Many companies initially associate IT security with systems: firewalls, passwords, VPNs. All important, no doubt. But sometimes, a simple phone call is enough. Someone who sounds convincing enough. Perhaps with a hint of urgency. Or even with real background knowledge, because they’ve already got hold of some information somewhere.

A New Attack Vector: When Hackers Call

Cybercriminals are constantly evolving their methods. While many organisations focus on protecting themselves from phishing emails, ransomware or technical vulnerabilities, another channel is increasingly coming into focus: the telephone.

Vishing, a form of social engineering, uses the telephone as a gateway. The term is a blend of “voice” and “phishing”. It refers to attempts to deceive people over the phone in order to extract sensitive information such as login credentials or internal processes.

Attackers use well-prepared scenarios, spoofed phone numbers and sometimes even AI-generated voices, all in order to build trust and bypass critical cybersecurity mechanisms.

The Salesforce Incident: How Attackers Gained Access to Customer Data

In spring 2024, it became known that criminals had gained access to Salesforce customer data via vishing attacks. Particularly concerning: Salesforce itself was not the primary target. The attacks were directed at employees in customer service.

Using previously compromised information, presumably obtained through security gaps at third-party providers, the attackers were able to impersonate legitimate users over the phone. This enabled them to undermine existing authentication processes.

The attack demonstrates how insidious vishing can be: through cleverly timed phone calls, sometimes backed by real insider knowledge, attackers win the trust of their victims and circumvent the security controls that are supposed to stop them.

Why Vishing Works: The Human Weakness

Technological cybersecurity measures are already established in many companies. But what happens when people become the weakest link?

Vishing attacks target exactly that. Employees are often under time pressure, want to be helpful, or genuinely believe they are speaking to someone from within the organisation. These psychological levers make it easy for attackers to bypass cybersecurity routines.

It becomes particularly problematic when companies have not established clear processes for support requests or phone-based authentication. A short phone call is all it takes, and important data or system access may be at risk.

What We Should Learn: Rethinking Cybersecurity

The Salesforce case makes one thing clear: it is not enough to secure only technical infrastructure. A holistic approach must also include communication channels such as phone calls.

Organisations should apply zero-trust principles not only at the network level, but also at the interpersonal level. This means: no one is trusted automatically – not even if the voice on the other end of the line sounds trustworthy.

In addition to training, companies above all need processes that enable employees to report or verify suspicious requests, without pressure and with clear escalation paths.
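As an added illustration of the "no one is trusted automatically" rule and the verification process described above (example code written for this page, not from the article or from Salesforce), the following policy check models a help desk that receives a request by phone. The caller's claimed identity, the displayed caller ID and any sense of urgency never count as proof; a sensitive action is allowed only after confirmation over a channel the caller did not choose, and everything else is escalated and logged. The action names, channel names, directory entries and log format are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Actions that expose credentials, access or customer data (assumed list).
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "grant_access", "export_customer_data"}
# Actions that reveal nothing sensitive and may be served on the call itself.
LOW_RISK_ACTIONS = {"status_inquiry", "open_ticket"}
# Verification channels the caller does not control, so a spoofed number or a
# convincing voice cannot satisfy them (assumed names).
TRUSTED_CHANNELS = {"callback_on_record", "internal_ticket", "manager_confirmation"}


class Decision(Enum):
    ALLOW = "allow"
    ESCALATE = "escalate"  # hand to a named escalation path, never improvise


@dataclass
class PhoneRequest:
    claimed_identity: str
    displayed_caller_id: str   # whatever the phone shows; spoofable, so never used as proof
    action: str
    urgency_claimed: bool = False


@dataclass
class Verification:
    channel: str     # must be one of TRUSTED_CHANNELS to count
    confirmed: bool
    reference: str   # ticket id or call-log entry (constructed values below)


def decide(request: PhoneRequest, verification: Optional[Verification],
           directory: dict, audit_log: list) -> Decision:
    """Apply the policy to one phone request and append an audit entry.

    Order matters: a low-risk action is served directly; anything unknown or
    sensitive must clear an out-of-band check or it goes to escalation.
    """
    if request.action in LOW_RISK_ACTIONS:
        decision, reason = Decision.ALLOW, "low-risk action"
    elif request.action not in SENSITIVE_ACTIONS:
        decision, reason = Decision.ESCALATE, f"unknown action {request.action!r}"
    elif request.claimed_identity not in directory:
        decision, reason = Decision.ESCALATE, "claimed identity not in directory"
    elif (verification is None or not verification.confirmed
          or verification.channel not in TRUSTED_CHANNELS):
        decision, reason = Decision.ESCALATE, "sensitive action without out-of-band verification"
    else:
        decision, reason = Decision.ALLOW, f"verified via {verification.channel} ({verification.reference})"

    # Pressure tactics never change the outcome, but they are worth recording
    # so that patterns across calls become visible to the security team.
    audit_log.append({
        "claimed_identity": request.claimed_identity,
        "displayed_caller_id": request.displayed_caller_id,
        "action": request.action,
        "urgency_claimed": request.urgency_claimed,
        "decision": decision.value,
        "reason": reason,
    })
    return decision


# Constructed directory: who the help desk is allowed to call back, and where.
DIRECTORY = {"alice": "+1-555-0100", "bob": "+1-555-0101"}


if __name__ == "__main__":
    log: list = []
    # Caller ID matches Alice's record, caller insists it is urgent: still no proof.
    spoofed = PhoneRequest("alice", "+1-555-0100", "mfa_reset", urgency_claimed=True)
    print(decide(spoofed, None, DIRECTORY, log))                                   # ESCALATE
    # Same request, confirmed by calling Alice back on the number on record.
    callback = Verification("callback_on_record", True, "CALLLOG-0001")
    print(decide(spoofed, callback, DIRECTORY, log))                               # ALLOW
    for entry in log:
        print(entry)
```

Note that the displayed caller ID is stored for the audit trail but never consulted by the decision: in this model the only things that grant a sensitive action are a known identity and a confirmed check over a channel the caller did not pick.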

Awareness Is The Best Protection

Vishing is not a theoretical threat, but already a reality. And with AI-assisted deception techniques, it is becoming even more dangerous. The attack on Salesforce customers shows just how quickly critical information can be accessed via a phone call.

Companies must now establish both technical and organisational cybersecurity measures. And most importantly, they must raise employee awareness of this invisible threat. Because at the end of the day, one thing is clear: the best protection is not just technology, but a vigilant and well-trained team.

How well protected is your organisation against vishing and other social engineering attacks?
Our cybersecurity experts support you in identifying vulnerabilities, raising employee awareness, and implementing effective protection measures.