
Vishing: this is how to protect your business from telephone fraud

Vishing is affecting more and more Belgian companies. Discover the 5 scenarios, the impact of AI voice clones and concrete protection measures for your organization.
Image: an employee hangs up and looks up the official number as protection against vishing telephone fraud.

Vishing is telephone fraud in which criminals pose as your bank, IT supplier or management to extract sensitive information or payments. In Belgium, €49 million was stolen through phishing and related techniques in 2024. Businesses are a growing target: real-time voice manipulation bypasses spam filters and gives victims no time to think. Protection starts with procedures, not technology.

Your chief financial officer receives a phone call. The voice on the other end sounds professional, knows the company by name and refers to a pending invoice. “There’s a problem with the payment, I’ll send you the correct details in a moment.” Sound believable? That’s exactly what makes vishing so dangerous. In Belgium, Febelfin reported that cybercriminals stole about 49 million euros in 2024 through phishing and related techniques, including telephone fraud. Safeonweb published a specific warning about the rise of vishing in January 2026. And while most protection advice focuses on consumers, businesses remain conspicuously unprotected. This article fills that gap.

What is vishing and why is it more effective than email?

Vishing is a contraction of “voice” and “phishing”: fraud via telephone calls in which the caller pretends to be a trusted party. It is a specific form of social engineering, the collective term for manipulation techniques that abuse human psychology to gain access to systems, premises or information.

What distinguishes vishing from classic e-mail phishing is its real-time nature. With an e-mail, you can pause, think and check the sender. With a phone call, the attacker sets the pace. The tone of voice, choice of words and apparent knowledge of your business create a sense of legitimacy that is hard to resist. Spam filters, which stop many of the attacks in e-mail phishing, are virtually powerless in telephone fraud.

Internationally, researchers report that vishing attacks rose 449% in 2025 compared with the previous year. That explosive growth is no accident: as technical security measures improve email filtering, criminals seek the path of least resistance, and that is the phone line.

Want to know more about the broader world of manipulation techniques? Then read our article on the 7 most common phishing variants that enter through digital channels.

The vishing wave in Belgium: why 2026 threatens to be a record year

The figures for the Belgian market are worrisome. Safeonweb received nearly 10 million reports of suspicious messages in 2025, an average of 26,000 per day. The CCB (Centre for Cybersecurity Belgium) also identifies a growing combination of vishing and smishing to intercept two-factor authentication codes, something that purely digital phishing cannot achieve on its own.

Febelfin confirms that banks detect, block or recover 75% of fraudulent transfers, but that the remaining 25% still amounted to 49 million euros in 2024. Their research with Indiville shows that 13% of Belgians have already become victims of phishing. In February and March 2026, both the CCB and Safeonweb specifically warned of a vishing wave: victims receive a call from a Belgian mobile number, a robotic voice announces a fictitious payment of 2,600 euros, after which the caller insists on sharing bank details to “block” the transaction.

At the regional level, police figures confirm the scale of the problem. In the Brussels police zones of Marlow and Montgomery, 120 acts of help desk fraud were recorded in 2025 alone. In the Geel-Laakdal-Meerhout zone, police recorded 589 cybercrime offenses in 2025 (up 13%), accounting for 2.74 million euros in damages.

The 5 vishing scenarios facing Belgian companies

The fake IT help desk

The most common scenario: an employee gets a call from someone claiming to be from Microsoft or the internal IT department. A “critical security problem” has allegedly been identified. The employee is convinced to install remote access software (AnyDesk, TeamViewer) and share access codes. Once the attacker has control, login credentials are stolen or ransomware is rolled out. Belgian police explicitly warn about these “Microsoft Support Scams,” in which the callers often speak English and threaten to block the system if immediate cooperation is not obtained.

CEO fraud over phone

The most expensive variant for businesses. The attacker poses as the CEO or another director and requests an urgent, confidential transfer. In Belgium, the case of Crelan remains the most telling example: the bank lost 70 million euros through CEO fraud in which an employee acted in good faith based on instructions that appeared to come from the management. Industrial company Agidens also fell victim to a similar attack. Whereas these frauds used to be primarily via e-mail (Business Email Compromise), the telephone is increasingly being used as an additional means of persuasion.

Bank fraud vishing

The attacker spoofs the official number of a bank or Card Stop and warns of a “suspicious transaction.” The employee is professionally and convincingly guided to perform actions with the card reader or itsme. Important to know: Card Stop never proactively calls cardholders to report fraud. Febelfin repeats this with every campaign, but the scenario remains effective because it capitalizes on the fear of losing money.

Supplier phone fraud

An accounting clerk receives a call from someone claiming to be a known supplier. The account number is said to have changed. This vishing call often confirms a previously sent phishing email, reinforcing credibility. The danger lies in familiarity: because the supplier has been working with the company for years, the threshold for being critical is lower. Without a strict verification protocol, a company can send payments to criminals for months.

Spoofing of government numbers

Criminals spoof official numbers of police or federal government departments. In 2025, the Zaventem police zone warned that its own general number was being misused to call citizens and businesses. The scammers used spoofed police numbers to inspire confidence and then asked for bank details or payments for fictitious fines. The FPS Finance is also regularly imitated in vishing campaigns surrounding tax returns.

AI makes vishing more dangerous: deepfake voice clones

The biggest escalation in vishing is coming from artificial intelligence. Voice cloning technology makes it possible to create a digital copy of someone’s voice based on just 20 to 30 seconds of audio material. Think LinkedIn videos, webinars or company presentations: for criminals, that’s plenty of source material.

The most famous example is the incident at engineering firm Arup in Hong Kong (2024). An employee was convinced, via a video conference with AI-generated deepfakes of the CFO and colleagues, to transfer $25.6 million to fraudulent accounts. No IT systems were hacked; it was pure social engineering amplified by technology.

The CCB warns that deepfake audio and video are increasingly being used to make CEO fraud and targeted attacks more credible. Classic warning signals such as language errors disappear when AI generates flawless Dutch, French or English. If this can happen at a multinational company, it can also happen at a Flemish SME. Want to know more about this technology and how to protect against it? Then read our extensive article on deepfake fraud and voice cloning.

How do you protect your business from vishing?

This is where the difference lies between consumer advice and a business approach. Where individuals are mostly told “hang up,” a business needs structural procedures.

Callback authentication protocol. The most powerful weapon against vishing is surprisingly simple: hang up and call back at a number you look up yourself. Not the number given by the caller, not the number in the display (that may be spoofed), but the number from your own contact list or the official website. This applies to any external party: bank, supplier, IT partner, and also to internal requests that feel unusual.

Dual-authorization for financial transactions. Payments above a set threshold amount must always be approved by at least two people, through independent channels. Had Crelan applied this protocol more strictly, the damage would probably have been limited.
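The callback protocol and the dual-authorization rule above can be enforced as a policy check in a payment-release workflow. The following is an added example (not code from the article or from Cyberplan): the only acceptable callback number is the one in the company's own directory, and above a threshold two different approvers must confirm over two different channels. The directory, the threshold and the sample requests are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample directory: the ONLY source of callback numbers.
# Never the caller ID (spoofable) and never a number the caller supplies.
TRUSTED_DIRECTORY = {"acme-supplies": "+3225550100", "house-bank": "+3225550200"}
DUAL_AUTH_THRESHOLD_EUR = 10_000  # assumed threshold, set per company policy


@dataclass
class PaymentRequest:
    party: str                       # who the caller claims to represent
    amount_eur: float
    caller_id: str                   # number shown on the display
    number_given_by_caller: str      # "call me back on this number"
    callback_number: Optional[str] = None   # number we actually dialled back
    approvals: List[Tuple[str, str]] = field(default_factory=list)  # (approver, channel)


def callback_verified(req: PaymentRequest) -> bool:
    """True only if the party was re-contacted on its directory number.

    A spoofed caller ID that happens to equal the directory number does not
    help the attacker: what matters is the number *we* dialled, not what was shown.
    """
    official = TRUSTED_DIRECTORY.get(req.party)
    return official is not None and req.callback_number == official


def dual_authorized(req: PaymentRequest) -> bool:
    """Above the threshold: two distinct people over two distinct channels."""
    if req.amount_eur <= DUAL_AUTH_THRESHOLD_EUR:
        return True
    approvers = {who for who, _ in req.approvals}
    channels = {how for _, how in req.approvals}
    return len(approvers) >= 2 and len(channels) >= 2


def release_decision(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons) so the reviewer sees which control failed."""
    reasons = []
    if not callback_verified(req):
        reasons.append("no callback to a directory number")
    if not dual_authorized(req):
        reasons.append("missing second approver or independent channel")
    return (not reasons, reasons)
```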

Code word system. For sensitive telephone communications between management and finance, an agreed code word can serve as an additional layer of verification. Important: this code word is never shared digitally (not via e-mail or chat), so it is also protected against voice cloning.

MFA on all accounts. Multifactor authentication ensures that even if login credentials are captured via vishing, the attacker does not get any further. It is not protection against vishing itself, but limits the damage if an employee does share information.

Vishing simulations as part of awareness training. Just as Cyberplan uses phishing simulations to train employees to recognize fraudulent emails, vishing simulations can expose employees to realistic phone attacks in a safe environment. KnowBe4 benchmark data shows that untrained employees have an average risk rate of 33.1%. After a year of continuous training, this drops to 4.1%, a risk reduction of more than 86%.

Culture change. The most important measure is perhaps the most difficult: create a culture where hanging up and calling back is not distrust, but professionalism. Employees who report a suspicious call deserve recognition, not impatience. Cyberplan supports companies in establishing such awareness programs, including vishing training components.

Vishing and NIS2: why awareness training is becoming mandatory

Since the entry into force of the Belgian NIS2 law (Oct. 18, 2024), security awareness is no longer an optional extra for companies covered by the legislation. Article 21(2)(g) explicitly requires entities to implement “cyber hygiene practices and cyber security training.” Specifically, companies must be able to demonstrate that they train their employees against social engineering, including vishing.

The CCB’s CyberFundamentals framework translates this requirement into concrete guidelines by maturity level. Even at the foundation level, awareness training is a core requirement. Cyberplan’s NIS2 guide explains what this means for your company.

Good news for the budget: awareness training is subsidizable through the VLAIO SME portfolio (45% subsidy for small enterprises, 35% for medium-sized enterprises). In addition, the VLAIO cybersecurity improvement program offers up to 50% subsidy on a guided path in which awareness training is a standard component.

Frequently asked questions about vishing

What exactly is vishing?

Vishing stands for “voice phishing”: telephone fraud in which the caller poses as a trusted organization (bank, government, IT vendor) to convince you to share sensitive information or make a payment. Unlike e-mail phishing, the manipulation takes place in real time, giving the victim less time to think.

What is the difference between phishing and vishing?

Phishing is the umbrella term for fraud through digital communications. Email phishing is conducted through fake emails, smishing through text messages, and vishing through phone calls. The difference is in the channel and the psychological pressure: in vishing, the attacker sets the pace and the tone of voice can reinforce trust.

How do I recognize a vishing attack?

Beware of unexpected urgency (“you must act now”), requests for sensitive information (passwords, codes, bank information), and threats or time constraints. A trustworthy organization will never ask you for passwords or PINs over the phone. When in doubt: hang up and call back at the official number you look up yourself.

Does Card Stop call me if there is fraud?

No. Card Stop never proactively calls to report fraud. If someone calls you on behalf of Card Stop and asks for your card information, it is always fraud. When in doubt, call Card Stop yourself at 078 170 170.

Is vishing-awareness mandatory under NIS2?

Yes. The Belgian NIS2 law (art. 21(2)(g)) requires companies covered by the legislation to have cyber hygiene practices and cyber security training. Awareness training against telephone social engineering is explicitly included in this.

How can I get my company tested for vishing vulnerability?

Through vishing simulations: controlled fake phone calls where employees are tested for their response. Cyberplan combines this with phishing simulations and security awareness training into a complete program.

Want to test how vulnerable your employees are to phone manipulation? Cyberplan combines phishing simulations with vishing awareness training tailored to your company. Book a no-obligation introductory consultation and discover how to structurally make your team more resilient.