Just like attackers, we have been ramping up vishing simulations at Arsen, and we have seen more demand from cybersecurity professionals than ever before.
Although many requests were about vishing simulations to evaluate resilience and audit companies, inquiries have been shifting toward vishing awareness training.
In this article, I'm going to take a deep dive into how to protect employees with a vishing awareness training program.
The goal is to help people learn and adopt new behaviors and build reflexes that protect them against voice phishing attempts.
Let’s dive in.
The takeaway
- Awareness alone isn't enough—behavioral preparedness is key – Effective training must go beyond theoretical knowledge to develop real-world reflexes and protocols that employees can rely on during high-pressure vishing attacks.
- Realistic, recurring simulations are essential – Building strong defense habits requires frequent, diverse vishing simulations that reflect real threats, helping employees recognize and respond appropriately over time.
- Training should be context-specific and continuously improved – Mixing custom e-learning with adaptive feedback from employees ensures relevance and effectiveness, creating a more resilient organization against voice phishing threats.
Fundamentals of awareness training
First, a refresher.
One of the main problems with cybersecurity awareness training is that people often mix up awareness and preparedness.
You might be aware of a threat, but not prepared against it.
The goal is NOT to have people who are highly knowledgeable about vishing yet get caught every time a social engineer calls them.
The goal is to have people trained well enough to follow the proper protocol. That lets them detect the threat and take appropriate action, which most often means security professionals can take over and stop the attack.
This is why good security training includes both theory and practice.
Specific notes about vishing and social engineering
Vishing is a form of social engineering: voice is just the vector through which social engineering techniques are applied.
It is the same with phishing, where the vector is email.
A key principle of social engineering attacks is to put the victim into an emotional state.
That emotional state triggers reactions that bypass rational thinking, which is precisely the faculty classic e-learning content trains.
This means people can know perfectly well how to behave during an attack but be unable to apply that knowledge when they actually face one.
This is why it’s especially important to have practical training when it comes to teaching employees how to defend against vishing attacks.
Impact of awareness training
Although vishing awareness training is fairly new, cybersecurity awareness training in general has been around for some time. We are lucky to have scientific literature that helps paint a clearer picture of its effectiveness at improving behavior.
For instance, a meta-analysis published in Computers & Security found that security training has a positive effect on end-users, particularly in influencing behavior.
A systematic review of current cybersecurity training methods concluded that the majority of studies report positive effects of training.
Finally, a study on Social Engineering Awareness Training explored the impact of a behavioral change model, highlighting the importance of practical training.
Taken together, these studies point toward a positive impact of awareness training programs and simulations, and practical exercises seem to have the strongest effect on creating new behaviors.
Vishing awareness training
Now that we’ve established a few fundamentals on awareness training, let’s address vishing awareness training.
Here is what you need.
Periodic vishing simulations
Because the goal is to forge new behaviors, you can't rely on a one-off, once-a-year vishing simulation. You need repetition to build habits and awareness, which means simulated vishing attacks that train these reflexes over and over.
Depending on your size, communication habits and exposure, your vishing awareness training program should run simulations somewhere between once a quarter and once a month.
Less often than that and people forget and lower their guard.
More often than that and it can hurt the company's productivity and create internal push back.
In specific cases, intense training weeks or months to build foundational reflexes and drive process adoption can be a good idea.
Vishing scenario diversity
If you don’t have enough diversity, you risk overspecializing people into detecting your flavor of vishing simulation, not in detecting vishing attacks in general.
So make sure you use different scenarios, with different voices, different phone numbers, and calls placed at different times of day.
This helps forge reliable habits rather than a sixth sense for when the infosec team is vishing employees for its quarterly report.
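The cadence and diversity rules above are easy to state and easy to violate once a campaign spans a few dozen people and several rounds. The script below is an added example, not code from the Arsen platform or from this article: it plans a recurring campaign within the monthly-to-quarterly window, jitters the call day so it is not predictable, never gives an employee the pretext or caller ID they saw in their previous two rounds, and then audits the resulting plan. The employee names, scenario pretexts, caller IDs and the exact day limits are constructed assumptions.

```python
"""Plan a recurring vishing simulation campaign and check it for diversity.

This is an added example, not code from the Arsen platform. Employee names,
scenario pretexts, caller IDs and cadence limits are constructed assumptions.
"""
import random
from dataclasses import dataclass
from datetime import date, timedelta

MIN_CADENCE_DAYS = 28   # about once a month
MAX_CADENCE_DAYS = 92   # about once a quarter
JITTER_DAYS = 7         # spread calls over a week so the day is not predictable
START = date(2025, 1, 6)  # constructed campaign start


@dataclass(frozen=True)
class Scenario:
    name: str        # the pretext the caller uses
    caller_id: str   # the (spoofed) number the caller presents
    slot: str        # time of day the call is placed


# Constructed scenario pool: every entry differs in pretext, caller ID and slot.
SCENARIOS = [
    Scenario("it-helpdesk-password-reset", "+1-555-0100", "morning"),
    Scenario("vendor-invoice-bank-change", "+1-555-0142", "afternoon"),
    Scenario("executive-urgent-purchase", "+1-555-0177", "late-afternoon"),
    Scenario("bank-fraud-department", "+1-555-0199", "lunch"),
    Scenario("recruiter-reference-check", "+1-555-0123", "morning"),
]
EMPLOYEES = ["alice", "bob", "carol", "dave"]  # constructed


def plan_campaign(employees, scenarios, start, cadence_days, rounds, seed=0):
    """Assign one scenario per employee per round, never reusing the pretext
    or caller ID an employee saw in the previous two rounds, and preferring a
    different time slot from their last call."""
    if not MIN_CADENCE_DAYS <= cadence_days <= MAX_CADENCE_DAYS:
        raise ValueError(f"cadence {cadence_days}d is outside the monthly..quarterly window")
    if len(scenarios) < 3:
        raise ValueError("need at least three distinct scenarios")
    rng = random.Random(seed)
    history = {emp: [] for emp in employees}
    plan = []
    for rnd in range(rounds):
        for emp in employees:
            recent = history[emp][-2:]
            seen_names = {s.name for s in recent}
            seen_ids = {s.caller_id for s in recent}
            candidates = [s for s in scenarios
                          if s.name not in seen_names and s.caller_id not in seen_ids]
            if not candidates:  # tiny pool: at least avoid the very last one
                candidates = [s for s in scenarios if s not in recent[-1:]]
            last_slot = recent[-1].slot if recent else None
            preferred = [s for s in candidates if s.slot != last_slot]
            choice = rng.choice(preferred or candidates)
            day = start + timedelta(days=rnd * cadence_days + rng.randrange(JITTER_DAYS))
            plan.append({"round": rnd, "date": day, "employee": emp, "scenario": choice})
            history[emp].append(choice)
    return plan


def check_plan(plan):
    """Return a list of diversity and cadence findings; empty means acceptable."""
    findings = []
    by_emp = {}
    for entry in sorted(plan, key=lambda e: (e["employee"], e["round"])):
        by_emp.setdefault(entry["employee"], []).append(entry)
    for emp, entries in by_emp.items():
        for prev, cur in zip(entries, entries[1:]):
            ps, cs = prev["scenario"], cur["scenario"]
            if ps.name == cs.name:
                findings.append(f"{emp}: pretext {cs.name!r} repeated in consecutive rounds")
            if ps.caller_id == cs.caller_id:
                findings.append(f"{emp}: caller ID {cs.caller_id} repeated in consecutive rounds")
            gap = (cur["date"] - prev["date"]).days
            if not MIN_CADENCE_DAYS - JITTER_DAYS <= gap <= MAX_CADENCE_DAYS + JITTER_DAYS:
                findings.append(f"{emp}: {gap} days between rounds {prev['round']} and {cur['round']}")
        distinct = {e["scenario"].name for e in entries}
        if len(distinct) < min(3, len(entries)):
            findings.append(f"{emp}: only {len(distinct)} distinct pretexts over {len(entries)} rounds")
    return findings


if __name__ == "__main__":
    campaign = plan_campaign(EMPLOYEES, SCENARIOS, START, 45, 4, seed=1)
    for entry in campaign:
        print(entry["date"], entry["employee"], entry["scenario"].name, entry["scenario"].slot)
    print("findings:", check_plan(campaign) or "none")
```

Run `check_plan` on whatever you actually schedule, not just on what this planner produces: the findings it reports (same pretext or caller ID twice in a row, a gap outside the window, too few distinct pretexts) are exactly the conditions that turn a training program into a test employees learn to pass by pattern rather than by reflex.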
Feedback requests and continuous improvements
To maximize the effectiveness of your training program, take the time to talk to your employees.
Maybe some scenarios aren’t that realistic. Maybe some people don’t know how to behave in specific cases.
It is particularly valuable to talk to your best and worst performers.
Best performers can share tips and tricks and become internal advocates.
Worst performers reveal holes in the pedagogy and in the training program you deployed.
Vishing awareness program
As we've just seen, the key components are a healthy mix of theoretical knowledge, to give employees the necessary information, and realistic, periodic simulations, to create reflexes.
So let’s craft our vishing awareness program. A few elements will vary depending on your context and size but here are generic
Feel free to reach out if you want more detailed and more specific guidelines adapted to your use case.
We already established that you’ll want to schedule varied periodic vishing simulations.
Now, we also want to add some level of theoretical knowledge so that people know what we’re talking about.
Here are a few elements worth talking about in vishing e-learning programs:
- Introduction to vishing: so that your people know more about the threat
- Types of attacks: introduce classic vishing scenarios so that they ring a bell when employees are targeted
- Voice cloning attacks: why a familiar voice is not proof of identity
- Double verification process: the process everybody should go through before sharing information or acting on voice instructions
- Behavior to adopt: how to report a vishing once you have detected it
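The double verification item above is the one most worth spelling out, and it also settles the voice cloning item: in the procedure below, a familiar voice and a familiar caller ID carry no weight at all. This is an added example, not code from Arsen or from this article. It assumes the usual form of double verification, hanging up and calling back on a number taken from the internal directory, then confirming sensitive actions on a second, non-voice channel; the directory entries, action names and request fields are constructed.

```python
"""Decision procedure for the "double verification" step in a voice request.

Added example, not Arsen's code. The directory, action names and request
fields are constructed; a real deployment would read them from the corporate
directory and ticketing system.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    REFUSE = "refuse"                  # cannot be verified at all; do not act
    CALL_BACK = "call_back"            # hang up, call the directory number
    SECOND_CHANNEL = "second_channel"  # also confirm through a non-voice channel
    PROCEED = "proceed"


# Actions where a convincing voice alone must never be enough (constructed list).
SENSITIVE_ACTIONS = {
    "wire_transfer", "change_bank_details", "share_mfa_code",
    "reset_password", "share_credentials", "install_software",
}

# Constructed internal directory: the ONLY source of numbers to call back on.
# A number the caller gives you, or the caller ID on the screen, is not.
DIRECTORY = {
    "jane.doe": {"role": "cfo", "phone": "+1-555-0101"},
    "it-helpdesk": {"role": "helpdesk", "phone": "+1-555-0199"},
}


@dataclass
class VoiceRequest:
    claimed_identity: str                   # who the caller says they are
    presented_number: str                   # caller ID shown on the phone (spoofable)
    action: str                             # what they want done or disclosed
    urgent: bool = False                    # caller insists it cannot wait
    callback_done: bool = False             # we hung up and called the directory number
    second_channel_confirmed: bool = False  # ticket, chat or in-person confirmation


def evaluate(req, directory=DIRECTORY):
    """Return (Decision, instruction) for the employee handling the call."""
    entry = directory.get(req.claimed_identity)
    if entry is None:
        return Decision.REFUSE, "claimed identity is not in the directory; do not act, report the call"

    # Caller ID is never evidence. A matching number proves nothing (it is
    # trivially spoofed) and a cloned voice proves nothing either; a mismatch
    # is simply a stronger reason to report. Either way: hang up and call back.
    if not req.callback_done:
        note = f"hang up and call {entry['phone']} from the directory"
        if req.presented_number != entry["phone"]:
            note += f"; caller ID {req.presented_number} does not match, report it"
        return Decision.CALL_BACK, note

    if req.action in SENSITIVE_ACTIONS and not req.second_channel_confirmed:
        note = f"{req.action} needs confirmation on a second channel (ticket, chat or in person)"
        if req.urgent:
            note += "; urgency is a pressure tactic, not a reason to skip this"
        return Decision.SECOND_CHANNEL, note

    verified = "verified on callback"
    if req.action in SENSITIVE_ACTIONS:
        verified += " and on a second channel"
    return Decision.PROCEED, verified


if __name__ == "__main__":
    # Constructed walk-through: "the CFO" calls from a number that matches the
    # directory (spoofed) and demands an urgent wire transfer.
    req = VoiceRequest("jane.doe", "+1-555-0101", "wire_transfer", urgent=True)
    print(evaluate(req))            # CALL_BACK despite the matching number
    req.callback_done = True
    print(evaluate(req))            # SECOND_CHANNEL, urgency does not shorten the path
    req.second_channel_confirmed = True
    print(evaluate(req))            # PROCEED
```

The point this makes that a checklist does not: a caller ID matching the directory is handled exactly like one that does not (both end in a callback), the callback number always comes from the directory rather than from the caller, and the urgency flag only ever adds a warning, never removes a step.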
Now, as you'll notice, most of these pieces of content are very dependent on your context and security stack. This is why we recommend building custom e-learning content for your employees.
Inside the Arsen platform, you’ll find a content generator that will help you craft micro-learning content adapted to your company in a few minutes.
This should give you a complete solution to raise awareness against vishing and properly train your employees against vishing attacks.
Conclusion
In this article, I’ve explained the key elements necessary to build up a vishing awareness training program for your company.
Of course, doing all of this manually requires a lot of hours, and practical vishing training is still hard to come by, especially at scale.
This is why we built Arsen and our vishing simulation module. You have everything you need to craft a complete vishing awareness program. From adaptive, realistic simulations, to custom e-learning components, we cover the full spectrum.
If you’re looking to build a vishing awareness program, please reach out or request a demo, our team will be happy to answer all your questions.