Our Vishing (voice-phishing) feature allows you to test if your users are prone to entering sensitive information when prompted on the phone.
When a vishing campaign begins, our system will call your users' phones and play a pre-recorded or text-to-speech message. This message will ask for personal information such as a PIN or Social Security number. Vishing templates are programmed to expect a specific number of characters in order to track failures. If the user hangs up without entering data, they will have passed the vishing test. If the user enters the requested number of digits into their phone, this action will be considered a failure.
The data entered by your users will not be logged or kept on file. Our system only records the number of digits your users entered in order to track if they failed the vishing test.
Read the tutorial below or watch our Vishing video to learn about KnowBe4's Vishing feature. For information about creating and customizing vishing templates, please see our How to Customize and Create Vishing Templates article.
KnowBe4 allows you to test each of your licensed users with vishing calls, up to a maximum of 12 times per year.
Aside from your normal subscription fee, KnowBe4 does not charge for vishing your users. However, domestic or international call rates may apply. KnowBe4 is not liable for any charges incurred by your users as a result of any aspect of this feature. Check with your telephone service provider for more information about the charges you might receive.
Before You Start Vishing
Before you run a vishing test, make sure you've added your users' direct phone numbers to the console. You can find this number in the Phone Number field of your users' profiles. You can also add a mobile phone number if desired.
For users located in the United States, area codes are required for a vishing call to be successful. Our system will be able to determine the phone number of the user and dial correctly based on any of the following formatting options:
- (###) ### ####
- (###) ###-####
For users located outside the United States, numbers must meet E.164 formatting specifications. These specifications are outlined below:
- A + (plus) sign
- International Country Calling code
- Local Area code
- Local Phone number
For more information about formatting international numbers, view this Twilio guide. Non-U.S. phone numbers that do not meet E.164 standards might be interpreted as U.S. phone numbers or might be dialed incorrectly by our Vishing service.
Which Countries and Languages Do You Currently Support?
Currently, the Vishing service provides local area codes for fourteen countries, allowing your users to receive the simulated vishing calls from an area code they are more likely to recognize. See a list of supported countries in the Local Dialing section below.
Text-to-speech is supported for the following languages: Catalan (Spain), Chinese (Mandarin, Cantonese, Taiwanese Mandarin), Danish (Denmark), Dutch (Netherlands), English (Australia, Canada, UK, India, United States), Finnish (Finland), French (Canada, France), German (Germany), Italian (Italy), Japanese (Japan), Korean (Korea), Norwegian (Norway), Polish (Poland), Portuguese (Brazil, Portugal), Russian (Russia), Spanish (Spain, Mexico), and Swedish (Sweden).
Does Vishing Work with Extensions?
For some auto-attendant phone systems, it is possible for vishing calls to reach phone numbers that include extensions. However, this is not currently a supported feature. We recommend that you run a test on a small group to see if this method works for your organization.
Local Dialing
Vishing includes support for local dialing in the countries and regions listed below.
- Czech Republic
- Great Britain
- Hong Kong
- Ireland (will no longer be supported on January 1, 2022)
- Slovak Republic
- South Africa
- United States
Vishing is designed to use the same area code as the user when placing a call. If a number using the same area code is not available, a number with a different area code from the same country or region will be used.
For countries or regions not listed above, vishing can still be conducted, but the phone call will use a United States phone number.
Aside from your normal subscription fee, KnowBe4 does not charge for vishing your users. However, domestic or international call rates may apply. KnowBe4 is not liable for any charges incurred by your users as a result of any aspect of this feature. Check with your telephone service provider for more information about possible charges.
Creating a Vishing Campaign
To create a vishing campaign, follow the steps below.
- From the VISHING area of the console, click the +Create Vishing Campaign button.
- Enter a Name for the campaign.
- Select which users you’d like to vish in the Deliver To field by selecting either All Users or Specific Groups.
- Use the Start Date field to define the date, time, and time zone you would like to use for this campaign. After the campaign starts, calls will be placed to users randomly, spaced about 20 seconds apart.
- Select the Calling Period you'd like to use. Use these options to define the time frame when the campaign can initiate calls.
  - You can either send all of the phone calls when the campaign starts or you can space out the calls across a longer period of time.
  - If you choose to send phone calls over time, after the campaign starts your users will be dialed randomly and each call will be placed about 20 seconds apart. Each user will receive one call per vishing campaign.
Note: The business days, hours, and time zone will default to the settings you defined in your Account Settings. If needed, you can manually adjust these settings on each campaign.
- Next, use the first drop-down menu in the Categories field to choose the template categories you’d like to include in your vishing campaign. The first Categories field also includes the different languages to be used in your vishing campaign.
If you’re using built-in vishing templates, preview the templates or send yourself a test call prior to setting up the campaign. You can also set up a test campaign to send to yourself or a small group of users to ensure you're sending out the right templates for your organization.
- Use the second drop-down menu in the Categories field to select the vishing template you want to vish your users with. If you would like to randomize the vishing template for your users instead, you can select either Full Random, which sends a random template to each user, or Random, which sends the same random template to all users.
- In the Phone Number to Call field, select which number should be used to call your users. You can select Phone Number Field or Mobile Phone Number Field. This setting will use either the Phone Number field or the Mobile Phone Number field found in your users' profiles. These user profile fields can be imported via CSV, added manually, or synced automatically if you are using user provisioning.
- If you’re unsure which field is populated in your users' profile, we recommend that you also check the Use Alternate Phone If Available checkbox. This setting will allow the system to call an alternate phone number in case the number you selected for the campaign is not populated with a phone number.
Note: You must have the designated phone number field populated with a properly-formatted phone number in each user's profile to successfully vish each user.
- Click Create Campaign. After the campaign starts, your users will be dialed randomly and each call will be placed about 20 seconds apart. Each user will receive one call per vishing campaign.
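A pre-flight check for the phone number formatting rules in Before You Start Vishing and for the Phone Number to Call and Use Alternate Phone If Available settings above. This is an added example, not KnowBe4 code: the CSV column names and the `classify` and `preflight` helpers are assumptions, and only the two U.S. formats listed on this page plus E.164 are recognized.

```python
import csv
import io
import re

# US formats listed on this page: "(###) ### ####" and "(###) ###-####".
US_LISTED = re.compile(r"^\(\d{3}\) \d{3}[ -]\d{4}$")
# E.164: "+", then country code and subscriber number, 15 digits at most.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def classify(number):
    """Return 'empty', 'us_listed', 'e164' or 'unlisted_format'."""
    number = (number or "").strip()
    if not number:
        return "empty"
    if US_LISTED.match(number):
        return "us_listed"
    if E164.match(number):
        return "e164"
    return "unlisted_format"


def preflight(rows, primary="phone_number", alternate="mobile_phone_number",
              use_alternate=True):
    """Pick the number a campaign would dial for each user and classify it.

    Fallback mirrors the page's wording: the alternate field is used only
    when the selected field is not populated, not when it is malformed.
    """
    report = []
    for row in rows:
        field = primary
        if classify(row.get(primary)) == "empty" and use_alternate:
            field = alternate
        value = (row.get(field) or "").strip()
        report.append((row["email"], field, value, classify(value)))
    return report


# Constructed sample export; column names are assumptions, not the console's.
SAMPLE_CSV = """email,phone_number,mobile_phone_number
a@example.com,(727) 555-0100,
b@example.com,,+442079460000
c@example.com,020 7946 0000,+442079460001
d@example.com,,
"""

if __name__ == "__main__":
    for entry in preflight(csv.DictReader(io.StringIO(SAMPLE_CSV))):
        print(*entry, sep="\t")
```

Rows reported as `empty` or `unlisted_format` are the ones to correct in the user profiles before the campaign's start date; the third sample row shows a populated but non-E.164 number that the alternate-phone setting does not rescue.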
From the Vishing tab, you'll see a summary of your vishing call statuses and the Vish-prone Percentage of your vishing campaigns, as well as information about how many campaigns you have, which are active, and which are inactive.
If you select the Campaigns subtab, you can view a list of your vishing campaigns and information about each campaign, such as the groups included in the campaign and the status of the campaign.
For information about the vishing campaign statuses, see the list below:
- Created: The test has been created but has not started yet.
- Started: The test has started and is in progress.
- Completed: The test has ended.
For information about the results of a specific campaign, see the Vishing Campaign Results section below.
Vishing Campaign Results
From the Campaigns subtab of the Vishing tab, select an individual vishing campaign name to see the results. In the Campaign Details section, you will see a graph that represents the number of users who failed versus the number of users who passed, along with the current status of the campaign, the overall Vish-prone Percentage, and the start date of the campaign.
Below this section is a list of all the users included in this campaign. You can use the following filters to get a closer look at how the campaign is going:
- Scheduled - This filter shows you users who are scheduled to receive a vishing call but have not yet.
- Called - This filter shows you the users who have received vishing calls. This filter includes any user who has been called, regardless of whether or not they failed the vishing attempt.
- Call Failed - This filter shows you users who were called but the vishing attempt was unable to run successfully.
- Failed - This filter shows you users who failed the vishing test by entering the appropriate number of digits when prompted. For more information on what determines if a user fails a vishing test, please see our What is Considered a Vishing Test Failure? section below.
- Passed - This filter shows you users who passed the vishing test.
You can also download a CSV containing your campaign results by clicking the Download CSV button. To download a list of all users who have failed on any of your vishing campaigns, navigate to the main Campaigns tab, and click Download All Vishing Failures.
What is Considered a Vishing Test Failure?
A user fails your vishing test if they enter the required number of digits for the designated failure step on the template they received.
Vishing templates are broken into "steps" - Say, Play, and Pause. Say or Play steps can prompt the user to enter a specific number of digits. Say or Play steps can also be designated as the failure step on the template. See more about failure steps in this article.
The required number of digits varies on each built-in system template and is specified in the Required Number of Digits to Proceed field in the vishing template.
Note that the required number of digits may not match exactly with the information that is being requested as part of the vishing template.