Phone Fraud Is Targeting Finance Teams: Voice Phishing
How voice phishing pressures accountancy practice staff into approving MFA prompts, resetting passwords or changing bank details, and the simple defences that stop it.
- Security
- Phishing
- Staff Training
Most accountancy practices have spent years tightening up email. Staff have learned to hover over links, distrust unexpected attachments, and double-check requests to change bank details. That work matters. But while everyone was watching the inbox, the phone quietly became an attack surface of its own.
Voice phishing, often shortened to vishing, is a scam delivered by phone call. A criminal rings a member of your team, sounds entirely legitimate, and talks them into doing something they shouldn’t: approving a login prompt, reading out a code, resetting a password, or changing the bank details on a client payment. This article explains, calmly and in plain English, how it works, why finance teams are squarely in the firing line, and the handful of habits that defend against it.
How voice phishing actually works
The strength of a vishing call is that it doesn’t feel like an attack. There’s no dodgy link to spot and no misspelt sender address. There’s just a person on the line who seems to know what they’re talking about.
That credibility is built on research. Before they ever dial, a criminal pulls together details from public sources: LinkedIn profiles, your website’s team page, public filings. From those they learn the names of real colleagues, the software you run, and the internal language your practice uses. So when the call comes, it isn’t a stranger fumbling around. It’s someone who can drop in the right name, mention the right system, and sound exactly like the kind of person they’re pretending to be.
The caller then plays one of a few familiar roles:
- A partner or principal, calling from “outside the office”, needing a payment pushed through or a login sorted urgently.
- Your IT provider, ringing about a security issue and asking you to approve a prompt or confirm a code so they can “fix” it.
- A bank, warning of suspicious activity and walking you through steps to “secure” the account.
- HMRC, raising a problem with a return or a payment that needs resolving right now.
Whichever mask they wear, the goal is almost always the same: get a member of staff to hand over credentials, approve a multi-factor authentication request, reset a password, or move money. Once they’re in, they move quietly through your accounts looking for the valuable material, client records, financial files, correspondence, and copy it out.
Why finance teams are prime targets
Accountancy practices are an attractive target for a simple reason: you sit close to money and to sensitive data, and a great deal of your work runs on trusted instructions.
Think about who answers the phone in a practice. A junior might approve an MFA prompt because they assume a colleague triggered it. A payroll or accounts staffer is used to receiving requests about payments and bank details, so a call about exactly that doesn’t feel unusual. The everyday rhythm of the job, acting on instructions about money, is the very thing the scam imitates.
There’s a multiplier effect too. The credentials your team holds often reach further than your own systems. A compromised password at your end can unlock access to a client’s records or portals as well. That makes a single successful call disproportionately valuable, which is exactly why practices, alongside law firms and similar custodians of sensitive data, are sought out.
And timing matters. Criminals understand the calendar as well as you do. Around the January self-assessment peak, or any tight filing deadline, your team is busy, stretched and primed to deal with things quickly. A confident, urgent caller is far harder to challenge when the to-do list is already overflowing. The pressure is real, and the scam is designed to lean on it.
The defences that work
The reassuring part is that you don’t need exotic technology to shut most of this down. Vishing relies on persuasion, so the strongest defences are clear rules and a team that feels confident using them. Here is where to focus.
Verify with a call-back on a known number
This is the single most effective habit. If a call involves money, credentials or access, the member of staff ends it and rings the person back on a number the practice already holds, never a number the caller offers and never one read from the incoming call. A genuine partner, bank, IT provider or HMRC officer will never object to being verified. A criminal cannot survive it.
Make “no action on a phone call alone” a written rule
Take the decision out of the individual’s hands. Set it down in writing that no payment, no change of bank details, and no password or MFA action ever happens on the strength of a phone call by itself. When it’s policy, a junior or a payroll clerk isn’t being awkward or distrustful by pausing to check. They’re simply following the rule, and that removes the social pressure the scam depends on.
Use MFA that resists prompt-bombing
Not all multi-factor authentication is equal. A simple “tap to approve” prompt can be defeated by a caller who bombards someone with requests and then phones to say “just approve that for me”. Number-matching, where the person has to read a code from the screen and type it into the app, breaks that trick, because the criminal can’t supply a number they can’t see. Move your team onto number-matching, or stronger still, onto passkeys where you can.
Give staff the confidence to say “I’ll call you back”
Technology only helps if people feel allowed to use it. Make it explicit, from the partners down, that hanging up to verify is encouraged and expected, never a sign of being difficult or wasting time. Back it with short, practical awareness training so the team recognises the pressure tactics, the urgency, the appeal to authority, the request to bypass a normal step, and knows that pausing is always the right move. A team that can comfortably say “I’ll call you back” is a team this scam cannot beat.
Limit what any one account can reach
Finally, reduce the prize. Review who has access to what, and make sure each person’s permissions match what their job actually requires. If a single compromised login can’t reach everything, a successful call does far less damage. This kind of sensible access discipline sits at the heart of good managed IT support and is worth revisiting regularly.
Pulling it together
Voice phishing works because it targets people, not machines, at the precise moment they’re busy and inclined to be helpful. That’s also its weakness. A short, clear set of habits, verify on a known number, never act on a call alone, use MFA that can’t be tricked, and a team that feels free to hang up and check, defeats almost every version of it.
These phone-based scams are a close cousin of the email frauds covered in our piece on invoice fraud and business email compromise, and the defences reinforce each other. They also fit within the broader good practice covered by Cyber Essentials and a sound security posture, which gives your whole practice a tested baseline to work from.
If you’d like an honest, jargon-free look at where your practice stands, including how your team would handle a call like this, our free Practice IT Health Check is a straightforward place to begin.
Frequently asked questions
What is voice phishing, or vishing?
Voice phishing, often shortened to vishing, is a phone-based scam where a caller pretends to be someone trusted, such as a partner, a bank, HMRC or your IT provider, and pressures a member of staff into handing over something valuable. That might be a password, a one-time code, approval of an MFA prompt, or a change to a client's bank details. There's no malware involved, it relies entirely on persuasion and a moment of misplaced trust.
Why are accountancy practices targeted by phone scams?
Practices handle money, client funds and sensitive data all day, and staff are conditioned to act on instructions about payments and accounts. A single set of stolen credentials can unlock client systems as well as your own. Criminals also know that around deadlines like the January self-assessment peak, finance teams are busy and under pressure, which makes a confident, urgent caller harder to question.
How should our staff respond to a suspicious call?
The safest response is to end the call politely and ring the person back on a number you already hold, never a number the caller gives you. No genuine partner, bank, HMRC officer or IT provider will mind you verifying. Make it a stated rule that no payment, no bank-detail change and no password or MFA action ever happens on the strength of a phone call alone, so saying I'll call you back is simply policy, not awkwardness.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check