How Old School Voice Phishing Still Works Very Effectively

Five of eight Ivy League schools have been hacked in the last six months. And the most effective technique is definitely not high tech – it is plain old social engineering on the phone.

Harvard discovered that its Alumni Affairs and Development systems were compromised last month. The hack exposed the personal information of the school’s high net worth donors. It includes emails, phone numbers, home and work addresses, event attendance info, donation records and biographical information. With that it would be easy to create a phishing campaign against the donors.

The fundamentals of this kind of attack are simple:

Step 1 – Do reconnaissance. Find public information, LinkedIn profiles, news articles and social media posts that provide background information.

Step 2 – Create a “pretext”. Could be IT support calling about an urgent update, a vendor calling about a bill. Any number of ideas.

Step 3 – Leverage social engineering. This is a “psyop” – a psychological attack on the target. Create implied authority. Urgency. Fear. And finally, helpfulness.

Step 4 – As soon as the attacker has the target’s credentials, start stealing (exfiltrating in technical terms) data. As much as possible, as fast as possible. Before they are detected.

Part of this step is to create backdoors so that if the initial method is blocked they still have a way in. Figure out what systems they can get to and move laterally. FAST!

According to CrowdStrike, voice phishing or vishing attacks increased 442% between the first and second halves of 2024, with continued acceleration in 2025. Why? Because it is relatively easy and does not require any technical hacking.

Why does it still work?

Humans tend to trust a phone call. Even if what is on the other end turns out, unknown to the victim, to be an AI.

All an attacker needs is 3 seconds of your voice to clone you. The AI can replicate tone, pitch, accent and even emotional inflections and it is amazingly accurate.

Caller ID spoofing (NEVER, EVER trust caller ID) along with VoIP phones makes tracing calls almost impossible.

Lack of vishing training on the part of organizations.

How many people have been compromised? Here are some rough numbers:

  • Columbia, June 2025 – 870,000
  • Dartmouth, August 2025 – 33,000 including 226 gigabytes of data
  • Harvard, October 2025 – Oracle breach, number unknown
  • Princeton, November 2025 – Donor database including alumni, donors, faculty, students and parents
  • Harvard (again), November 2025 – Alumni Affairs database (see above)
  • University of Pennsylvania, November 2025 – Oracle again; around 1,500

If the hackers THINK you have high value or interesting data, they will come after you. How successful they are depends on the weakest link.

If you want to enhance your end user training, please contact us.

Credit: Breached Company
