From robocalls to AI voice deepfakes
Vishing attacks are on the rise, with CrowdStrike’s 2025 Global Threat Report finding that these attacks increased by 442% between the first and second halves of 2024.

Phone call attacks – and defenses – have evolved well past the run-of-the-mill cold call and robocall scams that have been around for decades, although these tactics continue to proliferate along with caller ID spoofing.

Malicious callers use various social engineering techniques, leveraging excitement (“You won a free cruise!”), fear (“This is the IRS”) and impersonation (“This is your IT department”) to convince victims to give up sensitive information or money.

Number spoofing makes calls appear as though they are coming from legitimate sources such as toll-free numbers, or from someone with the same area code as the victim, a tactic known as neighbor spoofing. More targeted attacks may even spoof the number of a coworker, family member or C-suite executive.

Most recently, AI-generated voice deepfakes have made it easier for cybercriminals to pull off impersonation scams. “With just about five minutes of publicly available audio – think about podcast recordings, YouTube videos, any interviews that [are] publicly available – you can grab that, roll that into an AI engine and you can create a very, very good deepfake voice that then you can script for any type of attack schemes that you need,” McDonald said.

Attackers can not only create deepfake clones of employees, executives, celebrities, victims’ family members and more, but they can also use real-time AI audio masking to imitate voices live on an interactive call. McDonald noted this is commonly used to mask accents and imitate local dialects to better convince victims that a call is coming from someone local to them.

With the rise of deepfakes – and large language models (LLMs) making it even easier for attackers to research victims and impersonation targets – it is becoming even more important for vishing defenses to go beyond employee training and awareness.
How to take vishing prevention to the next level
Mutare’s Voice Threat Survey 2024 found that while 94% of respondents believed voice attack defenses should be added to cyber strategy, only 59% were aware of the technical solutions available to block these attacks.

Northrop noted that while everyone in the audience likely has a network firewall deployed, few organizations make the same investment in voice firewalls. “You don’t even want the phone to ring” when a malicious caller targets your organization, Northrop said. “That’s what this voice firewall does.”

To prevent vishing calls and spam from ever reaching a target’s phone, voice firewalls perform several checks, including phone number reputation and validation lookups, and voice CAPTCHAs to thwart robocallers. Users can also whitelist and blacklist certain phone numbers or geolocations for both incoming and outgoing calls.

Organizations can also take advantage of security features often made available by phone carriers, notably call labeling (where suspicious numbers are automatically labeled as possible spam on caller ID) and the STIR/SHAKEN protocol, an FCC-mandated framework that carriers use to validate, certify and attest, using a scoring system, that a call came from a specific phone number. Northrop urged organizations to request STIR/SHAKEN data for their incoming calls from their carrier, as voice firewalls can use this data to better respond to and block spoofed calls.

Many large carriers also offer free phone number reputation services, which Northrop says organizations should take advantage of to ensure their phone numbers aren’t being frequently spoofed.

In addition to voice firewalls, organizations can add further layers of defense, including caller authentication and real-time fraud detection.

Caller authentication, which takes place after a call passes the voice firewall and is picked up by an interactive voice response (IVR) system, can include multi-factor authentication to further validate the caller’s phone number, and voice recognition to verify the caller’s identity. These methods are often used in high-risk industries like financial services and healthcare, and McDonald noted that many modern voice recognition systems can even detect deepfakes.

For more advanced analysis, however, fraud detection services that fork, record and analyze calls that have already reached the target agent can catch additional signs of vishing in real time. “These systems can analyze the call pattern, use heuristics to match the signature of the call and within five seconds are about 95% accurate to identify deepfakes,” McDonald said. “Some of them can even identify exactly which tool created the deepfake because of the signatures.”

Such systems can also use behavioral analysis, track suspicious signals across intelligence networks and provide live feedback to the call agent so they know how to respond.

While not every organization may need this level of detection, there are other steps nearly any organization can take to improve the security of its voice channel.
The presenters urged organizations to ensure their voice channel telemetry is logged and passed to their security solutions, such as their SIEM and XDR, to ensure full attack surface coverage. They also recommend that organizations run vishing tests in addition to their email phishing tests, because “you can never do enough training,” Northrop said. “You would be shocked as to how many of your employees are going to fail this,” Northrop noted.
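To make the layered voice-firewall checks and the telemetry recommendation concrete, here is an added example (not code from the article or from any product it mentions) of a policy that consumes the carrier's STIR/SHAKEN verification result and attestation level alongside a reputation score and allow/block lists, and emits each decision as a JSON line for the SIEM. The list contents, thresholds and sample numbers are constructed; the verstat values and the A/B/C attestation levels are the ones STIR/SHAKEN defines.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed policy values; a real voice firewall loads these from its configuration.
ALLOW_LIST = {"+15551230001"}          # trusted partner line (constructed)
BLOCK_LIST = {"+15559990000"}          # number seen in a prior vishing campaign (constructed)
BLOCKED_PREFIXES = {"+1900"}           # geographic/prefix block rule (constructed)
CHALLENGE_SCORE, BLOCK_SCORE = 40, 80  # reputation thresholds: 0 = clean, 100 = known bad (constructed)

@dataclass
class InboundCall:
    caller_tn: str           # E.164 caller number from the SIP From / P-Asserted-Identity header
    verstat: str             # carrier verification result: TN-Validation-Passed, TN-Validation-Failed
                             # or No-TN-Validation (the terminating carrier verifies the PASSporT signature)
    attest: Optional[str]    # PASSporT 'attest' claim: A (full), B (partial), C (gateway); None if unsigned
    reputation: int          # score returned by a number-reputation lookup

def evaluate_call(call: InboundCall) -> dict:
    """Apply the layered checks in order and return the decision plus a telemetry record."""
    if call.caller_tn in BLOCK_LIST:
        decision, reason = "block", "block_list"
    elif call.caller_tn in ALLOW_LIST:
        decision, reason = "allow", "allow_list"
    elif call.verstat == "TN-Validation-Failed":
        # The carrier's signature check failed: the strongest spoofing signal available before the ring.
        decision, reason = "block", "stir_shaken_validation_failed"
    elif any(call.caller_tn.startswith(p) for p in BLOCKED_PREFIXES):
        decision, reason = "block", "blocked_prefix"
    elif call.reputation >= BLOCK_SCORE:
        decision, reason = "block", "reputation"
    elif (call.attest == "A" and call.verstat == "TN-Validation-Passed"
          and call.reputation < CHALLENGE_SCORE):
        decision, reason = "allow", "full_attestation_clean_reputation"
    else:
        # Partial/gateway attestation or an unsigned call is not proof of spoofing, so the caller
        # is routed to a voice CAPTCHA before the phone rings rather than being dropped outright.
        decision, reason = "challenge", "weak_attestation_or_reputation"
    return {"event": "voice_firewall_decision", "decision": decision, "reason": reason, **asdict(call)}

def telemetry_line(event: dict) -> str:
    """Serialise one decision as a JSON line for forwarding to the SIEM/XDR pipeline."""
    return json.dumps(event, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample calls: a known-bad number, a fully attested clean call, a gateway-attested call.
    for call in (InboundCall("+15559990000", "TN-Validation-Passed", "A", 5),
                 InboundCall("+15552224444", "TN-Validation-Passed", "A", 5),
                 InboundCall("+442079460000", "No-TN-Validation", None, 55)):
        print(telemetry_line(evaluate_call(call)))
```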