Phishing Simulation

Adding a Vishing Template

Overview

A vishing (voice phishing) template is a script for an automated phone call that simulates a fraudulent caller — IT support, HR, a bank, or another trusted entity — attempting to extract sensitive information or prompt the target to take a risky action.

Vishing is one of the hardest attack vectors for users to resist. Unlike email, it creates real-time social pressure and bypasses the visual cues people learn to watch for in phishing emails.


Step 1 — Navigate to template creation

Go to Templates → click New Template → click Create under Vishing Scenario Creator.


Step 2 — Enter basic information

| Field | Notes |
|---|---|
| Template name | Describe the scenario: "IT Helpdesk — Password Reset", "HR — Payroll Verification" |
| Template description | Who does the caller claim to be? What is the caller trying to get the target to do? |
| Tags | Tag by scenario type: it-impersonation, hr-fraud, bank-fraud, executive-fraud |
| Difficulty level | Beginner (obvious script) → Advanced (natural, conversational, highly convincing) |

Step 3 — Build your script

The script editor lets you chain messages and interactions:

Write a message: The opening message the automated bot delivers. Write it as spoken dialogue — short sentences, natural pacing.

Example: "Hello, this is Alex from IT Security. We've detected unusual login activity on your account and need to verify your identity to prevent it being locked."

Add next action → Say: Add follow-up spoken messages that play in sequence.

Example: "I'll need to verify your employee ID before we proceed. Please say your employee number after the tone."

Add next action → Input: Prompt the bot to collect input from the target — a keypress or spoken response. This is what gets recorded as a "data entry" event in your campaign results.

Example: Prompt to press 1 to confirm identity, or to speak their OTP.

Add on phish: Create conditional branches based on how the target responds. For example: if the target presses 1 (indicating compliance), branch to an awareness message. If they hang up, record as "resisted".


Step 4 — Click Submit

Your vishing template is saved and ready to use in a campaign.
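A way to sanity-check a Step 3 flow on paper before building it in the editor, as an added example (not the product's code or export format): a hypothetical model of Say/Input nodes with on-phish branches, checked for dead ends and walked with constructed responses. The `Node` class, its field names and the "completed" outcome are assumptions, and the flow is assumed to be acyclic; events record only that input happened, never the keyed or spoken value.

```python
# Added illustration: a hypothetical model of a Step 3 script, not the product's format.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    kind: str                    # "say" or "input"
    text: str
    next: Optional[str] = None   # node that follows a "say"
    on_phish: dict = field(default_factory=dict)  # response -> node id ("input" only)

# Constructed sample flow reusing the example lines from Step 3.
SCRIPT = {
    "open": Node("say", "Hello, this is Alex from IT Security.", next="ask"),
    "ask": Node("input", "Press 1 to confirm identity.", on_phish={"1": "aware"}),
    "aware": Node("say", "This was a simulated vishing call."),
}

def validate(script, start="open"):
    """List flow problems: dangling links, inputs with no branch, unreachable nodes."""
    problems, seen, stack = [], set(), [start]
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        if nid not in script:
            problems.append(f"dangling link to {nid!r}")
            continue
        node = script[nid]
        if node.kind == "input" and not node.on_phish:
            problems.append(f"{nid!r}: input has no on-phish branch")
        stack.extend(([node.next] if node.next else []) + list(node.on_phish.values()))
    problems += [f"{n!r} unreachable" for n in script if n not in seen]
    return problems

def run_call(script, responses, start="open"):
    """Walk a validated flow; a None or missing response means the target hung up."""
    events, nid, pending = [], start, list(responses)
    while nid:
        node = script[nid]
        if node.kind == "say":
            nid = node.next
            continue
        reply = pending.pop(0) if pending else None
        if reply is None:
            return "resisted", events
        events.append({"node": nid, "event": "data entry"})  # value deliberately not stored
        nid = node.on_phish.get(reply)
    return ("data entry" if events else "completed"), events
```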


Writing effective vishing scripts

Open with authority. Real vishing attacks almost always start with the caller establishing credibility: "This is [name] from [department/organisation]."

Create urgency. "Your account will be locked in the next hour unless we verify your identity." Urgency reduces the time the target has to think critically.

Keep it natural. Robotic-sounding scripts are easier to spot. Read the script aloud — if it sounds awkward, rewrite it.

Match the caller persona to the target. IT calls work for all staff. HR calls (about pay, benefits, or onboarding) work especially well for new hires. Executive impersonation calls work for finance teams.

Have a clear "hook." What is the caller trying to get the target to do? Press a key, say their OTP, confirm their password, call back a number? The hook should be specific and plausible.


  • Always stay within your organisation's security policy and any applicable HR guidelines
  • Do not use personal information beyond what is professionally known
  • Ensure any data captured during vishing simulations is handled securely and confidentially
  • Brief your IT/SOC team before running vishing campaigns to avoid false incident reports