0414352401
We service Australia wide Sydney - Melbourne - Brisbane
VoIP Systems - Office phones - NBN Phone Systems - Small Business Phone systems - Australia
22/9/2025


VoIP and Phishing: How Criminals Use Calls to Trick Your Team

Phone calls feel personal and urgent — which is exactly why criminals use them. With VoIP, attackers have cheaper, easier ways to impersonate suppliers, spoof numbers, and launch voice-based scams that fool even experienced staff. Vishing (voice phishing) and related tactics now sit alongside email phishing as a top risk for businesses.
This article explains how criminals use VoIP to trick teams, what the consequences look like for Australian businesses, and a clear, practical playbook of technical controls, processes and staff behaviours that block those attacks.

Table of Contents
  1. What is vishing and why VoIP makes it easier
  2. Common vishing techniques used against businesses
  3. Real risks and business impacts (Australian context)
  4. Detection signals — how to spot a fraudulent call
  5. Practical technical controls to reduce risk
  6. Operational controls and staff processes (including scripts)
  7. Incident response: what to do if a call is suspicious or successful
  8. FAQs

1. What is vishing and why VoIP makes it easier
Vishing is voice-based social engineering where attackers use phone calls to trick people into revealing credentials, transferring money, or approving changes. VoIP lowers the barrier for attackers because it:
  • Lets them make large volumes of low-cost calls.
  • Makes number spoofing and caller ID manipulation easier.
  • Allows attackers to host infrastructure (softphones, bots, cloud PBX) cheaply.
  • Integrates with other attack channels (email, SMS) for convincing multi-channel fraud.
In short: VoIP doesn’t create new tricks so much as make old tricks cheaper and more scalable.

2. Common vishing techniques used against businesses

Caller ID spoofing
Attackers falsify the displayed number so a call looks like it’s coming from a bank, supplier, government agency, or even your CEO.
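To make the point concrete, here is an added example (not code from the original article or from any PBX vendor) showing where the displayed number actually comes from. On a SIP trunk the name and number your phone displays are taken from the From header, which is plain text written by whoever placed the call. Some carriers add a P-Asserted-Identity header (RFC 3325) carrying the identity they have verified on their side; the script builds a constructed INVITE, parses both headers, and flags calls whose displayed identity does not match the carrier-asserted one or the number on file for a supplier of that name. The trunk domain, numbers, supplier list and the assumption that the carrier strips any caller-supplied P-Asserted-Identity are all made up for this example; whether your provider asserts identity at all is provider-specific.

```python
import re

# Constructed values for this example only; not real numbers, domains or suppliers.
TRUSTED_TRUNK_DOMAIN = "trunk.example.net"     # host our carrier uses when it asserts identity
KNOWN_SUPPLIERS = {"acme bank": "1300000000"}  # numbers on file, keyed by lower-case name


def build_invite(display_name, from_user, asserted_user=None):
    """Build a minimal constructed SIP INVITE.

    From is free text chosen by the caller. P-Asserted-Identity (RFC 3325) is
    what a trusted carrier inserts, if it does; here we assume the carrier strips
    any P-Asserted-Identity the caller supplied and adds its own on TRUSTED_TRUNK_DOMAIN.
    """
    lines = [
        "INVITE sip:+61298765432@pbx.example.com.au SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK776asdhds",
        f'From: "{display_name}" <sip:{from_user}@203.0.113.77>;tag=1928301774',
        "To: <sip:+61298765432@pbx.example.com.au>",
    ]
    if asserted_user:
        lines.append(f"P-Asserted-Identity: <sip:{asserted_user}@{TRUSTED_TRUNK_DOMAIN}>")
    lines += ["Call-ID: a84b4c76e66710@203.0.113.77", "CSeq: 314159 INVITE", "Content-Length: 0", ""]
    return "\r\n".join(lines) + "\r\n"


def parse_headers(message):
    """Return {lower-case header name: value} for the first occurrence of each header."""
    headers = {}
    for line in message.split("\r\n")[1:]:  # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


IDENTITY_RE = re.compile(r'(?:"(?P<name>[^"]*)"\s*)?<sip:(?P<user>[^@>]+)@(?P<host>[^;>]+)>')


def parse_identity(value):
    """Split a From / P-Asserted-Identity value into (display name, user part, host)."""
    m = IDENTITY_RE.search(value or "")
    return (m.group("name"), m.group("user"), m.group("host")) if m else (None, None, None)


def assess_caller_id(message):
    """Compare the caller-chosen identity with the carrier-asserted one and the number on file."""
    h = parse_headers(message)
    name, from_user, _ = parse_identity(h.get("from"))
    _, pai_user, pai_host = parse_identity(h.get("p-asserted-identity"))
    # Only trust P-Asserted-Identity that our own carrier inserted.
    asserted = pai_user if pai_host == TRUSTED_TRUNK_DOMAIN else None
    flags, suspicious = [], False
    if asserted is None:
        flags.append("no carrier-asserted identity; displayed number is unverified")
    elif asserted != from_user:
        flags.append(f"displayed number {from_user} differs from carrier-asserted {asserted}")
        suspicious = True
    on_file = KNOWN_SUPPLIERS.get((name or "").lower())
    if on_file and (asserted or from_user) != on_file:
        flags.append(f"claims to be {name!r} but the number on file is {on_file}")
        suspicious = True
    # "consistent" only means caller and carrier agree; it is still not proof of who is calling.
    verdict = "suspicious" if suspicious else ("unverified" if flags else "consistent")
    return {"display_name": name, "from": from_user, "asserted": asserted,
            "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    spoofed = build_invite("Acme Bank", "1300000000", asserted_user="+15550100123")
    for k, v in assess_caller_id(spoofed).items():
        print(f"{k}: {v}")
```

Even a “consistent” result is an indicator, not proof: it only means the caller and the carrier agree on the number, which is why a call-back on a number you already hold is still required before acting on any sensitive request.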

Impersonation of suppliers or IT
“Hi, this is Telco Support / Xero / your cloud provider. There’s an issue with your account.” The aim is to get credentials, MFA codes, or permission to change settings.

Invoice and payment scams
Caller claims an invoice is overdue and requests an immediate transfer to a “new” bank account. When combined with an email invoice, the scam looks legitimate.

Callback scams
A phishing email asks the recipient to call a number. When they do, the attacker uses social engineering to extract details or authorise payments.

Voicemail and missed-call traps
Automated messages ask staff to call back or press a number to confirm a delivery—used to harvest responses or confirm active numbers for follow-ups.

Deepfake and AI voice impersonation
Rising risk: attackers can synthesize a manager’s voice to order payments or change banking details. It’s rare today but growing more accessible.

3. Real risks and business impacts (Australian context)
  • Financial loss from fraudulent transfers or toll fraud (attackers using your trunks or extensions to make premium-rate or international calls at your expense).
  • Data breaches when credentials are handed over.
  • Regulatory exposure under the Privacy Act 1988 if personal or health data is leaked.
  • Operational disruption if attackers change VoIP settings, disable lines, or launch DDoS.
  • Reputational damage if clients’ sensitive info is exposed or fraud affects customers.
Examples: accounting and legal firms risk client confidentiality; retail/hospitality can be hit with fake supplier invoices; councils and local government face impersonation attempts tied to grants or emergency communications.

4. Detection signals — how to spot a fraudulent call
Train staff to look for quick, observable signs:
  • The caller presses for urgency (“Do this now or penalties apply”).
  • They ask for credentials, MFA codes, or one-time passwords.
  • The number displayed doesn’t match the organisation they claim to be, or it’s a local number that’s unexpected.
  • Requests to change bank details or approve out-of-hours transfers.
  • Callers who refuse verification or get defensive when you verify them.
  • Unusual phrasing or someone who says “I’ll send an email” but the email uses strange domains.
If something feels off, treat the call as suspicious — verification is allowed and encouraged.

5. Practical technical controls to reduce risk
Enforce TLS + SRTP
Encrypt signalling (SIP over TLS) and media (SRTP) so attackers on the network path can’t read credentials, listen to calls, or replay sessions. Note the limit of this control: it protects the wire, not the person. A vishing call that arrives over an encrypted trunk still shows whatever caller ID the attacker chose, so encryption complements the verification process below rather than replacing it.

Use a Session Border Controller (SBC)
SBCs hide internal addressing, filter malformed SIP traffic, and provide an extra layer against spoofing and DDoS.

Deploy spam SIP/robocall filtering
Block known bad IPs and use reputation-based SIP filters to drop obvious bot traffic.

Restrict outbound destinations and set spend caps
Block international destinations you never call; set hard monthly or per-extension spend limits to stop toll fraud from running up big bills.

Require strong auth and 2FA for admin access
Admin portals are a prime target—lock them down with multi-factor and IP restrictions.

Monitor and alert on anomalies
Alert on bursts of outbound calls, high-cost destinations, or many failed authentication attempts.

Harden device configurations and update firmware
Disable default accounts, remove unused services, and patch regularly.

Use CDR/recording retention & audit trails
Maintain logs so you can quickly review what happened after a suspicious event.
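The two controls above that lend themselves to automation, outbound destination restriction with spend caps and anomaly alerting, are illustrated by this added example (not code from the original article or from any PBX product). It runs a small pre-call policy gate and an after-the-fact review over constructed CDR records and SIP registration log lines; the CDR layout, log format, call rates, thresholds and numbers are all assumed for illustration, and in production you would feed it your PBX or provider’s CDR export instead. The sample data tells the story this article warns about: a run of failed REGISTER attempts from one address until one succeeds, followed ten minutes later by a burst of expensive international calls from the extension whose password was guessed.

```python
import math
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy values for this example; tune them to your own traffic. Not vendor defaults.
ALLOWED_PREFIXES = ("+61", "+64")              # Australia and New Zealand only; all else blocked
RATE_PER_MIN_AUD = {"+61": 0.05, "+64": 0.10}  # assumed per-minute rates by longest prefix
DEFAULT_INTL_RATE_AUD = 2.50                   # assumed rate for any other destination
DAILY_CAP_AUD = 20.0                           # per-extension daily spend cap
BURST_CALLS, BURST_WINDOW_S = 5, 60            # 5 or more outbound calls within 60 s
FAILED_AUTH_LIMIT = 5                          # failed SIP authentications per source IP

# Constructed sample data (not from a real PBX).
# CDR fields: (timestamp, extension, dialled number in E.164, billed seconds)
SAMPLE_CDRS = [
    ("2025-09-22 02:10:01", "201", "+61298765432", 120),
    ("2025-09-22 02:10:05", "201", "+2527000000001", 600),
    ("2025-09-22 02:10:09", "201", "+2527000000002", 600),
    ("2025-09-22 02:10:13", "201", "+2527000000003", 600),
    ("2025-09-22 02:10:18", "201", "+2527000000004", 600),
    ("2025-09-22 02:10:22", "201", "+2527000000005", 600),
    ("2025-09-22 09:30:00", "105", "+61412345678", 45),
    ("2025-09-22 10:15:00", "105", "+6449000000", 300),
]
# Registration attempts in an assumed one-line-per-attempt format.
SAMPLE_AUTH_LOG = [
    "2025-09-22 01:59:50 REGISTER ext=201 src=203.0.113.9 result=FAIL",
    "2025-09-22 01:59:51 REGISTER ext=201 src=203.0.113.9 result=FAIL",
    "2025-09-22 01:59:52 REGISTER ext=201 src=203.0.113.9 result=FAIL",
    "2025-09-22 01:59:53 REGISTER ext=201 src=203.0.113.9 result=FAIL",
    "2025-09-22 01:59:54 REGISTER ext=201 src=203.0.113.9 result=FAIL",
    "2025-09-22 01:59:55 REGISTER ext=201 src=203.0.113.9 result=OK",
    "2025-09-22 08:00:12 REGISTER ext=105 src=198.51.100.4 result=OK",
]
AUTH_LINE_RE = re.compile(r"src=(?P<src>\S+)\s.*\bresult=(?P<result>\S+)")


def call_cost_aud(number, seconds):
    """Estimate cost using the longest matching rate prefix, billed per started minute."""
    prefix = max((p for p in RATE_PER_MIN_AUD if number.startswith(p)), key=len, default=None)
    rate = RATE_PER_MIN_AUD[prefix] if prefix else DEFAULT_INTL_RATE_AUD
    return math.ceil(seconds / 60) * rate


def outbound_policy(number, spent_today_aud, est_minutes=10):
    """Pre-call gate: deny blocked destinations and calls that would breach the daily cap."""
    if not number.startswith(ALLOWED_PREFIXES):
        return False, "destination not in allowlist"
    if spent_today_aud + call_cost_aud(number, est_minutes * 60) > DAILY_CAP_AUD:
        return False, "daily spend cap would be exceeded"
    return True, "ok"


def review_cdrs(cdrs):
    """After-the-fact monitor: alerts on blocked destinations, cap breaches and call bursts."""
    alerts, spent, capped = [], defaultdict(float), set()
    windows = defaultdict(deque)  # extension -> timestamps of recent outbound calls
    for ts, ext, number, seconds in sorted(cdrs):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not number.startswith(ALLOWED_PREFIXES):
            alerts.append(("blocked_destination", ext, number))
        spent[ext] += call_cost_aud(number, seconds)
        if spent[ext] > DAILY_CAP_AUD and ext not in capped:   # alert once per extension
            capped.add(ext)
            alerts.append(("spend_cap", ext, f"AUD {spent[ext]:.2f}"))
        w = windows[ext]
        w.append(t)
        while (t - w[0]).total_seconds() > BURST_WINDOW_S:      # slide the window
            w.popleft()
        if len(w) >= BURST_CALLS:
            alerts.append(("burst", ext, f"{len(w)} calls in {BURST_WINDOW_S}s"))
            w.clear()                                           # one alert per burst
    return alerts


def review_auth_log(lines):
    """Alert on source addresses with repeated failed SIP authentications."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("src")] += 1
    return [("failed_auth", src, f"{n} failures")
            for src, n in failures.items() if n >= FAILED_AUTH_LIMIT]


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_AUTH_LOG) + review_cdrs(SAMPLE_CDRS):
        print(*alert)
    print(outbound_policy("+2527000000006", spent_today_aud=0.0))
```

The ordering matters in practice: the failed_auth alert fires at 01:59, ten minutes before the first fraudulent call, so an alert wired to your on-call channel gives you a window to lock the extension before the spend cap is reached. The policy gate is the cheaper control, since a blocked destination never becomes a CDR at all.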

6. Operational controls and staff processes (including scripts)
Technical controls will help, but the human layer is the one attackers exploit. Combine technology with clear processes.
Verification protocol (3-step script staff can use)
  1. Pause and state policy: “I’m happy to help — our policy is to verify any request for sensitive info. May I call you back on the number we have on file?”
  2. Verify via a trusted channel: call the supplier’s published number, check their account portal, or use a verified email address.
  3. Confirm in writing: get the request repeated via company email before actioning payments or account changes.
Sample “call-back” response for reception or accounts staff
“Thank you. Our policy requires us to confirm any change to payment details. I’ll call back on the number listed on your invoice. Please expect a verification call shortly.”

Segregation of duties for payments
Require two people to approve payment changes: one to verify and one to execute.
Daily briefing & micro-training
5–10 minute refreshers before busy periods (payroll, EOFY) highlighting common scams and any new threats.

Locked changes for telephony admin
Changes to trunks, routing, or PINs must be authorised by at least two identified admins and logged.

7. Incident response: what to do if a call is suspicious or successful
If you suspect an attack:
  1. Stop any action (don’t transfer money, don’t disclose more data).
  2. Isolate: suspend the affected account or extension.
  3. Verify: use official channels to contact the purported caller organisation.
  4. Collect logs: export CDRs, recordings, and admin logs.
  5. Notify: your VoIP provider, your bank (if payments involved), and IT/security.
  6. Report: for Australian businesses, consider reporting to the Australian Cyber Security Centre (ACSC) through ReportCyber (the portal that replaced ACORN) and to your local police if fraud occurred. You can also report scams to Scamwatch (ACCC).
  7. Remediate: rotate credentials, revoke compromised tokens, apply patches, adjust routing/blocks.
  8. Review & train: run a short post-incident drill and share learnings with staff.
Fast action limits damage and helps with recovery and any insurance claims.

8. FAQs
Q: Can caller ID be fully trusted?
No. Caller ID can be spoofed. Treat it as an indicator, not proof. Always verify independently for sensitive requests.
Q: Are mobile VoIP apps safer than regular mobile calls?
They can be — if they use TLS/SRTP, enforced device management, and VPNs. But the app is only as secure as the phone and network it runs on.
Q: Will blocking international calls stop vishing?
It reduces a large class of fraud (toll scams) but won’t stop targeted social-engineering calls that use local numbers or impersonate local suppliers.
Q: How real is the deepfake voice risk?
It’s real and growing. Combine voice verification with out-of-band checks (call-backs, written confirmations) for high-risk transactions.

Conclusion
Vishing uses human trust as its entry point. VoIP makes the attacker’s job easier, but most successful attacks still come down to a few predictable failures: weak verification processes, default credentials, permissive outbound rules, and lack of basic monitoring.
Fix the basics first: enforce encryption and 2FA, limit what extensions can do, monitor for odd patterns, and teach staff a simple verification script to use every time a caller asks for money, credentials, or configuration changes. Those measures will stop most attackers before they get in.
If you want help testing your VoIP setup for these risks or rolling out staff training and protective controls, contact us and we’ll run a practical security check tailored to your business.