Voice phishing (sometimes called vishing) is a form of criminal fraud in which an attacker attempts to gain access to personal or financial information over a telephone system. Because phone systems themselves are still considered to be a secure form of communication, these attacks take advantage of people's trust to manipulate the target into revealing the desired information.
Usually the attacker will attempt to impersonate a legitimate caller such as a customer, a support service or even a government official. If done correctly, the target has no idea a breach has occurred and believes the call to be a normal everyday transaction. This is why it is critical to make staff aware of this danger and to perform testing to ensure staff follow correct procedures and work with an adequate level of diligence, especially when working with confidential data.
A voice phishing assessment attempts to gain information over the phone, utilising a range of techniques and targets, to test users' response to the attack and to see what information can be gathered.
Voice phishing assessments are often performed in concert with social engineering tests and traditional penetration tests to allow a full end-to-end test of the possible threat to the business. It can often be the case that a password gained through a voice phishing attack can then be used in a social engineering engagement or internal penetration test to access an otherwise protected system.