Vishing Kits Surge on Dark Web in 2026

Voice-phishing (vishing) toolkits are rapidly proliferating across dark web forums, Telegram channels, and underground cybercrime marketplaces in early 2026. These customizable kits empower even novice attackers to launch sophisticated, real-time social engineering attacks that combine voice calls with phishing elements to bypass multi-factor authentication (MFA), steal SSO credentials, and enable account takeovers. Targeting major identity providers like Okta, Microsoft, and Google, the kits mimic legitimate authentication processes, profile victims during live calls, spoof caller IDs, and capture sensitive data such as one-time codes or session details on the fly.

This surge represents an evolution from traditional email-based phishing kits toward hybrid, voice-enabled Phishing-as-a-Service (PhaaS) models. Attackers can now rent or purchase ready-made tools that lower technical barriers, scale operations, and increase success rates by exploiting human trust in phone interactions over digital ones. Reports indicate growing adoption of these kits for helpdesk-style scams reminiscent of groups like Scattered Spider, with voice components making them harder to detect via email filters or standard endpoint protections.

Detailed Breakdown of the Vishing Kits Trend

  • Kit Features and Capabilities — Modern vishing kits often include real-time MFA bypass mechanisms, OTP interception bots (via Telegram integration), voice call scripting, caller ID spoofing tools, and victim profiling interfaces. Some incorporate AI-assisted elements like voice cloning or synthetic speech to make impersonations more convincing. These extend broader phishing ecosystems where kits act as modular SaaS platforms, supporting combo attacks across banking, crypto, e-commerce, Microsoft 365, and SSO providers.
  • Underground Market Dynamics — Sales occur primarily on deep web forums (around 59% of observed sources), Telegram channels (14%), dark web markets (8%), and even some open channels. Kits are bundled with tutorials, infrastructure setup guides, and customer support—mirroring legitimate software models. Pricing varies from low-end (~$20–$100 for basic templates) to premium subscriptions ($1,000–$2,000+ for advanced real-time MFA bypass kits like those inspired by EvilProxy or Tycoon2FA variants). Combo kits dominate, allowing multi-brand targeting (e.g., 44% of analyzed offerings support multiple lures simultaneously).
  • Proliferation Statistics and Growth — Analysis of thousands of underground posts shows phishing kits (including extensions to voice-enabled attacks) commoditized and widely available. For instance, high-end real-time phishing tools appear in hundreds of listings, with MFA-bypass kits linked to a majority of recent credential theft incidents. The accessibility has fueled a broader “fifth wave” of cybercrime, where AI tools amplify impersonation and social engineering tactics, including vishing via scam calls and deepfake audio.
  • Real-World Campaign Examples — Recent alerts highlight custom vishing kits used in targeted attacks on Okta SSO accounts, where attackers pose as IT support, guide victims through fake verification flows, and capture credentials live. These campaigns often start with email or SMS lures before escalating to voice calls, enabling full session hijacking and data exfiltration.

Why This Surge Poses Serious Risks

  • Higher Success Rates — Voice interactions exploit psychological trust factors that email phishing struggles to match, leading to better MFA code extraction and reduced suspicion.
  • Scalability for Threat Actors — As-a-service models allow non-experts to rent call operations (sometimes called Vishing-as-a-Service or VaaS), outsource “helpdesk” scams, and target enterprises at industrial scale.
  • Broader Attack Surface — Impacts extend beyond individuals to corporate environments, fueling business email compromise (BEC), ransomware entry points, extortion, and identity theft.
  • Detection Challenges — Traditional defenses focus on email/web vectors; vishing adds phone-based evasion, making it harder for SOC teams to spot without employee reporting or advanced behavioral analytics.

Indicators of Compromise (IOCs) to Monitor

  • Unsolicited incoming calls claiming to be from IT/security teams requesting MFA codes, session verification, or remote access.
  • Sudden spikes in MFA fatigue/push notifications followed by voice call attempts.
  • Unusual VoIP or outbound call patterns from corporate networks, especially to unknown numbers.
  • Dark web/Telegram chatter advertising vishing kits with Okta/Microsoft/Google branding or real-time bypass demos.
  • Reports of spoofed caller IDs matching company helpdesk numbers.
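
The second indicator above (a burst of MFA pushes followed by a voice call) can be expressed as a correlation rule over identity-provider and telephony logs. This is an added example, not code from the original article or from any vendor; the log layouts, result names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field layout and result names are assumptions.
MFA_LOG = [  # (timestamp, user, push result)
    ("2026-02-03T09:00:05", "alice", "denied"),
    ("2026-02-03T09:00:40", "alice", "timeout"),
    ("2026-02-03T09:01:30", "alice", "denied"),
    ("2026-02-03T09:06:10", "alice", "approved"),
    ("2026-02-03T10:15:00", "bob", "denied"),
    ("2026-02-03T14:00:00", "carol", "denied"),
    ("2026-02-03T14:00:30", "carol", "denied"),
    ("2026-02-03T14:01:00", "carol", "timeout"),
]
CALL_LOG = [  # (timestamp, called user, caller number, direction)
    ("2026-02-03T09:03:00", "alice", "+15550100", "inbound"),
    ("2026-02-03T10:16:00", "bob", "+15550101", "inbound"),
    ("2026-02-03T16:30:00", "carol", "+15550102", "inbound"),
]

def correlate(mfa_log, call_log, burst=3, burst_window=timedelta(minutes=5),
              call_window=timedelta(minutes=15)):
    """Flag users with >= `burst` unapproved pushes inside `burst_window`
    that are followed by an inbound call within `call_window`."""
    ts = datetime.fromisoformat
    failed, approved, calls = defaultdict(list), defaultdict(list), defaultdict(list)
    for t, user, result in mfa_log:
        (approved if result == "approved" else failed)[user].append(ts(t))
    for t, user, caller, direction in call_log:
        if direction == "inbound":
            calls[user].append((ts(t), caller))
    alerts = []
    for user, times in failed.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            end = times[i + burst - 1]
            if end - times[i] > burst_window:
                continue  # pushes too spread out to count as a burst
            for call_time, caller in sorted(calls[user]):
                if end <= call_time <= end + call_window:
                    # An approval after the call suggests the user was talked into it.
                    hit = any(call_time <= a <= call_time + call_window for a in approved[user])
                    alerts.append({"user": user, "caller": caller,
                                   "severity": "high" if hit else "medium"})
                    break
            else:
                continue  # no matching call for this burst; try the next one
            break  # one alert per user is enough for triage
    return alerts
```

On the sample data only alice is flagged: bob has a single denied push, and carol's call arrives hours after her burst.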

Recommended Defenses and Best Practices

  • Employee Awareness Training — Conduct regular simulations of vishing scenarios, teaching verification protocols (e.g., hang up and call back via official directory) and red flags like urgency or requests for codes.
  • Callback Verification Policies — Mandate confirming any sensitive request via a known internal channel rather than responding to inbound calls.
  • Enhanced MFA Configurations — Prioritize phishing-resistant options like FIDO2 security keys or passkeys over SMS/voice OTPs; enable number-based call screening and block suspicious patterns.
  • Monitoring and Intelligence — Use threat exposure platforms to track brand impersonation and emerging kits on dark web/Telegram; integrate dark web monitoring into security operations.
  • Technical Controls — Deploy endpoint detection for anomalous remote access tools (e.g., Quick Assist, Teams sharing); enable strict VoIP logging and anomaly detection for call behaviors.
  • Incident Response Prep — Update playbooks to include vishing vectors, with rapid account lockdown procedures for suspected compromises.

“Phishing kits are no longer one-offs. They’re part of a growing ecosystem of services, marketplaces, and automation,” notes the Flare research team, highlighting the SaaS-like commercialization driving accessibility.

Source and full details:


© 2026 ByteVanguard • Independent Cyber Threat Intelligence