Key Takeaways:

  • Vishing is the new frontline threat: Attackers are shifting from emails to phone-based scams, using AI and social engineering to bypass traditional security controls.
  • DevSecOps must expand its scope: Securing code is no longer enough; communication channels like voice, chat, and messaging must be integrated into threat models and security pipelines.
  • Human and technical defenses must work together: Strong architecture (encryption, authentication, Zero Trust) combined with employee awareness and verification practices is key to stopping modern social engineering attacks.

As cybercriminals shift from email to phone lines, security professionals need to widen their scope. Voice phishing, or “vishing”, which applies social engineering over telephone or VoIP calls, is becoming increasingly common alongside traditional email phishing. Recent statistics indicate a sharp rise in vishing, which cost victims more than $1.2 billion in 2023.

Now that attackers use deepfakes and AI-generated voices to commit fraud, including impersonating colleagues and executives, it is not enough for organizations to apply DevSecOps to code alone. The communication channels a business relies on are an equally valuable target and belong in the DevSecOps pipeline.

The Human Attack Surface: Why Vishing Works

The strength of a vishing attack is that it exploits the human element. A classic phishing email may be blocked or quarantined, but a convincing vishing call works directly on the employee and can bypass the controls in place. The attack on Cisco in 2025 is a good example: the attackers reached a support engineer through a telephone call.

They pretended to be from within the organization and used this deception to trick the engineer into granting access to a cloud-based CRM. No malware or zero-day was needed, yet the attackers stole sensitive client records. The incident highlights how a well-defended network can be compromised through a single call.

Embedding Communication Security Into DevSecOps

The takeaway for DevSecOps professionals is straightforward: communications security belongs in threat modeling and design review. Whether your product includes messaging or voice features, or your company simply depends on digital communications, the security of those channels needs to be considered within DevSecOps.

Take voice-activated features, for example: they should require authenticated APIs, encrypted VoIP traffic (signaling and media), and tokenization or scoped, short-lived access tokens to limit what a caller can reach. The same applies to infrastructure as code (IaC) and continuous integration and deployment (CI/CD), where policies governing third-party communication services need to be enforced rather than left to convention.

That covers anything from call-center capabilities to chat-tool integrations. An incident like Cisco's shows how much validated customer data can be obtained through social engineering aimed at systems nobody considered critical.

Key Controls to Mitigate Vishing Risks

Caller-ID authentication, such as the STIR/SHAKEN framework in which carriers cryptographically attest a call's origin, makes it much harder for attackers to spoof a trusted number. Organizations should not rely on caller ID alone, however. Continuous verification is essential, with policies requiring multi-factor or out-of-band verification before sensitive information is shared or access is granted, even over the phone.

Other layered controls fit naturally into DevSecOps pipelines. Enforcing role-based access control (RBAC) on communication platforms limits the exposure if an attacker does succeed. Automated security testing of chat and voice features, such as fuzzing their APIs and running social-engineering simulations, further strengthens defenses.

Maintaining audit logs and feeding them into a SIEM also lets teams detect the unusual access patterns that may follow a vishing attempt, for instance a freshly granted account exporting records in bulk.
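As an added illustration of the detection logic described above (this is example code written for this article, not anything from Cisco or from a real CRM product), the following script correlates CRM audit events that a vishing-enabled access grant would leave behind. The JSON-lines audit format, the field names, the sample events and the thresholds are all constructed assumptions; a real deployment would map them onto the SIEM's normalized schema.

```python
"""Correlate CRM audit-log events that can follow a successful vishing call.

Added example, not code from the original article. The audit-log format
(one JSON object per line), the field names and the thresholds below are
assumptions for illustration only.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events. Not real Cisco or CRM data.
SAMPLE_LOG = """\
{"ts": "2025-07-24T10:02:11Z", "actor": "support.eng", "action": "login", "src_ip": "203.0.113.7", "mfa": false}
{"ts": "2025-07-24T10:03:40Z", "actor": "support.eng", "action": "grant_access", "target": "contractor.x", "role": "crm_admin"}
{"ts": "2025-07-24T10:09:05Z", "actor": "contractor.x", "action": "export", "records": 48000, "src_ip": "198.51.100.22"}
{"ts": "2025-07-24T14:30:00Z", "actor": "alice", "action": "login", "src_ip": "192.0.2.5", "mfa": true}
{"ts": "2025-07-24T14:31:00Z", "actor": "alice", "action": "export", "records": 120, "src_ip": "192.0.2.5"}
"""

# Assumed tuning knobs: how soon after a grant a bulk export is suspicious,
# and how many records count as "bulk".
GRANT_TO_EXPORT_WINDOW = timedelta(minutes=30)
BULK_EXPORT_THRESHOLD = 10_000


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_vishing_followups(events, window=GRANT_TO_EXPORT_WINDOW,
                           threshold=BULK_EXPORT_THRESHOLD):
    """Return alerts for two patterns:

    - grant_without_mfa: an access grant issued from a session whose most
      recent login did not complete MFA (the grantor may have been talked
      through it on the phone);
    - bulk_export_after_grant: the grantee exports at least `threshold`
      records within `window` of receiving access.
    """
    alerts = []
    last_login_mfa = {}   # actor -> did their latest login pass MFA?
    grants = []           # grant events seen so far, in time order

    for event in events:
        action = event["action"]
        if action == "login":
            last_login_mfa[event["actor"]] = bool(event.get("mfa", False))
        elif action == "grant_access":
            grants.append(event)
            if not last_login_mfa.get(event["actor"], False):
                alerts.append({"rule": "grant_without_mfa",
                               "grantor": event["actor"],
                               "grantee": event["target"],
                               "ts": event["ts"]})
        elif action == "export" and event.get("records", 0) >= threshold:
            for grant in grants:
                delta = event["ts"] - grant["ts"]
                if grant["target"] == event["actor"] and timedelta(0) <= delta <= window:
                    alerts.append({"rule": "bulk_export_after_grant",
                                   "grantor": grant["actor"],
                                   "grantee": event["actor"],
                                   "records": event["records"],
                                   "ts": event["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_vishing_followups(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this raises two alerts: the grant issued by `support.eng` from a non-MFA session, and the 48,000-record export by `contractor.x` six minutes later. Alice's MFA-backed login and small export raise nothing. The point is the correlation, not the individual events: a grant or an export alone is routine, but the sequence, from the person who just took a phone call, is what a vishing incident looks like in the logs.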

Bridging Culture and Technology

In terms of organizational practice, DevSecOps culture can bridge the gap between development and people-focused security. Security champions in development teams can raise awareness of vishing as much as of email phishing, and automated checks in the pipeline can flag misconfigured or default communication modules before they ship.

Technical measures alone will not suffice, however. Organizations need to train employees to verify suspicious calls, for example by hanging up and calling back on a known number, and to enforce strict procedures for granting system access. Cisco's response in the case above included restricting access to the CRM, notifying the relevant authorities, and increasing training.

DevSecOps can also aid resilience with incident response plans that cover breaches of communication channels, not only of code.

Building a Security-First Communication Architecture

Security should come first when designing communication channels. Industry research points to several design elements DevSecOps teams can use to deliver secure communications.

First, when building messaging systems and voice channels, use the platform's official integration tools rather than custom-made “wrapper” applications. Enterprise communication platforms should also support encryption with customer-managed keys (bring your own key).

The Zero Trust model should apply to voice services as well: every inbound call or message is treated as untrusted until the other party has been authenticated. Real-time scanning of messages and files sent over a channel helps detect social-engineering attempts. Finally, communications need a “secure by design” approach.
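The pipeline policy mentioned earlier (enforcing rules on third-party communication services in IaC and CI/CD, and flagging misconfigured or default communication modules) and the architecture requirements above (encrypted transport, customer-managed keys, treating callers as untrusted) can be turned into one CI gate. The following is an added example written for this article, not any vendor's tooling: the manifest format, the field names and the rules are assumptions, and the sample manifest is constructed to show one compliant integration beside two misconfigured ones.

```python
"""CI policy gate for third-party communication integrations.

Added example, not code from the original article or any vendor. The
manifest schema, field names and rules are assumptions; adapt them to the
format your IaC actually declares integrations in.
"""
import json

# Constructed sample manifest: two misconfigured integrations and one that
# meets the policy. Not a real product's configuration format.
SAMPLE_MANIFEST = """
{
  "integrations": [
    {"name": "chat-bot", "type": "chat", "transport": "https",
     "webhook_secret": "changeme", "key_management": "vendor"},
    {"name": "ivr-gateway", "type": "voice", "transport": "sip",
     "srtp": false, "key_management": "customer", "caller_id_auth": false},
    {"name": "callback-svc", "type": "voice", "transport": "sips",
     "srtp": true, "webhook_secret": "4c1f0b9e7a2d6e8f1b3c5d7e9f0a2b4c",
     "key_management": "customer", "caller_id_auth": true}
  ]
}
"""

ENCRYPTED_TRANSPORTS = {"https", "sips", "wss"}   # assumed allow-list
DEFAULT_SECRETS = {"", "changeme", "secret", "password", "default"}
MIN_SECRET_LENGTH = 16


def check_integration(cfg):
    """Return a list of policy findings for one integration (empty = compliant)."""
    findings = []
    name = cfg.get("name", "<unnamed>")

    # Signaling and API traffic must be encrypted in transit.
    if cfg.get("transport") not in ENCRYPTED_TRANSPORTS:
        findings.append(f"{name}: transport {cfg.get('transport')!r} is not encrypted")

    if cfg.get("type") == "voice":
        # Media must be SRTP; the inbound caller must be authenticated rather
        # than trusted on caller ID alone (the Zero Trust requirement).
        if not cfg.get("srtp", False):
            findings.append(f"{name}: voice media is not SRTP-protected")
        if not cfg.get("caller_id_auth", False):
            findings.append(f"{name}: inbound calls are not authenticated")

    # Default or short webhook secrets are the "default module" case.
    secret = cfg.get("webhook_secret")
    if secret is not None and (secret.lower() in DEFAULT_SECRETS
                               or len(secret) < MIN_SECRET_LENGTH):
        findings.append(f"{name}: webhook secret is default or too short")

    # Encryption keys must be customer-managed (bring your own key).
    if cfg.get("key_management") != "customer":
        findings.append(f"{name}: encryption keys are not customer-managed (BYOK)")

    return findings


def evaluate_manifest(text):
    """Parse a manifest and return all findings across its integrations."""
    manifest = json.loads(text)
    findings = []
    for cfg in manifest.get("integrations", []):
        findings.extend(check_integration(cfg))
    return findings


def pipeline_gate(text):
    """True when the manifest passes policy; CI fails the build otherwise."""
    return not evaluate_manifest(text)


if __name__ == "__main__":
    for finding in evaluate_manifest(SAMPLE_MANIFEST):
        print("FAIL", finding)
    raise SystemExit(0 if pipeline_gate(SAMPLE_MANIFEST) else 1)
```

Run as a pipeline step, the script exits non-zero on the sample because `chat-bot` ships a default webhook secret with vendor-held keys and `ivr-gateway` uses plaintext SIP without SRTP or caller authentication; `callback-svc` passes. Keeping the rules in code next to the IaC means a new integration cannot be merged with the weak settings in place.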

Compliance, Data Sovereignty, and Governance

Compliance is another area where communications security matters. Select products that can be deployed in regional environments while the organization retains full ownership of its sensitive data.

This holds especially for voice recordings and transcripts, because such records frequently contain personally identifiable information. Regulators are increasingly levying heavy fines on financial firms for inadequate retention of electronic communication records.

Conclusion: Securing the Human Layer

In summary, DevSecOps must extend its scope to the human and communications layers. The shift from phishing to vishing, accelerated by AI-based deepfakes, means security is not confined to software and IT systems; it is present in every phone call and message exchange.

A security-first approach to every channel of communication, from secure APIs to encrypted messaging to the people on the phone with their training and verification habits, is required to stay ahead of evolving attacks. The way forward is to build systems that incorporate security from the start rather than patching holes afterwards.

DevSecOps professionals who follow this approach make it far less likely that human communication becomes the weakest link in their systems.
