Cynical politeness in the pipe has become the most effective tool of hacking.
Attacks using social engineering continue to develop - now attackers use voice calls in combination with dynamic phishing sets, which allow real-time control of the victim’s actions in the browser. This is reported by the team of Okta Threat Intelligence, which analyzed new tools available under the model «as a service» and actively used in attacks on users of Google, Microsoft, Okta and cryptocurrency platforms.
The main feature of these solutions is that they adapt to the communication scenario in the call process. While one of the attackers conducts a conversation in order to convince the victim to perform the required actions, the other controls the content of the page opened by the user in the browser. All this allows to synchronize the voice instructions with the displayed pages and strengthens the trust effect, especially at the moment of multifactor authentication.
Such sets can capture account data and simultaneously display interfaces that mimic official pages. This helps to convince the user that a legitimate process is taking place - for example, password reset or activity check. It looks plausible, as the phishing site is instantly adjusted to the authentication stage where an attacker entering on behalf of a victim on this site is present.
The attack scenario looks like this: it first collects information about the target, including the applications used and the contacts of the support service. The phishing page is then configured, and the call begins - the number is faked as corporate. The victim is encouraged to open a website and enter a login with password.
This data is immediately transferred to the closed channel, where it is used by the second party of the attack. Depending on the type of MFA requested, the phishing page is updated promptly, asking the user to confirm the entry via push notification or enter a code. All this is accompanied by voice instructions, which makes cheating particularly convincing.
As noted by experts, even MFA methods with the choice of number in the push notification are not protection - the attacker simply asks the victim to choose the right number. At the same time, methods like Okta FastPass or FIDO keys are protected from such attacks.
There is a trend to create increasingly specialized solutions: new panels are created not universal, but for specific services. In addition to this is gaining popularity not only the trade itself, but also the skills of voice cheating - now access to «operators» is also sold.
To protect against such attacks, specialists recommend implementing authentication methods that are resistant to phishing, especially in the corporate environment. If you are using Okta, it is advisable to connect several protection mechanisms at once. It is also useful to restrict access by network zones and create lists of allowed IP addresses, excluding connection via anonymisers.
Some financial institutions are experimenting with the call verification feature in mobile applications - the user can verify whether or not a company representative is speaking to them.
According to Okta, this tactic is actively developed and already used in real attacks. The company’s analysts previously issued warnings on the subject in April 2025 and January 2026. They contain technical details, compromise indicators and protection recommendations.
Attacks using social engineering continue to develop - now attackers use voice calls in combination with dynamic phishing sets, which allow real-time control of the victim’s actions in the browser. This is reported by the team of Okta Threat Intelligence, which analyzed new tools available under the model «as a service» and actively used in attacks on users of Google, Microsoft, Okta and cryptocurrency platforms.
The main feature of these solutions is that they adapt to the communication scenario in the call process. While one of the attackers conducts a conversation in order to convince the victim to perform the required actions, the other controls the content of the page opened by the user in the browser. All this allows to synchronize the voice instructions with the displayed pages and strengthens the trust effect, especially at the moment of multifactor authentication.
Such sets can capture account data and simultaneously display interfaces that mimic official pages. This helps to convince the user that a legitimate process is taking place - for example, password reset or activity check. It looks plausible, as the phishing site is instantly adjusted to the authentication stage where an attacker entering on behalf of a victim on this site is present.
The attack scenario looks like this: it first collects information about the target, including the applications used and the contacts of the support service. The phishing page is then configured, and the call begins - the number is faked as corporate. The victim is encouraged to open a website and enter a login with password.
This data is immediately transferred to the closed channel, where it is used by the second party of the attack. Depending on the type of MFA requested, the phishing page is updated promptly, asking the user to confirm the entry via push notification or enter a code. All this is accompanied by voice instructions, which makes cheating particularly convincing.
As noted by experts, even MFA methods with the choice of number in the push notification are not protection - the attacker simply asks the victim to choose the right number. At the same time, methods like Okta FastPass or FIDO keys are protected from such attacks.
There is a trend to create increasingly specialized solutions: new panels are created not universal, but for specific services. In addition to this is gaining popularity not only the trade itself, but also the skills of voice cheating - now access to «operators» is also sold.
To protect against such attacks, specialists recommend implementing authentication methods that are resistant to phishing, especially in the corporate environment. If you are using Okta, it is advisable to connect several protection mechanisms at once. It is also useful to restrict access by network zones and create lists of allowed IP addresses, excluding connection via anonymisers.
Some financial institutions are experimenting with the call verification feature in mobile applications - the user can verify whether or not a company representative is speaking to them.
According to Okta, this tactic is actively developed and already used in real attacks. The company’s analysts previously issued warnings on the subject in April 2025 and January 2026. They contain technical details, compromise indicators and protection recommendations.
