The phone rings. A professional voice on the other end: “Hello, I’m from Microsoft technical support. We’ve detected suspicious activity on your computer.” In 30 seconds they ask you to install software to “fix the problem.” If you do, you’ve just handed over access to your business network. This is vishing — phone-based social engineering that targets Italian SMEs every day. At Meteora Web, we see it when clients arrive who have already been hit. You don’t need to be paranoid, but you do need to know what to look for and how to respond.
How does vishing differ from other social engineering attacks?
Vishing (voice phishing) is the telephone version of phishing. The attacker uses voice — live or via an automated system — to create urgency, trust, or fear. Unlike a suspicious email, a phone call has an immediate emotional impact: the person answering has no time to check addresses or links. The goal is the same: steal credentials, bank details, remote access, or install malware.
Differences from smishing and traditional phishing
With smishing (SMS), the user has a few seconds to read and think. With email phishing, they can forward the message to a colleague. With vishing, the human voice (or a convincing bot) closes the window for reflection. The attacker pushes for immediate action: “click here”, “tell us the code you received by SMS”, “download this software”. Phone numbers are bought from leaked databases. We’ve seen cases where the visher knew the victim’s name, company, and even the accounting software version — all from a vendor data breach.
What are the most common vishing techniques used against businesses?
Vishers don’t improvise. They follow well-tested scripts. Here are the three most frequent scenarios targeting companies.
1. Fake technical support (Microsoft, Google, telecom)
“We’ve detected a virus on your computer. To remove it, you must allow us remote access.” If the victim agrees, they are talked through installing a remote-access tool such as VNC or TeamViewer, and the attacker uses that session to steal files and credentials. Sometimes they also demand payment for the “service”.
2. Fake bank or postal service
“This is the fraud department. We have detected an unusual transfer attempt. To block it, you must provide the code you just received by SMS.” In reality, that code authorizes the visher to move money from the business account.
3. Fake CEO or supplier (spear vishing)
The visher impersonates the CFO or a trusted consultant. “I urgently need a transfer to this IBAN for a blocked payment. No time for formalities.” Anyone in the company would recognize their boss’s voice, right? Sometimes they use a voice clone generated by AI (voice deepfake) — we cover this in our pillar on social engineering.
How can you recognize a vishing call?
There’s no single red flag, but a combination of elements makes a call suspicious. Here’s a practical checklist you can use immediately.
- Unnatural urgency: “If you don’t act now, your account will be blocked / your computer will be infected / you’ll lose data.” Real businesses don’t create panic.
- Request to install software: No tech support asks you to install programs without you having opened a ticket first.
- Request for access codes: No bank ever asks for the code you received by SMS. Never.
- Unknown or spoofed number: The caller ID often looks Italian but is spoofed. Solution: if the number isn’t in your contacts, let it ring and call back on an official number.
- They already know internal info: Even if the visher knows data that seems internal, don’t trust it — it could be from a password leak or public sources.
- Recorded or too-fluent voice: With modern text-to-speech, even a human-sounding voice could be synthetic. If in doubt, ask to call back on a known number.
A simple rule: if you didn’t initiate the call, never provide sensitive data or remote access. Period.
What technical and organizational measures should you adopt in your company?
Vishing is fought with training and processes, not just software. But some tools help.
Regular training and simulations
Run 30-minute awareness sessions with employees, showing real call examples. Then launch vishing simulations: a colleague or external service calls mimicking a visher. Who falls for it? They learn without damage. We recommend doing this at least twice a year, updating scripts with new techniques (deepfake, extortion, etc.).
Double-check procedure for wire transfers and sensitive data
Establish a protocol: any request for a transfer or data change received by phone must be confirmed by email to a known address, or by calling back on an official number (not the one you received the call from). This simple block stops most vishing.
Block suspicious numbers and use whitelists
If your company uses a VoIP PBX, you can configure rules to block known scam numbers. Services like Truecaller for Business or anti-spam phone systems help, but beware: vishers change numbers daily. Focus on behavior.
Shared secret code for identity verification
In small teams, agree on a keyword only you know. If someone calls pretending to be the CEO, the employee can ask: “What’s today’s code?” No attacker will know it. No technology needed, just discipline.
What to do right now
Don’t wait for the phone to ring. In 10 minutes you can implement these concrete actions:
- Print the red flag checklist and place it next to every office phone (or set it as desktop wallpaper).
- Define the double-check procedure for transfers and data: write it in a document and share it with the whole team.
- Choose a secret keyword for critical communications, share it only with relevant people, and change it monthly.
- Report suspicious numbers to the local cybercrime unit or via the Italian Police website. This helps build shared databases.
- Plan a vishing simulation within 30 days. It doesn’t need a budget: even a friend or family member calling from a script works.
We at Meteora Web have been following companies since 2017 — from domain to revenue, one single point of contact. If you want a check on your SME’s security, get in touch. Vishing is defeated with awareness, not fear.