Your phone rings, showing a bank like Maybank, CIMB, or Public Bank. A professional voice claims your account has been accessed and requests immediate verification. The urgency alone can be alarming.
This type of scam, known as voice phishing or vishing, affects thousands of Malaysians daily and is increasingly sophisticated, often using AI to mimic real voices.
In 2025, Malaysia saw RM2.77 billion in scam losses, up 76% from 2024. Phishing made up 77% of fraud cases, and vishing was the most frequent telecom scam, with 28,698 cases costing RM715.7 million.
Awareness is the best defense. Understanding local vishing tactics, such as fake bank alerts or fraudulent e-wallet and DuitNow requests, helps identify suspicious calls. Suspected scams should be reported to your bank, Bank Negara Malaysia, and CyberSecurity Malaysia.
Sources:
- The Star. RM2.77bil lost to financial scams last year, highest in three years, says Home Ministry.
- Malay Mail. Home Ministry: Malaysia’s online fraud surge drains RM2.77b in 2025.
- Lowyat.net. Malaysians Lose RM2.7 Billion From Online Scams, Says CCID.
- NST. Phishing made up 77pct of fraud cases last year.
The Basics of Vishing Attacks
Voice phishing is basically email phishing done over the phone. Except it works better because people trust voices more than emails.
Here’s what most folks don’t realize—these calls aren’t random. Attackers spend weeks preparing before they ever dial your number.
How Attackers Plan Their Strikes
Criminals follow a playbook. They don’t wing it.
They start by collecting your information.
Data breaches happen constantly. Your phone number, email address, bank name, and even partial account numbers are sold on underground forums. Attackers buy this stuff cheaply. Then they check your social media. LinkedIn tells them where you work. Facebook shows your friends and family.
Next, they make themselves sound legit.
Armed with real details about you, they craft a believable story. They may know your credit card ends in 4829. Or they mention your manager, Tom, by name. These specific details make you think the call is real.
Then comes the pressure.
Something bad is happening right this second. Your card has been declined. Someone logged in to your email from Russia. A payment bounced. Whatever it is, you need to fix it immediately.
They go for the prize.
What they really want varies. Sometimes it’s your password. Other times it’s a code texted to your phone. It could be your social security number or approval to move money somewhere.
The attack doesn’t stop when you hang up.
They might email you next. Or text a sketchy link. They could use what you told them to break into your accounts overnight.
What Attackers Want
The primary goals include stealing credentials, gaining system access, and obtaining financial information. Sometimes they want you to install software that gives them control of your computer. Other times, they’re trying to approve a fake wire transfer.
Recent data shows just how common this has become. Seventy percent of organizations experienced a voice phishing attack. These attacks cost organizations an average of $14 million per year (Cyber Defense Magazine, 2025).
The Technology Making It Worse
Artificial intelligence changed everything. Criminals now use AI tools to clone voices. They only need a few minutes of someone’s speech. They might grab audio from a podcast, a YouTube video, or a company presentation.
Some organizations saw voice deepfake attempts affect 30% of their staff in 2024. The technology keeps getting better and cheaper. What used to require expert skills now works with simple software anyone can download.
Architecture Design
Your network topology shapes how branches communicate. Hub-and-spoke designs direct all traffic to a central headquarters, which is easier to manage but creates a single point of failure. Full-mesh topologies allow branches to be directly interconnected to enhance performance, but they also increase complexity.
Most businesses benefit from SD-WAN best practices that automatically route traffic based on performance and availability. Segment your network properly with these zones:
- Staff network – Employee devices and workstations
- Guest Wi-Fi – Visitor access with internet-only permissions
- POS systems – Payment terminals isolated for compliance
- IoT equipment – Cameras, sensors, and smart devices
This segmentation helps identify security threats and makes troubleshooting easier.
Examples of Vishing in Action
Vishing attacks are usually patterned. Unlike hypothetical scenarios, the following examples illustrate real-world attack techniques frequently employed by cybercriminals. These situations underscore how attackers can play on victims from the initial call through attempted exploitation.
Financial Impersonation
Attackers impersonate bank representatives and claim there is suspicious activity on an account. The victim is urged to confirm their identity by giving an OTP or authorizing a transaction. Money is transferred within a few minutes, before the victim suspects anything. Such calls frequently use spoofed caller IDs to appear legitimate.
IT Impersonation: Credential Calls
A caller poses as a member of the company’s IT department, citing a security issue or a system upgrade. The target is asked to verify their login credentials or install remote-access software. Once access has been granted, attackers take sensitive data or install malware.
Executive Impersonation: Internal Approval Bypass
In this strategy, attackers pose as senior executives and pressure workers into making urgent payments or sending confidential files. The caller is persuasive and uses urgency to bypass the normal approval process.
This wasn’t a one-off. Deepfake vishing exploded by over 1,600% in the first quarter of last year compared to late 2024.
The Multi-Channel Attack
These scams often mix phone calls with other methods. An attacker emails you a phone number. When you call it, they convince you to click a link they text you. That link drops malware on your phone.
Or they leave a voicemail demanding you call back urgently. When you do, they walk you through visiting a fake website that looks identical to your bank’s real site. You type in your password, thinking you’re logging in. Instead, you just handed it over.
In each case, the success of the attack relies on urgency, manipulation of trust, and pre-planned dialogues that entice victims to act immediately.
How to Recognize a Vishing Attempt
Spotting these calls before they cause damage is totally doable. You just need to know what to listen for.
Red Flags That Scream Danger
Urgency is the dead giveaway. Real companies give you time. Real banks don’t threaten to lock your account in ten minutes. Real IT departments don’t demand passwords immediately.
Listen for these lines:
- “This is urgent, and I can’t wait.”
- “Your account gets locked in the next 10 minutes.”
- “We need this right now.”
- “Don’t hang up, or we can’t help you.”
Asking for sensitive info over the phone: No legitimate caller wants your password, PIN, or IC Number (MyKad) over a call they initiated. Not your bank. Not the IRS. Not your company’s tech support.
They know too much about you: When callers recite suspiciously detailed information, that’s actually suspicious. They probably bought it from a data breach. Real customer service asks you to verify your identity. They don’t prove themselves by listing your personal details.
Weird payment requests: Gift cards? Cryptocurrency? Wire transfers to random accounts? That’s a scam every single time. Legitimate businesses don’t collect payments this way.
Caller ID lies: The name and number on your screen can be completely fake. It’s called spoofing, and it takes about five minutes to set up. Roughly 70% of scam calls use fake numbers.
How Attackers Manipulate You
Now that you know what scam calls sound like, it’s important to understand why these tactics work, because awareness reduces compliance.
Understanding their mind games helps you resist.
Authority works on almost everyone.
More than 95% of the time, attackers pretend to be someone with power: your boss, a government agent, a bank security officer. People naturally want to cooperate with authority figures. It’s hardwired.
Fear shuts down rational thinking.
They tell you something terrible happened or will happen soon. Your account got hacked. The IRS is charging you with fraud. Someone stole your identity. Fear makes your brain focus on the threat rather than question whether the caller is real.
Social proof makes it seem normal.
Sometimes they mention that “lots of customers” have this same problem. Or “we called everyone in your department.” This makes the situation feel more legitimate.
Reciprocity creates obligation.
The attacker pretends they helped you. They “saved” your account from fraud. They “caught” suspicious activity. You feel like you owe them cooperation in return.
Trust in Authority Figures
When someone says they’re from your bank, insurance company, or IT department, your instinct is to believe them. Society teaches cooperation with official organizations.
This becomes dangerous fast. Attackers use official-sounding titles. They drop real employees’ names. They reference actual company policies.
Cognitive Overload and Multitasking
Victims often comply with vishing requests because their attention is divided or they are already stressed. Handling multiple tasks during an unexpected call reduces critical thinking, increasing the likelihood of following instructions without fully evaluating the situation.
Urgency Overrides Caution
Even when people recognize urgency as a red flag, stress and multitasking still cause compliance. Your window to fix the problem is closing fast. This triggers stress responses that make careful thinking nearly impossible.
Your brain switches from slow, analytical mode to fast, instinctive reactions. That’s exactly what they want. They know if you slow down and think, you’ll catch them.
Awareness Training Gaps
Lots of people get training on suspicious emails, but none on phone scams. Most programs treat vishing like an afterthought. They mention it exists, but don’t prepare anyone to handle actual calls.
We’re trained to question email messages but still wired to trust human voices. That creates a dangerous blind spot.
Overconfidence
People who think they’re too smart to get scammed sometimes become the easiest victims. They assume they’ll recognize obvious signs. But modern vishing attacks aren’t obvious at all.
Younger people who grew up with technology sometimes show more confidence than caution.
How to Protect Yourself from Vishing Attacks
Good news here—simple habits slash your risk dramatically. You don’t need expensive software or tech expertise.
Verify Before You Trust
Never hand over sensitive information to someone who calls you. Doesn’t matter how legit they sound. Doesn’t matter what they know about you.
Tell them you’ll call back using the official number. Then look up that number yourself. Don’t use a number they provide. Don’t hit redial on your recent calls.
For example:
- “Your bank” calls? Hang up and call the number on the back of your card.
- “IT support” calls? Hang up and call your company’s official help desk.
- “The IRS” calls? Hang up and call the IRS directly using the number from their website.
This one step stops almost every vishing attack. Real organizations won’t mind. Scammers usually just hang up.
Use a Call-Back Policy
Make yourself a rule. Any request for sensitive information or urgent action gets verified through a different channel.
Does someone want you to approve a payment? Call them back. Does someone need your password to fix something? Call IT directly. Someone says your account is compromised? Hang up and contact the company yourself.
Enable Multi-Factor Authentication
Multi-factor authentication adds another security layer. Even if a vishing attacker steals your password, they still can’t access your account without the second factor.
Use authentication apps instead of text messages when possible. Texts can be intercepted more easily than codes generated by apps like Google Authenticator or Microsoft Authenticator.
Educate Your Team
If you manage people, invest in real voice phishing training. Don’t just send an email about it. Run simulations. Have someone from security make test vishing calls.
Companies that run regular vishing simulations help employees spot and handle voice phishing with up to 90% success rates. Organizations investing in staff awareness see returns up to 37 times their investment.
Make reporting suspicious calls safe and easy. Don’t punish people for being careful. Praise those who follow proper verification steps.
Set Up Proper Verification Procedures
Create specific protocols for sensitive operations.
For money stuff:
- Require two people to approve transfers above a certain amount
- Set up code words or security questions for phone approvals
- Use callback procedures for all payment changes
For IT and access requests:
- Never share passwords over the phone, period
- Require in-person verification for sensitive credential resets
- Use official ticketing systems for all support requests
For executive requests:
- Build a protocol for urgent requests from leadership
- Require confirmation through official channels
- Create a culture where questioning unusual requests is encouraged and rewarded
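The payment controls above (two approvers over a limit, callbacks for payment changes) can be enforced by the payment workflow itself instead of relying on staff under pressure to remember them. The sketch below is an added example, not code from this article or any product it mentions; the threshold, payee directory, phone numbers and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_ABOVE = 10_000  # assumed limit; the article only says "a certain amount"
# Constructed payee directory: contact numbers recorded before any request arrives.
NUMBERS_ON_FILE = {"vendor-001": "+60 3-0000 0001"}

@dataclass
class PaymentRequest:
    payee_id: str
    amount: float
    requested_by: str
    changes_payment_details: bool = False
    approvers: set = field(default_factory=set)
    callback_dialled: Optional[str] = None  # number staff actually called back

def approve(req: PaymentRequest, approver: str) -> bool:
    """Record an approval. The requester cannot approve their own request."""
    if approver == req.requested_by:
        return False
    req.approvers.add(approver)  # a set, so the same person never counts twice
    return True

def release_decision(req: PaymentRequest) -> tuple:
    """Return (allowed, reasons); reasons lists every control still unmet."""
    reasons = []
    needed = 2 if req.amount > DUAL_APPROVAL_ABOVE else 1
    if len(req.approvers) < needed:
        reasons.append(f"needs {needed} distinct approvers, has {len(req.approvers)}")
    if req.changes_payment_details:
        on_file = NUMBERS_ON_FILE.get(req.payee_id)
        # Only a call placed to the stored number counts. A number supplied by
        # the caller, an email signature or caller ID is not verification.
        if on_file is None or req.callback_dialled != on_file:
            reasons.append("callback to the number on file not completed")
    return (not reasons, reasons)

if __name__ == "__main__":
    req = PaymentRequest("vendor-001", 50_000, "alice", changes_payment_details=True)
    approve(req, "bob")
    req.callback_dialled = "+60 3-0000 9999"  # number the caller gave: rejected
    print(release_decision(req))
    approve(req, "carol")
    req.callback_dialled = NUMBERS_ON_FILE["vendor-001"]
    print(release_decision(req))
```

Because the decision lists every unmet control, an urgent "executive" request fails with a reason staff can read back to the caller.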
Use Technology Tools
Several tools help reduce vishing attempts.
- Call filtering apps block known scam numbers. Both iOS and Android offer built-in spam protection. Third-party apps like Truecaller add extra filtering.
- Network-level protection helps businesses. Some firewall systems, such as FortiGate, have voice security features that detect and block suspicious calling patterns.
- AI-powered detection is emerging as a defense tool. These systems identify voice cloning and alert you to potential deepfakes during calls.
Stay Informed About Current Scams
Scammers change tactics constantly. Follow security news sources. Sign up for alerts from the FBI’s Internet Crime Complaint Center.
Many banks and service providers send warnings about current vishing campaigns targeting their customers.
Practice Healthy Skepticism
Develop a questioning mindset for unexpected calls:
- Why call instead of email?
- How did they get my number?
- Why does this need to happen right this second?
- What happens if I verify through official channels first?
Trust your gut. If something feels off, it probably is. Better to be overly cautious than to become another statistic.
FAQ about Voice Phishing
Act quickly. Hang up immediately and do not call back. Contact your bank if financial information was shared, and change passwords while re-enabling multi-factor authentication. Inform your company’s IT or security team if relevant, and monitor your accounts for suspicious activity.
Answering doesn’t harm your phone directly, but it signals that your number is active. Scammers may record your voice, attempt SIM swap fraud, send malware links, or trick you into activating chargeable features.
Even short recordings can be misused. Scammers may create AI-generated deepfakes, impersonate you to colleagues or family, authorize fraudulent transactions, or bypass voice authentication systems.
Conclusion
Voice phishing is becoming more sophisticated in 2026. Attackers use AI voice cloning, automated calls, and stolen data to create convincing scams. In Malaysia, 2025 saw a rise in “Boss Scams,” in which deepfake voices pressured employees into making urgent DuitNow transfers.
Awareness is the best defence. Hang up and call back using official numbers, enable multi-factor authentication, and report suspicious calls to reduce risk.
While vishing targets humans, it can trigger secondary threats like malware, phishing links, or credential theft. FortiGate Next-Generation Firewalls help mitigate these follow-on risks, with FortiGuard AI Security Services providing real-time protection across networks and hybrid environments.
Key takeaways:
- Vishing often involves multi-channel attacks
- Urgency and authority are common manipulation tactics
- Verification stops most attacks
- Human judgment matters as much as technology
Stay alert: the next time your phone rings with an urgent request, you’ll know exactly what to do.