Vishing & Smishing
Your email phishing defences measure one channel. Voice and SMS attacks operate on two others, and your team has never been tested on either. We run controlled vishing and smishing campaigns against your workforce, measuring susceptibility department by department and delivering the data your board and auditors can act on.
Voice & SMS Threat Landscape
Your phishing simulation measures one channel. Your voice and SMS channels have never been tested. Attackers know it.
Higher Success Rate
Vishing consistently outperforms email phishing. In controlled simulations, voice calls succeed 3x more often because it is psychologically harder to refuse a real voice.
Deepfake Risk
AI voice cloning enables convincing CEO fraud impersonation. Voice samples are harvested from LinkedIn videos and public recordings. No specialist equipment is required.
Starting From
Combined vishing and smishing campaigns targeting 20-30 employees. Scoped to your organisation, no off-the-shelf packages.
Controls
Why Email Phishing Simulation Is Not Enough
Email phishing simulation tests one channel. Voice and SMS attacks operate on two others that your existing programme does not measure.
Email-Only Simulation: Single Channel Coverage
- Tests email link and attachment scepticism
- Attacks on this channel are often caught by secure email gateways and spam filters before a user sees them
- Employee has time to pause, inspect, and report
- No real-time psychological pressure
- One channel tested, two unmeasured
Vishing & Smishing: Complete Social Engineering Coverage
- Tests verbal verification and out-of-band procedures
- Bypasses email security gateways entirely
- Real-time voice pressure overrides deliberation instinct
- 3x higher success rate than email phishing
- Voice, SMS, and caller ID spoofing in one engagement
Telephony Attack Methodology
Testing the human element on the voice and SMS channels. We use psychological triggers (urgency, authority, and familiarity) to measure resilience against the attacks your email filters cannot stop.
Vishing (Voice Phishing)
Our social engineers call your employees pretending to be IT support, HR, or a vendor. We attempt to extract sensitive information (passwords, client data) or trick them into visiting a malicious URL. Each call is scripted around a plausible pretext tailored to your organisation's structure and terminology.
Smishing (SMS Phishing)
We send convincing SMS messages impersonating HMRC tax rebates, Royal Mail delivery failures, or internal IT MFA requests to corporate mobile devices. This tests user vigilance on the mobile channel, where corporate security controls are weakest.
MFA Bypass Attempts
Testing MFA fatigue and token interception by calling users and convincing them to approve a push notification or read out an SMS code. We measure whether your MFA deployment has created a false sense of security without corresponding verification training.
Deepfake Audio (Advanced)
For high-security engagements, we simulate AI voice cloning using synthesised audio derived from publicly available executive content: LinkedIn videos, conference recordings, and earnings calls. The synthesised voice is delivered via a spoofed caller ID matching the executive's known contact details. This tests whether your verification procedures are robust against the current generation of deepfake attacks.
Pretext Engineering
Before a single call is made, we harvest publicly available intelligence: LinkedIn org charts, staff directories, supplier invoices, and internal terminology from job postings. This OSINT feeds into scenario design, ensuring every pretext is contextually credible and mirrors the reconnaissance a real attacker would conduct.
What is Vishing? What is Smishing?
These are not edge cases. If your team has never been tested on the voice channel, you have no data to prove otherwise.
Phishing vs Vishing vs Smishing: Key Differences
| Attack Dimension | Phishing | Vishing | Smishing |
|---|---|---|---|
| Attack vector | Email | Voice call | SMS / Text message |
| Typical pretext | Fake invoice, credential reset link | IT support, CEO, bank representative | Royal Mail delivery, HMRC rebate, MFA code request |
| Relative success rate | Baseline | 3-5x higher than email | 2-3x higher than email |
| Primary defence tested | Link and attachment scepticism | Verbal verification procedure | Link and code scepticism on mobile |
| Stopped by email security | Partially | No | No |
Real-World Vishing Examples
Caller poses as internal IT support: "We've detected unusual activity on your account. I need to verify your identity before I can secure it. Can you confirm your current password so I can compare it against our records?" The urgency and authority of the voice override the employee's instinct to pause.
A caller spoofing the CEO's extension contacts a finance team member: "I'm in a board meeting. I need you to process a supplier payment urgently. I'll send you the account details now. Do not discuss this with anyone before it's done." The combination of caller ID spoofing and authority pressure is a common route to wire transfer fraud.
A caller impersonating a known supplier contacts accounts payable: "We've changed our banking details. I want to make sure your records are updated before the next payment run." No malicious link, no suspicious attachment. Just a voice and a plausible reason to update a bank record.
Common Smishing Attack Patterns
Delivery failure (Royal Mail): This exact pretext accounts for a significant portion of UK consumer fraud reports via Action Fraud and 7726 submissions.
HMRC tax rebate: HMRC impersonation accounts for millions in annual UK fraud losses. The deadline creates urgency that overrides verification instinct.
Internal IT MFA request: Corporate impersonation via SMS bypasses email filtering entirely, and MDM solutions do not typically inspect SMS content.
Mapped directly to your regulatory controls.
Our report is structured as documented evidence for security awareness audit requirements across ISO 27001, PCI DSS, and GDPR.
ISO 27001:2022
Security awareness and training obligations
PCI DSS v4.0
Security awareness programme requirements
GDPR
Appropriate technical and organisational measures for data protection
NIST CSF
All users are informed and trained
Cyber Essentials
Staff awareness verification
DORA
ICT-related incident management and awareness
Globally Accredited Consultants
All testing is conducted by CREST-certified professionals.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Scenario Planning
Days 1-2: Define target list, pretexts (IT Helpdesk, CEO Wire Transfer, Vendor Payment), and rules of engagement. Recording and RIPA compliance protocols agreed.
Execution Campaign
Days 3-7: Calls and SMS campaigns launched over the agreed period. All recordings conducted in strict compliance with RIPA and GDPR under pre-agreed protocols.
Data Analysis
Days 8-10: Pick-up rates, call duration, information disclosed, verification procedure compliance, and escalation behaviour. Results broken down by department.
Feedback & Training
Days 11-14: Structured report with susceptibility rates, training gaps, and remediation priorities. Audio snippets included as training artefacts where recorded under RIPA-compliant protocols.
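As an added example (not the original page's or Precursor's reporting code), the script below computes the Data Analysis figures named in the workflow above from a campaign call log and ranks departments for the Feedback & Training step. The CSV columns and the records are constructed for illustration. The point it makes that the text does not: disclosure and verification rates must be computed over answered calls, not dialled numbers, or a department nobody reached looks safer than one that answered and pushed back.

```python
"""Per-department susceptibility metrics for a vishing campaign.

Added example, not Precursor's reporting code. Column layout and records
are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed call log. One row per dialled number:
#   answered  - the call connected and a conversation took place
#   disclosed - the target gave up the thing the pretext asked for
#   verified  - the target attempted an out-of-band check (callback, ticket)
#   reported  - the target escalated the call to security/helpdesk afterwards
SAMPLE_CALLS = """\
call_id,department,answered,disclosed,verified,reported
1,Finance,1,1,0,0
2,Finance,1,0,1,1
3,Finance,0,0,0,0
4,Finance,1,1,0,0
5,HR,1,0,1,0
6,HR,1,0,0,1
7,HR,0,0,0,0
8,IT,1,0,1,1
9,IT,1,0,0,0
10,IT,1,1,0,0
"""


def safe_rate(num, den):
    """Ratio that reads as 0.0 rather than raising when nothing was answered."""
    return num / den if den else 0.0


def campaign_metrics(csv_text):
    """Return {department: {counts..., rates...}} from the call log."""
    counts = defaultdict(lambda: {"dialled": 0, "answered": 0, "disclosed": 0,
                                  "verified": 0, "reported": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = counts[row["department"]]
        c["dialled"] += 1
        for field in ("answered", "disclosed", "verified", "reported"):
            c[field] += int(row[field])

    metrics = {}
    for dept, c in counts.items():
        metrics[dept] = dict(c)
        # Pick-up is a property of the dialled population; the behavioural
        # rates are properties of the people actually reached, so they use
        # answered calls as the denominator.
        metrics[dept]["pick_up_rate"] = safe_rate(c["answered"], c["dialled"])
        metrics[dept]["disclosure_rate"] = safe_rate(c["disclosed"], c["answered"])
        metrics[dept]["verification_rate"] = safe_rate(c["verified"], c["answered"])
        # Reporting is measured against everyone dialled: a missed call that
        # is still reported as suspicious counts in the department's favour.
        metrics[dept]["report_rate"] = safe_rate(c["reported"], c["dialled"])
    return metrics


def rank_departments(metrics, key="disclosure_rate"):
    """Departments ordered worst-first on the chosen rate (remediation priority)."""
    return sorted(metrics, key=lambda d: metrics[d][key], reverse=True)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_CALLS)
    for dept in rank_departments(m):
        r = m[dept]
        print(f"{dept:8} answered {r['answered']}/{r['dialled']}  "
              f"disclosed {r['disclosure_rate']:.0%}  "
              f"verified {r['verification_rate']:.0%}  "
              f"reported {r['report_rate']:.0%}")
```

With 20-30 targets per campaign the per-department counts are small, so report the raw numerators and denominators alongside the rates; a 100% disclosure rate from one answered call is not a finding about a department.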
What You Receive
Every vishing and smishing engagement produces structured deliverables that serve both operational remediation and executive reporting.
Reports are available via our interactive penetration testing portal, with findings delivered live as the engagement progresses.
Close the Loop After the Campaign
Your vishing and smishing campaign identifies which departments and individuals are vulnerable. We feed those findings into targeted awareness training, 24/7 credential abuse monitoring, and your wider social engineering testing programme to close the loop on human-layer risk.
Explore Defensive Services
Managed Detection & Response
Detect compromised credential usage and anomalous authentication patterns when vishing succeeds.
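As an added example (not part of the original page and not Precursor's tooling), the detection logic below flags two traces that the MFA bypass attempts described under the methodology leave in an identity provider's sign-in log: a burst of push prompts ending in an approval (MFA fatigue), and a successful second factor from a source address outside the user's baseline (what an attacker who had an SMS code read out to them looks like). The log format, thresholds, per-user IP baselines and sample lines are all constructed for this example; map the fields to your own IdP export before use.

```python
"""Flag MFA push-fatigue and unfamiliar-source approvals in auth logs.

Added example, not Precursor's tooling. Log format, thresholds, IP
baselines and sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumed values; tune against your own prompt timeout and false-positive rate).
PUSH_BURST_THRESHOLD = 3           # prompts in one window before it counts as a burst
PUSH_WINDOW = timedelta(minutes=10)

# Constructed baseline: source addresses each user normally authenticates from.
KNOWN_IPS = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.20"},
    "carol": {"192.0.2.9"},
    "dave": {"192.0.2.9"},
}

# Constructed sample log: "<timestamp> <user> <factor> <result> <source_ip>".
# alice is hammered with push prompts (attacker holding her password) and
# eventually approves; dave reads an SMS code to a caller, who then completes
# the login from an address dave has never used.
SAMPLE_LOG = """\
2024-03-04T09:01:02Z alice push DENIED 203.0.113.7
2024-03-04T09:01:30Z alice push DENIED 203.0.113.7
2024-03-04T09:02:05Z alice push DENIED 203.0.113.7
2024-03-04T09:02:40Z alice push DENIED 203.0.113.7
2024-03-04T09:05:12Z alice push APPROVED 203.0.113.7
2024-03-04T09:06:00Z bob push APPROVED 198.51.100.20
2024-03-04T10:00:00Z carol sms_otp APPROVED 192.0.2.9
2024-03-04T10:14:45Z dave sms_otp APPROVED 203.0.113.7
"""


def parse_log(text):
    """Parse the constructed line format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "factor": factor,
            "result": result,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips):
    """Return a list of alerts: {"user", "reason", "ts", "detail"}."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # 1. Push fatigue: an APPROVED push preceded, within PUSH_WINDOW, by
        #    enough prompts (at least one DENIED) to count as a burst. A lone
        #    approval is normal; a run of denials that ends in an approval is
        #    the signature of a user giving in to repeated prompts.
        pushes = [e for e in evs if e["factor"] == "push"]
        for i, e in enumerate(pushes):
            if e["result"] != "APPROVED":
                continue
            window = [p for p in pushes[: i + 1] if e["ts"] - p["ts"] <= PUSH_WINDOW]
            denials = sum(1 for p in window if p["result"] == "DENIED")
            if len(window) >= PUSH_BURST_THRESHOLD and denials >= 1:
                alerts.append({
                    "user": user, "reason": "push_fatigue", "ts": e["ts"],
                    "detail": f"{len(window)} prompts, {denials} denied, then approved",
                })

        # 2. Unfamiliar source: any successful second factor (push or SMS OTP)
        #    from an address outside the user's baseline.
        for e in evs:
            if e["result"] == "APPROVED" and e["ip"] not in known_ips.get(user, set()):
                alerts.append({
                    "user": user, "reason": "unfamiliar_source", "ts": e["ts"],
                    "detail": f"{e['factor']} approved from {e['ip']}",
                })
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"].isoformat(), a["user"], a["reason"], "-", a["detail"])
```

Both rules produce alerts, not verdicts: the push-fatigue rule also fires on a user who fumbled a legitimate login, so weigh it together with the source-address check and the session activity that follows the approval. Number-matching or FIDO2 authenticators remove the push-fatigue pattern entirely, but an SMS or TOTP code read out over the phone still shows up only as the second rule.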
Email Phishing Simulation
Combine with email phishing for unified reporting across all three social engineering vectors.
Social Engineering Testing
Full programme including physical intrusion, USB drop testing, and targeted spear phishing.
Red Team Operations
Vishing as an initial access vector within a full adversary simulation engagement.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
What is the difference between phishing, vishing, and smishing?
Phishing, vishing, and smishing are three forms of social engineering attack that differ by delivery channel. Phishing is conducted via email. Vishing (Voice Phishing) is conducted via telephone call. Smishing (SMS Phishing) is conducted via text message. All three aim to deceive the target into disclosing credentials, approving transactions, or taking actions that benefit the attacker. Vishing tends to have the highest success rate because real-time voice interaction creates psychological pressure that email and SMS cannot replicate. Testing all three vectors in a controlled simulation provides complete coverage of the social engineering attack surface.
What is vishing?
Vishing (Voice Phishing) is a social engineering attack in which an attacker calls a target by phone, impersonating a trusted authority such as an IT helpdesk operator, bank representative, or senior executive. The goal is to manipulate the victim into disclosing sensitive information (passwords, MFA codes, account numbers), approving a fraudulent transaction, or performing an action that creates a security exposure. Vishing is significantly more effective than email phishing because voice interaction creates real-time psychological pressure that written communication cannot replicate.
What is smishing?
Smishing (SMS Phishing) is a social engineering attack delivered via SMS or text message. Attackers send messages impersonating trusted organisations (commonly HMRC, Royal Mail, NHS, or a corporate IT department) to trick recipients into clicking malicious links, disclosing MFA codes, or entering credentials into fake websites. Smishing is effective because SMS messages are trusted more than email, are typically read within minutes of receipt, and are often accessed on personal devices outside corporate security controls.
How effective is vishing compared to email phishing?
Vishing is consistently the highest-converting social engineering vector in controlled simulation environments. Industry data indicates that voice-based attacks succeed 3 to 5 times more often than equivalent email phishing attempts. The primary reason is psychological: it is significantly harder to refuse or question a human voice in real time than to ignore or report a suspicious email. In red team engagements, vishing is frequently the technique used to gain an initial foothold when the technical perimeter is hardened. Staff will disclose credentials over the phone that they would not enter into an unfamiliar web page.
How do you handle call recording and legal compliance?
We ensure strict compliance with RIPA and GDPR in all UK engagements. In a corporate simulation context, employees typically have signed Acceptable Use Policies that cover monitoring activities. We define specific recording protocols during the scoping call and will not proceed without explicit written authorisation from your legal or compliance team. This is addressed before day one of the campaign.
Can you simulate deepfake voice attacks?
Yes. For high-security engagements, we simulate AI voice cloning using synthesised audio derived from publicly available executive content. This is particularly relevant for C-suite impersonation scenarios and finance team wire transfer requests, where the victim's instinct to trust the caller's voice is the primary vulnerability being tested. The simulation specifically probes whether your out-of-band confirmation procedures would detect a spoofed executive call. We recommend this scenario for organisations with a recent near-miss or whose executives have significant public-facing audio content.
Do you call personal (BYOD) mobile numbers?
We typically target only corporate-provided numbers unless there is specific authorisation to include BYOD (Bring Your Own Device) in scope. Any extension to personal devices is discussed and agreed in writing during the scoping call.