First-hours guide

Phone social engineering incident response.

If a caller pushed your team to send money, change payment details, share a verification code, reset a password, or trust a cloned voice, treat it as an active incident. Speed matters more than perfect diagnosis.

Last reviewed May 2026 / Vicall Research / Not legal advice

First hour

Stop the loss path before you write the postmortem.

A phone social engineering incident usually has one objective: move money, redirect a future payment, capture credentials, or trigger an internal action. Your first job is to interrupt that path.

00-15 min

Freeze the requested action.

Stop the wire, ACH, vendor bank change, payroll change, password reset, gift card purchase, account unlock, or data release. If the action already happened, move directly to bank and platform recovery.

15-30 min

Verify through a clean channel.

Call the real person using a stored internal directory number, not the number that called you. If a vendor or customer was impersonated, use a known number from a contract, bank record, or prior verified file.

30-60 min

Preserve evidence and notify the right owners.

Save call logs, phone numbers, voicemails, screenshots, email headers, payment records, and chat messages. Notify finance, legal, security, leadership, and insurance before logs age out or systems overwrite state.

Decision tree

Which response track are you on?

Funds moved

Contact the originating bank immediately and ask for a recall or hold. File with FBI IC3. Then preserve evidence and notify counsel and insurance.

Voice clone suspected

Preserve the audio if available, document the caller number and exact script, identify who was impersonated, and warn any team that could receive a follow-on call.

Credentials or code shared

Reset credentials, revoke sessions and tokens, check forwarding rules and MFA changes, and review account activity before the attacker can pivot.
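
An added example, not part of the original guide: a triage pass over exported account audit events for the user who shared a credential or code. It flags post-call activity from IPs not seen before the call and changes that survive a password reset (MFA methods, forwarding rules, tokens). The JSON field names, event types, and sample log lines are constructed for illustration; map them to your own platform's export.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit export (one JSON object per line). Field names and
# event types are hypothetical, not any vendor's real schema.
SAMPLE_EVENTS = """\
{"time": "2026-05-04T14:02:10+00:00", "user": "ap.clerk", "type": "login", "ip": "198.51.100.7"}
{"time": "2026-05-04T15:31:44+00:00", "user": "ap.clerk", "type": "login", "ip": "203.0.113.50"}
{"time": "2026-05-04T15:33:02+00:00", "user": "ap.clerk", "type": "mfa_method_added", "ip": "203.0.113.50"}
{"time": "2026-05-04T15:35:19+00:00", "user": "ap.clerk", "type": "forwarding_rule_created", "ip": "203.0.113.50"}
{"time": "2026-05-04T15:40:00+00:00", "user": "hr.lead", "type": "login", "ip": "198.51.100.9"}
{"time": "2026-05-04T16:10:00+00:00", "user": "ap.clerk", "type": "token_issued", "ip": "203.0.113.50"}
not-json: truncated export line
"""

# Changes that can keep an intruder in the account after a password reset.
PERSISTENCE_TYPES = {"mfa_method_added", "forwarding_rule_created",
                     "token_issued", "recovery_email_changed"}

def triage(log_text, user, call_time, window_hours=72):
    """Return (findings, malformed_count) for `user` in the window after the call."""
    events, malformed = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            if ev["time"].tzinfo is None:
                raise ValueError("timestamp without timezone")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            malformed += 1  # count unreadable lines; gaps in evidence matter
    mine = sorted((e for e in events if e.get("user") == user), key=lambda e: e["time"])
    baseline_ips = {e.get("ip") for e in mine if e["time"] < call_time}
    deadline = call_time + timedelta(hours=window_hours)
    findings = []
    for e in mine:
        if not call_time <= e["time"] <= deadline:
            continue
        reasons = []
        if e.get("ip") not in baseline_ips:
            reasons.append("new_ip")
        if e.get("type") in PERSISTENCE_TYPES:
            reasons.append("persistence_change")
        if reasons:
            findings.append((e["time"].isoformat(), e.get("type"), reasons))
    return findings, malformed

if __name__ == "__main__":
    call = datetime(2026, 5, 4, 15, 30, tzinfo=timezone.utc)  # constructed call time
    print(triage(SAMPLE_EVENTS, "ap.clerk", call))
```

With no pre-call history for a user, every post-call IP is flagged as new, so export enough log history to build the baseline before relying on the result.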

Evidence

Do not clean up before you preserve.

It is natural to delete suspicious messages or reset everything immediately. Preserve first. Your bank, insurer, counsel, and law enforcement may need the original records.

Preserve these records

  • Call logs, voicemail, phone numbers, caller ID screenshots
  • Payment instructions, bank records, invoices, and vendor-change forms
  • Emails, headers, chat messages, texts, and ticket history
  • Account login history, MFA events, forwarding rules, and admin changes

Contain these paths

  • Pending wires, ACH batches, payroll runs, and vendor changes
  • Shared passwords, verification codes, recovery emails, and MFA devices
  • High-risk phone workflows without callback verification
  • Employees who may receive a second impersonation call

Official sources

Where to report and what guidance says.

For funds-transfer scams, the FBI advises victims to contact their financial institution immediately and report to IC3. CISA defines vishing as social engineering over voice communication. The FTC warns small businesses about urgent payment methods, wire transfers, cryptocurrency, and gift cards.

FAQ

Fast answers during a messy moment.

What should I do first after a business phone scam?

Stop the requested action and verify through a clean channel. If money moved, call your bank immediately and file with FBI IC3. If credentials or codes were shared, reset access and revoke active sessions.

Is a suspicious phone call a cybersecurity incident?

It can be. If the caller caused or attempted a payment, account change, credential disclosure, code sharing, data release, or security bypass, treat it as an incident and preserve evidence.

How does Vicall help after an incident?

Vicall helps close the live-call gap that allowed the incident: on-device voice-clone detection plus optional risky-phrase alerts for wire instructions, routing numbers, verification codes, passwords, gift cards, and payroll changes.

Close the phone gap before the next call.

Vicall adds real-time call-risk protection for the moments awareness training cannot fully cover: cloned voices, urgent payment scripts, credential requests, and risky phrases.