What is Vishing?
Our Vishing (voice-phishing) feature allows you to test whether your users are prone to entering sensitive information over the phone when prompted.
When a vishing campaign begins, our system will dial out to users with a pre-recorded or text-to-speech message which will ask for a specific piece of personal information, such as a PIN, Social Security number, cell phone number, and so on. If the user hangs up without entering data, they pass the vishing test. If they enter the requested number of digits into their phone (depending on the vishing template they received), they've failed.
None of the data entered by your users will be logged or kept on file. Our system only records the number of digits your users enter when prompted.
Currently, the Vishing service provides local area codes for fourteen countries, allowing your users to receive the simulated vishing calls from an area code they are more likely to recognize. See the list of supported countries in the Local Dialing Countries/Regions section below.
Text-to-speech is supported for the following languages: Catalan (Spain), Chinese (Mandarin, Cantonese, Taiwanese Mandarin), Danish (Denmark), Dutch (Netherlands), English (Australia, Canada, UK, India, United States), Finnish (Finland), French (Canada, France), German (Germany), Italian (Italy), Japanese (Japan), Korean (Korea), Norwegian (Norway), Polish (Poland), Portuguese (Brazil, Portugal), Russian (Russia), Spanish (Spain, Mexico), and Swedish (Sweden).
KnowBe4 allows you to vish each of your licensed end users up to a maximum of 12 times per year.
KnowBe4 is not liable for any charges incurred by your users as a result of any aspect of this feature. Domestic or international call rates may apply. Check with your telephone service provider for charges.
Before You Start Vishing
Before you run a vishing test, make sure you've imported your users' direct phone numbers in the Phone number field in their profile. You can also add a mobile phone number if desired.
For users located in the United States, area codes are required for a vishing call to be successful. Our system will be able to determine the phone number of the user and dial correctly based on any of these formatting options:
- (###) ### ####
- (###) ###-####
For users located outside the United States, numbers must be formatted to meet E.164 specifications, which consist of the following:
- A + (plus) sign
- International Country Calling code
- Local Area code
- Local Phone number
For more information about formatting international numbers, view this Twilio guide. Non-U.S. phone numbers that do not meet E.164 standards might be interpreted as U.S. phone numbers, or might not be reached with our Vishing service successfully.
Does vishing work with extensions?
For some auto-attendant phone systems, it is possible for vishing calls to reach phone numbers that include extensions. However, this is not currently a supported feature. We recommend that you run a test on a small group to see if it works for your organization.
Local Dialing Countries/Regions
Vishing includes support for local dialing/area codes in all of the following countries. For countries not included in the list, vishing may still be conducted, but the phone call will use a phone number located in the United States.
KnowBe4 is not liable for any charges or cost associated with the use of this feature, including long distance charges. Domestic or international call rates may apply. Check with your telephone service provider for charges.
- Czech Republic
- Great Britain
- Slovak Republic
- United States
Creating a Vishing Campaign
If you’re ready to start a vishing campaign, follow the steps below.
- From the VISHING area of the console, click the “+Create Vishing Campaign” button.
- Enter a Campaign Name and select the groups you’d like to vish in the Deliver To field. You can vish as many groups as you’d like.
- Choose a Start Time, Time Zone, and Delivery Period.
- The Start Time will be the start of your vishing campaign. After the campaign starts, calls will be placed to users randomly, spaced about 20 seconds apart.
- The Time Zone and Delivery Period will default to the default settings in your Account Settings.
- The Delivery Period will limit the campaign to only initiate calls during the designated time/day period.
- Next, choose what template(s) you’d like to include in your vishing campaign. You can choose multiple categories or templates to randomize as part of your campaign, or you can select a single template to vish all users with.
If you’re using built-in vishing templates, preview the templates or send yourself a test call prior to setting up the campaign.
- Want to randomize the vishing templates used in your campaign? Use the Template drop-down to choose whether you want the same random vishing template used for all users or a different random vishing template used for each user.
- Select a Phone Number to Call. This setting will allow you to either use the main number for the employee (listed as “Phone number” in their User Profile) or the Mobile number (listed as “Mobile phone number” in their User Profile). These user profile fields can be imported via CSV, added manually, or synced automatically if using Active Directory Integration (ADI).
- If you’re unsure which field is populated, we recommend that you also check the “Try Mobile/Landline if Landline/Mobile number is not present” checkbox. This setting is a fallback option, in case one of the fields you are using is not populated with a phone number.
- You must have the designated phone number field in each user's profile populated with a properly-formatted phone number to successfully vish each user.
- Start your campaign! After the campaign starts, your users will be dialed randomly and each call will be placed about 20 seconds apart. Each user will receive one call per vishing campaign.
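A pre-flight check for the phone number requirements from "Before You Start Vishing" and the Phone Number to Call step, run against a user export before the campaign starts. This is an added example, not KnowBe4 code: the CSV column names (`email`, `phone`, `mobile`) and the sample rows are assumptions, and the E.164 test is a strict one (no spaces or punctuation).

```python
import csv
import io
import re

# U.S. formats listed on the page: "(###) ### ####" and "(###) ###-####".
US_FORMAT = re.compile(r"\(\d{3}\) \d{3}[ -]\d{4}")
# E.164: "+", then a non-zero leading digit, at most 15 digits in total.
E164_FORMAT = re.compile(r"\+[1-9]\d{1,14}")


def classify_number(raw):
    """Return 'us', 'e164', 'empty' or 'invalid' for one phone field value."""
    value = (raw or "").strip()
    if not value:
        return "empty"
    if US_FORMAT.fullmatch(value):
        return "us"
    if E164_FORMAT.fullmatch(value):
        return "e164"
    return "invalid"


def preflight(csv_text, primary="phone", fallback="mobile", use_fallback=True):
    """List (email, field, problem) for users the campaign could not dial.

    Column names are hypothetical. The fallback field is consulted only when
    the primary field is empty, as the fallback checkbox is described.
    """
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        field, kind = primary, classify_number(row.get(primary))
        if kind == "empty" and use_fallback:
            field, kind = fallback, classify_number(row.get(fallback))
        if kind in ("empty", "invalid"):
            problems.append((row["email"], field, kind))
    return problems


# Constructed sample export; addresses and numbers are fictional.
SAMPLE_CSV = """email,phone,mobile
alice@example.com,(202) 555-0143,
bob@example.com,+442079460958,
carol@example.com,020 7946 0958,+447700900123
dave@example.com,,(202) 555 0188
erin@example.com,,
"""
```

Calling `preflight(SAMPLE_CSV)` flags carol (a populated but malformed landline is not rescued by the fallback) and erin (no number in either field).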
Vishing Campaign Results
On the VISHING > Campaigns tab, click on an individual vishing campaign to see which users failed your vishing test.
The vishing campaign report page will display the following items:
- The vish-prone percentage, or the percentage of users who failed your vishing test
- The list of users who failed the vishing test
- The numbers that were dialed as part of the campaign
- The vishing templates users received
- How many digits users entered into the phone
- The status of each call (For example, if the call did not go through or received a "busy" signal)
What is considered a vishing test failure?
A user fails your vishing test if they enter the required number of digits for the template they received. The number of digits varies based on the type of sensitive information being requested (credit card number vs. zip code, etc.). Note that the digits required as part of the vishing template may not match the actual number of digits in that particular category of personal information.
You can download a CSV containing your campaign results on this page. You can also download a list of all users who have failed on any of your vishing campaigns from the main VISHING > Campaigns tab by clicking “Download All vishing Failures”.
Customizing or Creating Vishing Templates
Our Vishing feature has a variety of built-in vishing templates available for use or customization. You can also create your own custom vishing templates by using our text-to-speech feature or by importing mp3 files.
Creating Your “Failure” Step
The key to creating a successful vishing template is to decide what your “point of failure” will be. What piece of personal information will you request from the user that will determine that they failed?
Templates must have a designated “failure” step within them that requires the recipient of the call to enter a certain number of digits. The “failure” step will be indicated by a black exclamation point symbol.
To create a vishing template, you must first create a vishing template category to store it in. Vishing template categories can be selected as part of vishing campaigns, allowing you to use multiple, randomized vishing templates within a single campaign if desired.
To create a category:
- Click the Templates tab beneath VISHING.
- Click “+Create new category”.
- Enter your category name. For example, “Banking”.
- Create additional categories as needed.
To create a vishing template:
- Click the Templates tab beneath VISHING.
- Click “+Create template”. (Don't see this button? Make sure you create a template category first.)
- Enter a Template Name.
- Select the Category you’d like to store this template in.
- Select a Text-To-Speech Language. The selected language is what will be used to interpret the text you include in any “Say” steps included in this template.
- Click the “+Add a new step” button. Select whether you want this step to Say, Play, or Pause.
- Say - This will enable our text-to-speech feature. Text-to-speech interprets the text you include to create an audible vishing script that will be used on the vishing call to your user. If this step will be your “failure” step, be sure to include the number of digits you are prompting your user to enter through the phone.
- Play - This will play an mp3 file of your choice as part of your vishing call. Imported mp3 files must be less than 1MB. Enter an audio description (optional) if desired. If this step will be your “failure” step, be sure to include the number of digits you are prompting your user to enter through the phone.
- Pause - This will pause the call for the designated number of seconds.
- Save each step. When you’ve added all of the steps you’d like, you can save your template.
How to Customize a System Vishing Template
To modify a built-in template, click on the checkbox to the left of the template you'd like to modify and copy it into your own category.
From your own category under My Templates, you can modify the specifics of that template.
Note that the built-in "Play" step content cannot be modified, as it uses pre-loaded .mp3 files. To modify "Play" step content, you can copy the audio description and paste it into a new "Say" step to use the text-to-speech feature.
"Say" steps can be modified to change the output of the text-to-speech function. You can also modify the number of digits required in that step that will determine if a user failed the test.
Previewing and Testing Templates
From the My Templates or System Templates tabs beneath VISHING, you can preview or test vishing templates by clicking the eyeball icon to the right of the template.
The preview will detail all steps in the selected vishing template, including the “failure” step and number of digits the user must enter to fail the vishing test.
The bottom of the preview will include a text box where you can enter your phone number to test out the vishing template. Follow our phone number formatting requirements to ensure the call will be successful.