
Summary
AI voice cloning has collapsed the cost of vishing from hundreds of dollars per targeted call to effectively zero at scale. Vishing attacks doubled in 2025 (CrowdStrike Threat Hunting Report 2025), and the insurance sector alone saw a 475% rise in synthetic voice fraud (ENISA). Finance, treasury, and executive assistant teams now face the same volume of voice-based social engineering that inboxes faced a decade ago. This article explains the shift and gives CISOs a defensive blueprint. For a broader view, see our 2026 CISO guide to AI social engineering threats.
What changed in vishing between 2023 and 2026?
Three technical shifts changed the economics. AI voice cloning now needs only 3 seconds of audio to replicate a specific person's voice with 85% accuracy. LLMs handle real-time conversation with contextual awareness, including pushback and objections. Integration with VoIP infrastructure lets one operator run thousands of concurrent calls, each personalized from scraped data.
The numbers tell the story: vishing surged 442% in 2024 (CrowdStrike) and doubled again in 2025. Arsen's 2026 Social Engineering Risk Report, citing Deep Instinct, found that 45% of financial services organizations faced an AI-powered cyberattack in the 12 months leading up to mid-2025. AI vishing is no longer an edge technique — it's the primary voice-based threat vector for banks and insurers.
Why are finance and treasury teams the primary targets?
Finance staff authorize money movement. That's the short answer. The longer answer: they work under time pressure, often receive legitimate last-minute requests from executives, and use voice confirmation as a standard control. Every one of those conditions is weaponizable. The Scattered Spider group demonstrated this by targeting help desks at major U.S. insurers to reset MFA credentials and gain network access through manual voice phishing.
| Target Role | Why Attackers Choose Them | Typical AI Vishing Attack |
|---|---|---|
| CFO / Finance Director | Wire authorization authority | Cloned CEO voice requesting urgent transfer |
| Treasury analyst | Executes transfers | Impersonated CFO citing a live deal |
| Executive assistant | Gatekeeper, trusted voice access | Impersonated exec rerouting calls or approvals |
| Accounts payable | Vendor payment changes | Impersonated vendor updating bank details |
| IT help desk | MFA reset authority | Impersonated employee requesting credential reset |
How does AI vishing differ from traditional vishing?
| Dimension | Traditional Vishing | AI Vishing (2025–2026) |
|---|---|---|
| Voice | Attacker's real voice or bad impression | Cloned voice from 3 seconds of reference audio |
| Scale | One call at a time | Thousands of concurrent calls |
| Personalization | Generic script, rigid under questioning | LLM-generated, data-driven, adaptive in real time |
| Cost per target | High | Near zero |
| Language barriers | Accents, cultural context errors | Perfect grammar in any language |
| Defense difficulty | Moderate — classic red flags present | High — traditional red flags absent |
The traditional red flags — bad accent, wrong name, stilted speech — are gone. Defenders need new signals.
What controls actually work against AI vishing?
Procedural control: out-of-band callback. The single most effective control. Any voice request for money movement, credential reset, or access change triggers a callback to a pre-registered number. The attacker can clone the voice but cannot answer the callback. This is the vishing equivalent of a hardware security key.
Training control: realistic vishing simulation. Staff who have been called by a cloned voice — in a safe simulation — recognize the second one faster. Arsen runs vishing simulations that mirror real attacker techniques, including voice cloning and LLM-driven conversation, so finance teams build muscle memory before the real attempt arrives.
Detection control: anomaly monitoring on transactions. Even if human verification fails, behavioral anomaly detection on outbound transfers (unusual recipient, unusual amount, unusual time) provides a last line of defense. Pair with mandatory delay windows for transfers above threshold.
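The three controls above compose into a single gate in front of any money movement. The example below is an added illustration written for this article, not Arsen's code or any bank's production system: it models the out-of-band callback (the callback target comes only from a pre-registered directory, never from caller ID or a number offered on the call), dual authorization above the >€50K threshold the article mentions, the anomaly signals named above (unusual recipient, amount, time) scored against past transfers, and a mandatory delay window. The directory entries, transfer history, IBANs and phone numbers are constructed sample data; the 24-hour delay and the two-signal hold rule are assumptions, not figures from the article.

```python
"""Money-movement gate: out-of-band callback, dual control, transfer
anomaly signals and a mandatory delay window.

Added example for illustration; not Arsen's code. All numbers, IBANs,
history and thresholds other than the article's >50K callback policy
are constructed or assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional

# Pre-registered contact directory maintained by HR/IT (constructed sample).
# The callback MUST go to this number; caller ID and any number the caller
# offers during the call are ignored by design, because a cloned voice can
# supply either of those.
DIRECTORY = {"cfo": "+33100000001", "ceo": "+33100000002"}

CALLBACK_THRESHOLD_EUR = 50_000       # from the article's ">€50K" callback policy
DELAY_WINDOW = timedelta(hours=24)    # assumed cooling-off period above threshold
HOLD_SIGNAL_COUNT = 2                 # assumed: hold when two or more signals fire

# Constructed history of past outbound transfers: (beneficiary IBAN, amount, hour of day)
HISTORY = [
    ("FR7630006000011234567890189", 12000.0, 10),
    ("FR7630006000011234567890189", 11500.0, 11),
    ("FR7630006000011234567890189", 12800.0, 14),
    ("DE89370400440532013000", 4200.0, 9),
    ("DE89370400440532013000", 3900.0, 15),
]


@dataclass
class TransferRequest:
    requester: str                      # identity claimed on the call
    inbound_caller_id: str              # caller ID displayed on the phone
    beneficiary_iban: str
    amount_eur: float
    requested_at: datetime
    caller_supplied_callback: Optional[str] = None  # recorded, never dialled


@dataclass
class Decision:
    status: str                         # "released", "held" or "rejected"
    reasons: List[str] = field(default_factory=list)
    release_not_before: Optional[datetime] = None


def callback_number(req: TransferRequest) -> Optional[str]:
    """Out-of-band callback target: the pre-registered directory only."""
    return DIRECTORY.get(req.requester)


def anomaly_signals(req: TransferRequest, history=HISTORY) -> List[str]:
    """Flag unusual recipient, amount and time relative to past transfers."""
    signals = []
    if req.beneficiary_iban not in {iban for iban, _, _ in history}:
        signals.append("new_beneficiary")
    amounts = [amt for _, amt, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma and (req.amount_eur - mu) / sigma > 3:       # > 3 standard deviations
        signals.append("amount_outlier")
    hours = [h for _, _, h in history]
    if not min(hours) <= req.requested_at.hour <= max(hours):
        signals.append("off_hours")
    return signals


def gate(req: TransferRequest, callback_confirmed: bool,
         second_approver: Optional[str] = None, history=HISTORY) -> Decision:
    """Procedural controls first (callback, dual control), then the detection layer."""
    target = callback_number(req)
    if target is None:
        return Decision("rejected", ["requester not in pre-registered directory"])
    if not callback_confirmed:
        return Decision("rejected", [f"no confirmation on out-of-band callback to {target}"])
    above = req.amount_eur > CALLBACK_THRESHOLD_EUR
    if above and not second_approver:
        return Decision("rejected", ["dual authorization required above threshold"])
    signals = anomaly_signals(req, history)
    if above or len(signals) >= HOLD_SIGNAL_COUNT:
        reasons = (["mandatory delay window above threshold"] if above else []) + signals
        return Decision("held", reasons, req.requested_at + DELAY_WINDOW)
    return Decision("released", signals)


# Constructed scenarios. In CLONED_VOICE the caller ID is spoofed to the real CFO's
# number and a "confirmation" number is offered; the callback to the directory
# number reaches the real CFO, who denies the request, so callback_confirmed=False.
ROUTINE = TransferRequest("cfo", "+33100000001", "FR7630006000011234567890189",
                          12500.0, datetime(2025, 2, 10, 10, 30))
CLONED_VOICE = TransferRequest("cfo", "+33100000001", "GB33BUKB20201555555555",
                               250000.0, datetime(2025, 2, 10, 18, 5),
                               caller_supplied_callback="+33199999999")
LARGE_LEGIT = TransferRequest("cfo", "+33100000001", "FR7630006000011234567890189",
                              80000.0, datetime(2025, 2, 10, 11, 0))
UNKNOWN = TransferRequest("cto", "+33100000009", "FR7630006000011234567890189",
                          5000.0, datetime(2025, 2, 10, 11, 0))


def run_demo() -> dict:
    return {
        "routine": gate(ROUTINE, callback_confirmed=True),
        "cloned": gate(CLONED_VOICE, callback_confirmed=False, second_approver="treasury_lead"),
        "large": gate(LARGE_LEGIT, callback_confirmed=True, second_approver="treasury_lead"),
        "unknown": gate(UNKNOWN, callback_confirmed=True),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:8s} {decision.status:9s} {decision.reasons} {decision.release_not_before}")
```

The design point is the order of checks: the cloned-voice request is rejected before any anomaly scoring because the callback to the directory number, not the number offered on the call, fails to confirm it. Anomaly signals are the last line of defense for the case where a human has already been convinced, which is why a large, confirmed, dual-approved transfer still lands in a hold with a release time rather than going straight out.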
What does a real AI vishing attack look like? The Canadian insurance case
In February 2025, attackers used AI tools to clone the voice of a Canadian insurance firm's CFO. The synthetic audio was used during a phone call to pressure a subordinate into facilitating wire transfers. This was part of a broader campaign — groups like Scattered Spider also targeted help desks at major U.S. insurers to reset MFA credentials. The firm lost nearly $12 million. Read our full analysis of vishing in insurance.
What should a CISO's 30-60-90 day plan look like?
| Days | Action |
|---|---|
| 0–30 | Inventory all voice-authorized workflows. Publish callback policy for transfers >€50K. Brief finance and treasury leads. Audit verification processes against AI voice-cloning risks. |
| 30–60 | Deploy vishing simulation to finance, treasury, and EA populations. Measure baseline susceptibility. Test cross-channel scenarios (email then call). |
| 60–90 | Run tabletop exercise simulating a successful deepfake CFO call. Update IR runbook with synthetic media branch. Report metrics to board. Assess regulatory compliance gaps. |
FAQ
Detection exists but is unreliable under typical call quality. Do not depend on it as a primary control. Use procedural controls (callbacks, dual authorization, delay windows) as your primary defense.
Quarterly at minimum. Arsen's 2026 Report recommends merging phishing and vishing into a single social engineering simulation strategy to avoid siloed training gaps. Annual-only sessions are too far apart to build durable recognition.
First-time baseline commonly lands between 20% and 40% for untrained finance populations. With consistent simulation, well-run programs drive this below 10% within 12 months.
You cannot prevent cloning: any public earnings call, conference presentation, or interview provides sufficient reference audio. Focus on making cloned voices useless: callbacks, dual control, and trained staff.
Vishing is increasingly used to compromise vendor relationships and third-party access. 97% of U.S. banks experienced indirect data exposure in 2024 following third-party compromises. Read our supply chain risk analysis.