In this article we'll walk you through what simulated voice phishing is, how it will benefit your organization, what some of the limitations are, and finally, how you can get started!
Table of Contents
- Voice Phishing
- What the Capability Includes
- How Double Opt-In Consent Works
- Benefits of Voice Phishing Simulation
- Limitations of Voice Phishing Simulation
- Opt-Out Process
- How To Activate Voice Phishing
- Supplementary PDF Downloads
1. Voice Phishing
CanIPhish is leading the charge in modern security awareness with the introduction of simulated voice phishing. This advanced capability uses generative AI to deliver lifelike phone calls modeled after real-world scams. Each simulation features natural back-and-forth conversations designed to catch employees off guard and test their ability to respond under pressure.
The AI engages in realistic dialogue, using social engineering tactics to manipulate users into revealing sensitive information. This creates a safe but convincing training environment that reflects how real attackers operate.
We have now crossed a threshold where generative AI can automate large scale voice phishing with speed and accuracy. What once required skilled human callers can now be executed with only a script and a phone number. CanIPhish leverages this same technology to help organizations train and protect their people.
Calls are delivered through VoIP to users who have explicitly opted in. Every simulation is governed by strict consent controls to ensure ethical delivery and full transparency.
2. What the Capability Includes
Our voice phishing simulation is designed to reflect real-world attack techniques while giving administrators full control over who is targeted, when, and how.
- Prebuilt and customizable simulation templates: Choose from a set of pre-created voice phishing templates. For each template, the AI persona can be customized to further personalize how the AI engages with your employees.
- Context-aware personalization using AI: Using any predefined user data available, such as name or company, the AI may incorporate these details to increase realism. Every conversation is generated in real time by the AI, making each call a unique experience. This results in varied, dynamic learning opportunities for users.
- Outcome tracking and platform integration: Every voice phishing attempt is tracked, including whether the call was answered, if the user engaged, and what outcome occurred. These metrics feed directly into your existing CanIPhish dashboard and campaign reporting.
- Call evidence: Only essential metadata is logged, such as call time, user targeted, and result. A redacted call transcript is provided to give some insight into the length of the conversation and how many back-and-forths took place.
- Strict double opt-in process: Voice phishing simulations are double opt-in only.
- Fully integrated into the CanIPhish platform: Voice phishing campaigns are managed from the same interface as other
3. How Double Opt-In Consent Works
To ensure responsible use of voice phishing simulations, CanIPhish uses a double opt-in consent model. This helps protect user privacy, ensures ethical delivery, and keeps us aligned with legal requirements across different regions.
Double opt-in means users must give consent through two separate steps:
- Step 1 – Email Consent: This step is initiated from the CanIPhish Cloud Platform by selecting the relevant employees for phone number verification. Once the verification activity is initiated, employees receive an email asking them to provide consent by clicking a link that leads to a consent form.
- Step 2 – SMS Confirmation: On the consent form, employees are prompted to click an "I Consent" button. Once clicked, employees receive a text message asking them to confirm again. This step ensures that the consent is tied to the phone number that will be receiving the simulated call.
This process is necessary because voice phishing involves contacting mobile devices that are not always owned or managed by the organization. To align with best practices and legal standards similar to those used in marketing, both the organization and the individual must agree before any simulations are delivered.
Consent does not need to be given right before each campaign. Once both steps are completed, the user can be included in simulations for up to two years.
CanIPhish complies with local spam and telecommunications laws in the regions where this service is available. For this reason, voice phishing simulations are currently limited to select geographic areas. Every outbound call is tailored to meet the legal requirements of the region it is being delivered to. This includes clearly stating the name of the company the caller is representing, when necessary.
Calls are designed to appear as if they come from the organization the employee belongs to. This helps preserve realism while maintaining transparency about who the simulation is being conducted on behalf of.
4. Benefits of Voice Phishing Simulations
Voice phishing simulations offer a range of practical benefits for organizations looking to strengthen their security culture and adapt to emerging threats.
- Prepares users for a real-world threat: This simulation gives users a chance to experience what a real voice phishing attempt might sound like in a safe, controlled setting.
