SOCRadar® Cyber Intelligence Inc. | How AI Changed Vishing: Case of PlugValley
Apr 22, 2026
Moon

How AI Changed Vishing: Case of PlugValley

Vishing or voice phishing is not a new attack. Fraudsters have been calling people and pretending to be banks, government agencies, and tech support for decades. What has changed is not the concept.

Running a vishing operation used to demand a lot from an attacker. A convincing voice. Fluency in the target’s language. The ability to stay composed when a target pushes back or asks an unexpected question. The mental stamina to make dozens of calls a day, absorb the rejections, and keep going. These were real constraints. They limited who could run these attacks and how many they could run at once.

AI has worked through that list almost entirely, and this blog exists to show exactly how.

The Components That Made It Possible

Voice synthesis crossed a practical threshold. For a vishing call to work, the voice does not need to be indistinguishable from a human under careful analysis. It needs to be convincing enough in a short, stressful phone call where the target is not expecting a bot. Modern text-to-speech clears that bar. Platforms offer selectable voices, genders, accents, and languages. An operator targeting a US audience picks one voice. Targeting a Spanish speaker, they pick another.

Caller ID spoofing is not new technology, but it has been packaged into the same workflow as everything else. The number on the target’s screen matches the institution being impersonated. That alignment, a convincing voice coming from a number that looks right, is enough to get most people past their initial skepticism before the script even starts.

Scripted call modes remove the need for improvisation. The operator selects a scenario: a bank fraud alert, a social media security warning, a delivery issue. The system handles the script.

Voicemail detection means wasted calls get cut automatically. The system detects whether a human answered or whether it hit voicemail, ends the call if it is the latter, and moves on. No operator attention required.

Real-time credential capture closes the loop. When a target reads out a code, the system pulls it from the call and surfaces it to the operator instantly, before the target has even hung up. The window between getting a credential and using it is seconds.

Each of these capabilities existed before, but Vishing-as-a-Service platforms like PlugValley assemble them into a single product with a clean interface, a subscription model, and a support channel.

PlugValley: A Platform Built Around Autonomized Vishing

PlugValley markets itself as “a trusted community where privacy matters, quality is guaranteed, and safety is our priority.” The branding is clean. The interface is polished. Version 1.0.2, marked Operational.

The Valley Hub homepage. Announcement threads, a marketplace, an affiliate program, and an OTP Bot sit behind an interface that presents itself as a legitimate community product.

Underneath that is a full-stack fraud operation. The platform has a community forum, a tiered marketplace, an escrow system for disputes, and the OTP Bot as its core product. That bot is an AI-powered calling system that impersonates legitimate services, calls targets, and delivers extracted credentials to the operator through a live dashboard.

The left sidebar lays out the full scope: community features, marketplace, verified sellers, auto-escrow, affiliate program, and under OTP Bot: Create Call, Custom Scripts, and Custom Actions. It is an ecosystem built around the attack.

The marketplace tries to supply what the bot needs to run. Bank logs, account credentials, and leads are bought and sold through a tiered seller system. Verified Sellers have confirmed status. Normal Sellers is open to anyone. An escrow system handles disputes. Buyers post requests. Sellers build reputations.

The marketplace with its tiered seller structure and escrow system. The trust infrastructure of a legitimate vendor marketplace has been replicated here and applied to fraud tooling.

Free content fills in the rest of the knowledge gap. A post from a user offers a free BEC Guide covering how to get leads, check recovery numbers on compromised email accounts, set up persistence, and move through infrastructure after a credential is captured. The requirements listed: an OTP bot, a SIP dialer, a Windows VPS, social engineering skills, and optionally a RAT or stealer setup. A private version is coming soon.

A post sharing a free BEC Guide. Free resources like this draw in new operators and build retention around the paid tooling. The OTP Bot is positioned as step one in a longer chain.

The platform even supports installation as a Progressive Web App. iOS, Android, and desktop are all listed. The prompt encourages operators to add PlugValley to their home screen for quick access, the same design pattern used by legitimate productivity software.

What the Operator Actually Does

This is worth being specific about, because it changes the threat model considerably.

In a traditional vishing attack, the threat actor’s social skills are the weapon itself. Their voice, their judgment, their real-time decisions determine whether the call succeeds. In an AI-powered platform, the operator is a supervisor. They configure the call, watch a dashboard, and click buttons to direct the bot toward the next piece of information. If the target hangs up, they move to the next number.

On PlugValley, setting up a call is a three-step process. Step one is Call Information. The operator picks a voice, sets the target phone number, selects a call mode, enters the victim’s name, and optionally adds the last four digits of a card number. That card digits field exists to make the script more convincing. When the bot reads those digits back mid-call, it sounds like the institution already has the target’s account on file.

The Call Information step. Voice, language, target number, call mode, victim name, and optional card digits are all set here. Simple Call uses platform default scripts. Advanced Call lets operators supply their own custom script.

Step two is Call Settings. The operator picks a verification mode. Normal prompts the target to press a key on their keypad before the bot continues. No Action reads the script without waiting for a response. Disabled skips verification entirely. Then three toggles: spoofing on or off, SIP streaming on or off, voicemail detection on or off.

