktech.com or visit luwaktech.com.