The underestimated voice of cyberattacks

When we talk about cyberattacks, we often picture malware, phishing e-mails, or ransomware. But in many real-world intrusions, the first step is far more subtle: it’s a phone call!

Vishing, or voice phishing, relies on direct human interaction to create trust, urgency, and pressure. A well-crafted voice call feels more personal and more credible than an e-mail, and it is harder to question, especially when it appears to come from a legitimate source. And yet this vector remains largely untested in most organizations.

While phishing e-mails are now widely simulated and understood, voice-based attacks fly under the radar. Few employees are trained to handle a suspicious call, and fewer still know how to escalate one. This lack of preparation makes voice phishing a highly attractive method for both red teamers and real attackers seeking initial access.

Why does vishing matter?

What makes vishing particularly dangerous is its adaptability and invisibility. Unlike an e-mail, a phone call passes through no gateway that inspects it: the telephony system may record who called whom and when, but nothing examines what was said. There are no headers to analyze and no URLs to scan, and the attacker can shift tone, adjust the story, and push harder if the target hesitates, all in real time.

Vishing exploits subtle human tendencies:

  • Respect for authority.
  • Fear of delaying a process.
  • Discomfort in saying “no” during a live conversation.
  • The instinct to help.

Meanwhile, open-source information and professional networks make it easy for attackers to sound credible. With just a name, a job title, and a bit of LinkedIn research, they can build a scenario that feels plausible enough to act on.

Despite these risks, many organizations still don’t test this vector, even though, in our experience, it outperforms e-mail phishing in success rate and often goes unreported by employees. This isn’t just a training gap: it’s a strategic blind spot.

When and how to use vishing in cybersecurity exercises

Before integrating vishing into your security testing strategy, it’s important to recognize what this technique is, and what it isn’t. Unlike phishing e-mails, which can be automated and sent at scale, vishing is a targeted, manual, and highly crafted technique. It requires a certain level of organizational maturity to be meaningful.

Start with the basics

Vishing is not the first step in a cybersecurity awareness journey. If your teams are still struggling to detect basic phishing e-mails, running a vishing simulation is premature and will be ineffective.

This type of campaign assumes that:

  • Employees already have a solid baseline of awareness.
  • Your organization has run prior phishing exercises.
  • You are now ready to test more realistic and high-pressure scenarios.

Launching a voice-phishing campaign without that foundation risks confusing employees more than educating them, and would likely produce noise instead of actionable insights.

A targeted and tailored exercise – not a mass test

Vishing is not designed for broad testing across hundreds of users. It is, by nature, focused and precise.

Unlike phishing, where mass e-mails cast a wide net, vishing simulations aim for depth over volume. They are typically directed at individuals in key roles, such as:

  • Executives and executive assistants.
  • Finance and procurement officers.
  • Legal or compliance stakeholders.
  • Any employee with elevated access or influence in critical workflows.

These are the individuals most likely to be targeted by real attackers, and the ones for whom a successful vishing attempt would have the greatest impact.

What we observe in the field

Across the many vishing simulations we’ve conducted, one thing is consistent: a well-crafted phone call is far more powerful than most organizations expect.

Even in mature environments where phishing simulations are handled correctly, voice-based attacks continue to generate high engagement and reveal critical weaknesses in human behavior.

Initial hesitation… followed by compliance

Employees don’t trust blindly; many start with hesitation. But once the caller establishes minimal credibility (referencing an executive, using a familiar tone, or applying subtle pressure), hesitation turns into cooperation.

Whether it’s signing a fake document, downloading a file, or executing a command, curiosity and perceived legitimacy often override instinct.

Office documents are still widely trusted

In multiple simulations, employees opened Excel files containing malicious macros despite security training. The format, tone, and context of the request made it feel legitimate, and no technical control stopped them from clicking “Enable Content”, even though Office can be configured to block unsigned or internet-sourced macros outright. This highlights a recurring blind spot: a well-designed pretext bypasses both technology and training unless the technology removes the decision from the user.
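As an added example (this is not code from the original article), the following PowerShell audits the Office policy that removes the “Enable Content” choice from the user and shows the hardened state beside the weak one. The registry paths and value meanings are the documented Office policy settings for Office 2016 and later and Microsoft 365 (policy hive version 16.0); the function names, the application list and the HARDEN_OFFICE_MACROS switch are our own assumptions.

```powershell
# Added example, not from the original article: audit and harden the Office
# VBA macro policy. Assumes Office 2016+/Microsoft 365 (policy hive "16.0"),
# run in the context of the user being assessed. $apps, the function names and
# the HARDEN_OFFICE_MACROS switch are ours; the keys and values are the
# documented Office policy settings.

$apps = 'Excel', 'Word', 'PowerPoint'

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App = $App
        # VBAWarnings: 1 = enable all, 2 = disable with notification (the
        # "Enable Content" bar the employees clicked), 3 = disable unless
        # digitally signed, 4 = disable all. $null = no policy set, so the
        # user's own Trust Center choice applies and the user can change it.
        VBAWarnings = $props.VBAWarnings
        # blockcontentexecutionfrominternet: 1 = block macros in files that
        # carry Mark-of-the-Web, i.e. were downloaded from the internet.
        BlockFromInternet = $props.blockcontentexecutionfrominternet
    }
}

function Test-MacroPolicy {
    # Returns $true when a user could still run macros from an untrusted file:
    # no policy, macros allowed, click-through notification, or no internet block.
    param([Parameter(Mandatory)]$Policy)
    ($null -eq $Policy.VBAWarnings) -or
    ($Policy.VBAWarnings -le 2) -or
    ($Policy.BlockFromInternet -ne 1)
}

function Set-MacroPolicy {
    # Hardened state: only digitally signed macros run, and internet-sourced
    # files are blocked regardless of signature. In production push these
    # values with Group Policy or Intune; written locally they only show the
    # target state, and the next policy refresh or the user can undo them.
    param([Parameter(Mandatory)][string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'VBAWarnings' -Value 3 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Audit first: the weak state is the one that lets the pretext succeed.
$audit = $apps | ForEach-Object { Get-MacroPolicy -App $_ }
$audit | Format-Table -AutoSize
foreach ($p in $audit) {
    if (Test-MacroPolicy -Policy $p) {
        Write-Warning "$($p.App): a user can still enable macros in an untrusted document."
    }
}

# Harden only when explicitly asked, then re-check.
if ($env:HARDEN_OFFICE_MACROS -eq '1') {
    foreach ($app in $apps) { Set-MacroPolicy -App $app }
    $apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
}
```

Two caveats matter for the scenario described above. The internet block only triggers for files that carry Mark-of-the-Web; a document copied from a USB stick, a file share, or extracted from some archive formats has none, and a caller can talk a user through “unblocking” a file in its Properties dialog. That is why VBAWarnings set to 3 (or 4) is the setting that actually removes the click from the user, and why it must be delivered through managed policy rather than left to the Trust Center.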

 

Reporting reflex is rare

While phishing e-mails are now frequently reported thanks to awareness campaigns, vishing attempts almost never are. Even when users suspect something, they rarely escalate a suspicious phone call, especially when it’s short, polite, and wrapped in authority. This silence gives attackers time to move forward unnoticed.

Some users do push back – and that’s encouraging

We’ve seen employees challenge the caller, ask for verification, or insist on internal approval before acting. These behaviors are not yet the norm, but they show that awareness can evolve into confident, security-driven behavior when the right culture and training are in place.

Performance comparison: phishing vs. vishing

If you’re wondering whether vishing is truly more effective than phishing, the numbers speak for themselves.

Across a wide range of simulated attacks, we consistently observe that vishing significantly outperforms e-mail phishing, not only in success rate but also in its ability to remain undetected.

Phishing simulations

Phishing e-mails are now a standard tool in awareness programs. Most organizations run simulations regularly, and users are increasingly trained to spot red flags.

  • Typical success rates: between 3% and 15%, depending on the organization’s maturity.

  • High reporting rate: in well-trained environments, phishing attempts are often escalated or flagged, which can burn the entire red team campaign.

In short: phishing still works, but it’s noisy, expected, and often neutralized quickly.

Vishing simulations

Vishing, on the other hand, is much less anticipated. It bypasses inboxes and arrives directly in an employee’s comfort zone: a live conversation.

  • Typical success rates: between 40% and 100% across our engagements, and rarely below 50% even in security-conscious environments.

  • Very low reporting reflex: most users don’t know how, or don’t feel empowered, to escalate a suspicious call.

Note that the two figures are not measured the same way: phishing rates come from mass sends across a whole workforce, while vishing rates come from a handful of hand-picked, high-value targets. They show the relative strength of each vector rather than a like-for-like comparison.

Vishing scenarios don’t just succeed more often: they also last longer before being noticed, giving attackers more time to deepen access or pivot.

The attacker’s perspective

Real attackers, like modern red teams, know that vishing offers a lower-friction, higher-impact path to initial access. It’s flexible, reactive, and capitalizes on human behavior in a way that e-mails no longer can. That’s why we increasingly rely on it, and why threat actors do too.

What vishing reveals about your organization

A vishing campaign doesn’t just test how well your employees recognize deception: it shines a light on your broader security culture, escalation processes, and human-layer resilience.

Here’s what a well-executed vishing simulation can uncover:

Behavioral reflexes under pressure

Do employees challenge unexpected requests? Do they ask for verification, or simply comply? A phone call forces real-time decisions, with no time to analyze links or forward a message to IT. That’s where instinct, training, and organizational norms come into play. Vishing shows how people react when caught off guard.

The maturity of your escalation and response culture

If something feels wrong, do employees feel confident stopping the process? Do they know whom to call and what to report? In many cases, vishing exposes a lack of clear escalation reflexes, not due to negligence, but due to uncertainty or fear of being wrong.

Visibility on overlooked risks

Some roles are high-value targets but aren’t included in technical access reviews or phishing simulations. Vishing often reveals whom attackers would go after, based not on permissions, but on influence, reactivity, and trust.

The real impact of your awareness program

Are your users just clicking through e-learning, or are they truly absorbing it? Vishing measures how much awareness translates into real-life resistance, and whether more hands-on, experiential learning is needed.

Vishing doesn’t just test individuals: it reveals how well your people, processes, and culture come together under pressure. And that’s ultimately what determines your ability to stop a real intrusion.

How we help organizations run realistic vishing simulations

We’ve designed and executed vishing exercises across industries, from finance and government to tech and critical infrastructure. Each engagement is built to be realistic, respectful, and impactful, with the goal of improving resilience without creating fear or blame.

We take care of the full process, including:

  • Target selection & scenario design

    We tailor each campaign to your environment, your risk profile, and the types of attackers your organization is likely to face.

  • Scriptwriting & pretext engineering

    Each call is built on proven psychological techniques (urgency, credibility, pressure), adapted to your context.

  • Live execution by trained operators

    Our callers are experienced professionals, capable of adapting in real time to your employees’ reactions.

  • Detailed reporting & behavioral analysis

    Beyond success metrics, we deliver insights into reflexes, escalation habits, and user behavior, without naming or shaming.

  • Actionable recommendations

    We help you turn the findings into concrete improvements: awareness workshops, escalation workflows, and role-specific reinforcement.

Whether as a standalone campaign or as part of a broader red teaming initiative, vishing simulations are one of the most powerful tools to test what your defenses can’t log: your people.

 
