Euro Vishing Fraudsters Add Physical Intimidation to Arsenal
The persistent threat of social engineering tactics sees cybercriminals blending technology with human manipulation to exploit individuals.
July 5, 2024
Europol has announced the arrest of 54 people in connection with a voice phishing (vishing) scam that combined social engineering tactics and physical threats to target elderly Spanish citizens.
The criminals posed as bank employees, first calling their targets and extracting personal information. Their criminal partners then physically targeted the victims at their homes, where they demanded payment, credit cards, and personal possessions and jewelry.
"As a final step in this criminal process, the perpetrators used the stolen cards to make ATM withdrawals or expensive purchases, while the bank details were misused for so-called account takeovers," the Europol report noted.
The agency said the criminal activity has resulted in $2.7 million in losses.
"What stands out about this vishing attack is the unique approach used," says Abu Qureshi, threat intelligence lead of BforeAI. "The attackers actually physically visit the victim's address and lure them into handing over physical data."
He explained that, traditionally, scams have been limited to digital assets, such as stealing passwords or credit-card information online.
"This physical element adds a new layer of complexity and danger, demonstrating the lengths to which cybercriminals are willing to go to exploit their victims," he says. "The combination of digital and physical tactics makes this operation particularly concerning."
Face-to-face social engineering tactics enhance the effectiveness of vishing attacks by adding a layer of personal interaction that builds trust and reduces the target's skepticism.
"When attackers employ social engineering techniques, such as posing as legitimate representatives or creating a sense of urgency, they can manipulate their targets even more effectively," Qureshi says.
Striking in Scale, Sophistication
Stephen Kowski, field chief technology officer (CTO) for SlashNext Email Security, calls the scale and sophistication of the vishing operation and subsequent takedown "striking," with dozens of arrests across multiple countries and millions in losses.
"The use of call centers and impersonation of bank staff shows how vishing tactics have evolved to become more convincing and targeted," he says. "Advanced voice AI and a number of spoofing technologies have made these attacks increasingly difficult for victims to detect."
He explained that "old school" vishing methods are resurging because they exploit human psychology and trust in ways that technical defenses struggle to prevent.
"As email security has improved, attackers have pivoted to voice channels where victims may let their guard down," Kowski says.
He added that the shift to remote work has also created new opportunities for vishing scams targeting employees.
Financial losses, data breaches, and compromised customer information are some of the main concerns and potential consequences — incidents can also damage a company's reputation and erode customer trust.
"Furthermore, businesses may face regulatory fines and legal repercussions for falling victim to a social engineering attack of this nature," Qureshi says.
Security agencies themselves have also been targeted in recent months, including a vishing scam where cyberattackers impersonated Cybersecurity and Infrastructure Security Agency (CISA) officials.
Kowski recommends that organizations implement regular security awareness training that includes realistic vishing simulations.
"Deploying advanced voice threat detection and automated call screening technologies can also help protect vulnerable users from malicious calls," he says. "It's critical to create a culture where employees feel comfortable reporting suspicious calls without fear of repercussion."