The Call Settings step. Verification mode determines how the bot handles the opening of the call. Spoofing, streaming, and voicemail detection are each independently controlled.

Step three is a confirmation screen. Everything is summarized before the call is created. The operator reviews it and hits Create Call.

The Call Confirmation screen. Call type Simple, mode Social Medias, victim name James, caller ID enabled, streaming disabled. Everything laid out before submission.

The cognitive load on the operator is minimal. They are not speaking. They are not improvising. There is no accent to betray them, no nerves to manage, no risk of breaking character. They are making decisions from a dashboard while the bot does the work.

Inside a Live Call

Once the call is placed, the operator watches it happen in real time.

The live dashboard at the moment the call is being placed. Status reads "Calling Victim" with a timer at 12 seconds. The Call Captures panel on the right is empty. The Real-time Activity log below shows entries from the prior session.

The dashboard shows a status panel with the target number and a running timer. Below it is the action grid: OTP (6 digits), OTP (4 digits), 2FA App, CC Number, CC Expiration, CVV, ATM PIN, Date of Birth. Eight buttons. The operator clicks one to trigger the bot to ask the target for that specific piece of information. The bot handles the voice, the framing, and the pacing.

On the right side of the screen the Call Captures panel waits. Below it, the Real-time Activity log timestamps every event as it happens.

The logs are the clearest way to understand the speed of this. A documented session shows the full sequence:

The Real-time Activity log from a live session. Call answered at 02:57:22. Code captured at 02:58:12. Call completed at 02:58:18. The full interaction ran 56 seconds.

Twenty-seven seconds between the target answering and the operator triggering the 2FA request. One second for the target to press 1. Twenty-two seconds for them to read out the code. Six seconds to close the call. Fifty-six seconds total.

The code appeared in the Call Captures panel the moment the target said it out loud.

The Call Captures panel showing the extracted 2FA code with a copy button ready. The operator does not need to wait for the call to end before the credential is usable.

A second documented session shows the system handling a harder target. The first attempt hit voicemail. The platform detected it, flagged it in the log, and the operator placed a second call. That one was answered. Human detected. The operator triggered an OTP request. The target hung up.

The dashboard updated immediately. Status: “Victim hangup.” The action grid went inactive. A note appeared explaining that no further triggers were possible on a completed call.

The dashboard after the target hung up before providing information. Action buttons go inactive. A note confirms the call is done. The operator closes it and moves to the next number.

The operator closes the call and moves on. No manual logging. No friction. The platform is designed for exactly this rhythm: place, attempt, capture or move on, repeat.

The Skill Floor Argument

The most significant thing AI did to vishing is not make individual attacks more sophisticated. It made unsophisticated attackers capable of running them.

Someone who cannot speak English convincingly can now run English-language vishing calls. Someone who has never social-engineered anyone can follow a dashboard and click action buttons. Someone with no infrastructure knowledge can subscribe to a platform that handles everything from voice synthesis to caller ID spoofing to credential delivery, and be operational the same day.

The attacks that result are not more refined than what a skilled human operator would run. In some ways they are less so, because the script is fixed and the bot cannot improvise when a conversation goes sideways. But skill was the limiting factor, and that limiting factor has been largely removed.

The platform even signals this in how it is designed. PlugValley distinguishes between Simple Calls, which use default scripts and are described as great for beginners or if you want to get started quickly, and Advanced Calls for users who want more control. The onboarding language is the language of a SaaS product built for non-technical users.

What to Take From This

The threat is not that AI did something impossible. Vishing has worked for decades. The shift is that the human bottleneck is gone. One operator with a subscription can run calls that previously required a trained social engineer, at scale, across time zones, without fatigue, without an accent giving them away, and without the emotional toll of doing it all day.

That pattern, the skill floor dropping while volume goes up, is showing up across the attack chain. Vishing is one node. The operator no longer needs to be the threat. The platform is.

For individuals, the defensive position has not changed but still needs repeating: no legitimate service will call you and ask for a one-time code, a CVV, or a PIN. If a voice on the phone is asking for a code, the call is the attack.

For organizations, the calculus is harder. The number looks real. The voice sounds real. The script may reference account details that match. Security awareness training helps, but it only works if people remember it in the moment, which is exactly what these calls are engineered to prevent.

Hackers Are Already Using AI, So Should Your Defense

The same logic that makes PlugValley effective, autonomous agents running at scale with minimal human oversight, is exactly what defense needs to match it.

SOCRadar Agentic Threat Intelligence is built on that premise. Launched at Black Hat 2025, the platform deploys autonomous AI agents that proactively detect, analyze, and respond to external threats without waiting for an analyst to connect the dots. Traditional threat intelligence is passive. It surfaces data and leaves the decisions to your team. Agentic threat intelligence acts on that data, continuously, at machine speed.

The platform is modular by design. Specialized agents target specific threat categories: phishing, brand abuse, credential leaks, impersonation, IP exposure, and identity threats. Organizations deploy only the agents relevant to their risk surface, mix and match workflows, and customize agent behavior to match their specific environment. Everything is managed from a single marketplace and dashboard.