Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Business professional using Microsoft Teams Phone for cloud-based calling

What is vishing? The phone scam that bypasses your MFA

Vishing — short for “voice phishing” — is a social engineering attack delivered by phone call or voicemail. Instead of a dodgy email with a suspicious link, the attacker rings you directly and impersonates someone you trust: your IT helpdesk, your bank, or a vendor. The goal is the same as any phishing attack — steal credentials, authorise access, or extract sensitive data — but using voice makes it harder to spot and easier for the attacker to adapt in real time.

Why vishing works so well

Email phishing has become familiar enough that most people know to check for red flags. A phone call is different. When someone rings claiming to be from IT support and says your account has been compromised, the pressure feels immediate. There’s no URL to hover over, no sender address to inspect. The attacker can adjust their story on the fly based on your responses, making the conversation feel natural. Critically, vishing attacks now target multi-factor authentication (MFA) directly — the attacker talks you into approving an MFA prompt, reading out a one-time code, or enrolling their device into your account.

A real-world example: the Helix group

A threat group called Helix, recently documented by BleepingComputer, is using exactly this approach. They cold-call employees pretending to be IT support, convince them to install remote access tools, then use that access to steal data from SharePoint and OneDrive. The calls are convincing because the attackers do their homework — they know the target’s name, role, and enough about the company to sound legitimate. MFA doesn’t stop this because the victim willingly grants access during the call.

How to protect your business

MFA is still essential, but it’s not a complete defence against vishing. The real protection comes from combining technical controls with staff awareness.

On the technical side, disable legacy authentication methods like device code authentication flows that attackers exploit. Restrict SharePoint and OneDrive access to managed, compliant devices only — if an attacker can’t register their own device, stolen credentials are less useful. Use conditional access policies to block sign-ins from unusual locations or unrecognised devices.

On the people side, train your team to recognise vishing patterns. Legitimate IT support will never cold-call and ask you to install remote access software. If someone calls asking for credentials or MFA approval, hang up and call your IT provider on a known number. This verification step — calling back on a number you already trust — defeats the entire attack.

For Australian businesses, especially those handling sensitive client data under the Privacy Act, a successful vishing attack that leads to a data breach triggers mandatory notification obligations under the Notifiable Data Breaches scheme. Prevention is far cheaper than the alternative.

If you’d like help tightening your conditional access policies or running security awareness training for your team, get in touch.

Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →