Skip to main content

Voice Phishing - Comprehensive Guide

Gareth Shelwell
Updated

Simulated voice phishing is a type of phishing payload where employees receive lifelike phone calls designed to mirror real-world scams. CanIPhish uses advanced AI and contextual intelligence to deliver highly realistic simulations as part of our phishing simulator. 

This article will cover how to use the feature. The following supplementary articles exist:

Voice Phishing - Getting Started Guide
Voice Phishing Simulation (Vishing) - Feature Overview
Simulated Voice Phishing Compliance Statement

Table of Contents:

  1. Overview
  2. Interaction Tracking
  3. Call Evidence
  4. OSINT-Based Personalization
  5. Supported Phone Numbers
  6. Supported Languages
  7. Supported Countries
  8. Finding Voice Phishing Templates
  9. Launching a Voice Phishing Campaign
  10. Running a Test Call
  11. Updating a Template
  12. Getting Started
  13. Supplementary Fact Sheets

Overview

Employees targeted by a simulated voice phishing campaign will receive a VoIP phone call from an AI-powered caller. These conversations are context-aware and tailored to mimic actual social engineering attempts. The AI Agent is capable of engaging in dynamic, real-time dialogue and will use information drawn from publicly available sources, along with predefined employee data, to make the call as convincing as possible.

All calls are governed by a strict double opt-in process, meaning only employees who have explicitly agreed to participate will ever be contacted. Once a call begins, the AI introduces itself and initiates a conversation that may involve identity validation or subtle manipulation tactics commonly seen in real attacks. At no point is employee audio recorded or stored. Only essential metadata is logged, such as call time, user targeted, and result.

Interaction Tracking

Beyond standard campaign tracking, voice phishing simulations log the following interaction types:

  • Call Delivered: Logged when a call reaches an employee, even if unanswered.
  • Call Answered: Logged when the employee speaks during the call.
  • Employee Compromised: Triggered when the employee shares two pieces of requested information.
  • Call Reported: Admins can manually mark calls as reported.

Call Evidence

At no point is employee audio recorded or stored. To preserve privacy and comply with global regulations, CanIPhish only logs essential metadata during voice phishing simulations. This includes:

  • Time and date
  • Employee phone number
  • Call duration
  • Call outcome (e.g. compromised or not compromised)
  • Redacted transcript

No call transcripts or voice recordings are retained. This ensures all simulations are conducted in a privacy-first manner while still allowing administrators to review high-level outcomes.

OSINT-Based Personalization

Voice phishing simulations become significantly more realistic when powered by open-source intelligence (OSINT). CanIPhish uses OSINT to scan publicly accessible data to build an AI Knowledge Source that informs and personalizes each simulation. To learn more about OSINT-based personalization, head to this dedicated article.

Supported Phone Numbers

CanIPhish has acquired phone numbers in various locations across the world. By default, the phone number selected is based on the storage location setup in your CanIPhish tenant. However, the geographic location of phone numbers we use for voice phishing campaigns can also be hardcoded. Currently, CanIPhish maintains phone numbers in the following geographic locations:

  • United States
  • Canada
  • Australia
  • United Kingdom
  • Finland
  • Chile
  • Israel
  • Denmark

Supported Languages

English is the only officially supported and tested language.

In saying this, the AI Agent is capable of speaking in 28 other languages, including: French (European), Spanish (LATAM), Portuguese (Brazilian), Chinese (Mandarin), Arabic, Hindi, Italian, Korean, Dutch, Turkish, Swedish, Indonesian, Filipino, Japanese, Ukrainian, Greek, Czech, Finnish, Romanian, Russian, Danish, Bulgarian, Malay, Slovak, Croatian, Tamil, Polish, and German. Where specified, the AI agent will attempt to talk in these languages, falling back to English should there be any translation difficulties.

Supported Countries

CanIPhish has reviewed the relevant telecommunications, privacy, and anti-spam laws in each country to ensure our voice phishing simulator is implemented compliantly. We currently support voice phishing simulations in 65 countries.

Argentina, Armenia, Australia, Austria, Bahrain, Belgium, Brazil, Bulgaria, Canada, Chile, China, Colombia, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Laos, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Morocco, Netherlands, New Zealand, Nigeria, North Macedonia, Norway, Philippines, Poland, Portugal, Romania, Saudi Arabia, Serbia, Singapore, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Tunisia, Türkiye, United Arab Emirates, United Kingdom, United States, Vietnam.

Finding Voice Phishing Templates

Simulated Voice Phishing is available to Enterprise Tier customers who have opted in to voice phishing, signed the Agency Agreement, and had Voice Phishing unlocked on their tenant. To locate voice phishing templates:

Step 1: Navigate to Phishing Content, then Voice Phishing

Launching a Voice Phishing Campaign

Creating a voice phishing campaign is just like creating a regular email phishing campaign. 

  1. Click New Campaign
  2. Go through the Initial Setup & Employee Selection as usual
  3. Select Voice Phishing in the top bar to expose the voice phishing templates. From here, continue as usual.

Note: You cannot blend an email campaign and voice campaign together.

Running a Test Call

Before going live, you can run a test call to experience the simulation firsthand.

To run a test call:

  1. Go to the Voice Phishing Library.
  2. Choose a template you'd like to preview.
  3. Click on the center of the scenario tile (you will see a magnifying glass)
  4. Enter a verified phone number and click Submit Phone Number

You’ll receive a call within seconds from the AI Agent using the selected scenario. This is a great way to validate the realism and flow of the call before launching to employees. Only one test call can be performed at a time. A maximum of 30 tests can be conducted per month.

Updating a Template

Voice phishing templates can be customized to better suit your target audience.

To update a template:

  1. Navigate to the Voice Phishing Library.
  2. Find the template you want to modify and click Update to replace the module or Duplicate to create a new template and preserve the original.
  3. In the Conversation Designer section, adjust the AI persona, AI Persona Name, AI Vocal Pitch, and AI tone.  

  4. Click Save to apply your changes.

Customizing templates allows you to fine-tune simulations for specific roles, departments, or organizations.

Getting Started

Voice Phishing is available to Enterprise Tier subscribers only. If not yet activated, an onboarding banner will be shown at the top of the Voice Phishing page.

For step-by-step setup, refer to our Voice Phishing – Getting Started Guide.

Supplementary Fact Sheets

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk