
Threat Briefing ⋅ Social Engineering

The Economics of Social Engineering

The cost of attacking your organisation by phone just collapsed. Your defences haven't moved. Here's what changed, why it matters, and what good defence actually looks like.

96%

of employees who took a risky action knew it was risky when they took it. This is not an awareness failure. The gap between knowing and doing is a behaviour problem. And it's never more exposed than on a phone call.

Proofpoint State of the Phish, 2024 · 7,500 adults across 15 countries

$3B+

Lost to business email compromise annually

FBI IC3 Report 2024 · the majority involved a phone call at some stage of the attack

~£0

Marginal cost of an AI-powered vishing call in 2025

The barrier to volume phone-based social engineering is now effectively zero

86%

Reduction in susceptibility with continuous simulation training.

KnowBe4 Phishing Benchmarking Report 2025 · 14.5M users · 67.7M simulated tests

The Argument

This isn't about voice cloning

The conversation about AI voice fraud has been dominated by the wrong threat. Deepfaked CEOs and cloned voices make headlines. They're real, and they're expensive when they work. But they're not why phone-based social engineering is growing.

The real driver is simpler. Phone attacks work because voice is trusted, and verification is almost universally absent. You don't know what the finance manager at your supplier sounds like. You don't know the IT contractor your team onboarded last month. You've never heard the facilities manager from your building's security firm.

An attacker doesn't need to clone anyone's voice. They just need to sound like a plausible human with a plausible reason to call. That's always been achievable. What's changed is the economics.

The attacker needs one person to comply. The defender needs everyone to do the right thing, every time, under pressure.

Skilled social engineers, people who can improvise, adapt, handle objections and stay calm under challenge, used to be the constraint. They're rare, they're expensive, and they can only make so many calls. AI removes that ceiling entirely. The question now isn't whether your people will be targeted. It's whether they've ever been put under that kind of pressure before.

The Shift

What changed... and what didn't

Before 2023

Vishing required skill

Effective phone-based social engineering needed a trained operator. Someone who could read a person, improvise when challenged, maintain a cover story under pressure, and adapt in real time. That skill was the bottleneck. It made volume attacks impractical and limited who could run them.

Now

Vishing requires a script

AI-driven calling platforms can run hundreds of simultaneous calls, adapt to responses, handle common objections, and sound entirely credible. The skill ceiling is gone. The only remaining constraint is a list of names and a plausible pretext. Both are cheap to acquire.

The attacker's economics

Cost per call: near zero

A phishing email costs fractions of a penny and goes to millions. A vishing call used to cost real money: operator time, preparation, risk of exposure. That differential has collapsed. Phone attacks are now as scalable as email attacks, with significantly higher compliance rates.

The defender's economics

Defence is still manual

Most organisations have some phishing awareness training. Almost none have trained their people to challenge a caller, verify identity under pressure, or escalate when something feels off. The attack surface changed. The defence didn't.


The volume of phone-based attacks is rising because the economics favour it. Platforms exist today that can run targeted vishing campaigns at scale, with personalised pretexts, adaptive conversation, and no human operator required.

The targets are the same roles they've always been: finance teams who approve payments, HR staff who handle personal data, IT helpdesks who reset credentials, anyone with access to systems or sensitive information. What's changed is that attackers can now test every one of them, systematically, affordably.

And the honest truth about most organisations is that their people have never been on the receiving end of a well-constructed vishing call. They don't know what pressure sounds like. They haven't practised saying no. They haven't rehearsed the moment where someone sounds authoritative, sounds urgent, and sounds completely legitimate, and they have to decide whether to comply or challenge.

That gap, between what people know they should do and what they actually do under real pressure, is where most incidents happen. It's also, importantly, where training can make the most difference. But only if the training involves actual pressure. Not slides about pressure. Pressure itself.

The honest truth

You can't read your way to a reflex

Every organisation that's run a well-designed vishing simulation reports the same thing: people who were confident they'd handle a suspicious call correctly often don't, until they've been on the receiving end of one.

This isn't a criticism of those people. It's an accurate description of how humans learn. Reflexes are built through rehearsal, not instruction. You don't learn to drive by reading the highway code. You don't learn to handle a vishing call by completing a module about vishing calls.

The good news is that the behaviour transfer is fast once exposure happens. A single well-designed simulation, one that puts people under real pressure, scores their response, and gives immediate feedback, changes how they behave in a way that weeks of e-learning doesn't.

The investment required is modest. The gap it closes is significant. The question is whether your organisation closes it before an attacker finds it first.

A single, well-designed simulation changes how people behave in a way that weeks of e-learning simply can't.

Take it with you

Download the briefing

A clean, shareable version of this briefing, formatted for print or screen. Useful for sharing with a team, briefing a security committee, or making the case internally for a different approach to phone-based threat training.

Ready to test your people?

CTRL+Vish puts your high-risk roles under real pressure before an attacker does. Training, practice line, live simulations, risk scoring.

You'll talk to a real human... we promise.