How to Run a Simulated Vishing Attack? Our complete guide.

Vishing is on the rise. We’ve seen an increase in threat reports citing voice phishing attacks, so it’s only natural that cybersecurity experts start to look at simulated vishing attacks to test their company’s or client’s security.

In this article, I’m going to show you step by step how to run an effective simulated vishing attack.

Key takeaways

  1. Simulated vishing serves two main purposes – It's used either to audit and evaluate an organization's real-world vulnerability to vishing or to train employees through awareness campaigns that shape safer behaviors.
  2. Realism is critical for effectiveness – Success depends on tailoring scenarios to industry-relevant threats, using appropriate voices and phone numbers, and targeting the right people, whether VIPs or general staff, to reflect actual attacker strategies.
  3. AI voice technology scales and enhances training – For large-scale or advanced threat simulations, AI voice tools provide cost-effective, realistic scenarios—especially valuable when preparing for attacks involving voice cloning and deepfakes.

Why simulate a vishing attack?

First things first, why would someone want to simulate a vishing attack?

We’ve seen two main use cases and depending on the goal, some parameters of your simulation might change.

Audit and risk evaluation

The first goal that comes to mind is often to evaluate the company’s resilience toward vishing attacks.

How would people behave facing a realistic, coordinated vishing attack targeted against our company?

This is the most common question. In this case, you don’t want to train people during the exercise: a training component inside the simulation would give away its context.

You want as realistic an execution as it can be. You want to collect behavioral data in a realistic setting. Based on this, you want to build an awareness program that would help fix the weak points you’ll detect in your organization’s defense.

Awareness training

Awareness training is a bit different. Although there is a lot of common ground regarding the way the vishing attack will be simulated, the goal here is to forge new behaviors, make people adopt new, safer habits.

To do so, we need to integrate a feedback loop to make sure they have access to the relevant information, at the proper time.

Select the appropriate scenarios

Now that you are clear about why you want to run a simulation, you’ll need to select the scenarios you’ll want to use.

Much like phishing simulation, you’ll need to craft, order or select — depending on what service you use — one or several scenarios that will be relevant to your goal.

These scenarios have different parameters that will influence their realism which in turn will influence their effectiveness to evaluate or train people.

The pretext

Just like with phishing simulation, you want to select a pretext and scenario that is contextualized and realistic.

Choose scenarios relevant to your context and industry: you don’t need to train people against unrealistic or inapplicable attacks. Think of it like a patch: if you’re running macOS, you’re not concerned by Microsoft Windows security patches. Same thing here, you don’t need to train people against attacks that don’t apply to you.

Choose scenarios based on actual threats. As the possibilities are endless, you might be tempted to trick people with schemes you or your team came up with during a brainstorming meeting. It’s very interesting (and exciting), but unless you’re doing recurring vishing simulations and need to come up with a lot of scenarios to reach a higher diversity level, I’d recommend sticking to actively exploited attacks to maximize the effectiveness of the training. Train people against actual threats, not imaginary ones.

Phone numbers

Source local numbers to call from.

Phone number spoofing is illegal in numerous countries, so you might not be able to do this for security training operations, but at least choose numbers that are relevant geographically, just as attackers will do.

The voice

It goes without saying, but anything out of the ordinary might raise suspicion and decrease the training effect, or the quality of the behavioral data collected during an audit.

This is why I’d recommend using a voice — or an operator — that fits your context.

At Arsen, we’re using several voice models that can use many accents. This allows us to provide global coverage for our international clients.

Select the appropriate targets

Simulated vishing attacks need to address specific people. There are two main use cases here again, tied to two target types.

High-risk users

Your high-risk users are either highly privileged or highly accessible.

VIPs, C-suite, board members have such high-level access or authority within your company that they are very interesting targets for attackers. A compromised account will have a strong security impact on your company.

Just like spear phishing, in these cases, attackers will do their homework before calling their targets, so you should use heavily customized scenarios to increase realism and effectiveness of your simulated vishing attack.

Company-wide campaigns

On the other hand, you might want to run a large scale vishing simulation and cover all your employees.

In this case, targeting everybody will require not only a very versatile scenario, but also good orchestration and scalable technology to execute it, as it will be hard for individual red team operators to conduct vishing simulations on everybody within your company.

Schedule and run a campaign

Now that you know what scenario you will use and who you are going to use it for, let’s talk about when.

Vishing attacks are synchronous. They require the target’s availability. It’s a bit different from email attacks that can be sent whenever — although to increase realism, we do recommend specific timings there too.

You might need to retry calling your targets if they don’t pick up the phone. You will also want to select times when people are more likely to be able to answer their phone to maximize the connection rate.

If you’re working with human operators, they should be able to provide recommendations and guidelines that fit their process and your use case.

If you’re using a vishing simulation platform, then you should use your internal knowledge to choose the appropriate dates for your campaigns.
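The scheduling rules above (synchronous calls, retries when nobody picks up, calling only when people are likely to answer, a feedback loop only in training mode), as an added example that is not part of the original article or of Arsen’s platform. The calling windows, retry cap, retry delay and the three-person sample campaign are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
CALL_WINDOWS = [(10, 12), (14, 16)]  # assumed local-hour windows with good pick-up rates
MAX_ATTEMPTS = 3                     # assumed retry cap per target
RETRY_DELAY = timedelta(days=1)      # assumed: retry a no-answer from the next day on

@dataclass
class Target:
    name: str
    attempts: int = 0
    connected: bool = False
    debriefed: bool = False
    next_call: "datetime | None" = None

def next_slot(after: datetime) -> datetime:
    """First time at or after `after` that falls in a call window on a weekday."""
    t = after.replace(minute=0, second=0, microsecond=0)
    while True:
        if t.weekday() < 5:  # Monday to Friday only
            for start, end in CALL_WINDOWS:
                if start <= t.hour < end:
                    return t
                if t.hour < start:
                    return t.replace(hour=start)
        t = (t + timedelta(days=1)).replace(hour=0)  # past the last window: next day

def run_campaign(targets, outcomes, start, mode="audit"):
    """Call each target; retry no-answers in a later slot, up to MAX_ATTEMPTS.
    `outcomes` maps (name, attempt_no) -> "answered"; "training" mode debriefs right after the call."""
    pending = list(targets)
    for t in pending:
        t.next_call = next_slot(start)
    while pending:
        t = min(pending, key=lambda x: x.next_call)  # earliest scheduled call first
        pending.remove(t)
        t.attempts += 1
        if outcomes.get((t.name, t.attempts)) == "answered":
            t.connected = True
            t.debriefed = mode == "training"  # feedback loop only when training, never in an audit
        elif t.attempts < MAX_ATTEMPTS:
            t.next_call = next_slot(t.next_call + RETRY_DELAY)
            pending.append(t)
    return targets

def connection_rate(targets) -> float:
    return sum(t.connected for t in targets) / len(targets)  # share of targets actually reached
FRIDAY_EVENING = datetime(2024, 6, 7, 17, 0)  # constructed sample start: a Friday, after the last window
SAMPLE_OUTCOMES = {("alice", 1): "answered", ("bob", 2): "answered"}  # constructed; carol never answers

def sample_campaign(mode="audit"):
    targets = [Target("alice"), Target("bob"), Target("carol")]  # constructed sample staff list
    return run_campaign(targets, SAMPLE_OUTCOMES, FRIDAY_EVENING, mode)
```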

When do you need to do AI voice simulations?

If you’re doing some research on simulated vishing attacks, you might have seen the new generation of awareness platforms (like us) that use voice AI.

AI vishing is a fairly new threat, but it is already used in attacks, so why not use it for your vishing simulations?

AI is a great tool but might not be relevant in your case, so I thought I’d talk a little bit about when it’s relevant to use AI voice phishing simulations, rather than going to your regular red team.

Call volume and large scale simulations

The most important decision criterion here will be the size of your simulations.

If you want to train every employee in your company against vishing, you’ll need to run vishing simulations fairly often. This will result in a fairly large number of calls.

Let’s say you’re a 500-person company planning on having at least a quarterly vishing simulation: this would bring your total to 2000 vishing simulations per year.

This will become very expensive, very fast, if you use human operators.

This is where AI vishing simulation will become a cost-efficient way to increase coverage and volume.

Advanced attacks and voice deepfakes

If you want to train your employees against advanced attacks — even just a small group, like your C-suite or high-privilege users — you will need to use tools relying on AI.

Voice cloning or deepfaked voices are increasingly used in attacks. The technology is readily available, easy to use and deploy, and is a relevant threat to train against in your awareness programs.

In this case, you’ll have to rely on an AI voice phishing simulation platform, or at least a live voice changer, to be able to reproduce these threats realistically.

Conclusion

In this article, I’ve described the key steps and parameters you’ll need to adjust to run simulated vishing attacks at your company.

As technology evolves and the threat landscape evolves with it, voice AI capabilities will be a strong asset to help build comprehensive training against vishing attacks.

This is why we provide state-of-the-art vishing simulation, where you can execute all the aforementioned points to build a strong vishing awareness basis for your defense.

If this is something you are interested in, feel free to request a demo; we’ll be happy to show you how we can help.
