Email phishing is still the #1 entry point for social engineering, but attackers no longer stop at the inbox. They follow up with phone calls, pressure employees in real time, and stitch channels together to bypass controls.
Most organizations already run phishing simulations as part of their awareness programs. But very few test their employees against voice phishing (vishing)—and attackers know it.
For CISOs, the challenge is clear: how do you build awareness training that reflects how attackers actually operate?
1. How Attackers Use Each Channel
Phishing (Email-Based Attacks)
- Mass phishing: credential harvesting, malicious links or attachments.
- Spear phishing: highly targeted emails, often tailored to a specific executive or department.
- Business Email Compromise (BEC): impersonation scams requesting wire transfers or gift cards.
Vishing (Voice-Based Attacks)
- IT help desk impersonation: persuading employees to reset credentials or install remote access tools.
- Bank or supplier fraud: requesting sensitive data or payments over the phone.
- **Executive impersonation:** exploiting authority to force rapid action.
Comparison
Both rely on trust and urgency. The difference is that email is asynchronous, while phone calls create immediate pressure and reduce the employee’s time to think.
2. Awareness Training Today
Phishing Training
- Well established and widely deployed.
- Employees often expect simulated phishing campaigns and understand the reporting process.
- Clear measurement metrics (click rate, credential entry rate, report rate).
Vishing Training
- Far less common.
- Requires special consideration of consent and telecom laws (call recording, AI voice use, etc.).
- Harder to scale without automation.
- Measurement requires alternative signals (actions taken, keywords used), not just “click/no click.”
Comparison
Both need measurable outcomes—but phishing is measured by clicks and the errors that follow them, while vishing simulations are also measured by behaviors during the conversation and by failures to follow privacy-related processes.
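As an added example (not code from the original article or from Arsen), the scorer below turns per-employee results from both kinds of simulation into the metrics the text names: click rate, credential entry rate and report rate for email, and for voice the "alternative signals" of actions taken and keywords used. The record fields, the keyword list, the action names and the sample records are all assumptions constructed for this example; a real program would feed it its own simulation logs.

```python
"""Unified scoring of phishing and vishing simulation outcomes (added example)."""
from dataclasses import dataclass, field

# Assumed keywords in the employee's own words that indicate they paused to
# verify instead of complying on the spot (the behaviour vishing training targets).
VERIFY_KEYWORDS = ("call you back", "ticket number", "verify", "my manager",
                   "official number")

# Assumed action labels that count as a vishing failure: the employee did what a
# real attacker on the phone would have asked for.
RISKY_ACTIONS = {"reset_credentials", "installed_remote_tool",
                 "shared_data", "approved_payment"}


@dataclass
class EmailResult:
    employee: str
    clicked: bool = False
    entered_credentials: bool = False
    reported: bool = False


@dataclass
class VoiceResult:
    employee: str
    actions: set = field(default_factory=set)  # what the employee did during/after the call
    transcript: str = ""                       # employee's side of the call only
    reported: bool = False


def complied(v: VoiceResult) -> bool:
    """True if the employee took any risky action the caller asked for."""
    return bool(v.actions & RISKY_ACTIONS)


def verified_before_acting(v: VoiceResult) -> bool:
    """True only if a verification keyword appears AND no risky action followed.
    Saying 'let me verify' and then sharing data anyway does not count."""
    text = v.transcript.lower()
    return any(k in text for k in VERIFY_KEYWORDS) and not complied(v)


def _rate(hits: int, total: int) -> float:
    return round(hits / total, 3) if total else 0.0


def score_email(results) -> dict:
    results = list(results)
    n = len(results)
    return {
        "channel": "email",
        "population": n,
        "click_rate": _rate(sum(r.clicked for r in results), n),
        "credential_entry_rate": _rate(sum(r.entered_credentials for r in results), n),
        "report_rate": _rate(sum(r.reported for r in results), n),
    }


def score_voice(results) -> dict:
    results = list(results)
    n = len(results)
    return {
        "channel": "voice",
        "population": n,
        "compliance_rate": _rate(sum(complied(r) for r in results), n),
        "verification_rate": _rate(sum(verified_before_acting(r) for r in results), n),
        "report_rate": _rate(sum(r.reported for r in results), n),
    }


def never_reported(email_results, voice_results) -> set:
    """Employees who reported in neither channel: the gap a unified program targets."""
    reporters = {r.employee for r in list(email_results) + list(voice_results) if r.reported}
    everyone = {r.employee for r in list(email_results) + list(voice_results)}
    return everyone - reporters


# Constructed sample records (not real simulation data).
SAMPLE_EMAIL = [
    EmailResult("alice", clicked=True, entered_credentials=True),
    EmailResult("bob", clicked=True),
    EmailResult("carol", reported=True),
    EmailResult("dave"),
]
SAMPLE_VOICE = [
    VoiceResult("alice", actions={"reset_credentials"}, transcript="Sure, I'll reset it now."),
    VoiceResult("bob", transcript="I'll call you back on the official number.", reported=True),
    VoiceResult("carol", actions={"shared_data"}, transcript="Let me verify... ok, here is the data."),
    VoiceResult("dave", transcript="I'm not sure, I'll check with my manager first."),
]

if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
    print(score_voice(SAMPLE_VOICE))
    print("never reported:", sorted(never_reported(SAMPLE_EMAIL, SAMPLE_VOICE)))
```

The point of `verified_before_acting` is the edge case the table in the next section implies: a keyword alone is not a pass, because an employee who says "let me verify" and then shares the data still failed. `never_reported` gives the cross-channel view the article argues for, listing who has not exercised the reporting process on either channel.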
3. Key Differences in Simulation Design
| Factor | Phishing | Vishing |
|---|---|---|
| Medium | Text/email | Voice/phone |
| Pace | Asynchronous, time to reflect | Real-time, immediate pressure |
| Detection cues | Suspicious links, bad grammar | Caller ID, tone, scripted urgency |
| Training focus | "Don't click, don't enter creds" | "Don't comply on the spot, verify first" |
| Legal complexity | Low (email is easy to simulate) | High (recording, AI voice, consent) |
4. Toward a Unified Awareness Strategy
A siloed approach no longer works. Employees need to be trained to pause, verify, and report—no matter the channel.
Recommendations for CISOs:
- Integrate phishing and vishing into one social engineering playbook.
- Train the same reporting muscle: whether it’s an email or a phone call, the reporting process should be unified and familiar.
- Highlight real attacker playbooks: callback phishing, IT desk scams, and CEO fraud campaigns often blend multiple techniques.
The Rise of Hybrid Attacks
Attackers increasingly combine channels in multi-stage campaigns:
- Callback phishing: an email tells the victim to call a fake support line.
- Follow-up vishing: after a phishing email, a phone call “confirms” the fraudulent request.
- Voicemail deepfakes: a synthetic voice leaves a voicemail directing the employee to a phishing site.
These hybrid attacks are effective because they layer credibility. The email sets the stage, the phone call delivers pressure, and the victim has fewer chances to spot red flags.
Training takeaway: Your awareness program must simulate cross-channel attacks. Teaching employees to handle phishing without vishing—or vice versa—leaves gaps that attackers will exploit.
Conclusion
Phishing simulations are necessary, but no longer sufficient. Vishing is now a critical vector for social engineering, and hybrid campaigns are the logical evolution.
CISOs should:
- Expand awareness training beyond the inbox.
- Incorporate vishing simulations that respect legal and compliance boundaries.
- Prepare employees for hybrid attacks that move seamlessly between email and voice.
At Arsen, we help organizations close this training gap—by simulating the threats attackers actually use today, while preparing for those they’ll use tomorrow.