Decoded: six figures in security. One phone call... embarrassing! Prove me wrong 😶

So, Mandiant dropped M-Trends this week. Bet you can guess who’s on top?
Voice phishing: 11% of all investigated incidents in 2025 – while email phishing scores 6%.

Read that again: the attack vector the entire awareness training industry was built around is now responsible for less than one in fifteen intrusions. Meanwhile the one that requires a human to pick up a phone, stay calm, say the right thing under pressure, and not hand over a one-time passcode to a stranger, that one is surging.

And most companies are still running the same email phishing module they bought three years ago – ok, I won’t talk about that until next time.
Buuuut, that program is getting it wrong, lemme show you.

Here is what the current version of the attack looks like, because it is worth being specific.
An employee gets a voicemail.
Their account is flagged.
Their access will be suspended unless they verify within the hour.
The voice sounds like support.
The urgency is precise, not panicked, delightfully calibrated – the kind of calm authority that makes people comply before they think.

They call back.

What happens next depends on how much effort the attacker wants to spend.
In the simple version, they reach a fake support agent, AI-driven or a low-skill human with a script, who walks them through verification: name, employee ID and the code that just arrived by SMS. The employee reads it out loud. The attacker uses it before the call ends.

In the more patient version, the telephony layer is set up to intercept OTP messages in real time while the victim stays on the line. The employee never knows and the attacker is already in before the call disconnects.

No sophisticated capability required: the voice tools are commercial.
The script takes an afternoon to write and the telephony infrastructure to route calls and intercept codes can be rented by anyone with a browser and a prepaid card. Also, Mandiant noted that these techniques were pioneered by groups like Scattered Spider and The Com – what those groups developed as specialist tradecraft is now a commodity, the barrier came down… it is not coming back up.

Ok then, this is the part that should make each and every security team uncomfortable in their shirt: the companies that absorbed the most damage in 2025 were not breached because their firewall failed; they were breached because someone in the company picked up a phone and did exactly what a normal, helpful, slightly stressed employee does when someone who sounds like IT calls and asks for help. They helped.

That person was never tested, nobody ran a vishing simulation against them and nobody put them in a controlled scenario where they felt the pressure of a convincing caller and had to make a decision in real time. They had completed the email phishing module (GGWP) and they knew not to click suspicious links. They had no idea what to do with a voice – a convincing voice.

After all, hey, not their fault.
It is the fault of every security program that treated awareness as a content delivery problem – things like watch the video, pass the quiz, earn a badge, move on.
Actually, the quiz does not simulate pressure and the video does not teach someone how their own nervous system responds when a caller is patient, authoritative, and knows their manager’s name.

Untested IS NOT neutral.
Untested IS a person who has a self-assessment and no evidence. And self-assessments, in the context of social engineering, are optimistic by default.

Now the strictly personal part: I received a phone call and did not pick up (I never pick up numbers I do not know).
Generally, spam and AI-powered calls quit their job whether the user answers (scores positive, aka valid number, call again) or not (scores negative, aka not valid number, skip it); that was the very first time they left a message on the voicemail.

I felt like “hey, what the heck!”.
No precision, no names, no brands. Just a French-speaking female voice warning that my number would be terminated (how rude!) and that I had to press “2” to avoid this loss.
#funfact: after the voice said “press 2”, there was a recording of a voicemail tone... phreaking vibes, dudes!

So, for me or for every business, six figures in tools is not a security posture. It’s a fucking good starting point.
Always remember that the phone call that ends a Tuesday afternoon (worst case, a Friday) badly does not care about the firewall.

Prove me wrong or I’ll pay a ginger shot!
