Recent high-profile breaches show how quickly phishing tactics are evolving. Bumble and Match Group confirmed a data security breach, with the ShinyHunters hacking group claiming responsibility. The same group has also been linked to the Jaguar Land Rover cyber-attack, signalling a worrying pattern rather than an isolated event.
What makes these attacks particularly dangerous is the shift towards sophisticated voice-based phishing, known as vishing. These campaigns blend social engineering with real-time control of the victim's web session, and they defeat multi-factor authentication (MFA) not by breaking it but by relaying the victim's responses to the genuine site. The attackers are targeting Google, Microsoft and Okta environments, platforms used by the vast majority of organisations, to steal single sign-on (SSO) credentials and to enrol attacker-controlled devices as MFA factors so that they can approve future logins themselves. Okta recently published a warning about this exact technique.
Unlike traditional phishing emails, modern vishing attacks are interactive. Victims receive a call, often from a convincingly spoofed number, from someone posing as the IT helpdesk or as Microsoft or Google support. The caller then walks them through a fake security process, coaching them step by step as they enter credentials in real time into a page the attacker controls. The result is an attack that feels legitimate and personal, and is dangerously effective.
Attackers control the session
What makes these vishing kits so advanced is how attackers can manipulate a victim’s login session as it unfolds:
- The attacker sets up a custom phishing page that mimics your company's or your managed service provider's sign-in portal, sometimes branded with the real logos and layout.
- They place a fake tech support voice call, tell you there is an urgent security issue that needs immediate attention, and direct you to the fake login page.
- As you sign in, the attacker controls what you see and what you are asked to enter, keeping the phishing page in step with the real login flow that is running behind it.
- The vishing kit relays your username and password to the attacker as you type them, and the attacker submits them to the legitimate site. If MFA is enabled, the legitimate site then issues a challenge to the attacker's session.
- MFA is bypassed by relaying that challenge to you: the attacker updates the phishing page in real time to ask for whatever the legitimate site wants next, such as a one-time password or a push notification approval, and passes your response straight through.
- Once the legitimate site accepts the relayed MFA response, it issues a session token to the attacker's browser, not yours. The attacker can then change the phishing page to show that the fake IT issue has been resolved, leaving you unaware you have been compromised.
In essence, the attacker is on the line with you, guiding you step by step while simultaneously controlling a session in the background. It’s not a static, one-way email scam. It’s interactive, adaptive, and much harder to recognise.
Why these attacks are effective
Vishing kits succeed where traditional phishing often fails because they exploit trust and context:
- The call feels legitimate because it often mimics real support numbers and processes.
- The interaction is immediate and personal, reducing the victim’s instinct to question it.
- The phishing pages are dynamic, giving the attacker real-time control over what the user sees.
For busy financial advisers, it is easy to follow instructions after being warned of a security issue, especially if the voice on the other end sounds confident and authoritative.
Staying aware and questioning unexpected calls can protect your clients and your firm.
How to protect yourself from this kind of attack:
Never trust unsolicited calls that ask you to authenticate or provide credentials.
- Cybercriminals may impersonate internal teams or trusted vendors. If you’re unsure, hang up and dial the known, official number yourself.
Avoid entering credentials or MFA codes during a phone call.
- Real support teams don’t ask you to approve MFA prompts or enter codes over the phone.
Be sceptical of urgency.
- Scammers rely on making you feel pressured – “You must act now or your account will be locked.” Stop, think, and verify.
Use phishing-resistant authentication where possible.
- Passkeys (FIDO2/WebAuthn credentials) are bound to the genuine website's address, so a passkey used on a look-alike page produces a response that the real site rejects. SMS codes, authenticator-app codes and push approvals can all be relayed by the attacker as described above, which is why passkeys give stronger protection than those methods.
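To make two points from this article concrete, the real-time relay described under "Attackers control the session" and the origin binding that lets passkeys resist it, here is a small simulation added for this page. It is not code from the original article, from Okta, Microsoft, Google or any other vendor: the identity provider, the user "alice", the password, the one-time code and both web addresses (the genuine https://login.example.com and the attacker's https://login-example-helpdesk.com) are constructed for the example. The passkey half models the relying-party checks of a WebAuthn assertion (ceremony type, fresh challenge, origin, rpIdHash, then the signature over authenticatorData and the hash of clientDataJSON) with an Ed25519 key standing in for the authenticator's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed single-user identity provider (IdP); origins, user and secrets are invented.
type IdP struct {
	Origin, RPID  string // real sign-in origin and WebAuthn relying-party ID
	password, otp string
	pubKey        ed25519.PublicKey
	challenge     string            // outstanding passkey challenge, single use
	sessions      map[string]string // session token -> user
}

func NewIdP(pub ed25519.PublicKey) *IdP {
	return &IdP{Origin: "https://login.example.com", RPID: "login.example.com",
		password: "Winter2024!", otp: "492113", pubKey: pub, sessions: map[string]string{}}
}

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}
func (i *IdP) issueSession() string { t := randomToken(); i.sessions[t] = "alice"; return t }

// Whoami returns the user a session token belongs to ("" if none).
func (i *IdP) Whoami(token string) string { return i.sessions[token] }

// Password + one-time code: the IdP only sees strings, so it cannot tell whether
// the victim or the attacker's relay proxy submitted them.
func (i *IdP) LoginPasswordOTP(pw, code string) (string, error) {
	if pw != i.password || code != i.otp {
		return "", errors.New("bad credentials")
	}
	return i.issueSession(), nil
}

type Assertion struct {
	ClientDataJSON    []byte // {"type","challenge","origin"} serialised by the browser
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature         []byte
}

func (i *IdP) BeginPasskey() string { i.challenge = randomToken(); return i.challenge }

// FinishPasskey applies the relying-party checks of a WebAuthn assertion (simplified from
// section 7.2 of the spec): type, challenge, origin, rpIdHash, then the signature.
func (i *IdP) FinishPasskey(a Assertion) (string, error) {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return "", err
	}
	rpHash, cdHash := sha256.Sum256([]byte(i.RPID)), sha256.Sum256(a.ClientDataJSON)
	switch {
	case cd["type"] != "webauthn.get":
		return "", errors.New("wrong ceremony type")
	case i.challenge == "" || cd["challenge"] != i.challenge:
		return "", errors.New("unknown or replayed challenge")
	case cd["origin"] != i.Origin: // the check a relay proxy cannot get past
		return "", fmt.Errorf("origin mismatch: assertion was made on %s", cd["origin"])
	case len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]):
		return "", errors.New("rpIdHash mismatch")
	case !ed25519.Verify(i.pubKey, append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...), a.Signature):
		return "", errors.New("bad signature")
	}
	i.challenge = ""
	return i.issueSession(), nil
}

// BrowserPasskeyAssert plays the victim's browser and authenticator. The browser, not the
// page's JavaScript, records the origin of the page that called navigator.credentials.get().
func BrowserPasskeyAssert(priv ed25519.PrivateKey, pageOrigin, rpID, challenge string) Assertion {
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	sig := ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	return Assertion{ClientDataJSON: cdj, AuthenticatorData: authData, Signature: sig}
}

const phishingOrigin = "https://login-example-helpdesk.com" // constructed look-alike site

// RelayPasskey is the attack flow above applied to a passkey: the proxy fetches a genuine
// challenge and feeds it to the victim's browser on the fake page.
func RelayPasskey(idp *IdP, victimKey ed25519.PrivateKey) (string, error) {
	return idp.FinishPasskey(BrowserPasskeyAssert(victimKey, phishingOrigin, idp.RPID, idp.BeginPasskey()))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	idp := NewIdP(pub)
	tok, _ := idp.LoginPasswordOTP("Winter2024!", "492113") // exactly what the relay submits
	_, err := RelayPasskey(idp, priv)
	fmt.Println("relayed password+OTP -> session for:", idp.Whoami(tok), "| relayed passkey ->", err)
}
```

Run it with `go run`. The relayed password and one-time code produce a session that the IdP attributes to alice, because nothing in those strings says who typed them; the relayed passkey assertion is refused at the origin check before the signature is even examined, even though the challenge is genuine and the signature is valid. A real browser stops the relay earlier still: a page on the attacker's domain is not allowed to request the genuine site's relying-party ID at all.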
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.
