Understanding the legality of conducting voice phishing simulations is crucial for any organization that wants to train employees without running into issues with telecom, privacy, or anti-spam laws and regulations in their host country. In this article, we'll explain how CanIPhish has implemented strict protocols that ensure CanIPhish's voice phishing simulator is used in a safe and compliant manner.
Table of Contents:
- Voice Phishing Compliance Protocols & Practices
- Voice Phishing Compliance By Supported Country
- Frequently Asked Questions
Voice Phishing Compliance Protocols & Practices
To ensure CanIPhish's voice phishing simulator is compliant with global telecommunication, privacy, and anti-spam laws, the following protocols and practices have been implemented:
- Educational Calls: Every call we place is strictly a training exercise – no marketing, surveys, or commercial pitches. Because of this, it falls outside telemarketing/spam regimes in virtually every jurisdiction.
- Leased Numbers (Not Spoofed): We never fake or hijack Calling Line Identification (CLI). Instead, we provision and lease dedicated phone numbers under our control so the displayed caller ID always ties back to an authorized line.
- Ephemeral Audio Processing: Call audio and transcriptions are processed during the live phone call so our AI bot can understand and respond to questions in the real-time voice conversation. No call audio or transcripts are held beyond this live phone call. The only data retained is call metadata (e.g. timestamps, call duration, etc.) and the outcome of the voice phishing simulation (e.g. employee compromised/not compromised, and a summary of what information was disclosed, such as last name and job title).
- Double Opt-In Consent: Participants must explicitly opt in twice – first by email, then by SMS by providing a 6-digit challenge-response code back to CanIPhish's consent management system. Consent must be provided before any employee can receive any simulated calls. Additionally, consent is only valid for 24 months, or until an opt-out occurs by the host organization or the individual.
- Multi-Channel Opt-Out: At any point, participants can withdraw their consent by:
  - Notifying their employer's IT or Security Team for manual opt-out.
  - Sending an SMS message with the keyword STOP or UNSUBSCRIBE to a phone number disclosed to the employee during and after the consent process, for automated opt-out.
  - Advising the AI agent during an active simulated voice phishing call that they would like to opt out. The employee initiates this by saying the words "STOP CALLING ME"; they are then prompted to verify their request, and a simple "YES" results in an automated opt-out and termination of the call.
  - Notifying Can I Phish Pty Ltd of their desire to opt out by emailing support@caniphish.com and providing their phone number in the email.
- Brand-Safe Representation: CanIPhish will only ever masquerade as your organization (per a signed Agency Appointment Agreement) and never impersonate any other entity or brand. This ensures our voice phishing simulations are strictly work-related.
- Privacy-First Safeguards: CanIPhish strictly processes the absolute minimum amount of data required to provide our voice phishing simulator. What data is processed, how, and where can be found in CanIPhish's Privacy Policy and Data Processing Agreement.
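The consent and opt-out rules above, as an added example that is not CanIPhish's own code: a small consent gate that enforces the double opt-in (email confirmation, then a 6-digit SMS challenge code), the 24-month validity window, the SMS STOP/UNSUBSCRIBE keywords and the two-step in-call opt-out before any simulated call may be placed. Class and method names are hypothetical; treating 24 months as 730 days and treating any reply other than "YES" as cancelling a pending in-call opt-out are assumptions.

```python
# Added example (not CanIPhish code): consent gate for simulated vishing calls.
# Names are hypothetical; 24 months is assumed to be 730 days, and a reply
# other than "YES" is assumed to cancel a pending in-call opt-out request.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional
import secrets

CONSENT_TTL = timedelta(days=730)            # assumed length of "24 months"
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE"}   # automated SMS opt-out keywords
IN_CALL_STOP_PHRASE = "STOP CALLING ME"      # first step of the in-call opt-out


@dataclass
class Participant:
    phone: str
    email_opted_in: bool = False             # step 1 of the double opt-in done
    sms_code: Optional[str] = None           # pending 6-digit challenge, if any
    consented_at: Optional[datetime] = None  # set only once the SMS code is verified
    opted_out: bool = False
    stop_pending: bool = False               # said STOP CALLING ME, awaiting "YES"


class ConsentGate:
    def __init__(self) -> None:
        self.people: Dict[str, Participant] = {}

    def confirm_email(self, phone: str) -> str:
        """Step 1: the email opt-in was confirmed; issue the SMS challenge code."""
        p = self.people.setdefault(phone, Participant(phone))
        p.email_opted_in = True
        p.sms_code = f"{secrets.randbelow(10**6):06d}"
        return p.sms_code                    # what the SMS step would deliver

    def verify_sms_code(self, phone: str, code: str, now: datetime) -> bool:
        """Step 2: the code texted back must match the pending challenge."""
        p = self.people[phone]
        if not p.email_opted_in or p.sms_code is None:
            return False
        if not secrets.compare_digest(p.sms_code, code):
            return False                     # wrong code: consent stays absent
        p.sms_code = None                    # single use
        p.consented_at = now
        p.opted_out = False                  # a fresh double opt-in re-enables calls
        return True

    def can_call(self, phone: str, now: datetime) -> bool:
        """Dial only a double-opted-in, unexpired, not-opted-out participant."""
        p = self.people.get(phone)
        if p is None or p.opted_out or p.consented_at is None:
            return False
        return now - p.consented_at < CONSENT_TTL

    def inbound_sms(self, phone: str, text: str) -> bool:
        """Automated opt-out when an SMS carries STOP or UNSUBSCRIBE."""
        p = self.people.get(phone)
        if p is None or text.strip().upper() not in OPT_OUT_KEYWORDS:
            return False
        p.opted_out = True
        return True

    def in_call_utterance(self, phone: str, text: str) -> bool:
        """Two-step in-call opt-out; returns True when the call must be ended."""
        p = self.people[phone]
        words = text.strip().upper()
        if IN_CALL_STOP_PHRASE in words:
            p.stop_pending = True            # bot now asks the caller to confirm
            return False
        if p.stop_pending and words == "YES":
            p.opted_out = True
            p.stop_pending = False
            return True
        p.stop_pending = False               # assumption: any other reply cancels
        return False
```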
Voice Phishing Compliance By Supported Country
CanIPhish has reviewed the relevant telecommunication, privacy, and anti-spam laws and regulations in the following countries to ensure our voice phishing simulator is implemented in a compliant manner.
| Country | Compliance Statement |
| --- | --- |
| Argentina | CanIPhish’s voice phishing simulations are conducted only with explicit pre-call consent via double-opt-in, placing them outside Argentina’s telemarketing and anti-spam restrictions, and our immediate in-call notice of recording ensures compliance with national data protection and telecom transparency requirements. |
| Armenia | CanIPhish’s voice phishing simulations are strictly educational and not subject to Armenia’s marketing-call bans, and our documented opt-in consent plus upfront announcement of call recording fulfill local electronic communications and data protection transparency obligations. |
| Australia | CanIPhish’s voice phishing simulations, being educational rather than telemarketing, fall outside the ACMA Telemarketing & Research Calls Standard, and our double-opt-in consent together with a clear in-call recording notice fully comply with the Spam Act, Privacy Act, and call-recording laws. |
| Austria | CanIPhish’s voice phishing simulations are purely educational and thus exempt from the direct-marketing restrictions in the Austrian Telecommunications Act (Telekommunikationsgesetz – TKG 2021), which implements the EU ePrivacy Directive; our GDPR-aligned double-opt-in consent and immediate in-call recording notice also satisfy TKG’s interception-and-notice rules and GDPR transparency requirements. |
| Bahrain | CanIPhish’s voice phishing simulations are performed only after express double-opt-in consent and use a genuine CLI as required by Bahrain’s Telecommunications Law (Legislative Decree No. 48 of 2002). |
| Belgium | CanIPhish’s voice phishing simulations rely exclusively on express prior consent—aligning with Belgium’s opt-out framework for manual calls—and our immediate in-call recording notice satisfies Belgium’s Criminal Code prohibition on non-consensual recordings (Article 314bis) and GDPR transparency requirements. |
| Brazil | CanIPhish’s voice phishing simulations are strictly educational and rely on express prior consent, exempting them from Brazil’s do-not-call registry and anti-spam laws, while our upfront announcement that the call will be recorded meets the Brazilian General Data Protection Law’s transparency obligations. |
| Bulgaria | CanIPhish’s voice phishing simulations are conducted solely with express subscriber consent in compliance with Bulgaria’s Electronic Communications Act (which allows telephone marketing only with consent), and our upfront in-call recording notice meets GDPR and Bulgaria’s Personal Data Protection Act transparency standards. |
| Canada | CanIPhish’s voice phishing simulations rely on express pre-call consent under CASL and CRTC rules; our immediate in-call recording notice and built-in opt-out mechanisms comply with Canadian privacy and telephony-recording requirements. |
| Chile | CanIPhish’s voice phishing simulations are educational and not “advertising” under Chile’s Consumer Protection Act (Law 19.496/1997), so they are exempt from telemarketing restrictions; our express, pre-call opt-in and clear live-notice of recording adhere to Chile’s Personal Data Protection Law (PDPL) and constitutional privacy protections. |
| China | CanIPhish’s voice phishing simulations operate only after documented opt-in consent, aligning with China’s telecom regulations for non-commercial calls, and our instant in-call notice of recording satisfies local requirements for transparency in the processing of personal voice data. |
| Colombia | CanIPhish’s voice phishing simulations rely on prior express consent and fall outside Colombia’s commercial telemarketing restrictions; our upfront in-call recording notice and clear opt-out procedures adhere to Colombian consumer-protection and privacy laws. |
| Croatia | CanIPhish’s voice phishing simulations rely on express pre-call consent and are exempt from CECA’s direct-marketing ban. Obtaining express consent also ensures compliance with both Croatian e-Privacy rules and GDPR Article 14. |
| Cyprus | CanIPhish’s voice phishing simulations are non-commercial under Cyprus’s e-Privacy and telecom regulations, and by obtaining express pre-call consent and providing a clear in-call recording notice, we meet all local communication and privacy obligations. |
| Czech Republic | CanIPhish’s voice phishing simulations are strictly educational and not considered direct marketing under the Czech Electronic Communications Act, and our GDPR-compliant double-opt-in consent satisfies national telecom transparency requirements. |
| Denmark | CanIPhish’s voice phishing simulations are educational exercises exempt from Denmark’s marketing-call rules under the Danish Marketing Act and e-Privacy Regulation, and our GDPR-aligned double-opt-in consent plus immediate in-call recording notice satisfy all local data-protection and telecom-transparency obligations. |
| Egypt | CanIPhish’s voice phishing simulations are conducted only after explicit double-opt-in consent and are exempt from Egypt’s anti-spam and telemarketing regulations; our immediate in-call recording notice ensures compliance with local telecom and data-protection rules. |
| Estonia | CanIPhish’s voice phishing simulations fall outside Estonia’s direct-marketing call ban under the Electronic Communications Act, and our GDPR-compliant double-opt-in consent combined with an immediate in-call recording notice ensures full compliance with Estonian telecom and data-protection transparency rules. |
| Finland | CanIPhish’s voice phishing simulations fall outside Finland’s marketing-call prohibition, and our GDPR-compliant opt-in process together with an upfront in-call notice of call recording ensure adherence to Finnish e-Privacy and personal data laws. |
| France | CanIPhish’s voice phishing simulations are purely educational training calls and thus fall outside the scope of France’s direct-marketing rules under the revised Electronic Communications Code (Law No. 2018-1125); our GDPR-aligned double-opt-in consent process and immediate live-notice of call recording satisfy Article 226-1 of the French Penal Code and GDPR transparency obligations. |
| Georgia | CanIPhish’s voice phishing simulations are purely educational and exempt from Georgia’s telemarketing regulations; our express double-opt-in consent and immediate in-call recording notice ensure compliance with local telecom and data protection laws. |
| Germany | CanIPhish’s voice phishing simulations obtain all-party consent via a live-notice before any audio capture—meeting the stringent “no covert recordings” requirement under Section 201a of the German Criminal Code—and we uphold GDPR’s transparency obligations. |
| Greece | CanIPhish’s voice phishing simulations are purely educational and exempt from Greece’s direct-marketing call rules under national telecom law; our GDPR-aligned double-opt-in consent and immediate in-call recording notice ensure full compliance with data protection and telecom transparency requirements. |
| Hungary | CanIPhish’s voice phishing simulations are strictly educational and not covered by Hungary’s Advertising Act or Electronic Communications Act on direct marketing; we secure lawful processing and call recording under GDPR and Hungarian DPA guidance by obtaining express written consent and providing an immediate in-call notification that the call will be recorded. |
| Iceland | CanIPhish’s voice phishing simulations, being educational, are not covered by Iceland’s marketing-call prohibitions under the Electronic Communications Act; our GDPR-aligned double-opt-in consent and clear live-notice of call recording meet Icelandic privacy and telecom laws. |
| India | CanIPhish’s voice phishing simulations are not classified as UCC under TRAI’s TCCCPR-2018 regime, and our web-based double opt-in consent ensures adherence to India’s DND guidelines and IT Act transparency standards. |
| Indonesia | CanIPhish’s voice phishing simulations are educational and not subject to Indonesia’s ban on unsolicited commercial calls; our double-opt-in web consent and immediate live‐notice of call recording ensure compliance with Indonesia’s telecom and personal data regulations. |
| Ireland | CanIPhish’s voice phishing simulations are educational and thus outside the scope of Ireland’s ePrivacy Regulations (implementing the PECR anti-spam rules) for direct-marketing calls; our GDPR-compliant double-opt-in consent process, together with an upfront in-call notice of recording, meets the requirements set by the Data Protection Commission for both electronic communications and data-processing transparency. |
| Israel | CanIPhish’s voice phishing simulations are non-commercial and fall outside Israel’s commercial call restrictions; our documented opt-in consent process and upfront in-call recording notice satisfy Israeli data protection and telecom transparency standards. |
| Italy | CanIPhish’s voice phishing simulations rely on participant consent; all personal data processing is governed under GDPR, and our double-opt-in consent ensures full transparency with participants. |
| Japan | CanIPhish’s voice phishing simulations are carried out solely upon express prior consent, exempting them from Japan’s telemarketing and spam prevention rules, and our immediate live-notice that the call will be recorded complies with the Act on the Protection of Personal Information’s requirements for transparency in data processing. |
| Laos | CanIPhish’s voice phishing simulations rely on express pre-call consent and are exempt from Laos’s commercial telemarketing prohibitions; our double-opt-in process together with an upfront in-call notice of recording satisfy both local telecom regulations and personal data protection requirements. |
| Latvia | CanIPhish’s voice phishing simulations, being non-commercial training calls, fall outside the scope of direct-marketing bans under Article 16 of the ePrivacy Regulation; we secure express pre-call consent and provide an upfront recording notice, fulfilling both national implementation measures and GDPR’s “first communication” transparency obligations. |
| Lebanon | CanIPhish’s voice phishing simulations are purely educational and conducted only after double opt-in consent, which aligns with Lebanon’s Electronic Transactions and Personal Data Law (Law No. 81/2018) that requires consent for lawful personal data processing. Meanwhile, we retain only minimal call metadata, enforcing strict data minimisation and compliance with privacy norms. |
| Liechtenstein | CanIPhish’s voice phishing simulations are non-commercial and not subject to Liechtenstein’s direct-marketing regulations under its Electronic Communications Act; our documented consent process and in-call recording notice ensure full compliance with local privacy and telecom rules. |
| Lithuania | CanIPhish’s voice phishing simulations fall outside Lithuania’s marketing-call prohibitions under the Law on Electronic Communications, and our express pre-call opt-in together with an upfront recording notice ensure full compliance with both national e-privacy rules and GDPR. |
| Luxembourg | CanIPhish’s voice phishing simulations rely on express prior consent as required under Luxembourg’s e-Privacy implementation—automated calls for any purpose require prior consent—and our immediate in-call recording notice ensures we meet both Luxembourg’s electronic communications law and GDPR transparency obligations. |
| Malaysia | CanIPhish’s voice phishing simulations are strictly educational and not subject to Malaysia’s unsolicited call regulations; our express pre-call consent and clear live-notice of recording fulfill the PDPA’s transparency and communications requirements. |
| Malta | CanIPhish’s voice phishing simulations are exempt from Malta’s Electronic Communications Regulations (SL 586.01), which address direct-marketing activities, because our campaigns are strictly educational; our double-opt-in web consent and immediate in-call recording notice comply with both the Processing of Personal Data (Electronic Communications Sector) Regulations and GDPR requirements. |
| Mexico | CanIPhish’s voice phishing simulations fall outside PROFECO’s REPEP do-not-call restrictions on telemarketing, since every call is conducted with explicit, documented consent; we maintain an opt-out mechanism and deliver a clear live-notice of recording to satisfy Mexico’s consumer protection and call-recording evidence standards. |
| Morocco | CanIPhish’s voice phishing simulations are conducted only with documented, prior consent—placing them outside Morocco’s telemarketing consent regime—and our immediate live-notice of call recording for training purposes ensures adherence to Moroccan telecom law and data-protection transparency standards. |
| Netherlands | CanIPhish’s voice phishing simulations fall outside the Dutch Telecoms Act’s marketing-call prohibitions, and our GDPR-compliant double-opt-in consent together with an immediate in-call recording notice align with the Dutch DPA’s transparency and opt-out requirements. |
| New Zealand | CanIPhish’s voice phishing simulations fall outside New Zealand’s Unsolicited Electronic Messages Act as they are non-marketing training calls; our express consent process and immediate in-call recording notice ensure compliance with local privacy and telecom laws. |
| Nigeria | CanIPhish’s voice phishing simulations are non-commercial and thus exempt from Nigeria’s NCC regulations on unsolicited calls; our documented opt-in process and instant in-call recording notice comply with the NDPR and telecom consumer‐protection guidelines. |
| North Macedonia | CanIPhish’s voice phishing simulations are non-commercial and exempt from North Macedonia’s marketing-call rules under its Electronic Communications Law; our double-opt-in consent and clear in-call recording announcement meet both national e-privacy requirements and GDPR transparency obligations. |
| Norway | CanIPhish’s voice phishing simulations are non-commercial under Norway’s Marketing Control Act, and we secure and document express consent per the Personal Data Act (GDPR); our upfront recording notice satisfies local transparency requirements. |
| Philippines | CanIPhish’s voice phishing simulations are non-commercial training calls and thus exempt from Philippine telemarketing rules; our documented opt-in consent and immediate in-call recording notice comply with the Data Privacy Act and telecom transparency standards. |
| Poland | CanIPhish’s voice phishing simulations are non-commercial and exempt from Poland’s telemarketing restrictions under the Act on Provision of Electronic Services; our documented double-opt-in consent and immediate in-call recording disclosure meet Polish telecommunications and GDPR transparency standards. |
| Portugal | CanIPhish’s voice phishing simulations are non-commercial and exempt from Portugal’s direct-marketing ban under Law 41/2004, and our GDPR-compliant double-opt-in consent together with an immediate in-call recording notice ensure full compliance with the Portuguese Electronic Communications Law (Law 16/2022) and GDPR requirements. |
| Romania | CanIPhish’s voice phishing simulations are conducted only with prior, informed consent and are not subject to Romania’s direct-marketing bans under the e-Privacy Directive; our web-based opt-in and clear live-notice of recording align with both Romanian telecom regulations and GDPR. |
| Saudi Arabia | CanIPhish’s voice phishing simulations are used exclusively for training and therefore are not subject to the CITC’s telemarketing consent regime for commercial calls; our double-opt-in web consent and immediate in-call recording notice comply with Saudi one-party recording norms and the CITC’s consumer protection regulations. |
| Serbia | CanIPhish’s voice phishing simulations rely on explicit, prior consent in line with Serbia’s Law on Electronic Trade and Law on Advertising—both of which mandate clear sender identity and opt-out rights—and our immediate live-call recording notice ensures full transparency under Serbia’s Personal Data Protection Law, which mirrors GDPR standards. |
| Singapore | CanIPhish’s voice phishing simulations are exempt from Singapore’s anti-spam and telemarketing provisions; our GDPR-aligned double-opt-in consent and instant in-call recording notice adhere to PDPA privacy obligations and telecom guidelines. |
| Slovenia | CanIPhish’s voice phishing simulations are purely educational and thus fall outside Slovenia’s direct-marketing call restrictions under the Electronic Communications Act; our GDPR-aligned double-opt-in consent and immediate in-call recording notice ensure full compliance with national privacy and telecom transparency rules. |
| South Africa | CanIPhish’s voice phishing simulations are purely training calls and exempt from direct-marketing rules under the ECT Act; our express opt-in consent, valid CLI, and immediate in-call recording notice align with POPIA’s transparency requirements and telecom standards. |
| South Korea | CanIPhish’s voice phishing simulations are purely educational and exempt from South Korea’s telemarketing consent requirements; by obtaining express prior consent via double-opt-in we comply with local telecommunications and privacy regulations. |
| Spain | CanIPhish’s voice phishing simulations are conducted only after prior, double-opt-in consent and include an immediate in-call recording notice, satisfying Spain’s requirement that calls be recorded only with consent as recognized in the Code of Civil Procedure. |
| Sweden | CanIPhish’s voice phishing simulations are educational and thus exempt from the Swedish Marketing Act’s direct-marketing restrictions—but we still obtain express opt-in consent and provide an immediate in-call recording notice to comply with GDPR’s “first communication” transparency requirements and Sweden’s e-Privacy rules. |
| Switzerland | CanIPhish’s voice phishing simulations are purely educational and exempt from Switzerland’s direct-marketing call prohibitions; our GDPR-aligned double-opt-in consent and immediate recording notice satisfy Swiss data-protection and telecom transparency requirements. |
| Thailand | CanIPhish’s voice phishing simulations fall outside Thailand’s commercial telemarketing restrictions under the CTI Act; by using prior web-based consent and an up-front recording notice, we satisfy both the PDPA’s consent requirements and telecom transparency rules. |
| Tunisia | CanIPhish’s voice phishing simulations operate strictly as educational calls and only proceed after explicit double-opt-in consent, placing them outside Tunisia’s commercial telemarketing regime; our multi-channel opt-out options ensure full compliance with Tunisian telecom and personal data protection rules. |
| Türkiye | CanIPhish’s voice phishing simulations are conducted only with express prior consent and are not classified as telemarketing under Türkiye’s UCC regulations; our immediate live-notice of call recording at the start of each call satisfies local telecom and privacy requirements. |
| United Arab Emirates | CanIPhish’s voice phishing simulations are purely educational and not unsolicited marketing calls under the TRA’s Unsolicited Electronic Communications policy, as we obtain express pre-call consent via double-opt-in; our immediate in-call recording notice also aligns with the Telecommunications Law’s interception rules enforced by the TRA. |
| United Kingdom | CanIPhish’s voice phishing simulations are purely educational and fall outside PECR’s direct-marketing restrictions; our GDPR-aligned double-opt-in consent provides the lawful basis, and our immediate in-call recording notice meets ICO transparency expectations. |
| United States | CanIPhish’s voice phishing simulations are non-marketing training calls outside the TCPA’s promotional scope; our double-opt-in consent and upfront notice of recording secure compliance with federal and state call-recording laws and consent obligations. |
| Vietnam | CanIPhish’s voice phishing simulations are conducted only with prior, express consent and fall outside Vietnam’s commercial telemarketing prohibitions; our double-opt-in process and upfront call recording notice satisfy Vietnam’s telecom and privacy requirements. |
Frequently Asked Questions
What Is An Agency Appointment Agreement?
An Agency Appointment Agreement is a contract in which you (the Principal) formally empower CanIPhish (the Agent) to represent your brand solely for voice-phishing simulations. It’s required to establish our legal authority and define exactly what we may do on your behalf. Essentially, given that phone calls are highly regulated, it ensures that CanIPhish can legally masquerade as your brand when facilitating voice phishing simulations that are configured and run at your direction.
Why Is Simulated Voice Phishing So Much More Strict Than Simulated Email Phishing?
Simulated voice phishing triggers a host of additional legal and practical constraints that simply don’t apply to simulated phishing emails:
- Telecommunication & Anti-Spam Laws: Voice calls are governed by telemarketing and unsolicited-call regulations (e.g. TCPA, Spam Act, CASL, e-Privacy), requiring valid CLI, caller-ID rules and "do not call" considerations, whereas email simulations run entirely inside a corporate environment.
- Personal Device Use: Phone calls go straight to an employee's personal phone, whereas an email to a work inbox is firmly a corporate work asset. Given that employees' personal phones are in use, we require their explicit consent to participate, something which simulated phishing emails don't require.