- Rising Calls and Losses: Vishing (voice phishing) is exploding worldwide. The FBI saw U.S. tech support scam complaints grow from 32,538 in 2022 ($806.6M in losses) to 37,560 in 2023 ($924.5M). Cybersecurity firms report vishing up by 260-442% year over year.
- AI & Deepfakes Fuel Growth: Scammers now use AI voice cloning. Over 10% of banks report deepfake vishing losses >$1M (avg. $600K). Deepfake-enabled fraud could hit $40B by 2027.
- Targets and Demographics: Financial execs and support staff are prime targets. U.S. seniors (60+) suffer most tech support scams, but younger adults are also vulnerable. Phones (smartphones especially) remain the preferred scam channel.
- Global Hotspots: Brazil and South Korea are hammered by vishing. Brazil’s 2024 scam losses neared $54B, and Korea saw ₩1 trillion ($718M) in voice phishing losses projected for 2025. Japan’s telecom fraud losses also rose 19% to ¥44.1B in 2023.
- Defenses and Training: Awareness pays off. Effective security training yields 37× ROI on average. Organizations use vishing simulations and incident plans to close gaps. With scams evolving, constant vigilance and penetration testing services that include voice phishing drills are essential.
Vishing (voice phishing), or phone-based social engineering, is no longer rare. These stats and trends highlight why leaders must track vishing data and strengthen defenses now.
What Is Vishing (Voice Phishing)?
Vishing is phishing via phone or voice call, where attackers impersonate trusted figures (e.g. tech support, banks, government) to extract money or data. It exploits the trust we put in hearing a live human voice.
Unlike email phishing, vishing creates urgency through conversation (e.g. "Your account is at risk, press 1 to verify"). Common scenarios include tech support scams claiming your device is infected or fake bank alerts. Attackers often spoof caller ID or use caller ID farming to appear legitimate.
Vishing has become more sophisticated: AI voice cloning lets scammers mimic real people’s voices from just a few seconds of audio. The result: highly convincing calls that even tech-savvy users might trust. In 2024, experts found voice phishing skyrocketed by 442% year over year, as attackers leverage AI and multi-channel tactics.
Understanding vishing trends is critical. These statistics show who is targeted, how much money is lost, and why we need new defenses like vishing simulation training and call authentication.
Why Vishing Statistics Matter in 2025
As of 2025, voice phishing is a top-tier threat for organizations. Recent data reveal:
- Rapid Growth: Quarterly reports show vishing incidents jumped 16% from Q3 to Q4 2023, and were nearly 260% higher than Q4 2022. Pcdn observed a 442% surge in vishing from H1 to H2 2024, highlighting a steep upward trend.
- Big Financial Impact: Annual losses hit the billions. In the U.S., vishing fraud cost Americans $29.8 billion in 2021, up 50% from 2020. FBI IC3 reports show tech support scams alone caused over $0.9 billion in losses in 2023. Globally, projections estimate $40 billion lost to deepfake-enabled scams by 2027.
- New Attack Techniques: The rise of AI means vishers now clone voices instantaneously. Hybrid attacks (e.g. email phishing followed by a trust-building call) are growing: about 6.1% of phishing campaigns in late 2023 used this TOAD approach. TOAD stands for Telephone-Oriented Attack Delivery; attackers combine text and voice.
- Who’s at Risk: Data show U.S. older adults (60+) account for 58% of tech support scam losses. But surveys indicate younger men (18-44) also frequently fall for vishing. Banks, finance teams, and customer support departments report being hit hardest. In Q4 2023, social media and financial industries were the most targeted sectors by voice scams.
- Regulatory & Global View: Countries are responding. South Korea saw voice scam losses reach ₩543.8B in 2022 and ₩447.2B in 2023, prompting discussions on bank liability. The UK and EU have beefed up telecom spoofing rules. In many developing countries (Brazil, Peru, Mexico, India), mobile phone scams are rampant and underreported.
These stats are a wake-up call. Vishing isn’t just a nuisance; it’s a vector causing massive breaches and financial loss. Tracking up-to-date vishing statistics and trends helps security teams tailor defenses and measure training effectiveness (e.g. using tools like the NIST Phish Scale to rate attack difficulty).
Key Vishing Trends and Data
Several authoritative reports and studies shine light on the vishing landscape:
- FBI IC3 Reports (USA): The FBI’s IC3 categorizes many phone scams under Tech/Customer Support and Government Impersonation. In 2022 there were 32,538 such complaints ($806.6M in losses), and in 2023 the count rose to 37,560 ($924.5M in losses). This 15% increase underscores growing phone scams in the U.S.
- APWG/OpSec: The Anti-Phishing Working Group reported voice phishing incidents increased 16% QoQ (Q3 to Q4 2023) and 260% YoY compared to Q4 2022. They also note hybrid email+voice (TOAD) attacks are emerging as a trend, used in 6% of campaigns by late 2023.
- Virginia Fusion Center: The 2025 Global Threat Report calls vishing a hands-on-keyboard favorite. It found vishing spiked 442% from H1 to H2 2024, largely due to AI-enhanced calls and callback phishing. This shift shows attackers leaning heavily into voice channels when social engineering emails get filtered.
- Group-IB: Security firm Group-IB’s research notes that every major financial institution saw fraud attempts involving deepfake voices. They estimate over 10% of banks have suffered deepfake vishing losses above $1 million, with an average loss of $600K per incident. They forecast deepfake fraud costs reaching $40B by 2027.
- Keepnet/Industry Surveys: Industry surveys fill gaps in public data. For instance, Keepnet Labs reports that 59.4 million Americans were vishing victims in 2021, and 2021 losses were $29.8B (avg. $502 loss per victim), up 50% from 2020. In other countries: Brazil’s overall scam losses hit $54B in 2024 (vishing a major part); Peru saw 12M spam calls in Oct 2021; Mexico 3.2M vishing calls (2021); India had one scammer making 202M spam calls in 2021.
- Demographics and Targets: Older Americans are prime victims: 40% of U.S. tech support scam victims are 60+, accounting for 58% of these losses. But businesses also face targeted attacks: Group-IB warns that CEOs and finance execs are often impersonated with cloned voices to trick treasury teams into large transfers. Manufacturing and customer support staff (19.2% and 11.5% vulnerability rates, respectively) also rank high.
- Pandemic Effect: COVID-19 brought new schemes: 59% of Americans got COVID-related scam calls in 2021 (up from 44% in 2020). Remote work tech support scams boomed. As email filters tightened, vishing thrived by exploiting trust in human voice during uncertain times.
- Global Hotspots: High smartphone penetration correlates with vishing. Brazil is often cited as most spammed country, with 94% of Brazilians reporting monthly scam attempts. South Korea’s NPA data show voice phishing losses reached ₩543.8B in 2022 ($436M) and ₩447.2B ($359M) in 2023; 2025 losses are on track to top ₩1 trillion ($718M). Japan’s telecom fraud cost jumped 19% to ¥44.1B ($295M) in 2023.
Vishing vs Other Channels (Email Phishing, Smishing)
Aspect | Vishing (Voice) | Phishing (Email) | Smishing (SMS) |
---|---|---|---|
Delivery Method | Phone/VoIP call, live conversation | Email links, attachments | SMS text messages |
Trust Factor | Higher (sounds human, urgent tone) | Lower (spam filters, links) | Medium (texts often seen as direct) |
Typical Pretext | Support calls, payment requests | Bank alerts, login notices | Delivery updates, one-time codes |
Target Profile | All ages (seniors high risk) | Broad (all demographics) | Mobile users, often younger adults |
Detection | Harder (caller ID spoofing) | Many tools/filters available | Growing awareness, but still rising |
Prevention | Caller ID auth, training, call blocks | Email filters, training | Spam blocking, user caution |
AI, Deepfake, and Hybrid Vishing
A key 2025 trend is AI-powered vishing. Advances in speech synthesis mean attackers can clone any voice with minimal audio samples. Group-IB notes that today’s deepfake voices bypass traditional voice filters and can trick employees into wire transfers because they appear so genuine. In Asia Pacific, deepfake scams exploded (a 194% surge in 2024). One survey says over 10% of banks have lost >$1M each to a deepfake call.
Phishers also combine channels in hybrid attacks. A common scheme starts with a bogus email (e.g. fake invoice or alert), then follows up with a call from support to harvest info. These TOAD (Telephone-Oriented Attack Delivery) attacks are on the rise: in late 2023, 6% of phishing campaigns used hybrid email+voice tactics. The idea is to build credibility via one channel and then exploit another.
Myth vs Fact (Vishing Edition)
- Myth: Vishing is easy to spot because scammers never know personal details. Fact: Modern vishers gather info online or clone voices, making scams very convincing. They often reference real recent events (e.g. order shipments, COVID-19 programs) to seem legitimate.
- Myth: Only seniors fall for phone scams. Fact: While older adults are heavily targeted, studies show younger adults (18-44) often slip up too. In 2021, 59.4% of vishing victims were male, many under 45.
- Myth: Caller ID spoofing protections make vishing rare. Fact: Vishing still works because many people trust numbers or use landlines. Even with new ID authentication standards, the volume of spoofed calls is high.
How to Prevent Vishing Attacks: A Step by Step Guide
Defending against vishing requires training, tech, and processes. Follow these steps to bolster your defenses:
- Employee Awareness Training: Conduct regular training that includes voice phishing scenarios. Use vishing simulation tools to test and reinforce learning. Effective programs can cut susceptibility by 80%.
- Phishing Scale Metrics: Use the NIST Phish Scale to rate call difficulty and tailor your simulations. Calibrate training starting from simple scripts (low difficulty) to highly personalized calls (high difficulty).
- Verify Before You Trust: Establish a strict verification process: e.g., call back known company numbers instead of using a provided one. Train staff to never give out personal or financial info over an unsolicited call.
- Multi-Layered Security: Implement call blocking and robocall filtering technologies at the network level. Use behavioral analytics to flag unusual call patterns (e.g. many calls requesting wire transfers). Ensure authentication systems like secure IVRs are hardened.
- Incident Response Plan: Have a clear vishing incident response plan. This should cover how employees report suspicious calls, how IT investigates, and how to notify affected parties. Integrate this into broader cybersecurity and compliance procedures (e.g. HIPAA/PCI/DORA regulations may require this).
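The callback-verification and call-pattern steps above can be written as a small review over call records. This is an added example, not DeepStrike's tooling: the directory, the record fields, the one-hour window and the burst threshold are all assumptions, and the call log is constructed.

```python
from datetime import datetime, timedelta

# Hypothetical directory of verified callback numbers, keyed by claimed identity.
DIRECTORY = {"cfo": "+15550100", "helpdesk": "+15550101"}
SENSITIVE = {"wire_transfer", "password_reset"}

# Constructed call log, in time order: time, caller ID, claimed identity,
# callback number offered by the caller (or None), and the request made.
CALLS = [
    ("2025-03-03 09:02", "+15550100", "cfo", None, "wire_transfer"),
    ("2025-03-03 09:15", "+15557001", "helpdesk", "+15557001", "password_reset"),
    ("2025-03-03 09:20", "+15550100", "cfo", None, "wire_transfer"),
    ("2025-03-03 09:41", "+15557002", "cfo", "+15557002", "wire_transfer"),
    ("2025-03-03 14:30", "+15550101", "helpdesk", None, "status_update"),
]

def review_calls(calls, directory=DIRECTORY, window=timedelta(hours=1), burst=3):
    """Return one (reasons, required_action) finding per call record."""
    findings, wire_times = [], []
    for ts, caller_id, claimed, offered, request in calls:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        known = directory.get(claimed)
        # A callback number supplied by the caller is never trusted on its own.
        if offered and offered != known:
            reasons.append("callback number not in directory")
        if request == "wire_transfer":
            # Sliding window: keep wire requests within `window` of this call.
            wire_times = [t for t in wire_times if when - t <= window] + [when]
            if len(wire_times) >= burst:
                reasons.append(f"{len(wire_times)} wire requests within window")
        # Caller ID can be spoofed, so a matching caller ID never clears a
        # sensitive request; it is always verified via the directory number.
        if request in SENSITIVE:
            action = f"call back {known}" if known else "escalate: unknown identity"
        else:
            action = "none"
        findings.append((reasons, action))
    return findings

if __name__ == "__main__":
    for call, (reasons, action) in zip(CALLS, review_calls(CALLS)):
        print(call[0], call[2], call[4], "|", "; ".join(reasons) or "-", "|", action)
```

Note that the first call shows a caller ID matching the directory and still requires a callback, since the check treats caller ID as untrusted input.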
Performing penetration testing that includes phone-based social engineering is also critical. DeepStrike’s penetration testing services include red team calls to expose weak spots in your human defenses. By embedding these scenarios in tests, you learn how real attackers exploit phone channels.
Vishing is a rapidly growing cyber threat that demands attention. The statistics above (rising incident counts, soaring losses, and advancing attack methods) show that voice phishing is no longer a fringe issue. Organizations and individuals must stay vigilant.
Key Takeaways:
- Voice phishing incidents are climbing dramatically. Losses are already in the billions annually.
- AI-enabled deepfakes have made vishing far more convincing and dangerous.
- Training and testing are effective countermeasures. Companies that invest in staff awareness see up to 37× ROI while drastically reducing their risk.
Ready to Strengthen Your Defenses? The threats of 2025 demand more than just awareness; they require readiness. If you're looking to validate your security posture, identify hidden risks, or build a resilient defense strategy, DeepStrike is here to help.
Our team provides clear, actionable guidance to protect your business. Explore our penetration testing services to see how we can uncover vulnerabilities (including vishing) before attackers do. Drop us a line; we’re always ready to dive in.
About the Author: Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.
FAQs
- What is the difference between vishing, phishing, and smishing?
- All three are social engineering scams but use different media. Phishing uses email, smishing uses SMS/text, and vishing uses voice calls.
- Vishing can feel more urgent because it involves live conversation, making it harder to ignore.
- Why are vishing attacks increasing now?
- Vishing is rising because phone scams are lucrative and trust in calls remains high. Advances in AI voice cloning make scams easier to pull off.
- Criminals have also adapted post-pandemic, exploiting the remote work environment and overtaxed support lines.
- How can I recognize a vishing call?
- Common red flags include unsolicited requests for sensitive info, high-pressure language ("act now!"), and offers that sound too good.
- Also watch for caller ID spoofing (numbers you know, but the call doesn’t match). If asked to pay by gift card or cryptocurrency, that’s a scam.
- How do I report a vishing incident?
- If you believe you’ve been targeted by vishing, report it immediately to the FBI’s IC3 (Internet Crime Complaint Center).
- You can also notify your local authorities and regulators (e.g. FTC in the U.S., Action Fraud in the U.K.).
- Many banks and telecoms have anti-fraud hotlines as well. See guide on how to report vishing to FBI IC3 for details.
- What is a TOAD attack?
- TOAD (Telephone-Oriented Attack Delivery) is a hybrid scam combining email and phone.
- The attacker might send a phishing email and then follow up with a convincing phone call about that email.
- According to APWG, hybrid vishing is an emerging tactic, seen in about 6% of recent phishing campaigns.
- Are deepfake voices a real threat in vishing?
- Yes. Scammers can now clone any voice to sound like a boss or relative.
- According to industry reports, deepfake vishing scams have caused million-dollar losses for businesses.
- Always verify surprising requests like urgent wire transfers through a second channel, even if you hear your CEO’s voice.
- Does HIPAA or GDPR cover vishing?
- While not named explicitly, GDPR/HIPAA frameworks expect organizations to protect personal data and train employees.
- Failing to defend against vishing that leads to breaches of health or personal info can be seen as non-compliance.
- Security training (including vishing) and breach response plans are part of these regulations.
- See our HIPAA penetration testing checklist for guidance on including social engineering.