- Builds confidence and recognition skills: Exposure to realistic voice interactions helps employees develop stronger instincts and make safer decisions when dealing with unexpected or suspicious calls.
- Reinforces existing training: Voice phishing adds a new dimension to your social engineering program. It complements email simulations by engaging users through a different channel, reinforcing awareness across multiple fronts.
- Delivers personalized learning experiences: AI dynamically generates every response, resulting in unique and varied conversations. This reflects the unpredictability of real-world attacks, whether they originate from AI conversational bots or human scammers.
- Integrated reporting and insights: Results from voice phishing simulations feed directly into your CanIPhish dashboard. You can track outcomes alongside email phishing data, identify at-risk users, and monitor trends over time.
- Captures simulation context without compromising privacy: While user audio is never recorded, the AI’s side of the conversation is retained for reference. This allows administrators to understand what was said during the call without capturing any personal or sensitive user responses.
- Supports compliance and ethical delivery: The platform follows local spam and telecommunication laws, applies a strict double opt-in consent process, and limits availability to approved regions. This ensures simulations are both effective and ethically delivered.
- Fully managed within the CanIPhish platform: Campaigns are created, tracked, and reported using the same platform you already use for other simulations. There are no new tools to learn or manage.
5. Limitations of Voice Phishing Simulations
Voice phishing simulation is a powerful feature, but it comes with a few important limitations that organizations should be aware of before use.
- Opt-in is required: The service is available only to users who have completed the double opt-in process. This includes email and SMS consent. No calls will be made to users who have not explicitly opted in.
- Recordings and transcriptions are not stored: To protect employee privacy and comply with local laws, the platform does not store recordings or transcriptions of the call. Audio and transcriptions are only processed during an active phone call to determine what the AI should respond with, and to determine whether the employee fell victim to the voice phish. Administrators can only see call metadata and the call outcome, never the audio or a transcription of what was spoken during the call.
- Available in select regions only: Voice phishing simulations are only supported in specific geographic regions where CanIPhish can ensure compliance with local spam and telecommunications laws. Organizations operating globally should check availability by region.
- Requires accurate mobile numbers: Calls rely on the organization supplying accurate, up-to-date mobile numbers for employees. If a phone number is incorrect or unassigned, the user cannot complete the opt-in process and will not be eligible for the simulation.
- Caller identity is always framed as internal: Simulated calls are designed to appear as though they originate from the user’s own organization.
- Two-way interaction, not human-assisted: The AI listens and responds to the user during the call, allowing for natural back-and-forth interaction. However, there is no human on the other end, and the AI operates within the boundaries of the simulation design. It cannot escalate or adapt outside the defined scenario.
6. Opt-Out Process
Employees who have previously completed the double opt-in process can opt out of voice phishing simulations at any time. Several methods are available to make this process accessible and flexible:
- Notify your IT or Security Team: You can request to opt out through your internal IT or security team. They can manually remove you from the simulation list.
- Reply via SMS: Respond to the same SMS number used during the opt-in process by sending the keyword STOP or UNSUBSCRIBE. This will trigger an automatic opt-out and remove your number from future campaigns. The SMS number used may vary based on your location.
- Speak during an active call: If you receive a simulated voice phishing call, you can opt out by saying the phrase "stop calling me". The AI will confirm your request and ask you to verify by saying "yes". Once confirmed, the call will end and the number will have its consent status set to "Declined" in the verified phone numbers list viewable by administrators.
- Contact CanIPhish Support: You can email support@caniphish.com to request manual opt out. Be sure to include your phone number so our team can identify your record and complete the request.
Once the opt-out is confirmed through any of the above methods, the employee will no longer receive voice phishing calls unless the employee themselves manually opts in again.
7. How to Activate Voice Phishing
Voice Phishing is not activated by default. It's only available to Enterprise Tier Subscribers. Once you have purchased an Enterprise Tier Subscription, an activation notification will appear at the top of the Voice Phishing page, which can be found under Phishing Content > Voice Phishing (https://caniphish.com/User/VoicePhishing).
For more information on how to activate voice phishing, head to our dedicated Voice Phishing - Getting Started Guide.
8. Supplementary PDF Downloads