
April 15, 2026
Can Your People Spot a Vishing Attack in Real Time?

Attackers are increasingly targeting service desk and contact centre teams with convincing phone-based social engineering attacks designed to bypass security controls. Would your people recognise a vishing (phone-based phishing) attempt and respond correctly in the moment?
Service desks and contact centre teams are increasingly prime targets for attackers using voice-based social engineering, also known as vishing. Instead of exploiting technical vulnerabilities, attackers are exploiting human behaviour using urgency, authority, and deception to gain access to systems, credentials, and sensitive information.
Theta’s Head of Cyber Security, Liz Knight, said:
"Adversaries are bypassing technical controls and exploiting the human element. Service desks and contact centres are now front-line targets, making it essential to test whether our people can detect and respond to real-world social engineering attacks."
Why service desks are in the spotlight
Your service desk is designed to help people quickly. That’s exactly what attackers take advantage of.
In a typical vishing scenario, an attacker might:
- Impersonate an employee who is locked out of their account
- Pose as a senior executive needing urgent access
- Claim to be a customer requesting account changes
- Apply pressure to bypass normal identity verification processes
These calls are often convincing, well-researched, and timed to catch staff off guard.
The gap between policy and reality
Most organisations already have procedures for handling sensitive requests like password resets, MFA changes, and account updates. But policies alone don’t stop attacks.
In real-world situations, staff must make quick decisions while managing:
- High call volumes
- Frustrated or urgent callers
- Complex processes
- Fear of delaying legitimate requests
This is where breakdowns happen: not because people don’t know what to do, but because the situation feels real.
Why traditional training isn’t enough
Security awareness training plays an important role, but it often focuses on theory. The problem is that recognition doesn’t always translate into action.
When faced with a convincing caller, employees may still:
- Skip verification steps
- Trust assumed authority
- Make exceptions to “help”
- Override controls to resolve issues quickly
Without testing behaviour in realistic scenarios, organisations are left with a false sense of security.
So, can your people spot a vishing attack in real time?
In response to the current elevated threat landscape, Theta has partnered with Nova Security to deliver a vishing simulation designed to strengthen the resilience of service desk and contact centre teams.
Our vishing (phone-based phishing) simulation is a targeted, covert exercise that evaluates how effectively your team can detect and respond to modern social engineering attacks, providing actionable insights to improve your human defences.
"This vishing simulation provides actionable insights into your team’s resilience, highlighting gaps in human defences and enabling organisations to strengthen the behaviours, processes, and awareness that keep sensitive information secure," commented Knight.

Theta’s Vishing Simulation includes:
- Scenario development aligned to your real processes (e.g., password resets, MFA changes)
- Controlled, telephone-based social engineering attempts
- Testing of service desk and contact centre responses
- Evaluation of verification and escalation procedures
- A detailed report with findings and recommendations
What a Vishing Simulation reveals:
- Validate your controls: Do your identity verification and escalation processes hold up under pressure?
- Assess real behaviour: Do staff follow procedures when faced with urgency or authority?
- Identify gaps: Where are the breakdowns—in process, training, or decision-making?
- Measure risk: How exposed is your organisation to this type of attack?
Why it matters:
A vishing simulation provides the insight you need to:
- Understand your real-world risk
- Train your teams and strengthen your processes
- Improve organisational vishing resilience
It’s important to remember that the goal isn’t to catch people out but to strengthen your organisation’s ability to respond.
Building a stronger human defence
The most effective organisations focus on reinforcing a simple but critical behaviour:
Stop. Check. Confirm.
- Stop: pause before acting
- Check: follow the correct verification process
- Confirm: validate the request through trusted channels
When consistently applied, this mindset significantly reduces the likelihood of successful vishing attacks.

