Vishing Story: A Fictional Tale about a Very Real Problem

It started like any other Tuesday: Jordan at her desk, with a steaming mug of coffee, a browser full of open tabs, and a bulldog named Chunk Norris snoring softly beside her. Around 10:00 a.m., as she was knee-deep in reconciling vendor payments, her phone rang.

“Hey, Jordan! It’s me, Rob. I need a wire sent immediately to finalize the new AI vendor we discussed. CFO’s in the loop. Use the fast method. Here are the details...”

Rob Blake. The CEO. And he sounded urgent, using the exact tone she’d heard in a dozen last-minute meetings, radiating the message: let’s knock this out. As he rattled off account numbers and SWIFT codes, and Jordan franticly scribbled them down on a post-it note, something tugged at the back of her mind.

"Um, Rob, I really think I should run this by -" she started to say, but Rob cut her off.

"Jordan, I need this done ASAP. I'm running into a meeting, so I can't talk more. Please just do it." With that, he hung up, leaving Jordan feeling frazzled. But she did what she was told.

And ten minutes later, she was sending $130,000 to a Hong Kong fintech firm that didn’t exist.

The Reality of Remote Risk

Jordan had never met Rob in person.

She had recently joined the company, onboarded over Zoom, and interacted with Rob only through Slack, email, and all-hands webinars.

Jordan's situation isn't unusual. In 2025, roughly 32.6 million Americans (~22% of the U.S. workforce) work remotely. But while remote work has done wonders for productivity, flexibility, and talent access, it’s also reshaped the attack surface:

• There's no security guard between your desk and the street

• Urgent calls on the phone don't raise eyebrows - in remote work, it's one of the fastest ways to reach out

• Gone are the days of the hallway “gut checks” after a weird request

People behave differently at home. There’s more multitasking. More trust in digital interactions. And far less built-in skepticism when high priority requests come from someone senior.

So it wasn't surprising that Jordan did what she was asked to do.

The Moment of Truth

It was only when the real Rob Slacked her seconds later to join a quick call that the horror settled in. Why was he messaging her during his meeting? Why was he asking her to join another call…when he had just called her? Had that not been Rob!?

Her heart sank as she realized: she had been vished.

What Is Vishing, Anyway?

Vishing (voice phishing) is a form of social engineering attack where cybercriminals use AI-generated voices to impersonate real people over the phone. And now that AI voice cloning can mimic someone with less than 30 seconds of audio, attackers don’t need to break into your company - they can just call and let you open the door.

According to Crowdstrike's 2025 Global Threat Report, vishing attacks rose 442% between the first and second quarters of 2024. These attacks are on the rise, and they often target finance or HR employees - people like Jordan.

Owning It

Jordan felt sick. Her stomach was in knots. She fought the urge to grab her keys and drive into the sunset, never to be seen again. But instead of running away, she got back on her laptop and started typing.

First a Slack to Rob: “I think I made a mistake. You didn't call me earlier, did you?”

Then to IT: “Nora, I need help. I think I just got hit with a phishing call.”

It wasn’t easy to hit send. But what made the difference - what kept $130,000 from vanishing forever - was the fact that Jordan knew she had to speak up. The company was at risk, and worse than making a mistake would be to stay silent. Because in a company that takes security culture seriously, the goal isn’t perfect behavior. It’s reporting early and recovering quickly.

Enter Nora from IT

While Jordan paced the kitchen and Chunk Norris knocked over a plant, Nora - the calm, slightly mysterious IT manager - was already in motion.

Nora didn't judge or blame Jordan, because she understood what happened and why. And she was grateful that Jordan had done the right thing by saying something early. That gave Nora the precious few minutes she needed to slam digital doors shut before the attackers got their money.

By 10:30 a.m., the wire was reversed. By 11:00 a.m., the company was hosting a mandatory “What Just Happened?” all-hands. By lunch time, Jordan was no longer terrified - just wiser and more wary of 'calls from Rob.'

Two weeks later, Nora quietly rolled out a Herd deepfake vishing simulation. Twelve employees failed it. But they failed safely this time.

From there, she began sharing more Herd trainings - bite-sized lessons, deepfake examples, and best practices that felt real, not theoretical. Her goal wasn’t fear. It was fluency. So the next time someone got a suspicious call, they’d know the difference between “That sounded like Rob” and “Let me verify that first.”

The Real Moral

Yes, remote work makes security weird. Your CEO can call you from vacation and be an AI spoof. Your neighbor can watch your practice QBR speech through the window. Your router might be older than your niece.

But here’s the thing: breaches can happen everywhere - at home, in offices, on beaches with VPNs. What matters most isn’t preventing every mistake, but building a culture that spots them fast, owns them faster, and fixes them together.

Remote work didn’t create the risks. It just exposed how much trust we were already placing in people, and how few tools we gave them to handle it.

Enter Herd: Security Awareness That Doesn’t Snooze

At Herd Security, we build awareness training that actually trains. Think realistic simulations and short, human-first lessons designed to raise eyebrows - not roll eyes. Because if your people are your first line of defense, they deserve better than a 20-minute quiz and a cartoon hacker.

Ready to learn more? Check out this demo video. Let’s make awareness impossible to ignore.

One Last Thing

Jordan might be fictional (and Chunk Norris, too, sadly), but stories like this happen every day. A Salesforce customer gets hit by a group posing as IT support. An executive in the UK lost $243,000 because he trusted an AI’s german accent. Even major banks like AIB have had to put out warnings because too many of their customers are falling for vishing scams.

Reality, as always, is weirder than fiction. But you’ll be fine as long as you verify first, panic never, and remember: real-world Robs don’t rush wire transfers.