Your firewall is properly configured. Your endpoint protection is up to date. Your staff have all completed the annual security awareness course. None of it matters if someone in accounts payable believes the person on the phone really is calling from IT support and needs a password reset urgently, right now, before the call ends.
Why a voice on the phone still works so well
Vishing, short for voice phishing, and pretexting, the practice of inventing a plausible scenario to extract information, both rely on something no firewall can patch: human trust under mild pressure. A caller claiming to be from IT, a supplier, or even a senior executive can talk their way past policies that would stop a suspicious email cold, simply because a phone call feels more immediate and personal than text on a screen. People want to be helpful, and attackers exploit exactly that instinct, often deliberately manufacturing a sense of urgency to stop the target thinking too carefully, sometimes with background office noise piped in to sound more convincing.
These attacks succeed because they target process gaps rather than technical ones. No amount of firewall investment addresses a receptionist who transfers a caller straight through because they sounded confident and used the right internal jargon picked up from a company directory or an old job advert. An internal network pen testing that genuinely tests your organisation should include a social engineering component, because a network can be technically sound while the people operating it remain the easiest way in.

The scenarios that catch people out
The most effective pretexts are rarely dramatic. A caller posing as a software vendor asking to confirm account details before a scheduled update that was never actually scheduled. Someone claiming to be a new starter who has forgotten their login and needs a quick reset before an important meeting they are already running late for. A supposed auditor requesting information to complete a compliance check that sounds entirely plausible given the time of year. None of these raise obvious alarm bells, which is precisely why they work as often as they do.
William Fieldhouse has run these exercises enough times to know exactly how quickly they can succeed.
“On one engagement, I called the helpdesk pretending to be a director locked out before a board meeting, and had a temporary password reset and read out to me in under six minutes, no verification beyond a confident tone of voice”
— William Fieldhouse, Director of Aardwolf Security Ltd
Six minutes is not a reflection of a careless helpdesk. It is a reflection of how effectively urgency and authority combine to override a process that, on paper, should have required proper identity verification before any reset took place, regardless of how senior the caller claimed to be.
Build verification into the culture, not just the policy
Technical defences will never close this gap alone, because the vulnerability lives in human decision-making under pressure. Clear callback procedures, mandatory verification steps that cannot be skipped for convenience, and realistic training that includes actual simulated calls make the difference between a policy on paper and a habit people actually follow. Talk to Aardwolf Security about the best pen testing company they offer as standard, built to test exactly how far a confident voice on the phone could get inside your organisation today.