Vishing UK SME losses are climbing fast, with UK Finance’s most recent Annual Fraud Report putting authorised push payment (APP) and impersonation fraud in the hundreds of millions of pounds a year and identifying voice-channel attacks as the fastest-growing vector. Vishing (voice phishing) means a fraudster on the phone or a VoIP line, pretending to be your bank, a supplier, HMRC, the IT helpdesk, or, increasingly in 2026, your own MD speaking in a cloned voice. This guide explains how the attacks work, the five patterns hitting UK small and medium businesses right now, and the eight-point program that hardens an SME against them.
Phishing arrives by email, smishing by SMS, and vishing by voice. A vishing attack is a social-engineering call placed over PSTN, mobile or VoIP, in which the attacker pretexts as a trusted party (a bank, supplier, regulator, IT colleague or executive) and pressures the target into transferring money, surrendering credentials, approving a multi-factor prompt or disclosing data.
The single attribute that makes vishing dangerous is real-time conversational pressure. An email phish can be reread; a voice call cannot. A skilled vishing operator will use urgency, authority and confidentiality to push the victim past the moment of doubt. UK Finance and Action Fraud have documented an order-of-magnitude increase in APP fraud over the last five years, with voice contact involved in the highest-value incidents.
What changed in 2024 and 2025 was the commercialisation of high-quality voice cloning. Off-the-shelf services now produce a convincing clone of any English-speaking voice from as little as 30 seconds of clean source audio, and the source material is trivially available for almost any UK SME: YouTube interviews, LinkedIn audio posts, podcast appearances and conference keynotes provide far more than enough training data.
The most-cited case in security press is the 2024 Arup incident, in which the UK-headquartered engineering firm’s Hong Kong office lost roughly £20 million after staff were deceived by a deepfaked video and voice call impersonating the group CFO. CNN’s reporting and NCSC guidance both highlight the case as a turning point. Mid-market UK engineering, accounting and law firms have reported smaller but conceptually identical incidents to Action Fraud since.
The takeaway is uncomfortable: voice familiarity is no longer evidence of identity. Anyone with a public-facing executive whose voice can be sampled online should assume an attacker can synthesise that voice on demand for under £50.
The most lucrative pattern. The attacker spoofs the executive’s mobile or office number on inbound CLI, then plays or speaks a synthesised voice instructing finance to release a payment to a supplier with a “new bank account”. Confidentiality is requested. Target: finance lead, group accountant. The spoofed CLI usually shows a real UK geographic or mobile range; cross-checking against a UK number lookup tool is one of the few fast tells. See spoofed caller ID business fraud for the network-side mechanics.
The attacker calls staff from a UK mobile or 020 London number, pretexting as internal IT. They walk the victim through “verifying” identity by approving an MFA push notification, sent several times in quick succession. Once approved, they reset the password and pivot to email and finance systems. Target: any staff with corporate identity. NCSC has warned UK SMEs about MFA-fatigue patterns in its small-business guidance.
“Your bank’s fraud team” calls about a “suspicious transaction” on your business account and instructs you to move funds to a “safe account”. The spoofed CLI matches the bank’s published number. The “safe account” is the attacker’s mule. Target: finance staff, sole traders, founders. For the variant scripts see our full UK phone scams 2026 pattern guide.
A recorded or live caller threatens immediate arrest, court action or company strike-off over an alleged tax debt. Payment “to avoid prosecution” is demanded in vouchers, cryptocurrency or bank transfer. Target: founders, finance staff, anyone on Companies House filings. HMRC maintains a public list of genuine and scam contact methods on gov.uk; pressure for instant payment is a tell.
The attacker phones accounts payable in the voice of a long-standing supplier’s finance contact, “updating our bank details for the next invoice”. The new sort code lands in the next payment run, and by the time the real supplier chases the missing payment the funds are gone. Target: accounts payable, finance admin. Detect with mandatory callback via the supplier’s known direct line, never the number on the call.
Large corporates have controls SMEs typically lack: dual-authorisation on every payment over threshold, a 24/7 security operations centre, named bank relationship managers. SMEs are exposed for predictable structural reasons.
The mitigation is not to spend like an enterprise. It is to introduce a small number of mandatory, low-tech checks that break the vishing pattern’s reliance on speed and trust.
None of those three are a silver bullet against vishing, but each closes a small percentage of the attack surface and the cost of implementing them is near zero.
Hard to quantify, because investigators rarely distinguish cloned audio from skilled mimicry in their reports. What is clear from UK Finance’s published fraud statistics and NCSC commentary is that voice-impersonation incidents involving executives are growing fastest in value, and that off-the-shelf voice-cloning services have been linked to specific reported UK and Hong Kong cases. The prudent assumption for any UK SME in 2026 is that any executive voice on a public recording can be cloned.
Sometimes. The Contingent Reimbursement Model (CRM) Code applies to most UK retail banks for personal and micro-enterprise customers, and the standard of care is met by following published advice (not transferring funds in response to phone instructions, using Confirmation of Payee, calling 159). For larger SMEs outside the CRM Code, a social-engineering rider on cyber insurance is the recovery route. Prompt reporting matters; recovery prospects fall sharply after 24 hours.
Yes, for personal use and for documenting fraud, in the UK. Under the Telecommunications (Lawful Business Practice) Regulations and ICO guidance, recording a call to capture evidence of fraud is lawful provided the recording is not used for unrelated purposes such as marketing. If you intend to share with police, Action Fraud or your bank, a clear chain of custody is enough.
No. Commercial voice-cloning services now produce convincing English-language clones from 30 to 60 seconds of clean audio. LinkedIn audio posts, a single podcast episode or a webinar recording is more than enough source material. The realistic mitigation is not to suppress all public audio (often impossible for an SME leader) but to assume a clone is possible and design controls that do not depend on voice familiarity.
Mandatory callback via a known number for any payment, MFA reset or change-of-bank-details instruction. No exceptions, including from the MD. This single rule breaks the entire vishing kill chain because every credible attack relies on the target acting on the call itself rather than verifying through an independent channel. Pair it with Confirmation of Payee enabled on the business account and you cover the vast majority of SME APP-fraud risk.
Cyber Essentials gets the technical hygiene right (patching, MFA, secure configuration, malware control, access management) and is the baseline most insurers and public-sector buyers now require. It does not directly cover vishing, but a Cyber Essentials-certified SME tends also to have the documented payment authorisation, supplier verification and incident-response processes that defeat vishing. For SMEs at the start of the journey, our Cyber Essentials guide covers what the certification involves and which insurers waive social-engineering exclusions in exchange.
Read one of our other resources to help you get the best telecoms and IT solutions for your business