Vishing: The Detrimental Cost of a Call

Google Threat Intelligence sheds light on a growing cyber threat targeting enterprise employees: voice phishing (vishing) used to extort credentials and gain unauthorized access to cloud services and sensitive data. These sophisticated social engineering campaigns exploit human trust and urgency, duping unsuspecting staff into giving up login credentials that adversaries then weaponize for lateral movement, information theft, and extortion.

While this threat is not new, its scale and precision are evolving rapidly, and AI is now amplifying its reach. Deepfake audio, real-time voice synthesis, robocalls, and adaptive replay attacks are increasingly used to impersonate trusted figures with alarming accuracy. Attackers no longer need to exploit software flaws; sounding believable on a phone call is often enough.

This trend has been vividly illustrated by Google’s recent tracking of UNC6040, a financially motivated threat group known for impersonating IT personnel in vishing attacks. Their method involves manipulating employees into installing a malicious version of Salesforce’s Data Loader, which provides direct access to sensitive cloud data. In multiple incidents, this access enabled attackers to extract large volumes of information, not only from Salesforce but also from integrated platforms like Okta and Microsoft 365, following credential theft and lateral movement.

In some cases, stolen data remained undetected for weeks or months, only surfacing later through extortion demands, suggesting either delayed monetization or collaboration with secondary threat actors. These breaches didn’t stem from technical vulnerabilities; they stemmed from trust, manipulated in real time.

These are exactly the kinds of advanced social engineering threats that modern, AI-powered voice authentication is built to defend against.`

The Fatal Flaw in Traditional MFA: Credentials That Can Be Stolen or Tricked

Most organizations still rely on multi-factor authentication (MFA) based on what the user knows (passwords) or has (devices, tokens). But these methods are vulnerable to manipulation. A persuasive phone call or phishing email can easily extract both elements, especially when bolstered by AI-generated voices.

As Google’s report highlights, attackers pose as IT staff or executives to trick employees into revealing credentials or performing actions that compromise internal systems. Once inside, they can move laterally, siphon sensitive data, and inflict serious damage, all enabled by social engineering and stolen access.

What’s needed is a shift away from static credentials. Instead of relying on information that can be intercepted or replayed, secure access should be based on who the person is, validated in real time, through something inherently human: their voice.

AI: Powering a New Standard Against Vishing

To counter this new breed of AI-enabled threats, authentication systems must use AI not just as a tool, but as a defense mechanism.

The modern solution works through three integrated layers:

1. Voice Biometrics: A person’s speech is compared to a voiceprint recorded during enrollment. This biometric match ensures that the speaker is the same individual who originally enrolled, leveraging advanced machine learning and deep neural networks trained on real-world data.
2. Real-Time Challenge-Response: The user is shown a time-sensitive sequence of digits on their screen and asked to read them aloud. This confirms their physical presence and interaction, preventing pre-recorded or injected audio from being used.
3. Spoof Detection: AI-driven models evaluate the audio to detect replay attacks, synthetic speech, or signs of deepfake manipulation. These systems are constantly trained and updated to recognize evolving fraud patterns.

Together, these layers ensure that only a real, present, and verified human can complete the authentication process. Even if a one-time credential is intercepted, it cannot be reused or faked.

Turning the Human Layer from Liability to Strength

As Google points out, the weakest link is often the human, not the system. Attackers know this and increasingly target people, not infrastructure. That’s why modern defenses must secure not just devices or passwords, but the people themselves.

By requiring live voice input, dynamic challenges, and biometric confirmation, this approach makes it nearly impossible for fraudsters to succeed, no matter how advanced their AI tools. It transforms the human layer from a vulnerability into a verified asset.

Securing Access in the AI Era

Phishing, credential theft, and social engineering will continue to evolve, particularly with AI lowering the cost and effort of launching convincing attacks. But access controls that rely on dynamic, ephemeral, and biometric factors create an insurmountable barrier to entry.

With live authentication that can’t be replayed, spoofed, or forwarded, identity isn’t just claimed, it’s demonstrated in the moment. And because each interaction is cryptographically unique and time-bound, even intercepted data becomes useless.

This is the future of access security: one where identity is irrevocable, non-repudiable, and impossible to fake. And with AI on both sides of the equation, only solutions that evolve just as fast, and detect just as smartly, can stay ahead.

Schedule a demo to see this model work in real time.