Adversary-in-the-Middle Session Theft via Vishing Calls
How vishing calls are used to extract session cookies or one-time codes that allow attackers to hijack authenticated web sessions without ever knowing the victim's password.
Part of: Adversary-in-the-Middle Session Theft Scams
Last reviewed: 9 June 2026
Adversary-in-the-middle session theft is primarily a technical attack, but phone calls are increasingly used as a social engineering layer to complete it. An attacker who has partially compromised an account — perhaps holding a session token intercepted through a phishing proxy — may call the victim under a pretence to extract the final piece needed to complete the takeover, such as a one-time code, or to talk the victim into approving a push notification.
The voice call adds a human element that technical defences cannot detect. A victim who has refused a push notification or ignored a phishing link may still comply with a convincing caller who seems to represent their bank, workplace IT, or a trusted service. Understanding that session theft attacks often include a phone component helps consumers treat unexpected requests for codes with the same suspicion they would apply to phishing links.
How this scam works on phone calls
An attacker intercepts the victim's session through a phishing proxy or public Wi-Fi interception. A step in the session — account confirmation, transaction approval, or identity verification — requires a code sent to the victim's phone or email. The attacker calls the victim posing as the service's security team, explains there is a verification issue, and asks the victim to read out the code they just received.
Once the code is provided, the attacker completes the authenticated session and has full access. In some cases, the call is made before any interception: the caller builds rapport over multiple calls, establishes trust, and eventually calls at the moment of a real transaction to harvest the code as it arrives.
Common red flags
- Unexpected call from a service representative asking you to read out a code you just received
- Code arrives by SMS or email moments before or during the call
- Caller explains the code is needed to 'verify your identity' or 'resolve a security issue'
- Call urgency increases if you hesitate to provide the code
- After the call, you receive a notification that your account password was changed or a new device was added
- Caller knows your account details but still needs this one final code to complete the security check
How to protect yourself
- Never read one-time codes to anyone over the phone — legitimate services never ask for this
- If you receive a code you did not request, someone is attempting to access your account — change your password immediately
- Hang up and call the service directly using the number on the official website to verify whether there is a genuine issue
- Enable account activity alerts so you are notified immediately of any new device logins or password changes
- Use hardware security keys for critical accounts — they cannot be phished in real-time sessions
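As an added example (not part of this page), the relying-party check below illustrates the last point: a WebAuthn assertion from a hardware security key carries the origin the browser actually connected to, so an assertion relayed through a phishing proxy is rejected, whereas a one-time code read out over the phone is valid wherever it is typed. The origins, RP ID and challenge are constructed, and the signature check is omitted to keep the example stdlib-only.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (not a real site).
EXPECTED_ORIGIN = "https://bank.example"
EXPECTED_RP_ID = "bank.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_b64: str, auth_data: bytes, issued_challenge: bytes) -> str:
    """Relying-party checks on a WebAuthn 'get' ceremony: type, challenge, origin and
    rpIdHash. Returns 'ok' or the reason for rejection. The signature check over
    authenticatorData || sha256(clientDataJSON), which covers these fields, is omitted."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client_data.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch (replay or wrong session)"
    # The browser fills in the origin it actually connected to; a proxy cannot alter it
    # without invalidating the authenticator's signature.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulate what a browser produces as clientDataJSON for the given origin."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode())

def make_auth_data(rp_id: str) -> bytes:
    """Simulate authenticator data: rpIdHash || flags (UP|UV) || 4-byte sign count."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")

CHALLENGE = b"constructed-challenge-bytes-0001"  # constructed per-login challenge

def legitimate_login() -> str:
    return check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(EXPECTED_RP_ID), CHALLENGE)

def proxied_login() -> str:
    # The victim's browser was talking to the proxy's hostname, so that is the signed origin.
    return check_assertion(make_client_data("https://bank-login-help.example", CHALLENGE),
                           make_auth_data("bank-login-help.example"), CHALLENGE)
```

A one-time code has no equivalent of the origin field, which is why it can be harvested by phone and entered from the attacker's session.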
How to report it
- Report to Action Fraud (UK) or IC3 (US) with details of the call
- Notify the service whose account was targeted through their official security reporting channel
- Report to your IT security team if a work account was targeted
Frequently asked questions
Why would an attacker call me rather than just use a phishing page?
Some authentication steps — such as time-sensitive one-time codes — expire quickly and require real-time extraction. A live call allows the attacker to get the code while it is still valid and before the session times out.
Is it safe to confirm my identity by phone with my bank?
You can verify your identity in response to a call you initiate using the number on the back of your card. Never confirm identity — especially by reading one-time codes — on a call that arrives unexpectedly.