Web and Mobile Fraud
The Threat of Vishing—Exploiting Human Trust
What is Vishing, and Why Is It a Rising Concern for the Retail Sector?
By Tim Rawlins, Director and Senior Advisor, and Duncan McDonald, UK Lead for Technical Assurance Services, NCC Group plc.
In 2025, cyber incidents across the retail sector have bypassed cyber defences with worrying effectiveness by targeting outsourced IT support teams with voice-based social engineering, known as “vishing”. This is just the latest version of a long-running criminal activity that we might once have called “blagging”: talking your way in, or getting something by persuading someone to do what you want them to do.
Groups like Scattered Spider, a loose criminal group of mainly young, English-speaking people who have come out of a wider collective of online gamers and criminals known as “The Com”, have drawn particular attention for their use of this tactic.
These attacks—unlike many others that continue to present a challenge to retailers and shoppers alike—require minimal technical knowledge to break in and are effective at bypassing common cyber security controls such as multi-factor authentication (MFA), strong and complex password policies, and email security measures.
Once inside a network, they have been stealing data and, in some cases, encrypting systems to deny the organisation access to its own information until a ransom is paid.
The attackers are contacting IT support teams and impersonating legitimate staff members or contractors to have the helpdesk reset the user’s password and bypass their MFA controls.
These attacks use the same “levers of influence” that advertisers use on shoppers, and they exploit weak or non-existent identity verification policies: the helpdesk has no reliable way to confirm that the caller is the person they claim to be. In some attacks the caller pretends to be the user’s manager, using the lever of authority to skip the authorisation step and nudge the helpdesk into doing their bidding.
As these criminal adversaries shift toward more direct and personalised tactics, it’s important to first understand the evolving threat landscape in retail. The sector has become an increasingly attractive target for hackers, and despite the best efforts of cyber security leaders, chief information security officers (CISOs) often struggle to make their voices heard amid competing priorities at the executive committee and board level.
The recent rise in successful vishing attacks is no coincidence: it highlights the urgent need for both security teams and employees at all levels of the organisation to understand the threat and remain vigilant as they go about their normal day.
Retail Realities in Cyber Space
In today’s digital-first retail landscape, cyber threats have become an ever-present risk, targeting businesses that handle vast volumes of transactions and potentially sensitive customer data.
From e-commerce platforms to in-store point-of-sale systems, retailers operate across a wide array of digital touchpoints, each offering potential entryways for malicious actors.
The sector was the fourth most targeted in 2024 according to NCC Group’s Annual Cyber Threat Monitor Report, with 80 per cent of retailers experiencing a cyber-attack in the last twelve months. This high level of active attacks is likely to continue.
Retail’s appeal to the criminal hackers lies in its rich troves of personal and financial information—names, addresses, payment details, and loyalty data—that can be monetised or exploited for identity theft which in turn supports wider fraud.
Moreover, the high frequency of transactions, especially during peak shopping seasons, creates additional opportunities for attackers to strike when systems are under pressure and teams are stretched thin.
One example of this “pressure” is credential stuffing: approximately 25 per cent of the automated “bad bot” traffic targeting retailers consists of attempts to log in by pushing lists of usernames and passwords, typically leaked in earlier breaches elsewhere, at account login pages. We are also seeing accounts created with “synthetic personas”, digitally fabricated individuals backed by deep-faked supporting documentation.
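As an added example (not from the article or NCC Group’s tooling), the following Python flags credential stuffing from login audit records: many distinct usernames attempted from one source address inside a short window, mostly failing, as opposed to a single user repeatedly mistyping their own password. The log format, addresses, usernames and thresholds are constructed for the demonstration; the useful output is the list of accounts that did log in successfully from a flagged address, which are the accounts to reset first.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not NCC Group code. The log format, IP addresses, usernames and
thresholds below are assumptions made for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-attempt audit format emitted by the login endpoint.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=10, min_fail_ratio=0.8):
    """Flag source IPs that try many *different* usernames, mostly failing,
    inside one sliding time window. One user mistyping their own password
    repeatedly is not credential stuffing and is not flagged.

    Returns {ip: {"distinct_users", "attempts", "failures", "hits"}} where
    "hits" are the accounts that logged in successfully from a flagged IP.
    """
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "hits": sorted({e["user"] for e in win if e["ok"]}),
                }
        if (best["distinct_users"] >= min_users
                and best["failures"] / best["attempts"] >= min_fail_ratio):
            flagged[ip] = best
    return flagged


# Constructed sample: one genuine user with two typos, then a bot pushing
# twelve leaked username/password pairs in twelve seconds, one of which works.
SAMPLE_LOG = [
    "2025-11-03T10:00:00Z ip=198.51.100.7 user=alice result=FAIL",
    "2025-11-03T10:00:09Z ip=198.51.100.7 user=alice result=FAIL",
    "2025-11-03T10:00:20Z ip=198.51.100.7 user=alice result=OK",
] + [
    f"2025-11-03T10:01:{i:02d}Z ip=203.0.113.5 user=cust{i:03d} "
    f"result={'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct_users']} usernames, "
              f"{stats['failures']}/{stats['attempts']} failed, "
              f"compromised accounts: {stats['hits']}")
```

Real bots rotate source addresses, so in production the same logic is usually keyed on a device fingerprint or an ASN as well as the IP; the distinct-username count per key is the signal that separates stuffing from an ordinary locked-out user.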
Add to this the complexity of retail supply chains and third-party integrations, and it’s clear why this industry is a prime target.
For retailers, cyber security isn’t just a technical concern; it’s a business-critical priority that directly impacts customer trust, brand reputation, and operational continuity.
Retailers Tell Us That They’re Trying to Focus On “Cyber Fundamentals” as Threats Evolve and Security Costs Rise
“We’re going back to basics”. This was the message that helped kickstart a lively discussion at a recent retail event hosted by NCC Group, and it came from a leading CISO of a European-based hospitality chain.
We’d gathered security leaders from the UK and EU to discuss the evolving cyber threat landscape in retail. Many in the room were also reflecting on shared concerns that despite rising security costs and growing threats, many breaches still stem from fundamental lapses—like poor cyber hygiene among staff or immature internal IT practices like failing to patch or replace legacy or ageing systems.
These security leaders told us that basic phishing attacks can still wreak havoc across the organisations they manage, as so many staff members are joining their team seasonally or are there on a short-term basis.
Here, unfortunately, the onboarding focus is often on training staff to use the tills; cyber risk and internal cyber training are not at the forefront when retail or hospitality workers join.
We have also heard ongoing frustration with the pressure to justify cyber security investment to boards focused on ROI, even as competitors and supply chains continue to suffer breaches.
One supermarket CISO emphasised that cyber security isn’t a competitive advantage—it’s a critical safeguard. A breach could lead to irreversible reputational damage and customer trust erosion, especially in a market where alternatives are readily available.
Despite this, getting buy-in for security first or secure-by-design development of systems remains a challenge. On a positive note, they did agree that sharing information about new attacks, new methods, and new fraud routes was something they felt committed to.
Another retail leader shared their practical approach to maintaining board-level support: presenting data on attempted attacks, results from internal stress tests, and threat intelligence from across the sector. This transparency helps their senior and operational leadership understand the real-world risks and the value of proactive defence.
Three key security recommendations emerged from our discussions with retailers:
Threat Modelling: Map cyber risks to financial impact. Prioritise assets across the IT estate to understand the systems and processes that support the most important business services and quantify the cost of potential loss. This will help to make risk tangible for decision-makers. Most people are biased towards loss aversion, so it makes sense to present it in this way. Explain it to them in simple financial terms rather than in any technical language which only serves to baffle them.
Going Beyond Compliance: One CISO mentioned that they installed a password policy which met the compliance threshold. But when they scratched under the surface with their own audit, they found that over 800 members of staff were using the same credentials to log in to a critical operating system. Compliance “tick box” mentality can provide a false sense of security, so it’s best to conduct your own due diligence into what the regulations may be asking for and then test the real-world application of the rules on your system. Regularly cracking the passwords, if you can’t enforce complex passwords at a technical level, will demonstrate if the policy is worth the paper it’s written on.
Actionable Intelligence: Regularly run simulations and exercises based on real threat information. This should allow you to identify opportunities to improve your resilience by adjusting your defences. Cyber-attacks may be unpredictable, but patterns and trends across the wider sector and beyond can help you prepare for the inevitable and guide smarter investment.
The insights shared in these conversations underscored a shared commitment among security leaders to protect their organisations, not just through technology, but by fostering awareness, accountability, and strategic alignment with business goals.
The Rise of Vishing: Old Tactics, New Tools
Most retailers have come a long way in defending against phishing emails, despite some of the concerns we’ve heard above. From spam filters to phishing simulations and awareness campaigns, email-based social engineering is a familiar battlefield. But while phishing gets the spotlight, vishing or voice phishing has been quietly gaining traction among attackers. And it’s working.
At the beginning of the year, NCC Group’s 2024 report highlighted that AI-driven phishing and deep fake impersonation are making attacks harder to detect and easier to scale.
Vishing involves attackers impersonating trusted individuals or organisations over the phone to trick employees into revealing sensitive information or performing actions that compromise security. Think of it as phishing’s more personal, and in many ways more dangerous, cousin.
Unlike email phishing, which now faces increasingly sophisticated spam filters and anomaly detection, vishing has fewer built-in protections. Spoofing an email address is hard to pull off these days where SPF, DKIM and DMARC are enforced, but spoofing a phone number is easy, especially with VoIP services and caller ID manipulation. This makes vishing attacks harder to detect and the calls much easier to trust, especially when the attacker knows just enough about the target to sound convincing.
Why Vishing Works
The psychology behind vishing is deceptively simple: urgency, authority and confusion, the same marketing levers of influence described above. A convincing voice on the line claiming to be from IT, HR, a line manager or even the CEO can cause someone to bypass normal verification protocols, especially if the caller already knows personal or internal details gleaned from previous calls to unsuspecting colleagues, LinkedIn, company websites or previous breaches.
And in an era of MFA, vishing is increasingly used as a bypass technique. Attackers may impersonate support staff and coax employees into sharing one-time passcodes or clicking malicious links sent during the call. These hybrid attacks—blending voice and email—create dynamic scenarios that increase the attacker’s chances of success.
Vishing is a Human Risk—Train Accordingly
Many organisations still rely too heavily on digital defences, assuming MFA and anti-virus software will protect them from most threats. But vishing doesn’t target your technology; it targets your people. And when policies aren’t clear or training is outdated, even your most security-aware employees can be caught off guard.
Running vishing simulations and training your staff on phone-based attack indicators is no longer optional. It’s essential.
How Threat Actors Use Social Engineering and Open-Source Intelligence (OSINT)
Unlike phishing, vishing uses phone calls as the primary attack vector. These attacks are often supported by OSINT. Threat actors use social media platforms like LinkedIn to identify employees, understand their roles, and map the organisational structure.
Vishing: Beyond Just a Phone Call
Targeting
Vishing attacks can be as simple as contacting the IT helpdesk, posing as legitimate employees who have “upgraded their mobile phone and lost access to their MFA app” or “lost access to their password manager”. In organisations without a comprehensive caller policy or with undertrained helpdesk teams, these calls can lead to unauthorised access being granted.
Caller Verification Policy
Your organisation’s verification policy for confirming callers should be considered public. Threat actors can place multiple calls to IT helpdesks over time, gradually piecing together the policy. While each individual call may seem inconsequential, the cumulative effect allows threat actors to map out verification processes, identify gaps, and ultimately bypass security controls more effectively.
After figuring out what the verification policy is, threat actors can research staff and the organisation online or through calls to other users, such as the reception or customer services teams, to obtain the required information to successfully verify their identity with the IT helpdesk. Verification questions such as “Who is your line manager?” or “What was your start date?” and “Can you confirm your job title?” are common but simple to answer using publicly available information from social media.
Alternatively, threat actors may call end users directly, posing as members of the IT helpdesk team. These calls can coincide with phishing emails or SMS messages (smishing) to increase urgency and credibility. A typical script might involve requesting the MFA PIN from a user:
“Hey Adam, it’s Rory from helpdesk. I’ve been forwarded a ticket from networks as they’re experiencing some issues with your MFA device; it appears that there’s an error with the syncing of the MFA PIN. So that we can make sure you don’t lose access, would you mind opening your MFA app and letting me know what numbers are currently displaying? It may be worth waiting till the next cycle. I will then make sure everything is in sync.”
Caller ID Spoofing and Deep Fakes
Phone number spoofing is simple, allowing threat actors to make their calls appear to come from legitimate, known telephone numbers. If the spoofed number is already saved in your phone as “Helpdesk” or “IT Support”, that is the name that will be displayed when the call arrives.
Moreover, real-time deep fake voice cloning can now be used to impersonate individuals within organisations. With only a few minutes of recorded speech, often gathered from public podcasts, social media, or corporate videos, threat actors can create AI-generated voices nearly indistinguishable from the real person.
Check your Exposure
The process your IT staff follow to verify a staff member before carrying out a password reset or an MFA reset is critical. If attackers can exploit it, the result is a direct compromise of a user account and, from there, of your wider IT systems.
Here are three areas you can review to check if you might be excessively exposed, and how you can increase your organisation’s resilience to these types of attacks:
Policy Review: Start with a comprehensive review of your organisation’s policies and procedures for verifying the identity of an inbound caller. Are staff trained to verify identity before sharing sensitive data? Before they agree to change an account, do they understand the temporary lockout policies that can restrict an attacker’s access, and the escalation paths for getting appropriate support? Are the methods used to verify the caller effective, or easy to defeat? Gaps here are the red flags attackers look for during the initial phase of a successful attack.
Open-Source Intelligence (OSINT) Gathering: Review the publicly available data about your organisation, staff, and structure. This includes job titles, email formats, leadership names, telephone numbers and more. This is all information an attacker could use to correctly answer your company’s verification questions and successfully authenticate with the helpdesk. The better the intelligence, the more effective the attack. Don’t forget that much of this information is collected by companies looking to make it easy for potential suppliers to contact your organisation; it may surprise you quite how much is out there to be exploited.
Simulated Vishing Attacks: Test yourself. Simulating attacks seen in the real world against your organisation is the best method to determine whether you are likely to fall victim to these attacks. It raises the awareness of your teams to such attacks and helps them prepare to deter threat actors.
Best Practices to Prevent Voice Phishing Attacks
While it is not possible to block all spoofed calls or prevent deep fakes, retailers can mitigate vishing risks with a structured approach:
Policies: A comprehensive policy should be in place outlining how IT helpdesk staff and end users verify the identity of incoming callers, along with the specific steps to follow when handling such requests.
Call Verification: Caller verification questions should not rely on information that is effectively public, such as job role, line manager, or start date, and should not be generic questions about the organisation. They should be based on something unique to each staff member that an outsider cannot research.
Three-Way Video Calls: Bring the line manager, the user, and the IT helpdesk together on a three-way video call, where the line manager asks the user questions that only the two of them would know. The questions provide the assurance, not the face or voice on the call, since both can be faked.
Awareness Training: Ensure staff can recognise social engineering tactics and verify unusual requests through secondary channels.
Call-Back Policies: Instruct employees to end calls and call back on numbers recorded internally.
Identity and Access Management (IAM) Controls: Do not allow helpdesk staff to reset passwords, re-enrol MFA devices or grant access on their own authority; require a secondary approval.
Monitoring and Reporting: Encourage prompt reporting of suspicious calls.
Trigger Alerts: Every password or MFA reset request, successful or not, should trigger a notification to the user’s registered email address or device, so they can see that someone is trying to reset their credentials and report it.
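The practices above can be enforced rather than merely documented. The following Python is an added example (not NCC Group’s code) that encodes the call-back, secondary-approval, alerting and monitoring rules as checks in a helpdesk reset workflow, and refuses a verification policy built on questions answerable from OSINT. The directory, names, phone numbers and the specific rule set are assumptions for illustration; a real implementation would sit in front of the identity provider’s reset and MFA-enrolment APIs.

```python
"""Helpdesk account-recovery workflow with the verification rules enforced in code.
Added example, not NCC Group code: directory, names, numbers and rule set are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed internal directory: the only source of numbers the helpdesk may dial.
DIRECTORY = {"adam": {"phone": "+44 20 7946 0001", "manager": "beth"}}
# Verification questions answerable from LinkedIn, the website or a call to reception.
OSINT_ANSWERABLE = {"job_title", "line_manager", "start_date", "office_location"}


class PolicyViolation(Exception):
    pass


@dataclass
class ResetRequest:
    user: str
    caller_number: str              # caller ID as presented; may be spoofed
    opened_at: datetime
    called_back: bool = False
    approved_by: Optional[str] = None
    notifications: List[str] = field(default_factory=list)


class Helpdesk:
    def __init__(self, directory, verification_questions):
        weak = OSINT_ANSWERABLE & set(verification_questions)
        if weak:
            raise PolicyViolation(f"verification relies on public facts: {sorted(weak)}")
        self.directory = directory
        self.audit = []  # (timestamp, user, action) records for the monitoring team

    def _notify(self, req, message, now):
        # Every request, successful or not, alerts the registered user.
        req.notifications.append(message)
        self.audit.append((now, req.user, "notified"))

    def open_request(self, user, caller_number, now):
        req = ResetRequest(user, caller_number, now)
        self.audit.append((now, user, "opened"))
        self._notify(req, "A password/MFA reset was requested for your account.", now)
        return req

    def call_back(self, req, number_dialled, now):
        """Dial only the number HR holds, never the caller ID shown or a number the caller gives."""
        if number_dialled != self.directory[req.user]["phone"]:
            self.audit.append((now, req.user, "callback_refused"))
            return False
        req.called_back = True
        self.audit.append((now, req.user, "called_back"))
        return True

    def approve(self, req, approver, now):
        if approver != self.directory[req.user]["manager"]:
            raise PolicyViolation(f"{approver!r} is not the recorded line manager")
        req.approved_by = approver
        self.audit.append((now, req.user, "approved"))

    def reset(self, req, now):
        """Helpdesk staff cannot complete a reset on their own authority."""
        if not (req.called_back and req.approved_by):
            self.audit.append((now, req.user, "denied"))
            self._notify(req, "Reset denied: verification incomplete.", now)
            return False
        self.audit.append((now, req.user, "completed"))
        self._notify(req, "Your password/MFA has been reset.", now)
        return True

    def requests_in_window(self, user, now, window=timedelta(hours=24)):
        """Repeated requests for one account look like someone probing the process."""
        return sum(1 for ts, u, action in self.audit
                   if u == user and action == "opened" and now - ts <= window)


def run_scenario():
    """A vishing-style request followed by a compliant one; returns the outcomes."""
    hd = Helpdesk(DIRECTORY, ["enrolment_passphrase"])  # assumed per-user secret
    t = datetime(2025, 11, 3, 10, 0)
    out = {}
    # Caller presents Adam's own number (spoofed) and wants a "new phone" enrolled.
    attempt = hd.open_request("adam", "+44 20 7946 0001", t)
    out["callback_to_callers_new_number"] = hd.call_back(attempt, "+44 7700 900123", t)
    out["reset_without_verification"] = hd.reset(attempt, t)
    out["alerts_to_adam"] = len(attempt.notifications)
    # Genuine request two hours later, handled by the book.
    t2 = t + timedelta(hours=2)
    genuine = hd.open_request("adam", "+44 7700 900999", t2)
    hd.call_back(genuine, DIRECTORY["adam"]["phone"], t2)
    hd.approve(genuine, "beth", t2)
    out["reset_after_verification"] = hd.reset(genuine, t2)
    out["requests_for_adam_today"] = hd.requests_in_window("adam", t2)
    try:
        Helpdesk(DIRECTORY, ["line_manager", "start_date"])
        out["public_fact_policy"] = "accepted"
    except PolicyViolation:
        out["public_fact_policy"] = "rejected"
    return out
```

Two design points are worth noting. The caller ID presented on the inbound call is recorded but never trusted: the only number the workflow will dial is the one in the directory, which is what defeats both spoofing and the “I’ve got a new phone” story. And the audit trail records the denied attempt as well as the completed one, so a second request for the same account inside a day is visible to whoever watches the helpdesk queue.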
As retail leaders have rightly pointed out, this is a sector that will always need to focus on the basics and on reducing its inherent vulnerabilities, from internal risks (high employee turnover, short-term or seasonal staff) through to the most sophisticated attacks.
Meanwhile, as technical controls improve at preventing phishing emails from landing and phishing training improves awareness among staff, threat actors are becoming more creative: the high-volume use of voice-based social engineering techniques makes this clear.
Without strict verification policies, ongoing and up-to-date staff training, and periodic social engineering assessments, threat actors can exploit weaknesses you might not yet have considered.
As retailers head into the golden quarter, attackers ramp up efforts to exploit vulnerabilities in busy, high-transaction environments.
Peak trading is your biggest opportunity and your biggest risk. To help retailers secure their golden quarter with confidence, NCC Group’s Retail Compromise Assessment helps you uncover hidden threats, validate your defences, and ensure your network is secure, so you can trade safely when it matters most. Learn more at nccgroup.com/retail-assessment
*******
Duncan McDonald has worked in the cyber security industry for over 20 years and has extensive experience designing, building, implementing, and running services to protect organisations across commercial sectors, critical national infrastructure, financial services, and Government.
Tim Rawlins has over 30 years of expertise in global security and is a Senior Advisor at NCC Group, where he works closely with Boards, executives, and senior leadership teams to address business risk and enhance operational resilience.