Voice phishing has become the second most common initial infection vector in cyberattacks, according to the latest Mandiant M-Trends 2026 report.
Based on more than 500,000 hours of incident response investigations conducted in 2025, Mandiant found that exploits remained the top entry method, accounting for 32% of intrusions.
However, voice phishing (also known as vishing) rose to 11%, surpassing email phishing, which declined to just 6% of initial access incidents.
The report, published March 23, showed that attackers are increasingly using interactive social engineering to manipulate employees in real time across phone calls, social media, and messaging platforms.
It also noted that voice phishing played a key role in cloud attacks, especially in data theft-focused extortion campaigns like those by UNC3944 and UNC6240, where it accounted for 23% of cloud initial infection vectors in 2025.
Unlike email phishing, which relies on mass campaigns, voice-based attacks involve live conversations that are harder to identify for automated security platforms.
Help Desk Social Engineering Drives Account Takeovers
Mandiant documented multiple campaigns (including by UNC3944) in which attackers impersonated employees and contacted IT help desks to request password reset emails or MFA changes.
In other cases, such as in the UNC6395 campaigns, attackers convinced victims to approve malicious SaaS applications, allowing access to corporate data and email environments.
Red Canary’s 2026 Threat Detection Report, which analyzed over 110,000 threats across 4.5 million endpoints and identities, echoed the findings. The report found identity-based threats now account for more than half of all confirmed incidents, with ransomware affiliates increasingly using help desk impersonation and voice phishing for initial access.
Despite the rise of AI-assisted attack techniques, Mandiant found that the majority of successful breaches in 2025 still stemmed from human factors and identity-based attacks, not advanced malware.
For security leaders, the findings are a direct prompt to audit help desk verification procedures. Password resets and MFA changes made over the phone remain one of the most reliable ways attackers gain a foothold — and one of the few areas where a policy decision alone can meaningfully reduce risk.
