Vishing examples: real world attacks and consequences

Compared to phishing, vishing is still very new.

Don't get me wrong: vishing is growing fast, and more people face this threat every day. But vishing attacks remain less well known, especially in a corporate context.

In this article, I’ll walk through real vishing examples: attacks that actually happened, that in most cases targeted companies, and that had dire consequences.

This will help you get more inspiration for your vishing simulations and better train your people.

Let's get started.

Key takeaway

* **Vishing attacks are evolving with technology** – From traditional impersonation scams to sophisticated AI-powered voice cloning, vishing has grown more deceptive and effective, targeting both individuals and large organizations.
* **Real-world incidents show severe consequences** – High-profile cases like the Twitter breach, the MGM ransomware attack, and finance-related scams (e.g., AIB, Morgan Stanley) highlight how vishing can lead to major financial losses and reputational damage.
* **Training is critical for prevention** – Organizations can mitigate vishing risks by educating employees to recognize social engineering tactics and by running realistic simulations to build defensive reflexes.

The Twitter vishing attack

Let’s start with a very impressive hack that targeted Twitter (before it was X).

To be exact, it was never revealed whether the phone-based attack was smishing or vishing. One thing is certain, though: the phone was the delivery mechanism.

On July 15, 2020, a phone-based spear-phishing attack took place. It gave the attackers access to Twitter’s internal network and to specific employee credentials.

Those credentials gave them access to internal support tools, which allowed them to take over individual Twitter accounts. They chose wealthy and reputable people so they could push a financial scam to those people's audiences.

The impact was twofold. First, the victims who got scammed by following the hacked accounts' instructions: the total reported loss was $117,000.

Second, Twitter's reputation. A-list celebrities with large audiences saw their accounts exploited to run a scam. I would not be happy either.

AIB, Morgan Stanley Wealth Management and finance-themed vishing examples

This series of vishing examples is finance-themed. They are very common and can target businesses as well as private individuals.

Let's start with the Allied Irish Banks vishing attack.

Here is the process the attacker followed to conduct this vishing attack:

  1. The attacker pretends to be a Fraud Prevention specialist from the bank.
  2. The pretext is that important payments are about to be made from the customer’s account. The attacker claims to be calling to prevent fraud, fearing the operation is not legitimate. To make it more believable, the attacker provides fake details: payment reference, origin, amount, etc.
  3. From there, the attacker asks the victim to download a "secure chat application". This application is in fact a remote access tool that gives the attacker access to the victim’s computer. During the interaction, the victim also hands over security codes. This resulted in a €41,000 payment benefitting the attacker.

The bank detected the fraud when the attacker pushed his luck by calling the real customer service line to ask for the wire transfer to be sped up. This triggered internal alerts that defeated the attack.

A very similar attack targeted Morgan Stanley customers. It extracted login credentials that were then used to make unauthorized money transfers through Zelle.

Common variations of this attack involve attackers manipulating their victims into wiring the money out themselves, often to “protect” the funds from fraudulent transfers or from being "frozen by the FBI”.

Italian Defence Minister AI voice clone

This vishing example is really interesting as it leverages voice cloning technology.

Italian businessman Massimo Moratti was scammed out of $1.04 million in an AI-powered vishing attack.

The attack targeted prominent business figures, from Giorgio Armani to the Prada co-founder, as well as Massimo Moratti. Moratti is the former owner of the Inter Milan soccer club, a wealthy target.

The pretext was one we already saw in France years ago: the attacker impersonated the Italian Defence Minister.

He pretended to need urgent external funding for the release of kidnapped Italian journalists in the Middle East.

The twist here is that the attackers used voice cloning technology to reinforce the pretext and trick their targets.

Vishing energy firms and next-gen CEO fraud

In 2019, a UK-based energy firm was scammed out of $243,000 with a vishing attack.

The target was a UK executive. The attackers appear to have used AI software to clone the voice of the boss of the German parent company. With this borrowed authority, they requested a transfer of $243,000 to a Hungarian supplier.

The money was supposedly going to be refunded very quickly, but of course the funds were laundered through different banks in different countries, never to be seen again.

A similar attack, targeting an unnamed bank, yielded a $35 million loss. Attackers used AI voice cloning to impersonate a company director, convincing a bank manager to transfer $35 million during a fake acquisition process.

This is the next generation of CEO fraud: small technical improvements that increase the yield of a tried-and-tested scam.

IT help desk vishing

An interesting pattern targeting businesses is attackers impersonating the IT service desk. In this pretext, the attacker calls employees and asks them to reset their passwords, which hands the attacker unauthorized access.

This happened to Marks & Spencer and Co-op Supermarkets as well as Harrods.

These incidents resulted in operational disruptions and the exposure of personal data belonging to millions of customers.

As often happens, the customers’ data can be used for follow-up attacks. Leaked data containing credit card information could, for instance, be used to build authority and legitimacy for a banking-fraud vishing pretext.

The IT help desk pretext is a very popular one and was also used in the last example of this article: the MGM hack.

MGM hack

Attackers affiliated with the ALPHV/BlackCat ransomware group used phone-based social engineering to impersonate an MGM employee.

They reportedly gathered personal information from public sources like LinkedIn, then called MGM's IT help desk, pretending to be the employee.

By convincing the support staff of their identity, they gained access to internal systems, which led to a massive ransomware deployment.

This resulted in the shutdown of slot machines, hotel check-in systems, digital keys, and more, causing days of disruption and millions in losses.

Conclusion

I hope these vishing examples give you a general awareness of the types of vishing attacks that are occurring.

I didn’t cover callback attacks, as that type of attack is initiated from a phishing email. We have a complete article on the subject, so feel free to read it if you want to know more about callback vishing.

Vishing can be seen as just a new iteration of existing scams. After all, it's just a new vector. But note the use of new technology such as voice cloning, which enables more dangerous attacks that are harder to detect.

If you want to better protect your company against these attacks, you should train your employees to detect and mitigate them.

This is why we have created a complete vishing simulation and awareness platform. It will help you execute effective simulations to train your people in realistic conditions and build reflexes.

If you want to know more about it, you can request a demo or have a look at our solutions against vishing.
